--- a/hgext/acl.py	Sat Jun 20 18:58:34 2009 +0200
+++ b/hgext/acl.py	Sun Jun 21 19:06:57 2009 +0200
@@ -5,49 +5,49 @@
 # This software may be used and distributed according to the terms of the
 # GNU General Public License version 2, incorporated herein by reference.
 #
-# this hook allows to allow or deny access to parts of a repo when
-# taking incoming changesets.
-#
-# authorization is against local user name on system where hook is
-# run, not committer of original changeset (since that is easy to
-# spoof).
-#
-# acl hook is best to use if you use hgsh to set up restricted shells
-# for authenticated users to only push to / pull from.  not safe if
-# user has interactive shell access, because they can disable hook.
-# also not safe if remote users share one local account, because then
-# no way to tell remote users apart.
-#
-# to use, configure acl extension in hgrc like this:
-#
-#   [extensions]
-#   hgext.acl =
-#
-#   [hooks]
-#   pretxnchangegroup.acl = python:hgext.acl.hook
-#
-#   [acl]
-#   sources = serve        # check if source of incoming changes in this list
-#                          # ("serve" == ssh or http, "push", "pull", "bundle")
-#
-# allow and deny lists have subtree pattern (default syntax is glob)
-# on left, user names on right. deny list checked before allow list.
-#
-#   [acl.allow]
-#   # if acl.allow not present, all users allowed by default
-#   # empty acl.allow = no users allowed
-#   docs/** = doc_writer
-#   .hgtags = release_engineer
-#
-#   [acl.deny]
-#   # if acl.deny not present, no users denied by default
-#   # empty acl.deny = all users allowed
-#   glob pattern = user4, user5
-#   ** = user6
+
+'''provide simple hooks for access control
+
+Authorization is against local user name on system where hook is run, not
+committer of original changeset (since that is easy to spoof).
+
+The acl hook is best to use if you use hgsh to set up restricted shells for
+authenticated users to only push to / pull from. It's not safe if user has
+interactive shell access, because they can disable the hook. It's also not
+safe if remote users share one local account, because then there's no way to
+tell remote users apart.
+
+To use, configure the acl extension in hgrc like this:
+
+  [extensions]
+  hgext.acl =
+
+  [hooks]
+  pretxnchangegroup.acl = python:hgext.acl.hook
+
+  [acl]
+  sources = serve        # check if source of incoming changes in this list
+                         # ("serve" == ssh or http, "push", "pull", "bundle")
+
+Allow and deny lists have a subtree pattern (default syntax is glob) on the
+left and user names on right. The deny list is checked before the allow list.
+
+  [acl.allow]
+  # if acl.allow not present, all users allowed by default
+  # empty acl.allow = no users allowed
+  docs/** = doc_writer
+  .hgtags = release_engineer
+
+  [acl.deny]
+  # if acl.deny not present, no users denied by default
+  # empty acl.deny = all users allowed
+  glob pattern = user4, user5
+   ** = user6
+'''
 
 from mercurial.i18n import _
 from mercurial import util, match
-import getpass
+import getpass, urllib
 
 def buildmatch(ui, repo, user, key):
     '''return tuple of (match function, list enabled).'''
@@ -72,7 +72,15 @@
         ui.debug(_('acl: changes have source "%s" - skipping\n') % source)
         return
 
-    user = getpass.getuser()
+    user = None
+    if source == 'serve' and 'url' in kwargs:
+        url = kwargs['url'].split(':')
+        if url[0] == 'remote' and url[1].startswith('http'):
+            user = urllib.unquote(url[2])
+
+    if user is None:
+        user = getpass.getuser()
+
     cfg = ui.config('acl', 'config')
     if cfg:
         ui.readconfig(cfg, sections = ['acl.allow', 'acl.deny'])