Finer-grained access restrictions to hgwebdir

Nilton Volpato nilton.volpato at gmail.com
Fri Oct 19 21:00:07 CDT 2007


Hi,

I've implemented, inspired a bit by svn_authz, finer-grained access
restrictions for hgwebdir.cgi. The syntax for hgweb.conf files is
like:

"""
[paths]
repo1 = repo1/
repo2 = repo2/
repo3 = repo3/

[repo:repo1]
* = r
bob = rw

[repo:repo2]
alice = rw
bob = r

[repo:repo3]
* = rw
eve =
"""

This adds permission for anyone to read repo1, but only bob can write
(push). It grants permission for reading/writing to alice on repo2 and
just reading to bob. And on repo3 it allows anyone permission to read
and write, except for eve, who has no permissions.

User authentication is done as usual, by apache using mod_auth, or
similar in other web servers.

If there is no section defined for some repository, then exactly the
same old behavior is kept. Also, note that using this kind of access
control has priority over allow_push in the repository .hg/hgrc file.

Also, when listing all repositories, hgwebdir will not show the ones
for which the authenticated user has no read permission.

I think this is very useful when hosting multiple repositories on the
same machine for a group of users. Can this be merged into the main hg
repository?

Thanks,
-- Nilton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hgwebdir-auth.patch
Type: application/octet-stream
Size: 7957 bytes
Desc: not available
Url : http://selenic.com/pipermail/mercurial-devel/attachments/20071020/50642f54/attachment.obj 
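
The rules described in the message, evaluated over its own sample configuration. This is an added example, not the code from hgwebdir-auth.patch; the function names are hypothetical, and it assumes that an exact user entry overrides `*`, that a user with no matching entry in an existing section gets no access, and that user names are case-sensitive.

```python
import configparser

# Constructed sample: the hgweb.conf shown in the message above.
SAMPLE_CONF = """\
[paths]
repo1 = repo1/
repo2 = repo2/
repo3 = repo3/

[repo:repo1]
* = r
bob = rw

[repo:repo2]
alice = rw
bob = r

[repo:repo3]
* = rw
eve =
"""

def load_acl(text):
    """Return {repo: {user: frozenset of 'r'/'w'}} from the [repo:NAME] sections."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # assumption: user names are case-sensitive
    cp.read_string(text)
    acl = {}
    for section in (s for s in cp.sections() if s.startswith("repo:")):
        rules = {}
        for user, value in cp.items(section):
            perms = frozenset(value.strip())
            if not perms <= {"r", "w"}:  # reject unknown flags instead of guessing
                raise ValueError(f"bad permission {value!r} for {user} in [{section}]")
            rules[user] = perms
        acl[section[len("repo:"):]] = rules
    return acl

def check(acl, repo, user, perm):
    """True/False when the repo has a section; None means 'keep the old behavior'.
    An exact user entry overrides '*'; an anonymous user (None) only matches '*'."""
    rules = acl.get(repo)
    if rules is None:
        return None
    granted = rules[user] if user in rules else rules.get("*", frozenset())
    return perm in granted

def visible_repos(acl, repos, user):
    # Listing filter: hide repositories where read is explicitly denied.
    return [r for r in repos if check(acl, r, user, "r") is not False]
```

A `None` result from `check` corresponds to the "no section defined" case, where the caller falls back to the existing allow_push handling.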

