ACLs and hgweb?

Jeff Abbott fdiv_bug at sniping.org
Wed Feb 27 14:25:02 CST 2008


Heya, Ezra!  Thanks for the feedback!

Ezra.Smith at bentley.com wrote:

> We're running on a Windows network here, and we've found that the best
> way to integrate Mercurial with our current access control setup was to
> use filesystem permissions and repository hooks. Hgweb already works
> well with filesystem permissions by default. If a user can't read a
> directory, it doesn't show up on the web interface.

Really?  How does that work?  At least with Apache on Linux, the hgweb 
script is running as the Apache user, not as the logged-in user.  Are 
you using NTLM authentication with IIS, or some such?

> To handle pushes and pulls more elegantly, we wrote some Python scripts
> that get called from prechangegroup and preoutgoing hooks. For any user
> trying to push/pull/clone a repository, a hook will find out what groups
> the user belongs to, match it against groups that have read or write
> access to the repository, and proceed accordingly.

I was also looking into hooks, and I found no clear way to identify the 
location which was being pulled from, or the REMOTE_USER setting.  Am I 
missing something?

> It's really easy to work with now that we have it set up. To change a
> repository's access controls, all we have to do is change its
> permissions in the filesystem, and that lets us control everything with
> ActiveDirectory groups.

This sounds pretty ideal, frankly, but I guess I'm doing something wrong 
with regards to how I'm trying to implement it here because it doesn't 
seem to work for me the way it works for you.  :-\

Thanks,
Jeff
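
The group-matching check described in the quoted text, sketched as an added example that is not part of the original message or of either poster's scripts. It assumes the server exposes the authenticated name as REMOTE_USER in the process environment (as a CGI server does); the group and ACL tables are constructed sample data, and `is_allowed` is a hypothetical helper.

```python
import os

# Hook name -> permission it needs: prechangegroup runs before incoming
# changesets are added (push), preoutgoing before changesets are sent
# (pull/clone).
REQUIRED = {"prechangegroup": "write", "preoutgoing": "read"}

# Constructed sample data (hypothetical). A real deployment would read group
# membership from the directory service and the ACL from the filesystem.
USER_GROUPS = {"alice": {"dev"}, "bob": {"qa"}, "carol": {"contractors"}}
REPO_ACL = {"/srv/hg/product": {"read": {"dev", "qa"}, "write": {"dev"}}}


def is_allowed(hooktype, user, repo_root, user_groups=USER_GROUPS, acl=REPO_ACL):
    """Return True only if one of the user's groups holds the needed permission.

    Fails closed: an unknown hook, a missing user, an unknown repository or
    an empty group set all result in a denial.
    """
    needed = REQUIRED.get(hooktype)
    if needed is None or not user:
        return False
    groups = user_groups.get(user, set())
    entry = acl.get(repo_root, {})
    allowed = set(entry.get(needed, set()))
    if needed == "read":
        # Assumption: groups with write access may also read.
        allowed |= set(entry.get("write", set()))
    return bool(groups & allowed)


def hook(ui, repo, hooktype, **kwargs):
    """In-process Mercurial hook; a true return value aborts the operation."""
    # Assumption: the web server exports the authenticated name as REMOTE_USER.
    # Values are handled as str here; Python 3 builds of Mercurial pass bytes.
    user = os.environ.get("REMOTE_USER")
    if is_allowed(hooktype, user, repo.root):
        return False
    ui.warn("access denied: %s for %s\n" % (hooktype, user or "<anonymous>"))
    return True
```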

