hgext/acl.py
author Raphaël Gomès <rgomes@octobus.net>
Mon, 15 Mar 2021 10:57:02 +0100
changeset 46719 0732a7264226
parent 45942 89a2afe31e82
child 48875 6000f5b25c9b
permissions -rw-r--r--
configitems: add TODOs blocking the move out of experimental for revlogv2 These are the todos so far, we probably will have more, but we might as well list them while they're fresh in our minds. Differential Revision: https://phab.mercurial-scm.org/D10216
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     1
# acl.py - changeset access control for mercurial
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     2
#
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     3
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     4
#
8225
46293a0c7e9f updated license to be explicit about GPL version 2
Martin Geisler <mg@lazybytes.net>
parents: 8142
diff changeset
     5
# This software may be used and distributed according to the terms of the
10263
25e572394f5c Update license to GPLv2+
Matt Mackall <mpm@selenic.com>
parents: 10112
diff changeset
     6
# GNU General Public License version 2 or any later version.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
     7
8935
f4f0e902b750 extensions: change descriptions for hook-providing extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8894
diff changeset
     8
'''hooks for controlling repository access
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
     9
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    10
This hook makes it possible to allow or deny write access to given
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    11
branches and paths of a repository when receiving incoming changesets
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    12
via pretxnchangegroup and pretxncommit.
9250
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    13
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    14
The authorization is matched based on the local user name on the
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    15
system where the hook runs, and not the committer of the original
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    16
changeset (since the latter is merely informative).
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    17
9250
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    18
The acl hook is best used along with a restricted shell like hgsh,
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    19
preventing authenticating users from doing anything other than pushing
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    20
or pulling. The hook is not safe to use if users have interactive
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    21
shell access, as they can then disable the hook. Nor is it safe if
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    22
remote users share an account, because then there is no way to
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    23
distinguish them.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    24
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    25
The order in which access checks are performed is:
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    26
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    27
1) Deny  list for branches (section ``acl.deny.branches``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    28
2) Allow list for branches (section ``acl.allow.branches``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    29
3) Deny  list for paths    (section ``acl.deny``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    30
4) Allow list for paths    (section ``acl.allow``)
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
    31
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    32
The allow and deny sections take key-value pairs.
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    33
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    34
Branch-based Access Control
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    35
---------------------------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    36
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    37
Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    38
have branch-based access control. Keys in these sections can be
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    39
either:
11057
7f0796a0b35c acl: fix ReST syntax in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11042
diff changeset
    40
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    41
- a branch name, or
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    42
- an asterisk, to match any branch;
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    43
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    44
The corresponding values can be either:
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    45
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    46
- a comma-separated list containing users and groups, or
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    47
- an asterisk, to match anyone;
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
    48
16957
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
    49
You can add the "!" prefix to a user or group name to invert the sense
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
    50
of the match.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
    51
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    52
Path-based Access Control
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    53
-------------------------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    54
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    55
Use the ``acl.deny`` and ``acl.allow`` sections to have path-based
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    56
access control. Keys in these sections accept a subtree pattern (with
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    57
a glob syntax by default). The corresponding values follow the same
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    58
syntax as the other sections above.
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    59
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    60
Bookmark-based Access Control
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    61
-----------------------------
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    62
Use the ``acl.deny.bookmarks`` and ``acl.allow.bookmarks`` sections to
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    63
have bookmark-based access control. Keys in these sections can be
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    64
either:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    65
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    66
- a bookmark name, or
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    67
- an asterisk, to match any bookmark;
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    68
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    69
The corresponding values can be either:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    70
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    71
- a comma-separated list containing users and groups, or
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    72
- an asterisk, to match anyone;
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    73
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    74
You can add the "!" prefix to a user or group name to invert the sense
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    75
of the match.
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    76
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    77
Note: for interactions between clients and servers using Mercurial 3.6+
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    78
a rejection will generally reject the entire push, for interactions
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    79
involving older clients, the commit transactions will already be accepted,
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    80
and only the bookmark movement will be rejected.
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    81
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    82
Groups
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    83
------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    84
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    85
Group names must be prefixed with an ``@`` symbol. Specifying a group
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    86
name has the same effect as specifying all the users in that group.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    87
11115
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    88
You can define group members in the ``acl.groups`` section.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    89
If a group name is not defined there, and Mercurial is running under
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    90
a Unix-like system, the list of users will be taken from the OS.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    91
Otherwise, an exception will be raised.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    92
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    93
Example Configuration
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    94
---------------------
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    95
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    96
::
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    97
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    98
  [hooks]
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
    99
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   100
  # Use this if you want to check access restrictions at commit time
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   101
  pretxncommit.acl = python:hgext.acl.hook
11423
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   102
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   103
  # Use this if you want to check access restrictions for pull, push,
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   104
  # bundle and serve.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   105
  pretxnchangegroup.acl = python:hgext.acl.hook
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   106
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   107
  [acl]
11131
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   108
  # Allow or deny access for incoming changes only if their source is
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   109
  # listed here, let them pass otherwise. Source is "serve" for all
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   110
  # remote access (http or ssh), "push", "pull" or "bundle" when the
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   111
  # related commands are run locally.
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   112
  # Default: serve
8893
cc0593af30d4 acl: help improvements
Cédric Duval <cedricduval@free.fr>
parents: 8873
diff changeset
   113
  sources = serve
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   114
11423
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   115
  [acl.deny.branches]
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   116
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   117
  # Everyone is denied to the frozen branch:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   118
  frozen-branch = *
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   119
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   120
  # A bad user is denied on all branches:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   121
  * = bad-user
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   122
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   123
  [acl.allow.branches]
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   124
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   125
  # A few users are allowed on branch-a:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   126
  branch-a = user-1, user-2, user-3
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   127
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   128
  # Only one user is allowed on branch-b:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   129
  branch-b = user-1
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   130
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   131
  # The super user is allowed on any branch:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   132
  * = super-user
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   133
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   134
  # Everyone is allowed on branch-for-tests:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   135
  branch-for-tests = *
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   136
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   137
  [acl.deny]
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   138
  # This list is checked first. If a match is found, acl.allow is not
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   139
  # checked. All users are granted access if acl.deny is not present.
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   140
  # Format for both lists: glob pattern = user, ..., @group, ...
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   141
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   142
  # To match everyone, use an asterisk for the user:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   143
  # my/glob/pattern = *
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   144
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   145
  # user6 will not have write access to any file:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   146
  ** = user6
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   147
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   148
  # Group "hg-denied" will not have write access to any file:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   149
  ** = @hg-denied
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   150
17537
31f32a96e1e3 Merge spelling fixes
Bryan O'Sullivan <bryano@fb.com>
parents: 17487
diff changeset
   151
  # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   152
  # everyone being able to change all other files. See below.
17537
31f32a96e1e3 Merge spelling fixes
Bryan O'Sullivan <bryano@fb.com>
parents: 17487
diff changeset
   153
  src/main/resources/DONT-TOUCH-THIS.txt = *
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   154
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   155
  [acl.allow]
11131
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   156
  # if acl.allow is not present, all users are allowed by default
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   157
  # empty acl.allow = no users allowed
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   158
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   159
  # User "doc_writer" has write access to any file under the "docs"
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   160
  # folder:
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   161
  docs/** = doc_writer
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   162
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   163
  # User "jack" and group "designers" have write access to any file
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   164
  # under the "images" folder:
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   165
  images/** = jack, @designers
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   166
16499
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
   167
  # Everyone (except for "user6" and "@hg-denied" - see acl.deny above)
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
   168
  # will have write access to any file under the "resources" folder
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
   169
  # (except for 1 file. See acl.deny):
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   170
  src/main/resources/** = *
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   171
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   172
  .hgtags = release_engineer
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   173
16957
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   174
Examples using the "!" prefix
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   175
.............................
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   176
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   177
Suppose there's a branch that only a given user (or group) should be able to
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   178
push to, and you don't want to restrict access to any other branch that may
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   179
be created.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   180
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   181
The "!" prefix allows you to prevent anyone except a given user or group to
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   182
push changesets in a given branch or path.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   183
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   184
In the examples below, we will:
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   185
1) Deny access to branch "ring" to anyone but user "gollum"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   186
2) Deny access to branch "lake" to anyone but members of the group "hobbit"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   187
3) Deny access to a file to anyone but user "gollum"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   188
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   189
::
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   190
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   191
  [acl.allow.branches]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   192
  # Empty
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   193
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   194
  [acl.deny.branches]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   195
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   196
  # 1) only 'gollum' can commit to branch 'ring';
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   197
  # 'gollum' and anyone else can still commit to any other branch.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   198
  ring = !gollum
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   199
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   200
  # 2) only members of the group 'hobbit' can commit to branch 'lake';
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   201
  # 'hobbit' members and anyone else can still commit to any other branch.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   202
  lake = !@hobbit
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   203
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   204
  # You can also deny access based on file paths:
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   205
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   206
  [acl.allow]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   207
  # Empty
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   208
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   209
  [acl.deny]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   210
  # 3) only 'gollum' can change the file below;
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   211
  # 'gollum' and anyone else can still change any other file.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   212
  /misty/mountains/cave/ring = !gollum
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   213
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   214
'''
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   215
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   216
from __future__ import absolute_import
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   217
3891
6b4127c7d52a Simplify i18n imports
Matt Mackall <mpm@selenic.com>
parents: 3877
diff changeset
   218
from mercurial.i18n import _
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   219
from mercurial import (
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   220
    error,
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   221
    extensions,
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   222
    match,
38783
e7aa113b14f7 global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 38531
diff changeset
   223
    pycompat,
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   224
    registrar,
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   225
    util,
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   226
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   227
from mercurial.utils import procutil
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   228
28883
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
   229
urlreq = util.urlreq
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
   230
29841
d5883fd055c6 extensions: change magic "shipped with hg" string
Augie Fackler <augie@google.com>
parents: 28883
diff changeset
   231
# Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for
25186
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
   232
# extensions which SHIP WITH MERCURIAL. Non-mainline extensions should
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
   233
# be specifying the version(s) of Mercurial they are tested with, or
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
   234
# leave the attribute unspecified.
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   235
testedwith = b'ships-with-hg-core'
16743
38caf405d010 hgext: mark all first-party extensions as such
Augie Fackler <raf@durin42.com>
parents: 16499
diff changeset
   236
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   237
configtable = {}
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   238
configitem = registrar.configitem(configtable)
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   239
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   240
# deprecated config: acl.config
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   241
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   242
    b'acl',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   243
    b'config',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   244
    default=None,
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   245
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   246
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   247
    b'acl.groups',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   248
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   249
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   250
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   251
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   252
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   253
    b'acl.deny.branches',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   254
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   255
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   256
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   257
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   258
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   259
    b'acl.allow.branches',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   260
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   261
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   262
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   263
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   264
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   265
    b'acl.deny',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   266
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   267
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   268
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   269
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   270
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   271
    b'acl.allow',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   272
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   273
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   274
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   275
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   276
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   277
    b'acl',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   278
    b'sources',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   279
    default=lambda: [b'serve'],
33186
478cb17cc610 configitems: register the 'acl.sources' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 33185
diff changeset
   280
)
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   281
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   282
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   283
def _getusers(ui, group):
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   284
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   285
    # First, try to use group definition from section [acl.groups]
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   286
    hgrcusers = ui.configlist(b'acl.groups', group)
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   287
    if hgrcusers:
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   288
        return hgrcusers
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   289
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   290
    ui.debug(b'acl: "%s" not defined in [acl.groups]\n' % group)
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   291
    # If no users found in group definition, get users from OS-level group
11140
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
   292
    try:
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
   293
        return util.groupmembers(group)
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
   294
    except KeyError:
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   295
        raise error.Abort(_(b"group '%s' is undefined") % group)
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   296
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   297
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   298
def _usermatch(ui, user, usersorgroups):
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   299
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   300
    if usersorgroups == b'*':
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   301
        return True
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   302
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   303
    for ug in usersorgroups.replace(b',', b' ').split():
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   304
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   305
        if ug.startswith(b'!'):
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   306
            # Test for excluded user or group. Format:
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   307
            # if ug is a user  name: !username
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   308
            # if ug is a group name: !@groupname
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   309
            ug = ug[1:]
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   310
            if (
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   311
                not ug.startswith(b'@')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   312
                and user != ug
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   313
                or ug.startswith(b'@')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   314
                and user not in _getusers(ui, ug[1:])
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   315
            ):
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   316
                return True
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   317
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   318
        # Test for user or group. Format:
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   319
        # if ug is a user  name: username
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   320
        # if ug is a group name: @groupname
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   321
        elif (
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   322
            user == ug or ug.startswith(b'@') and user in _getusers(ui, ug[1:])
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   323
        ):
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   324
            return True
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   325
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   326
    return False
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   327
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   328
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   329
def buildmatch(ui, repo, user, key):
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   330
    '''return tuple of (match function, list enabled).'''
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   331
    if not ui.has_section(key):
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   332
        ui.debug(b'acl: %s not enabled\n' % key)
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   333
        return None
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   334
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   335
    pats = [
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   336
        pat for pat, users in ui.configitems(key) if _usermatch(ui, user, users)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   337
    ]
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   338
    ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   339
        b'acl: %s enabled, %d entries for user %s\n' % (key, len(pats), user)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   340
    )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   341
16765
754e98e0a615 acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents: 16764
diff changeset
   342
    # Branch-based ACL
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   343
    if not repo:
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   344
        if pats:
16766
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   345
            # If there's an asterisk (meaning "any branch"), always return True;
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   346
            # Otherwise, test if b is in pats
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   347
            if b'*' in pats:
16766
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   348
                return util.always
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   349
            return lambda b: b in pats
16764
ffb68b9dbaa9 acl: 'util.never' used
Elifarley Callado Coelho Cruz
parents: 16763
diff changeset
   350
        return util.never
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   351
16765
754e98e0a615 acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents: 16764
diff changeset
   352
    # Path-based ACL
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   353
    if pats:
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   354
        return match.match(repo.root, b'', pats)
16767
363bde4224c8 acl: 'util.never' can be used instead of a more complex expression
Elifarley Callado Coelho Cruz
parents: 16766
diff changeset
   355
    return util.never
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   356
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   357
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   358
def ensureenabled(ui):
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   359
    """make sure the extension is enabled when used as hook
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   360
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   361
    When acl is used through hooks, the extension is never formally loaded and
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   362
    enabled. This has some side effect, for example the config declaration is
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   363
    never loaded. This function ensure the extension is enabled when running
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   364
    hooks.
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   365
    """
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   366
    if b'acl' in ui._knownconfig:
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   367
        return
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   368
    ui.setconfig(b'extensions', b'acl', b'', source=b'internal')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   369
    extensions.loadall(ui, [b'acl'])
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   370
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   371
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   372
def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   373
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   374
    ensureenabled(ui)
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   375
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   376
    if hooktype not in [b'pretxnchangegroup', b'pretxncommit', b'prepushkey']:
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   377
        raise error.Abort(
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   378
            _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   379
                b'config error - hook type "%s" cannot stop '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   380
                b'incoming changesets, commits, nor bookmarks'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   381
            )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   382
            % hooktype
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   383
        )
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   384
    if hooktype == b'pretxnchangegroup' and source not in ui.configlist(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   385
        b'acl', b'sources'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   386
    ):
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   387
        ui.debug(b'acl: changes have source "%s" - skipping\n' % source)
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   388
        return
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   389
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   390
    user = None
43506
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   391
    if source == b'serve' and 'url' in kwargs:
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   392
        url = kwargs['url'].split(b':')
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   393
        if url[0] == b'remote' and url[1].startswith(b'http'):
28883
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
   394
            user = urlreq.unquote(url[3])
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   395
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   396
    if user is None:
37120
a8a902d7176e procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents: 36412
diff changeset
   397
        user = procutil.getuser()
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   398
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   399
    ui.debug(b'acl: checking access for user "%s"\n' % user)
15207
0f7f9f06c759 acl: more descriptive error messages
Elifarley Callado Coelho Cruz
parents: 12778
diff changeset
   400
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   401
    if hooktype == b'prepushkey':
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   402
        _pkhook(ui, repo, hooktype, node, source, user, **kwargs)
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   403
    else:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   404
        _txnhook(ui, repo, hooktype, node, source, user, **kwargs)
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   405
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   406
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   407
def _pkhook(ui, repo, hooktype, node, source, user, **kwargs):
43506
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   408
    if kwargs['namespace'] == b'bookmarks':
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   409
        bookmark = kwargs['key']
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   410
        ctx = kwargs['new']
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   411
        allowbookmarks = buildmatch(ui, None, user, b'acl.allow.bookmarks')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   412
        denybookmarks = buildmatch(ui, None, user, b'acl.deny.bookmarks')
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   413
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   414
        if denybookmarks and denybookmarks(bookmark):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   415
            raise error.Abort(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   416
                _(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   417
                    b'acl: user "%s" denied on bookmark "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   418
                    b' (changeset "%s")'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   419
                )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   420
                % (user, bookmark, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   421
            )
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   422
        if allowbookmarks and not allowbookmarks(bookmark):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   423
            raise error.Abort(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   424
                _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   425
                    b'acl: user "%s" not allowed on bookmark "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   426
                    b' (changeset "%s")'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   427
                )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   428
                % (user, bookmark, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   429
            )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   430
        ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   431
            b'acl: bookmark access granted: "%s" on bookmark "%s"\n'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   432
            % (ctx, bookmark)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   433
        )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   434
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   435
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   436
def _txnhook(ui, repo, hooktype, node, source, user, **kwargs):
25792
dd166d42e7b2 acl: mark deprecated config option
Matt Mackall <mpm@selenic.com>
parents: 25186
diff changeset
   437
    # deprecated config: acl.config
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   438
    cfg = ui.config(b'acl', b'config')
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   439
    if cfg:
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   440
        ui.readconfig(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   441
            cfg,
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   442
            sections=[
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   443
                b'acl.groups',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   444
                b'acl.allow.branches',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   445
                b'acl.deny.branches',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   446
                b'acl.allow',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   447
                b'acl.deny',
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   448
            ],
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   449
        )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   450
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   451
    allowbranches = buildmatch(ui, None, user, b'acl.allow.branches')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   452
    denybranches = buildmatch(ui, None, user, b'acl.deny.branches')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   453
    allow = buildmatch(ui, repo, user, b'acl.allow')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   454
    deny = buildmatch(ui, repo, user, b'acl.deny')
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   455
38783
e7aa113b14f7 global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 38531
diff changeset
   456
    for rev in pycompat.xrange(repo[node].rev(), len(repo)):
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   457
        ctx = repo[rev]
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   458
        branch = ctx.branch()
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   459
        if denybranches and denybranches(branch):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   460
            raise error.Abort(
43117
8ff1ecfadcd1 cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents: 43077
diff changeset
   461
                _(b'acl: user "%s" denied on branch "%s" (changeset "%s")')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   462
                % (user, branch, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   463
            )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   464
        if allowbranches and not allowbranches(branch):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   465
            raise error.Abort(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   466
                _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   467
                    b'acl: user "%s" not allowed on branch "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   468
                    b' (changeset "%s")'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   469
                )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   470
                % (user, branch, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   471
            )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   472
        ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   473
            b'acl: branch access granted: "%s" on branch "%s"\n' % (ctx, branch)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   474
        )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   475
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   476
        for f in ctx.files():
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   477
            if deny and deny(f):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   478
                raise error.Abort(
43117
8ff1ecfadcd1 cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents: 43077
diff changeset
   479
                    _(b'acl: user "%s" denied on "%s" (changeset "%s")')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   480
                    % (user, f, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   481
                )
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   482
            if allow and not allow(f):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   483
                raise error.Abort(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   484
                    _(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   485
                        b'acl: user "%s" not allowed on "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   486
                        b' (changeset "%s")'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   487
                    )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   488
                    % (user, f, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   489
                )
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   490
        ui.debug(b'acl: path access granted: "%s"\n' % ctx)