ACLs and hgweb?

Jesse Glick jesse.glick at sun.com
Wed Feb 27 15:54:17 CST 2008


Jeffrey Cunningham wrote:
> What about a system that takes its authorization list with it?
> Perhaps in some encrypted form? There could be a core person or group
> of persons who can add (or subtract), say, read or write privileges
> users. It could involve some kind of 'web of trust' like PGP.

I believe Monotone does something like this. Perhaps a similar system 
could be implemented as a Mercurial extension if there is enough 
interest. It would be interesting; you could pull promiscuously from 
various sources but only selectively merge your own branch(es) with 
heads signed by people you trust.

Anyway, for the simple case of hgwebdir serving several repositories, it 
is not difficult to set up a per-repo ACL for push at least. You just make 
Apache authenticate using HTTP basic authentication, then define a 
separate web.allow_push list for each repo in its .hg/hgrc.

I have not heard of attempts to restrict view or pull access, but 
perhaps you could do this with Apache configuration to permit access to 
certain URLs to certain principals only.
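
An added example, not part of the original post and not Mercurial's own code: a simplified model of how a per-repo `web.allow_push` list decides a push for the user name Apache authenticated, plus an audit of settings that weaken it. It goes beyond the post by also reading the `web.deny_push` and `web.push_ssl` settings; the repository names, user names and hgrc contents are constructed.

```python
import configparser
import re

# Constructed per-repository .hg/hgrc contents (repo names and users are made up).
SAMPLE_HGRCS = {
    "project-a": "[web]\nallow_push = alice, bob\n",
    "project-b": "[web]\nallow_push = *\npush_ssl = false\n",
    "project-c": "[web]\ndescription = read-only mirror\n",
    "project-d": "[web]\nallow_push = alice carol\ndeny_push = carol\n",
}

def load(hgrc_text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(hgrc_text)
    return cfg

def _web_list(cfg, key):
    """Read a [web] list value; hgrc lists are comma- or whitespace-separated."""
    raw = cfg.get("web", key, fallback="")
    return [item for item in re.split(r"[,\s]+", raw) if item]

def may_push(hgrc_text, remote_user):
    """Simplified model; remote_user is Apache's REMOTE_USER, None if unauthenticated."""
    cfg = load(hgrc_text)
    deny, allow = _web_list(cfg, "deny_push"), _web_list(cfg, "allow_push")
    # A non-empty deny list rejects unauthenticated clients and listed users.
    if deny and (remote_user is None or "*" in deny or remote_user in deny):
        return False
    if not allow:  # unset or empty: nobody may push
        return False
    return "*" in allow or remote_user in allow

def audit(hgrcs):
    """Return {repo: [findings]} for settings that weaken the per-repo push ACL."""
    findings = {}
    for repo, text in hgrcs.items():
        cfg, notes = load(text), []
        if "*" in _web_list(cfg, "allow_push"):
            notes.append("allow_push = * lets any client push, authenticated or not")
        if not cfg.getboolean("web", "push_ssl", fallback=True):
            notes.append("push_ssl off: basic-auth credentials may cross the wire in clear")
        findings[repo] = notes
    return findings

if __name__ == "__main__":
    for repo, notes in audit(SAMPLE_HGRCS).items():
        print(repo, notes or "ok")
```
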


