[PATCH 2 of 2 v2] hg-ssh: more flexible permissions for hg-ssh

Wagner Bruna wagner.bruna+mercurial at gmail.com
Wed May 23 10:04:14 CDT 2012


On 22-05-2012 18:21, David Schleimer wrote:
>> I believe a prepushkey hook should be added here as well. Also, I'd suggest using
>> "hooks.prechangegroup.hg-ssh", to add a bit more information to the error
>> message.
>>
> prepushkey is a good point, and I'll definitely add it, thanks.
> 
> I didn't append .hg-ssh to the hook name because I wanted to give minimal
> information on failure, but I don't feel strongly about it.

IMHO that info could be important to avoid silently overriding an existing
user hook.

>> BTW, an alternative approach could be adding a --user parameter to hg-ssh, to
>> check it against web.deny_push / web.allow_push for authorization. This would
>> be simpler for users: each ssh key would simply authenticate a single user,
>> leaving authorization to the existing (and documented) configuration
>> mechanisms.
> 
> I feel like you should just use the unix file permissions for the case where
> you actually have multiple users.  Trying to reimplement permissions when
> there's already a good permissions model available seems like a waste of
> time at best.  I want the read-only flag because I have multiple things
> sharing the same user and I want to grant them different levels of access.

... except (as you stated on your other mail) when you don't want / need full
Unix users. The parameter would just differentiate the access inside
Mercurial; those users don't need to appear anywhere else.

In my current setup, for instance, users are authenticated by Apache against
LDAP, so no Unix accounts. But sometimes it is useful to be able to access the
same repositories, with the same permissions, through ssh.

Regards,
Wagner
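
Added example, not part of the original message and not Mercurial's code: a sketch of the authorization check the proposed `--user` parameter would need, following the documented hgweb rules for `web.deny_push` / `web.allow_push` (deny list examined first, empty allow list denies everyone). The `--user` option exists only as a proposal in this thread; `push_allowed` and `access_mode` are hypothetical helpers and the sample hgrc is constructed.

```python
import configparser
import re

# Constructed sample hgrc for illustration; the user names are made up.
SAMPLE_HGRC = """
[web]
allow_push = alice, bob
deny_push = mallory
"""


def config_list(cfg, section, key):
    """Split a comma/whitespace separated list option; missing means empty."""
    raw = cfg.get(section, key, fallback="")
    return [item for item in re.split(r"[,\s]+", raw.strip()) if item]


def push_allowed(hgrc_text, user):
    """Return True if `user` may push under web.deny_push / web.allow_push.

    deny_push is checked before allow_push. If deny_push is set, an empty
    (unauthenticated) user is denied. An empty allow_push denies everyone.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(hgrc_text)

    deny = config_list(cfg, "web", "deny_push")
    if deny and (not user or user in deny or deny == ["*"]):
        return False

    allow = config_list(cfg, "web", "allow_push")
    return bool(allow) and (allow == ["*"] or user in allow)


def access_mode(hgrc_text, user):
    """Hypothetical mapping: what an ssh wrapper would enforce for this user."""
    return "read-write" if push_allowed(hgrc_text, user) else "read-only"


if __name__ == "__main__":
    for name in ("alice", "mallory", "carol"):
        print(name, access_mode(SAMPLE_HGRC, name))
```

A user who is in neither list ends up read-only, so a key whose name is missing from the configuration fails closed.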

