[issue1188] Allow/Deny http-access on username basis.
Henryk Gerlach
mercurial-bugs at selenic.com
Thu Jun 19 08:48:04 CDT 2008
New submission from Henryk Gerlach <hgerlach at gmx.de>:
While one can control whether an authenticated user can push (allow_push) to a
repo or if he can see it (hidden), mercurial does not offer an option to deny
access to a certain repo of a collection.
The attached hgweb-access.patch introduces an option allow_access and
deny_access which takes like (allow_push) a list of users that may access a repo
of a collection. All others are denied.
Issues with the patch:
- I don't like the duplicate code for bail
- It does not use 401 standard conform since hgweb does not send a
WWW-Authenticate header field as required (cf.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
10.4.2 401 Unauthorized). However hgweb already breaks this rule in other
places.
- It fixes some a bug in check_perm for default value "False" without stating
it.
- In theory this feature could be handled by the webserver. However compared to
the proposed patch handeling it in the webserver config is quite complex.
----------
files: hgweb-access.patch
messages: 6356
nosy: HenrykGerlach
priority: feature
status: unread
title: Allow/Deny http-access on username basis.
topic: hgweb
____________________________________________________
Mercurial issue tracker <mercurial-bugs at selenic.com>
<http://www.selenic.com/mercurial/bts/issue1188>
____________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hgweb-access.patch
Type: text/x-diff
Size: 4328 bytes
Desc: not available
Url : http://selenic.com/pipermail/mercurial-devel/attachments/20080619/3a4860be/attachment.patch
More information about the Mercurial-devel
mailing list