hgext/acl.py
author Gregory Szorc <gregory.szorc@gmail.com>
Tue, 01 Mar 2022 20:37:09 -0800
changeset 48909 0aae0e2e90fc
parent 48875 6000f5b25c9b
child 49284 d44e3c45f0e4
permissions -rw-r--r--
revlogutils: unconditionally pass version to random seed Differential Revision: https://phab.mercurial-scm.org/D12312
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     1
# acl.py - changeset access control for mercurial
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     2
#
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     3
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     4
#
8225
46293a0c7e9f updated license to be explicit about GPL version 2
Martin Geisler <mg@lazybytes.net>
parents: 8142
diff changeset
     5
# This software may be used and distributed according to the terms of the
10263
25e572394f5c Update license to GPLv2+
Matt Mackall <mpm@selenic.com>
parents: 10112
diff changeset
     6
# GNU General Public License version 2 or any later version.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
     7
8935
f4f0e902b750 extensions: change descriptions for hook-providing extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8894
diff changeset
     8
'''hooks for controlling repository access
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
     9
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    10
This hook makes it possible to allow or deny write access to given
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    11
branches and paths of a repository when receiving incoming changesets
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    12
via pretxnchangegroup and pretxncommit.
9250
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    13
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    14
The authorization is matched based on the local user name on the
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    15
system where the hook runs, and not the committer of the original
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    16
changeset (since the latter is merely informative).
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    17
9250
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
    18
The acl hook is best used along with a restricted shell like hgsh,
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    19
preventing authenticating users from doing anything other than pushing
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    20
or pulling. The hook is not safe to use if users have interactive
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    21
shell access, as they can then disable the hook. Nor is it safe if
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    22
remote users share an account, because then there is no way to
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    23
distinguish them.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    24
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    25
The order in which access checks are performed is:
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    26
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    27
1) Deny  list for branches (section ``acl.deny.branches``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    28
2) Allow list for branches (section ``acl.allow.branches``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    29
3) Deny  list for paths    (section ``acl.deny``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    30
4) Allow list for paths    (section ``acl.allow``)
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
    31
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    32
The allow and deny sections take key-value pairs.
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    33
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    34
Branch-based Access Control
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    35
---------------------------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    36
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    37
Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    38
have branch-based access control. Keys in these sections can be
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    39
either:
11057
7f0796a0b35c acl: fix ReST syntax in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11042
diff changeset
    40
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    41
- a branch name, or
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    42
- an asterisk, to match any branch;
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    43
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    44
The corresponding values can be either:
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    45
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    46
- a comma-separated list containing users and groups, or
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    47
- an asterisk, to match anyone;
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
    48
16957
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
    49
You can add the "!" prefix to a user or group name to invert the sense
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
    50
of the match.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
    51
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    52
Path-based Access Control
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    53
-------------------------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    54
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    55
Use the ``acl.deny`` and ``acl.allow`` sections to have path-based
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    56
access control. Keys in these sections accept a subtree pattern (with
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    57
a glob syntax by default). The corresponding values follow the same
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    58
syntax as the other sections above.
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    59
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    60
Bookmark-based Access Control
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    61
-----------------------------
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    62
Use the ``acl.deny.bookmarks`` and ``acl.allow.bookmarks`` sections to
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    63
have bookmark-based access control. Keys in these sections can be
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    64
either:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    65
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    66
- a bookmark name, or
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    67
- an asterisk, to match any bookmark;
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    68
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    69
The corresponding values can be either:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    70
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    71
- a comma-separated list containing users and groups, or
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    72
- an asterisk, to match anyone;
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    73
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    74
You can add the "!" prefix to a user or group name to invert the sense
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    75
of the match.
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    76
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    77
Note: for interactions between clients and servers using Mercurial 3.6+
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    78
a rejection will generally reject the entire push, for interactions
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    79
involving older clients, the commit transactions will already be accepted,
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    80
and only the bookmark movement will be rejected.
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
    81
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    82
Groups
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    83
------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
    84
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    85
Group names must be prefixed with an ``@`` symbol. Specifying a group
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
    86
name has the same effect as specifying all the users in that group.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    87
11115
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    88
You can define group members in the ``acl.groups`` section.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    89
If a group name is not defined there, and Mercurial is running under
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    90
a Unix-like system, the list of users will be taken from the OS.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    91
Otherwise, an exception will be raised.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
    92
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    93
Example Configuration
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
    94
---------------------
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    95
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
    96
::
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    97
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
    98
  [hooks]
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
    99
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   100
  # Use this if you want to check access restrictions at commit time
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   101
  pretxncommit.acl = python:hgext.acl.hook
11423
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   102
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   103
  # Use this if you want to check access restrictions for pull, push,
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   104
  # bundle and serve.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   105
  pretxnchangegroup.acl = python:hgext.acl.hook
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   106
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   107
  [acl]
11131
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   108
  # Allow or deny access for incoming changes only if their source is
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   109
  # listed here, let them pass otherwise. Source is "serve" for all
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   110
  # remote access (http or ssh), "push", "pull" or "bundle" when the
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   111
  # related commands are run locally.
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   112
  # Default: serve
8893
cc0593af30d4 acl: help improvements
Cédric Duval <cedricduval@free.fr>
parents: 8873
diff changeset
   113
  sources = serve
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   114
11423
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   115
  [acl.deny.branches]
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   116
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   117
  # Everyone is denied to the frozen branch:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   118
  frozen-branch = *
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   119
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   120
  # A bad user is denied on all branches:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   121
  * = bad-user
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   122
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   123
  [acl.allow.branches]
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   124
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   125
  # A few users are allowed on branch-a:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   126
  branch-a = user-1, user-2, user-3
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   127
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   128
  # Only one user is allowed on branch-b:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   129
  branch-b = user-1
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   130
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   131
  # The super user is allowed on any branch:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   132
  * = super-user
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   133
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   134
  # Everyone is allowed on branch-for-tests:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
   135
  branch-for-tests = *
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   136
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   137
  [acl.deny]
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   138
  # This list is checked first. If a match is found, acl.allow is not
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   139
  # checked. All users are granted access if acl.deny is not present.
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   140
  # Format for both lists: glob pattern = user, ..., @group, ...
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   141
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   142
  # To match everyone, use an asterisk for the user:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   143
  # my/glob/pattern = *
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   144
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   145
  # user6 will not have write access to any file:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   146
  ** = user6
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   147
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   148
  # Group "hg-denied" will not have write access to any file:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   149
  ** = @hg-denied
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   150
17537
31f32a96e1e3 Merge spelling fixes
Bryan O'Sullivan <bryano@fb.com>
parents: 17487
diff changeset
   151
  # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   152
  # everyone being able to change all other files. See below.
17537
31f32a96e1e3 Merge spelling fixes
Bryan O'Sullivan <bryano@fb.com>
parents: 17487
diff changeset
   153
  src/main/resources/DONT-TOUCH-THIS.txt = *
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   154
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   155
  [acl.allow]
11131
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
   156
  # if acl.allow is not present, all users are allowed by default
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   157
  # empty acl.allow = no users allowed
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   158
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   159
  # User "doc_writer" has write access to any file under the "docs"
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   160
  # folder:
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   161
  docs/** = doc_writer
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   162
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   163
  # User "jack" and group "designers" have write access to any file
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
   164
  # under the "images" folder:
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   165
  images/** = jack, @designers
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   166
16499
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
   167
  # Everyone (except for "user6" and "@hg-denied" - see acl.deny above)
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
   168
  # will have write access to any file under the "resources" folder
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
   169
  # (except for 1 file. See acl.deny):
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   170
  src/main/resources/** = *
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
   171
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   172
  .hgtags = release_engineer
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   173
16957
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   174
Examples using the "!" prefix
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   175
.............................
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   176
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   177
Suppose there's a branch that only a given user (or group) should be able to
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   178
push to, and you don't want to restrict access to any other branch that may
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   179
be created.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   180
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   181
The "!" prefix allows you to prevent anyone except a given user or group to
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   182
push changesets in a given branch or path.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   183
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   184
In the examples below, we will:
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   185
1) Deny access to branch "ring" to anyone but user "gollum"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   186
2) Deny access to branch "lake" to anyone but members of the group "hobbit"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   187
3) Deny access to a file to anyone but user "gollum"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   188
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   189
::
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   190
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   191
  [acl.allow.branches]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   192
  # Empty
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   193
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   194
  [acl.deny.branches]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   195
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   196
  # 1) only 'gollum' can commit to branch 'ring';
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   197
  # 'gollum' and anyone else can still commit to any other branch.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   198
  ring = !gollum
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   199
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   200
  # 2) only members of the group 'hobbit' can commit to branch 'lake';
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   201
  # 'hobbit' members and anyone else can still commit to any other branch.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   202
  lake = !@hobbit
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   203
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   204
  # You can also deny access based on file paths:
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   205
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   206
  [acl.allow]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   207
  # Empty
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   208
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   209
  [acl.deny]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   210
  # 3) only 'gollum' can change the file below;
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   211
  # 'gollum' and anyone else can still change any other file.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   212
  /misty/mountains/cave/ring = !gollum
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
   213
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
   214
'''
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   215
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   216
3891
6b4127c7d52a Simplify i18n imports
Matt Mackall <mpm@selenic.com>
parents: 3877
diff changeset
   217
from mercurial.i18n import _
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   218
from mercurial import (
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   219
    error,
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   220
    extensions,
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   221
    match,
38783
e7aa113b14f7 global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 38531
diff changeset
   222
    pycompat,
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   223
    registrar,
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   224
    util,
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
   225
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   226
from mercurial.utils import procutil
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   227
28883
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
   228
urlreq = util.urlreq
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
   229
29841
d5883fd055c6 extensions: change magic "shipped with hg" string
Augie Fackler <augie@google.com>
parents: 28883
diff changeset
   230
# Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for
25186
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
   231
# extensions which SHIP WITH MERCURIAL. Non-mainline extensions should
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
   232
# be specifying the version(s) of Mercurial they are tested with, or
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
   233
# leave the attribute unspecified.
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   234
testedwith = b'ships-with-hg-core'
16743
38caf405d010 hgext: mark all first-party extensions as such
Augie Fackler <raf@durin42.com>
parents: 16499
diff changeset
   235
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   236
configtable = {}
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   237
configitem = registrar.configitem(configtable)
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   238
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   239
# deprecated config: acl.config
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   240
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   241
    b'acl',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   242
    b'config',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   243
    default=None,
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   244
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   245
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   246
    b'acl.groups',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   247
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   248
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   249
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   250
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   251
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   252
    b'acl.deny.branches',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   253
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   254
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   255
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   256
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   257
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   258
    b'acl.allow.branches',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   259
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   260
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   261
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   262
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   263
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   264
    b'acl.deny',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   265
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   266
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   267
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   268
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   269
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   270
    b'acl.allow',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   271
    b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   272
    default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   273
    generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
   274
)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   275
configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   276
    b'acl',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   277
    b'sources',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
   278
    default=lambda: [b'serve'],
33186
478cb17cc610 configitems: register the 'acl.sources' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 33185
diff changeset
   279
)
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
   280
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   281
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   282
def _getusers(ui, group):
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   283
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   284
    # First, try to use group definition from section [acl.groups]
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   285
    hgrcusers = ui.configlist(b'acl.groups', group)
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   286
    if hgrcusers:
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   287
        return hgrcusers
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   288
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   289
    ui.debug(b'acl: "%s" not defined in [acl.groups]\n' % group)
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   290
    # If no users found in group definition, get users from OS-level group
11140
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
   291
    try:
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
   292
        return util.groupmembers(group)
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
   293
    except KeyError:
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   294
        raise error.Abort(_(b"group '%s' is undefined") % group)
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   295
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   296
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
   297
def _usermatch(ui, user, usersorgroups):
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   298
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   299
    if usersorgroups == b'*':
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   300
        return True
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   301
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   302
    for ug in usersorgroups.replace(b',', b' ').split():
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   303
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   304
        if ug.startswith(b'!'):
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   305
            # Test for excluded user or group. Format:
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   306
            # if ug is a user  name: !username
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   307
            # if ug is a group name: !@groupname
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   308
            ug = ug[1:]
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   309
            if (
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   310
                not ug.startswith(b'@')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   311
                and user != ug
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   312
                or ug.startswith(b'@')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   313
                and user not in _getusers(ui, ug[1:])
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   314
            ):
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   315
                return True
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   316
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   317
        # Test for user or group. Format:
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   318
        # if ug is a user  name: username
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
   319
        # if ug is a group name: @groupname
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   320
        elif (
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   321
            user == ug or ug.startswith(b'@') and user in _getusers(ui, ug[1:])
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   322
        ):
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   323
            return True
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   324
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
   325
    return False
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   326
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   327
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   328
def buildmatch(ui, repo, user, key):
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   329
    '''return tuple of (match function, list enabled).'''
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   330
    if not ui.has_section(key):
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   331
        ui.debug(b'acl: %s not enabled\n' % key)
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   332
        return None
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   333
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   334
    pats = [
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   335
        pat for pat, users in ui.configitems(key) if _usermatch(ui, user, users)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   336
    ]
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   337
    ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   338
        b'acl: %s enabled, %d entries for user %s\n' % (key, len(pats), user)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   339
    )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   340
16765
754e98e0a615 acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents: 16764
diff changeset
   341
    # Branch-based ACL
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   342
    if not repo:
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   343
        if pats:
16766
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   344
            # If there's an asterisk (meaning "any branch"), always return True;
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   345
            # Otherwise, test if b is in pats
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   346
            if b'*' in pats:
16766
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   347
                return util.always
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
   348
            return lambda b: b in pats
16764
ffb68b9dbaa9 acl: 'util.never' used
Elifarley Callado Coelho Cruz
parents: 16763
diff changeset
   349
        return util.never
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   350
16765
754e98e0a615 acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents: 16764
diff changeset
   351
    # Path-based ACL
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   352
    if pats:
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   353
        return match.match(repo.root, b'', pats)
16767
363bde4224c8 acl: 'util.never' can be used instead of a more complex expression
Elifarley Callado Coelho Cruz
parents: 16766
diff changeset
   354
    return util.never
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   355
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   356
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   357
def ensureenabled(ui):
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   358
    """make sure the extension is enabled when used as hook
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   359
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   360
    When acl is used through hooks, the extension is never formally loaded and
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   361
    enabled. This has some side effect, for example the config declaration is
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   362
    never loaded. This function ensure the extension is enabled when running
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   363
    hooks.
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   364
    """
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   365
    if b'acl' in ui._knownconfig:
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   366
        return
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   367
    ui.setconfig(b'extensions', b'acl', b'', source=b'internal')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   368
    extensions.loadall(ui, [b'acl'])
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   369
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   370
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   371
def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   372
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   373
    ensureenabled(ui)
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
   374
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   375
    if hooktype not in [b'pretxnchangegroup', b'pretxncommit', b'prepushkey']:
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   376
        raise error.Abort(
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   377
            _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   378
                b'config error - hook type "%s" cannot stop '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   379
                b'incoming changesets, commits, nor bookmarks'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   380
            )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   381
            % hooktype
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   382
        )
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   383
    if hooktype == b'pretxnchangegroup' and source not in ui.configlist(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   384
        b'acl', b'sources'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   385
    ):
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   386
        ui.debug(b'acl: changes have source "%s" - skipping\n' % source)
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   387
        return
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
   388
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   389
    user = None
43506
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   390
    if source == b'serve' and 'url' in kwargs:
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   391
        url = kwargs['url'].split(b':')
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   392
        if url[0] == b'remote' and url[1].startswith(b'http'):
28883
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
   393
            user = urlreq.unquote(url[3])
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   394
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   395
    if user is None:
37120
a8a902d7176e procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents: 36412
diff changeset
   396
        user = procutil.getuser()
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
   397
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   398
    ui.debug(b'acl: checking access for user "%s"\n' % user)
15207
0f7f9f06c759 acl: more descriptive error messages
Elifarley Callado Coelho Cruz
parents: 12778
diff changeset
   399
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   400
    if hooktype == b'prepushkey':
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   401
        _pkhook(ui, repo, hooktype, node, source, user, **kwargs)
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   402
    else:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   403
        _txnhook(ui, repo, hooktype, node, source, user, **kwargs)
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   404
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   405
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   406
def _pkhook(ui, repo, hooktype, node, source, user, **kwargs):
43506
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   407
    if kwargs['namespace'] == b'bookmarks':
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   408
        bookmark = kwargs['key']
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
   409
        ctx = kwargs['new']
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   410
        allowbookmarks = buildmatch(ui, None, user, b'acl.allow.bookmarks')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   411
        denybookmarks = buildmatch(ui, None, user, b'acl.deny.bookmarks')
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   412
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   413
        if denybookmarks and denybookmarks(bookmark):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   414
            raise error.Abort(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   415
                _(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   416
                    b'acl: user "%s" denied on bookmark "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   417
                    b' (changeset "%s")'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   418
                )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   419
                % (user, bookmark, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   420
            )
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   421
        if allowbookmarks and not allowbookmarks(bookmark):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   422
            raise error.Abort(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   423
                _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   424
                    b'acl: user "%s" not allowed on bookmark "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   425
                    b' (changeset "%s")'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   426
                )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   427
                % (user, bookmark, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   428
            )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   429
        ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   430
            b'acl: bookmark access granted: "%s" on bookmark "%s"\n'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   431
            % (ctx, bookmark)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   432
        )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   433
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   434
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
   435
def _txnhook(ui, repo, hooktype, node, source, user, **kwargs):
25792
dd166d42e7b2 acl: mark deprecated config option
Matt Mackall <mpm@selenic.com>
parents: 25186
diff changeset
   436
    # deprecated config: acl.config
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   437
    cfg = ui.config(b'acl', b'config')
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   438
    if cfg:
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   439
        ui.readconfig(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   440
            cfg,
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   441
            sections=[
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   442
                b'acl.groups',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   443
                b'acl.allow.branches',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   444
                b'acl.deny.branches',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   445
                b'acl.allow',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   446
                b'acl.deny',
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   447
            ],
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   448
        )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   449
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   450
    allowbranches = buildmatch(ui, None, user, b'acl.allow.branches')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   451
    denybranches = buildmatch(ui, None, user, b'acl.deny.branches')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   452
    allow = buildmatch(ui, repo, user, b'acl.allow')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   453
    deny = buildmatch(ui, repo, user, b'acl.deny')
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   454
38783
e7aa113b14f7 global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 38531
diff changeset
   455
    for rev in pycompat.xrange(repo[node].rev(), len(repo)):
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   456
        ctx = repo[rev]
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   457
        branch = ctx.branch()
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   458
        if denybranches and denybranches(branch):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   459
            raise error.Abort(
43117
8ff1ecfadcd1 cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents: 43077
diff changeset
   460
                _(b'acl: user "%s" denied on branch "%s" (changeset "%s")')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   461
                % (user, branch, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   462
            )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   463
        if allowbranches and not allowbranches(branch):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   464
            raise error.Abort(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   465
                _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   466
                    b'acl: user "%s" not allowed on branch "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   467
                    b' (changeset "%s")'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   468
                )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   469
                % (user, branch, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   470
            )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   471
        ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   472
            b'acl: branch access granted: "%s" on branch "%s"\n' % (ctx, branch)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   473
        )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
   474
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   475
        for f in ctx.files():
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   476
            if deny and deny(f):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   477
                raise error.Abort(
43117
8ff1ecfadcd1 cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents: 43077
diff changeset
   478
                    _(b'acl: user "%s" denied on "%s" (changeset "%s")')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   479
                    % (user, f, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   480
                )
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
   481
            if allow and not allow(f):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   482
                raise error.Abort(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   483
                    _(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   484
                        b'acl: user "%s" not allowed on "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   485
                        b' (changeset "%s")'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   486
                    )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   487
                    % (user, f, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
   488
                )
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
   489
        ui.debug(b'acl: path access granted: "%s"\n' % ctx)