[issue1188] Allow/Deny http-access on username basis.
mercurial-bugs at selenic.com
Thu Jun 19 08:48:04 CDT 2008
New submission from Henryk Gerlach <hgerlach at gmx.de>:
While one can control whether an authenticated user can push (allow_push) to a
repo or if he can see it (hidden), mercurial does not offer an option to deny
access to a certain repo of a collection.
The attached hgweb-access.patch introduces an option allow_access and
deny_access which takes like (allow_push) a list of users that may access a repo
of a collection. All others are denied.
Issues with the patch:
- I don't like the duplicate code for bail
- It does not use 401 standard conform since hgweb does not send a
WWW-Authenticate header field as required (cf.
10.4.2 401 Unauthorized). However hgweb already breaks this rule in other
- It fixes some a bug in check_perm for default value "False" without stating
- In theory this feature could be handled by the webserver. However compared to
the proposed patch handeling it in the webserver config is quite complex.
title: Allow/Deny http-access on username basis.
Mercurial issue tracker <mercurial-bugs at selenic.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4328 bytes
Desc: not available
Url : http://selenic.com/pipermail/mercurial-devel/attachments/20080619/3a4860be/attachment.patch
More information about the Mercurial-devel