[PATCH 1 of 2] acl: add support for branch-based access control; more informative messages
Matt Mackall
mpm at selenic.com
Fri Apr 30 15:00:44 CDT 2010
On Fri, 2010-04-30 at 15:58 -0300, elifarley at gmail.com wrote:
> +DENY_BRANCHES = 'acl.deny.branches'
> +ALLOW_BRANCHES = 'acl.allow.branches'
> +DENY_FILES = 'acl.deny'
> +ALLOW_FILES = 'acl.allow'
This is silly.
> +
> def _getusers(group):
> return grp.getgrnam(group).gr_mem
>
> @@ -111,25 +156,31 @@
>
> return False
>
> -def buildmatch(ui, repo, user, key):
> +def _buildmatch(ui, repo, user, key):
> '''return tuple of (match function, list enabled).'''
> +
> if not ui.has_section(key):
> - ui.debug('acl: %s not enabled\n' % key)
> + ui.debug('acl: [%s] not defined\n' % key)
Please don't mix these sorts of unrelated changes in with your patches.
If you want to make preparatory clean-ups or reworks, those should be in
separate patches.
> return None
>
> - pats = [pat for pat, users in ui.configitems(key)
> + items = [item for item, users in ui.configitems(key)
> if _usermatch(user, users)]
> - ui.debug('acl: %s enabled, %d entries for user %s\n' %
> - (key, len(pats), user))
> - if pats:
> - return match.match(repo.root, '', pats)
> - return match.exact(repo.root, '', [])
> + ui.debug('acl: [%s] has %d entries\n' % (key, len(items)))
>
> + if not items:
> + return lambda b: False
> +
> + if repo:
> + return match.match(repo.root, '', items)
> +
> + return lambda b: '*' in items or b in items
I can't tell if any of the changes above are actually relevant. None of
them have any rationale given.
> def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
> +
Bzzt.
> if hooktype not in ['pretxnchangegroup', 'pretxncommit']:
> raise util.Abort(_('config error - hook type "%s" cannot stop '
> 'incoming changesets nor commits') % hooktype)
> +
Bzzt.
> if (hooktype == 'pretxnchangegroup' and
> source not in ui.config('acl', 'sources', 'serve').split()):
> ui.debug('acl: changes have source "%s" - skipping\n' % source)
> @@ -144,19 +195,43 @@
> if user is None:
> user = getpass.getuser()
>
> + ui.debug('acl: checking access for user "%s"\n' % user)
> +
> cfg = ui.config('acl', 'config')
> if cfg:
> - ui.readconfig(cfg, sections = ['acl.allow', 'acl.deny'])
> - allow = buildmatch(ui, repo, user, 'acl.allow')
> - deny = buildmatch(ui, repo, user, 'acl.deny')
> + ui.readconfig(cfg, sections = [ALLOW_BRANCHES, DENY_BRANCHES,
> + ALLOW_FILES, DENY_FILES])
>
> - for rev in xrange(repo[node], len(repo)):
> - ctx = repo[rev]
> - for f in ctx.files():
> - if deny and deny(f):
> - ui.debug('acl: user %s denied on %s\n' % (user, f))
> - raise util.Abort(_('acl: access denied for changeset %s') % ctx)
> - if allow and not allow(f):
> - ui.debug('acl: user %s not allowed on %s\n' % (user, f))
> - raise util.Abort(_('acl: access denied for changeset %s') % ctx)
> - ui.debug('acl: allowing changeset %s\n' % ctx)
> + allow = _buildmatch(ui, None, user, ALLOW_BRANCHES)
> + deny = _buildmatch(ui, None, user, DENY_BRANCHES)
> +
> + if deny or allow:
> + ui.debug('acl: checking branch access\n')
> + for rev in xrange(repo[node], len(repo)):
> + branch = repo[rev].branch()
> + if deny and deny(branch):
> + raise util.Abort(_('acl: user "%s" denied on branch "%s"'
> + ' (changeset "%s")')
> + % (user, branch, repo[rev]))
> + if allow and not allow(branch):
> + raise util.Abort(_('acl: user "%s" not allowed on branch "%s"'
> + ' (changeset "%s")')
> + % (user, branch, repo[rev]))
> + ui.debug('acl: access granted: "%s" on branch "%s"\n'
> + % (repo[rev], branch))
> +
> + allow = _buildmatch(ui, repo, user, ALLOW_FILES)
> + deny = _buildmatch(ui, repo, user, DENY_FILES)
> +
> + if deny or allow:
> + ui.debug('acl: checking path access\n')
> + for rev in xrange(repo[node], len(repo)):
> + ctx = repo[rev]
> + for f in ctx.files():
> + if deny and deny(f):
> + raise util.Abort(_('acl: user "%s" denied on "%s"'
> + ' (changeset "%s")') % (user, f, ctx))
> + if allow and not allow(f):
> + raise util.Abort(_('acl: user "%s" not allowed on "%s"'
> + ' (changeset "%s")') % (user, f, ctx))
> + ui.debug('acl: access granted: "%s"\n' % ctx)
Why are two loops needed?
--
http://selenic.com : development and support for Mercurial and Linux
More information about the Mercurial-devel
mailing list