[issue1188] Allow/Deny http-access on username basis.

Henryk Gerlach mercurial-bugs at selenic.com
Thu Jun 19 08:48:04 CDT 2008

New submission from Henryk Gerlach <hgerlach at gmx.de>:

While one can control whether an authenticated user can push (allow_push) to a
repo or if he can see it (hidden), mercurial does not offer an option to deny
access to a certain repo of a collection.

The attached hgweb-access.patch introduces an option allow_access and
deny_access which takes like (allow_push) a list of users that may access a repo
of a collection. All others are denied.

Issues with the patch:
 - I don't like the duplicate code for bail
 - It does not use 401 standard conform since hgweb does not send a   
   WWW-Authenticate header field as required (cf. 
   10.4.2 401 Unauthorized). However hgweb already breaks this rule in other 
 - It fixes some a bug in check_perm for default value "False" without stating 
 - In theory this feature could be handled by the webserver. However compared to 
   the proposed patch handeling it in the webserver config is quite complex.

files: hgweb-access.patch
messages: 6356
nosy: HenrykGerlach
priority: feature
status: unread
title: Allow/Deny http-access on username basis.
topic: hgweb

Mercurial issue tracker <mercurial-bugs at selenic.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hgweb-access.patch
Type: text/x-diff
Size: 4328 bytes
Desc: not available
Url : http://selenic.com/pipermail/mercurial-devel/attachments/20080619/3a4860be/attachment.patch 

More information about the Mercurial-devel mailing list