[PATCH] acl: support negating the list of users/groups with leading "~"

Matt Mackall mpm at selenic.com
Mon Feb 7 16:31:55 CST 2011


On Mon, 2011-02-07 at 17:03 -0500, John Mulligan wrote:
> # HG changeset patch
> # User John Mulligan <phlogistonjohn at asynchrono.us>
> # Date 1297114623 18000
> # Node ID 864fb160e483d212c3a3c64362766f1c0cbd95ee
> # Parent  69e69b131458023d21ec40aa48fc5299e43ce69b
> acl: support negating the list of users/groups with leading "~"
> 
> The config lines in the acl extension that accept user or group lists may
> be prefixed with a "~" character which stands for "not matching" and
> applies to all users/groups in the list. This allows the statement "deny access
> to any user not in the following list" to be easily expressed in the config file.
> The tilde character is used rather than the "!" in order not to be confused
> with the hgrc method of disabling other configuration lines.

(I hate this sort of thing. It's a documentation nightmare. And most
users will continually file bugs even if the docs are correct and
precise, because there exists no complete and consistent algorithm that
matches their intuition of how such things should work.)

What are the ordering rules?

> In addition this adds tests for branch acls.
> 
> Example:
> 
> [acl.deny.branches]
> admin = ~ admin1, admin2
> release = ~release-engineer

This example is a good example of why this is confusing. What does this
example mean? Denying to all except admin1 and admin2 or do we accept
admin1 and deny admin2?

Why is this better than:

[acl.accept.branches]
admin = admin1, admin2

(which implicitly denies everyone else?)

The ACL rules are -already- too complex.

-- 
Mathematics is the supreme nostalgia of our time.
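
The two readings of `admin = ~ admin1, admin2` raised in the message above, modelled side by side. This is an added example, not part of the original message and not the Mercurial acl extension's code; the function names are hypothetical, and group and wildcard entries are not modelled.

```python
# Illustrative model only; not the Mercurial acl extension's implementation.

def parse_whole_list(value):
    """Reading 1 (patch description): a leading "~" negates the entire list."""
    value = value.strip()
    negate = value.startswith("~")
    if negate:
        value = value[1:]
    names = {n.strip() for n in value.split(",") if n.strip()}
    # Match when membership and negation disagree.
    return lambda user: (user in names) != negate


def parse_per_entry(value):
    """Reading 2 (the alternative asked about): "~" binds only to its own entry.

    Assumption for this sketch: several negated entries mean "none of these".
    """
    plain, negated = set(), set()
    for entry in value.split(","):
        entry = entry.strip()
        if entry.startswith("~"):
            negated.add(entry[1:].strip())
        elif entry:
            plain.add(entry)
    return lambda user: user in plain or (bool(negated) and user not in negated)


# Constructed sample: the [acl.deny.branches] lines quoted in the patch description.
DENY_BRANCHES = {"admin": "~ admin1, admin2", "release": "~release-engineer"}
USERS = ["admin1", "admin2", "release-engineer", "mallory"]


def denied(parse, branch, user):
    """True when the deny rule for `branch` matches `user`."""
    rule = DENY_BRANCHES.get(branch)
    return rule is not None and parse(rule)(user)


def decision_table(parse, branch):
    """Map each sample user to whether the deny rule for `branch` hits them."""
    return {user: denied(parse, branch, user) for user in USERS}


if __name__ == "__main__":
    for label, parse in (("whole-list", parse_whole_list), ("per-entry", parse_per_entry)):
        print(label, decision_table(parse, "admin"))
```

The two readings differ only for `admin2` on the `admin` branch, which is the kind of divergence worth pinning down with a table like this before relying on a deny rule.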



