annotate hgext/acl.py @ 39065:730e7d92a023
debugcommands: urlerror only has a read() method in Python 2
Differential Revision: https://phab.mercurial-scm.org/D4258
author | Augie Fackler <augie@google.com> |
---|---|
date | Fri, 10 Aug 2018 03:33:38 -0400 |
parents | e7aa113b14f7 |
children | 3694c9aaf5e4 |
Changesets referenced in the rev column below:

rev | changeset | description | author | parents |
---|---|---|---|---|
2344 | ae12e5a2c4a3 | add acl extension, to limit who can push to subdirs of central repo. | Vadim Gelfer <vadim.gelfer@gmail.com> | |
8225 | 46293a0c7e9f | updated license to be explicit about GPL version 2 | Martin Geisler <mg@lazybytes.net> | 8142 |
8873 | e872ef2e6758 | help: add/fix docstrings for a bunch of extensions | Dirkjan Ochtman <dirkjan@ochtman.nl> | 8846 |
8935 | f4f0e902b750 | extensions: change descriptions for hook-providing extensions | Dirkjan Ochtman <dirkjan@ochtman.nl> | 8894 |
9250 | 00986b9ed649 | acl: wrap docstrings at 70 characters | Martin Geisler <mg@lazybytes.net> | 9201 |
11042 | d82f3651cd13 | acl: updated doc string to reflect recent changes | Elifarley Callado Coelho Cruz <elifarley@gmail.com> | 11041 |
11057 | 7f0796a0b35c | acl: fix ReST syntax in docstring | Martin Geisler <mg@lazybytes.net> | 11042 |
11092 | 2dd91779eb27 | acl: add support for branch-based access control | Elifarley Callado Coelho Cruz <elifarley@gmail.com> | 11058 |
11095 | d56124931909 | acl: more consistent docstring | Martin Geisler <mg@aragost.com> | 11094 |
11115 | b3d5619f1f2b | acl: update docstring to describe section [acl.groups] | Elifarley Callado Coelho Cruz <elifarley@gmail.com> | 11114 |
11131 | 0b6fd18ab8af | acl: clarify acl.sources, fix typo | Patrick Mezard <pmezard@gmail.com> | 11115 |
11423 | 776f9784b34b | acl: delete trailing whitespace in docstring | Martin Geisler <mg@lazybytes.net> | 11140 |
16499 | 0b463f52b948 | doc: fix explanation comment in acl extension | FUJIWARA Katsunori <foozy@lares.dti.ne.jp> | 15207 |
16957 | d7b608149f6c | acl: user docs for the "!" prefix in user or group names | Elifarley Callado Coelho Cruz | 16956 |
17267 | 979b107eaea2 | doc: unify section level between help topics | FUJIWARA Katsunori <foozy@lares.dti.ne.jp> | 16957 |
28089 | a1163ee26e4a | acl: use absolute_import | Gregory Szorc <gregory.szorc@gmail.com> | 26587 |
38531 | 6beb8347b709 | acl: add bookmarks support | Sandu Turcan <idlsoft@gmail.com> | 37120 |

rev | line source |
---|---|
2344 | 1 # acl.py - changeset access control for mercurial |
 | 2 # |
 | 3 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> |
 | 4 # |
8225 | 5 # This software may be used and distributed according to the terms of the |
10263 | 6 # GNU General Public License version 2 or any later version. |
8873 | 7 |
8935 | 8 '''hooks for controlling repository access |
8873 | 9 |
11095 | 10 This hook makes it possible to allow or deny write access to given |
 | 11 branches and paths of a repository when receiving incoming changesets |
 | 12 via pretxnchangegroup and pretxncommit. |
9250 | 13 |
 | 14 The authorization is matched based on the local user name on the |
 | 15 system where the hook runs, and not the committer of the original |
 | 16 changeset (since the latter is merely informative). |
8873 | 17 |
9250 | 18 The acl hook is best used along with a restricted shell like hgsh, |
11095 | 19 preventing authenticating users from doing anything other than pushing |
 | 20 or pulling. The hook is not safe to use if users have interactive |
 | 21 shell access, as they can then disable the hook. Nor is it safe if |
 | 22 remote users share an account, because then there is no way to |
 | 23 distinguish them. |
8873 | 24 |
11092 | 25 The order in which access checks are performed is: |
11094 | 26 |
 | 27 1) Deny list for branches (section ``acl.deny.branches``) |
 | 28 2) Allow list for branches (section ``acl.allow.branches``) |
 | 29 3) Deny list for paths (section ``acl.deny``) |
 | 30 4) Allow list for paths (section ``acl.allow``) |
11042 | 31 |
11092 | 32 The allow and deny sections take key-value pairs. |
 | 33 |
11094 | 34 Branch-based Access Control |
17267 | 35 --------------------------- |
11092 | 36 |
11095 | 37 Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to |
 | 38 have branch-based access control. Keys in these sections can be |
 | 39 either: |
11057 | 40 |
11095 | 41 - a branch name, or |
 | 42 - an asterisk, to match any branch; |
11092 | 43 |
 | 44 The corresponding values can be either: |
11094 | 45 |
11095 | 46 - a comma-separated list containing users and groups, or |
 | 47 - an asterisk, to match anyone; |
11042 | 48 |
16957 | 49 You can add the "!" prefix to a user or group name to invert the sense |
 | 50 of the match. |
 | 51 |
11094 | 52 Path-based Access Control |
17267 | 53 ------------------------- |
11092 | 54 |
11095 | 55 Use the ``acl.deny`` and ``acl.allow`` sections to have path-based |
 | 56 access control. Keys in these sections accept a subtree pattern (with |
 | 57 a glob syntax by default). The corresponding values follow the same |
 | 58 syntax as the other sections above. |
11092 | 59 |
38531 | 60 Bookmark-based Access Control |
 | 61 ----------------------------- |
 | 62 Use the ``acl.deny.bookmarks`` and ``acl.allow.bookmarks`` sections to |
 | 63 have bookmark-based access control. Keys in these sections can be |
 | 64 either: |
 | 65 |
 | 66 - a bookmark name, or |
 | 67 - an asterisk, to match any bookmark; |
 | 68 |
 | 69 The corresponding values can be either: |
 | 70 |
 | 71 - a comma-separated list containing users and groups, or |
 | 72 - an asterisk, to match anyone; |
 | 73 |
 | 74 You can add the "!" prefix to a user or group name to invert the sense |
 | 75 of the match. |
 | 76 |
 | 77 Note: for interactions between clients and servers using Mercurial 3.6+ |
 | 78 a rejection will generally reject the entire push, for interactions |
 | 79 involving older clients, the commit transactions will already be accepted, |
 | 80 and only the bookmark movement will be rejected. |
 | 81 |
11094 | 82 Groups |
17267 | 83 ------ |
11092 | 84 |
11095 | 85 Group names must be prefixed with an ``@`` symbol. Specifying a group |
 | 86 name has the same effect as specifying all the users in that group. |
8873 | 87 |
11115 | 88 You can define group members in the ``acl.groups`` section. |
 | 89 If a group name is not defined there, and Mercurial is running under |
 | 90 a Unix-like system, the list of users will be taken from the OS. |
 | 91 Otherwise, an exception will be raised. |
 | 92 |
11094 | 93 Example Configuration |
17267 | 94 --------------------- |
11094 | 95 |
 | 96 :: |
8873 | 97 |
 | 98 [hooks] |
11042 | 99 |
11092 | 100 # Use this if you want to check access restrictions at commit time |
11042 | 101 pretxncommit.acl = python:hgext.acl.hook |
11423 | 102 |
11095 | 103 # Use this if you want to check access restrictions for pull, push, |
 | 104 # bundle and serve. |
8873 | 105 pretxnchangegroup.acl = python:hgext.acl.hook |
 | 106 |
 | 107 [acl] |
11131 | 108 # Allow or deny access for incoming changes only if their source is |
 | 109 # listed here, let them pass otherwise. Source is "serve" for all |
 | 110 # remote access (http or ssh), "push", "pull" or "bundle" when the |
 | 111 # related commands are run locally. |
 | 112 # Default: serve |
8893 | 113 sources = serve |
8873 | 114 |
11423 | 115 [acl.deny.branches] |
 | 116 |
 | 117 # Everyone is denied to the frozen branch: |
 | 118 frozen-branch = * |
 | 119 |
 | 120 # A bad user is denied on all branches: |
 | 121 * = bad-user |
 | 122 |
 | 123 [acl.allow.branches] |
 | 124 |
 | 125 # A few users are allowed on branch-a: |
 | 126 branch-a = user-1, user-2, user-3 |
 | 127 |
 | 128 # Only one user is allowed on branch-b: |
 | 129 branch-b = user-1 |
 | 130 |
 | 131 # The super user is allowed on any branch: |
 | 132 * = super-user |
 | 133 |
 | 134 # Everyone is allowed on branch-for-tests: |
 | 135 branch-for-tests = * |
11092 | 136 |
11042 | 137 [acl.deny] |
11095 | 138 # This list is checked first. If a match is found, acl.allow is not |
 | 139 # checked. All users are granted access if acl.deny is not present. |
 | 140 # Format for both lists: glob pattern = user, ..., @group, ... |
11042 | 141 |
 | 142 # To match everyone, use an asterisk for the user: |
 | 143 # my/glob/pattern = * |
 | 144 |
 | 145 # user6 will not have write access to any file: |
 | 146 ** = user6 |
 | 147 |
 | 148 # Group "hg-denied" will not have write access to any file: |
 | 149 ** = @hg-denied |
 | 150 |
17537 | 151 # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite |
11095 | 152 # everyone being able to change all other files. See below. |
17537 | 153 src/main/resources/DONT-TOUCH-THIS.txt = * |
8873 | 154 |
 | 155 [acl.allow] |
11131 | 156 # if acl.allow is not present, all users are allowed by default |
11042 | 157 # empty acl.allow = no users allowed |
 | 158 |
11095 | 159 # User "doc_writer" has write access to any file under the "docs" |
 | 160 # folder: |
8873 | 161 docs/** = doc_writer |
11042 | 162 |
11095 | 163 # User "jack" and group "designers" have write access to any file |
 | 164 # under the "images" folder: |
11042 | 165 images/** = jack, @designers |
 | 166 |
16499 | 167 # Everyone (except for "user6" and "@hg-denied" - see acl.deny above) |
 | 168 # will have write access to any file under the "resources" folder |
 | 169 # (except for 1 file. See acl.deny): |
11042 | 170 src/main/resources/** = * |
 | 171 |
8873 | 172 .hgtags = release_engineer |
 | 173 |
16957 | 174 Examples using the "!" prefix |
 | 175 ............................. |
 | 176 |
 | 177 Suppose there's a branch that only a given user (or group) should be able to |
 | 178 push to, and you don't want to restrict access to any other branch that may |
 | 179 be created. |
 | 180 |
 | 181 The "!" prefix allows you to prevent anyone except a given user or group to |
 | 182 push changesets in a given branch or path. |
 | 183 |
 | 184 In the examples below, we will: |
 | 185 1) Deny access to branch "ring" to anyone but user "gollum" |
 | 186 2) Deny access to branch "lake" to anyone but members of the group "hobbit" |
 | 187 3) Deny access to a file to anyone but user "gollum" |
 | 188 |
 | 189 :: |
 | 190 |
 | 191 [acl.allow.branches] |
 | 192 # Empty |
 | 193 |
 | 194 [acl.deny.branches] |
 | 195 |
 | 196 # 1) only 'gollum' can commit to branch 'ring'; |
 | 197 # 'gollum' and anyone else can still commit to any other branch. |
 | 198 ring = !gollum |
 | 199 |
 | 200 # 2) only members of the group 'hobbit' can commit to branch 'lake'; |
 | 201 # 'hobbit' members and anyone else can still commit to any other branch. |
 | 202 lake = !@hobbit |
 | 203 |
 | 204 # You can also deny access based on file paths: |
 | 205 |
 | 206 [acl.allow] |
 | 207 # Empty |
 | 208 |
 | 209 [acl.deny] |
 | 210 # 3) only 'gollum' can change the file below; |
 | 211 # 'gollum' and anyone else can still change any other file. |
 | 212 /misty/mountains/cave/ring = !gollum |
 | 213 |
8873 | 214 ''' |
2344 | 215 |
28089 | 216 from __future__ import absolute_import |
 | 217 |
3891 | 218 from mercurial.i18n import _ |
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
219 from mercurial import ( |
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
220 error, |
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
221 extensions, |
28089
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
222 match, |
38783
e7aa113b14f7
global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38531
diff
changeset
|
223 pycompat, |
33185
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
224 registrar, |
28089
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
225 util, |
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
226 ) |
37120
a8a902d7176e
procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36412
diff
changeset
|
227 from mercurial.utils import ( |
a8a902d7176e
procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36412
diff
changeset
|
228 procutil, |
a8a902d7176e
procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36412
diff
changeset
|
229 ) |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
230 |
28883
032c4c2f802a
pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents:
28089
diff
changeset
|
231 urlreq = util.urlreq |
032c4c2f802a
pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents:
28089
diff
changeset
|
232 |
29841
d5883fd055c6
extensions: change magic "shipped with hg" string
Augie Fackler <augie@google.com>
parents:
28883
diff
changeset
|
233 # Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for |
25186
80c5b2666a96
extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents:
19872
diff
changeset
|
234 # extensions which SHIP WITH MERCURIAL. Non-mainline extensions should |
80c5b2666a96
extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents:
19872
diff
changeset
|
235 # be specifying the version(s) of Mercurial they are tested with, or |
80c5b2666a96
extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents:
19872
diff
changeset
|
236 # leave the attribute unspecified. |
29841
d5883fd055c6
extensions: change magic "shipped with hg" string
Augie Fackler <augie@google.com>
parents:
28883
diff
changeset
|
237 testedwith = 'ships-with-hg-core' |
16743
38caf405d010
hgext: mark all first-party extensions as such
Augie Fackler <raf@durin42.com>
parents:
16499
diff
changeset
|
238 |
33185
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
239 configtable = {} |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
240 configitem = registrar.configitem(configtable) |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
241 |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
242 # deprecated config: acl.config |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
243 configitem('acl', 'config', |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
244 default=None, |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
245 ) |
34779
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
246 configitem('acl.groups', '.*', |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
247 default=None, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
248 generic=True, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
249 ) |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
250 configitem('acl.deny.branches', '.*', |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
251 default=None, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
252 generic=True, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
253 ) |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
254 configitem('acl.allow.branches', '.*', |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
255 default=None, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
256 generic=True, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
257 ) |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
258 configitem('acl.deny', '.*', |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
259 default=None, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
260 generic=True, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
261 ) |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
262 configitem('acl.allow', '.*', |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
263 default=None, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
264 generic=True, |
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
265 ) |
33186
478cb17cc610
configitems: register the 'acl.sources' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
33185
diff
changeset
|
266 configitem('acl', 'sources', |
33216
fc2baecdef1d
configitem: create a new list of each 'acl.sources' access
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
33187
diff
changeset
|
267 default=lambda: ['serve'], |
33186
478cb17cc610
configitems: register the 'acl.sources' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
33185
diff
changeset
|
268 ) |
33185
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
269 |
11114
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
270 def _getusers(ui, group): |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
271 |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
272 # First, try to use group definition from section [acl.groups] |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
273 hgrcusers = ui.configlist('acl.groups', group) |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
274 if hgrcusers: |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
275 return hgrcusers |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
276 |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
277 ui.debug('acl: "%s" not defined in [acl.groups]\n' % group) |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
278 # If no users found in group definition, get users from OS-level group |
11140
1f26cf0a3663
acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents:
11138
diff
changeset
|
279 try: |
1f26cf0a3663
acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents:
11138
diff
changeset
|
280 return util.groupmembers(group) |
1f26cf0a3663
acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents:
11138
diff
changeset
|
281 except KeyError: |
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25792
diff
changeset
|
282 raise error.Abort(_("group '%s' is undefined") % group) |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
283 |
11114
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
284 def _usermatch(ui, user, usersorgroups): |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
285 |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
286 if usersorgroups == '*': |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
287 return True |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
288 |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
289 for ug in usersorgroups.replace(',', ' ').split(): |
16956
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
290 |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
291 if ug.startswith('!'): |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
292 # Test for excluded user or group. Format: |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
293 # if ug is a user name: !username |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
294 # if ug is a group name: !@groupname |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
295 ug = ug[1:] |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
296 if not ug.startswith('@') and user != ug \ |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
297 or ug.startswith('@') and user not in _getusers(ui, ug[1:]): |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
298 return True |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
299 |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
300 # Test for user or group. Format: |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
301 # if ug is a user name: username |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
302 # if ug is a group name: @groupname |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
303 elif user == ug \ |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
304 or ug.startswith('@') and user in _getusers(ui, ug[1:]): |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
305 return True |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
306 |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
307 return False |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
308 |
6766 | 309 def buildmatch(ui, repo, user, key): |
310 '''return tuple of (match function, list enabled).''' | |
311 if not ui.has_section(key): | |
9467
4c041f1ee1b4
do not attempt to translate ui.debug output
Martin Geisler <mg@lazybytes.net>
parents:
9250
diff
changeset
|
312 ui.debug('acl: %s not enabled\n' % key) |
6766 | 313 return None |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
314 |
6766 | 315 pats = [pat for pat, users in ui.configitems(key) |
11114
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
316 if _usermatch(ui, user, users)] |
9467
4c041f1ee1b4
do not attempt to translate ui.debug output
Martin Geisler <mg@lazybytes.net>
parents:
9250
diff
changeset
|
317 ui.debug('acl: %s enabled, %d entries for user %s\n' % |
6766 | 318 (key, len(pats), user)) |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
319 |
16765
754e98e0a615
acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents:
16764
diff
changeset
|
320 # Branch-based ACL |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
321 if not repo: |
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
322 if pats: |
16766
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
323 # If there's an asterisk (meaning "any branch"), always return True; |
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
324 # Otherwise, test if b is in pats |
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
325 if '*' in pats: |
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
326 return util.always |
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
327 return lambda b: b in pats |
16764 | 328 return util.never |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
329 |
16765
754e98e0a615
acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents:
16764
diff
changeset
|
330 # Path-based ACL |
6766 | 331 if pats: |
8567
fea40a677d43
match: add some default args
Matt Mackall <mpm@selenic.com>
parents:
8566
diff
changeset
|
332 return match.match(repo.root, '', pats) |
16767
363bde4224c8
acl: 'util.never' can be used instead of a more complex expression
Elifarley Callado Coelho Cruz
parents:
16766
diff
changeset
|
333 return util.never |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
334 |
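The matching rules of `_usermatch` and `buildmatch` above, together with the deny-before-allow branch check in `_txnhook` further down this file, modelled as a stand-alone added example (not Mercurial's own code). `GROUPS`, `usermatch`, `buildbranchmatch` and `branchdecision` are hypothetical names, and group lookup uses only an in-memory stand-in for `[acl.groups]`. It goes one step beyond the docstring's cases: several `!` entries on one line match every user, because each user differs from at least one of the names.

```python
# Added illustration: a stand-alone model of the ACL matching logic shown on
# this page. Not Mercurial code; all names below are hypothetical.

GROUPS = {"hobbit": ["frodo", "sam"]}  # constructed stand-in for [acl.groups]


def getusers(group):
    """Model of _getusers(): only the in-memory GROUPS table is consulted."""
    try:
        return GROUPS[group]
    except KeyError:
        raise LookupError("group '%s' is undefined" % group)


def usermatch(user, usersorgroups):
    """Same decision order as _usermatch(): the first entry that matches wins."""
    if usersorgroups == "*":
        return True
    for ug in usersorgroups.replace(",", " ").split():
        if ug.startswith("!"):
            ug = ug[1:]
            # A negated entry matches every user except the named one
            # (or every user outside the named group).
            if (not ug.startswith("@") and user != ug) or (
                ug.startswith("@") and user not in getusers(ug[1:])
            ):
                return True
        elif user == ug or (ug.startswith("@") and user in getusers(ug[1:])):
            return True
    return False


def buildbranchmatch(user, section):
    """Model of buildmatch(ui, None, ...).

    section is None  -> section not configured, check disabled (returns None)
    section is a dict -> predicate over branch names; an existing section with
                         no entry matching the user yields "never".
    """
    if section is None:
        return None
    pats = [pat for pat, users in section.items() if usermatch(user, users)]
    if "*" in pats:
        return lambda branch: True
    if pats:
        return lambda branch: branch in pats
    return lambda branch: False


def branchdecision(user, branch, allow=None, deny=None):
    """Deny is evaluated before allow, as in _txnhook()."""
    denymatch = buildbranchmatch(user, deny)
    allowmatch = buildbranchmatch(user, allow)
    if denymatch and denymatch(branch):
        return "denied"
    if allowmatch and not allowmatch(branch):
        return "not allowed"
    return "granted"


if __name__ == "__main__":
    # Constructed configurations: the docstring's form, then the pitfall.
    single = {"ring": "!gollum"}
    double = {"ring": "!gollum, !frodo"}
    for label, deny in (("!gollum", single), ("!gollum, !frodo", double)):
        for user in ("gollum", "frodo", "sam"):
            print(label, user, branchdecision(user, "ring", deny=deny))
```

To let exactly two users through on one branch, define a group for them and negate it (`!@groupname`) rather than listing two `!user` entries.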
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
335 def ensureenabled(ui): |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
336 """make sure the extension is enabled when used as hook |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
337 |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
338 When acl is used through hooks, the extension is never formally loaded and |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
339 enabled. This has some side effects; for example, the config declaration is |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
340 never loaded. This function ensures the extension is enabled when running |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
341 hooks. |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
342 """ |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
343 if 'acl' in ui._knownconfig: |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
344 return |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
345 ui.setconfig('extensions', 'acl', '', source='internal') |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
346 extensions.loadall(ui, ['acl']) |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
347 |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
348 def hook(ui, repo, hooktype, node=None, source=None, **kwargs): |
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
349 |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
350 ensureenabled(ui) |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
351 |
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
352 if hooktype not in ['pretxnchangegroup', 'pretxncommit', 'prepushkey']: |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
353 raise error.Abort( |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
354 _('config error - hook type "%s" cannot stop ' |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
355 'incoming changesets, commits, nor bookmarks') % hooktype) |
10955
470a6ace7574
Added support for 'pretxncommit', so that one can call the ACL hook at
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10801
diff
changeset
|
356 if (hooktype == 'pretxnchangegroup' and |
33187
2b233065f57a
acl: use configlist to retrieve the source config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
33186
diff
changeset
|
357 source not in ui.configlist('acl', 'sources')): |
9467
4c041f1ee1b4
do not attempt to translate ui.debug output
Martin Geisler <mg@lazybytes.net>
parents:
9250
diff
changeset
|
358 ui.debug('acl: changes have source "%s" - skipping\n' % source) |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
359 return |
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
360 |
8846
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
361 user = None |
36377
39212037e65e
py3: fix keyword arguments handling in hgext/acl.py
Pulkit Goyal <7895pulkit@gmail.com>
parents:
36376
diff
changeset
|
362 if source == 'serve' and r'url' in kwargs: |
39212037e65e
py3: fix keyword arguments handling in hgext/acl.py
Pulkit Goyal <7895pulkit@gmail.com>
parents:
36376
diff
changeset
|
363 url = kwargs[r'url'].split(':') |
8846
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
364 if url[0] == 'remote' and url[1].startswith('http'): |
28883
032c4c2f802a
pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents:
28089
diff
changeset
|
365 user = urlreq.unquote(url[3]) |
8846
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
366 |
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
367 if user is None: |
37120
a8a902d7176e
procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36412
diff
changeset
|
368 user = procutil.getuser() |
8846
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
369 |
15207
0f7f9f06c759
acl: more descriptive error messages
Elifarley Callado Coelho Cruz
parents:
12778
diff
changeset
|
370 ui.debug('acl: checking access for user "%s"\n' % user) |
0f7f9f06c759
acl: more descriptive error messages
Elifarley Callado Coelho Cruz
parents:
12778
diff
changeset
|
371 |
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
372 if hooktype == 'prepushkey': |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
373 _pkhook(ui, repo, hooktype, node, source, user, **kwargs) |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
374 else: |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
375 _txnhook(ui, repo, hooktype, node, source, user, **kwargs) |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
376 |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
377 def _pkhook(ui, repo, hooktype, node, source, user, **kwargs): |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
378 if kwargs['namespace'] == 'bookmarks': |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
379 bookmark = kwargs['key'] |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
380 ctx = kwargs['new'] |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
381 allowbookmarks = buildmatch(ui, None, user, 'acl.allow.bookmarks') |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
382 denybookmarks = buildmatch(ui, None, user, 'acl.deny.bookmarks') |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
383 |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
384 if denybookmarks and denybookmarks(bookmark): |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
385 raise error.Abort(_('acl: user "%s" denied on bookmark "%s"' |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
386 ' (changeset "%s")') |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
387 % (user, bookmark, ctx)) |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
388 if allowbookmarks and not allowbookmarks(bookmark): |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
389 raise error.Abort(_('acl: user "%s" not allowed on bookmark "%s"' |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
390 ' (changeset "%s")') |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
391 % (user, bookmark, ctx)) |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
392 ui.debug('acl: bookmark access granted: "%s" on bookmark "%s"\n' |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
393 % (ctx, bookmark)) |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
394 |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
395 def _txnhook(ui, repo, hooktype, node, source, user, **kwargs): |
25792
dd166d42e7b2
acl: mark deprecated config option
Matt Mackall <mpm@selenic.com>
parents:
25186
diff
changeset
|
396 # deprecated config: acl.config |
6766 | 397 cfg = ui.config('acl', 'config') |
398 if cfg: | |
19872
681f7b9213a4
check-code: check for spaces around = for named parameters
Mads Kiilerich <madski@unity3d.com>
parents:
17537
diff
changeset
|
399 ui.readconfig(cfg, sections=['acl.groups', 'acl.allow.branches', |
681f7b9213a4
check-code: check for spaces around = for named parameters
Mads Kiilerich <madski@unity3d.com>
parents:
17537
diff
changeset
|
400 'acl.deny.branches', 'acl.allow', 'acl.deny']) |
11092 2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 401 |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 402 allowbranches = buildmatch(ui, None, user, 'acl.allow.branches') |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 403 denybranches = buildmatch(ui, None, user, 'acl.deny.branches') |
6766 | 404 allow = buildmatch(ui, repo, user, 'acl.allow') |
6766 | 405 deny = buildmatch(ui, repo, user, 'acl.deny') |
6766 | 406 |
38783 e7aa113b14f7 global: use pycompat.xrange() (Gregory Szorc <gregory.szorc@gmail.com>, parents: 38531) | 407 for rev in pycompat.xrange(repo[node].rev(), len(repo)): |
6766 | 408 ctx = repo[rev] |
11092 2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 409 branch = ctx.branch() |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 410 if denybranches and denybranches(branch): |
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' (Pierre-Yves David <pierre-yves.david@fb.com>, parents: 25792) | 411 raise error.Abort(_('acl: user "%s" denied on branch "%s"' |
11092 2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 412 ' (changeset "%s")') |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 413 % (user, branch, ctx)) |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 414 if allowbranches and not allowbranches(branch): |
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' (Pierre-Yves David <pierre-yves.david@fb.com>, parents: 25792) | 415 raise error.Abort(_('acl: user "%s" not allowed on branch "%s"' |
11092 2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 416 ' (changeset "%s")') |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 417 % (user, branch, ctx)) |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 418 ui.debug('acl: branch access granted: "%s" on branch "%s"\n' |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 419 % (ctx, branch)) |
2dd91779eb27 acl: add support for branch-based access control (Elifarley Callado Coelho Cruz <elifarley@gmail.com>, parents: 11058) | 420 |
6766 | 421 for f in ctx.files(): |
6766 | 422 if deny and deny(f): |
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' (Pierre-Yves David <pierre-yves.david@fb.com>, parents: 25792) | 423 raise error.Abort(_('acl: user "%s" denied on "%s"' |
15207 0f7f9f06c759 acl: more descriptive error messages (Elifarley Callado Coelho Cruz, parents: 12778) | 424 ' (changeset "%s")') % (user, f, ctx)) |
6766 | 425 if allow and not allow(f): |
26587 56b2bcea2529 error: get Abort from 'error' instead of 'util' (Pierre-Yves David <pierre-yves.david@fb.com>, parents: 25792) | 426 raise error.Abort(_('acl: user "%s" not allowed on "%s"' |
15207 0f7f9f06c759 acl: more descriptive error messages (Elifarley Callado Coelho Cruz, parents: 12778) | 427 ' (changeset "%s")') % (user, f, ctx)) |
0f7f9f06c759 acl: more descriptive error messages (Elifarley Callado Coelho Cruz, parents: 12778) | 428 ui.debug('acl: path access granted: "%s"\n' % ctx) |