Acl Extension

1. Overview

The ACL extension lets you have fine grained access control to parts of a repository using deny and allow lists. These lists associate glob patterns to users. Furthermore, it can restrict changes depending on its source (http, ssh, pull, push, bundle).

It's recommended that this extension is used with hg-ssh (a restricted shell for mercurial ssh access) to tighten security.

2. Configuration

Below is an example configuration file (hgrc) provided with the sources. The acl lists use the pattern = user syntax, where pattern is a glob by default. :

[extensions]
hgext.acl=

[hooks]
pretxtnchangegroup.acl = python:hgext.acl.hook

[acl]
sources = serve        # check if source of incoming changes in this list
                       # ("serve" == ssh or http, "push", "pull", "bundle")

[acl.allow]
# if acl.allow not present, all users allowed by default
# empty acl.allow = no users allowed
docs/** = doc_writer
.hgtags = release_engineer

[acl.deny]
# if acl.deny not present, no users denied by default
# empty acl.deny = all users allowed
glob pattern = user4, user5
** = user6