annotate hgext/acl.py @ 48868:a52f5bfc9358

import-checker: assume absolute and use modern import checker Since we require Python 3 now, we can assume we always use absolute imports and the modern import checker should be used. Differential Revision: https://phab.mercurial-scm.org/D12246
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 20 Feb 2022 13:43:44 -0700
parents 89a2afe31e82
children 6000f5b25c9b
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
1 # acl.py - changeset access control for mercurial
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
2 #
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
3 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
4 #
8225
46293a0c7e9f updated license to be explicit about GPL version 2
Martin Geisler <mg@lazybytes.net>
parents: 8142
diff changeset
5 # This software may be used and distributed according to the terms of the
10263
25e572394f5c Update license to GPLv2+
Matt Mackall <mpm@selenic.com>
parents: 10112
diff changeset
6 # GNU General Public License version 2 or any later version.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
7
8935
f4f0e902b750 extensions: change descriptions for hook-providing extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8894
diff changeset
8 '''hooks for controlling repository access
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
9
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
10 This hook makes it possible to allow or deny write access to given
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
11 branches and paths of a repository when receiving incoming changesets
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
12 via pretxnchangegroup and pretxncommit.
9250
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
13
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
14 The authorization is matched based on the local user name on the
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
15 system where the hook runs, and not the committer of the original
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
16 changeset (since the latter is merely informative).
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
17
9250
00986b9ed649 acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents: 9201
diff changeset
18 The acl hook is best used along with a restricted shell like hgsh,
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
19 preventing authenticating users from doing anything other than pushing
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
20 or pulling. The hook is not safe to use if users have interactive
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
21 shell access, as they can then disable the hook. Nor is it safe if
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
22 remote users share an account, because then there is no way to
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
23 distinguish them.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
24
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
25 The order in which access checks are performed is:
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
26
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
27 1) Deny list for branches (section ``acl.deny.branches``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
28 2) Allow list for branches (section ``acl.allow.branches``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
29 3) Deny list for paths (section ``acl.deny``)
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
30 4) Allow list for paths (section ``acl.allow``)
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
31
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
32 The allow and deny sections take key-value pairs.
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
33
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
34 Branch-based Access Control
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
35 ---------------------------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
36
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
37 Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
38 have branch-based access control. Keys in these sections can be
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
39 either:
11057
7f0796a0b35c acl: fix ReST syntax in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11042
diff changeset
40
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
41 - a branch name, or
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
42 - an asterisk, to match any branch;
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
43
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
44 The corresponding values can be either:
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
45
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
46 - a comma-separated list containing users and groups, or
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
47 - an asterisk, to match anyone;
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
48
16957
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
49 You can add the "!" prefix to a user or group name to invert the sense
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
50 of the match.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
51
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
52 Path-based Access Control
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
53 -------------------------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
54
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
55 Use the ``acl.deny`` and ``acl.allow`` sections to have path-based
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
56 access control. Keys in these sections accept a subtree pattern (with
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
57 a glob syntax by default). The corresponding values follow the same
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
58 syntax as the other sections above.
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
59
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
60 Bookmark-based Access Control
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
61 -----------------------------
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
62 Use the ``acl.deny.bookmarks`` and ``acl.allow.bookmarks`` sections to
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
63 have bookmark-based access control. Keys in these sections can be
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
64 either:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
65
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
66 - a bookmark name, or
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
67 - an asterisk, to match any bookmark;
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
68
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
69 The corresponding values can be either:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
70
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
71 - a comma-separated list containing users and groups, or
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
72 - an asterisk, to match anyone;
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
73
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
74 You can add the "!" prefix to a user or group name to invert the sense
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
75 of the match.
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
76
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
77 Note: for interactions between clients and servers using Mercurial 3.6+
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
78 a rejection will generally reject the entire push, for interactions
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
79 involving older clients, the commit transactions will already be accepted,
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
80 and only the bookmark movement will be rejected.
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
81
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
82 Groups
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
83 ------
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
84
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
85 Group names must be prefixed with an ``@`` symbol. Specifying a group
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
86 name has the same effect as specifying all the users in that group.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
87
11115
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
88 You can define group members in the ``acl.groups`` section.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
89 If a group name is not defined there, and Mercurial is running under
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
90 a Unix-like system, the list of users will be taken from the OS.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
91 Otherwise, an exception will be raised.
b3d5619f1f2b acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11114
diff changeset
92
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
93 Example Configuration
17267
979b107eaea2 doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 16957
diff changeset
94 ---------------------
11094
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
95
c7adea82d495 acl: fix reST syntax
Martin Geisler <mg@aragost.com>
parents: 11092
diff changeset
96 ::
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
97
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
98 [hooks]
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
99
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
100 # Use this if you want to check access restrictions at commit time
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
101 pretxncommit.acl = python:hgext.acl.hook
11423
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
102
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
103 # Use this if you want to check access restrictions for pull, push,
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
104 # bundle and serve.
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
105 pretxnchangegroup.acl = python:hgext.acl.hook
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
106
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
107 [acl]
11131
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
108 # Allow or deny access for incoming changes only if their source is
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
109 # listed here, let them pass otherwise. Source is "serve" for all
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
110 # remote access (http or ssh), "push", "pull" or "bundle" when the
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
111 # related commands are run locally.
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
112 # Default: serve
8893
cc0593af30d4 acl: help improvements
Cédric Duval <cedricduval@free.fr>
parents: 8873
diff changeset
113 sources = serve
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
114
11423
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
115 [acl.deny.branches]
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
116
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
117 # Everyone is denied to the frozen branch:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
118 frozen-branch = *
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
119
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
120 # A bad user is denied on all branches:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
121 * = bad-user
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
122
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
123 [acl.allow.branches]
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
124
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
125 # A few users are allowed on branch-a:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
126 branch-a = user-1, user-2, user-3
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
127
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
128 # Only one user is allowed on branch-b:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
129 branch-b = user-1
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
130
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
131 # The super user is allowed on any branch:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
132 * = super-user
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
133
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
134 # Everyone is allowed on branch-for-tests:
776f9784b34b acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents: 11140
diff changeset
135 branch-for-tests = *
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
136
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
137 [acl.deny]
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
138 # This list is checked first. If a match is found, acl.allow is not
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
139 # checked. All users are granted access if acl.deny is not present.
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
140 # Format for both lists: glob pattern = user, ..., @group, ...
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
141
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
142 # To match everyone, use an asterisk for the user:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
143 # my/glob/pattern = *
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
144
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
145 # user6 will not have write access to any file:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
146 ** = user6
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
147
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
148 # Group "hg-denied" will not have write access to any file:
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
149 ** = @hg-denied
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
150
17537
31f32a96e1e3 Merge spelling fixes
Bryan O'Sullivan <bryano@fb.com>
parents: 17487
diff changeset
151 # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
152 # everyone being able to change all other files. See below.
17537
31f32a96e1e3 Merge spelling fixes
Bryan O'Sullivan <bryano@fb.com>
parents: 17487
diff changeset
153 src/main/resources/DONT-TOUCH-THIS.txt = *
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
154
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
155 [acl.allow]
11131
0b6fd18ab8af acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents: 11115
diff changeset
156 # if acl.allow is not present, all users are allowed by default
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
157 # empty acl.allow = no users allowed
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
158
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
159 # User "doc_writer" has write access to any file under the "docs"
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
160 # folder:
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
161 docs/** = doc_writer
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
162
11095
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
163 # User "jack" and group "designers" have write access to any file
d56124931909 acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents: 11094
diff changeset
164 # under the "images" folder:
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
165 images/** = jack, @designers
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
166
16499
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
167 # Everyone (except for "user6" and "@hg-denied" - see acl.deny above)
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
168 # will have write access to any file under the "resources" folder
0b463f52b948 doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 15207
diff changeset
169 # (except for 1 file. See acl.deny):
11042
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
170 src/main/resources/** = *
d82f3651cd13 acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11041
diff changeset
171
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
172 .hgtags = release_engineer
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
173
16957
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
174 Examples using the "!" prefix
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
175 .............................
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
176
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
177 Suppose there's a branch that only a given user (or group) should be able to
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
178 push to, and you don't want to restrict access to any other branch that may
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
179 be created.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
180
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
181 The "!" prefix allows you to prevent anyone except a given user or group to
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
182 push changesets in a given branch or path.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
183
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
184 In the examples below, we will:
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
185 1) Deny access to branch "ring" to anyone but user "gollum"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
186 2) Deny access to branch "lake" to anyone but members of the group "hobbit"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
187 3) Deny access to a file to anyone but user "gollum"
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
188
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
189 ::
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
190
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
191 [acl.allow.branches]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
192 # Empty
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
193
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
194 [acl.deny.branches]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
195
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
196 # 1) only 'gollum' can commit to branch 'ring';
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
197 # 'gollum' and anyone else can still commit to any other branch.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
198 ring = !gollum
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
199
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
200 # 2) only members of the group 'hobbit' can commit to branch 'lake';
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
201 # 'hobbit' members and anyone else can still commit to any other branch.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
202 lake = !@hobbit
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
203
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
204 # You can also deny access based on file paths:
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
205
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
206 [acl.allow]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
207 # Empty
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
208
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
209 [acl.deny]
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
210 # 3) only 'gollum' can change the file below;
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
211 # 'gollum' and anyone else can still change any other file.
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
212 /misty/mountains/cave/ring = !gollum
d7b608149f6c acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16956
diff changeset
213
8873
e872ef2e6758 help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents: 8846
diff changeset
214 '''
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
215
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
216 from __future__ import absolute_import
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
217
3891
6b4127c7d52a Simplify i18n imports
Matt Mackall <mpm@selenic.com>
parents: 3877
diff changeset
218 from mercurial.i18n import _
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
219 from mercurial import (
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
220 error,
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
221 extensions,
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
222 match,
38783
e7aa113b14f7 global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 38531
diff changeset
223 pycompat,
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
224 registrar,
28089
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
225 util,
a1163ee26e4a acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents: 26587
diff changeset
226 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
227 from mercurial.utils import procutil
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
228
28883
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
229 urlreq = util.urlreq
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
230
29841
d5883fd055c6 extensions: change magic "shipped with hg" string
Augie Fackler <augie@google.com>
parents: 28883
diff changeset
231 # Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for
25186
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
232 # extensions which SHIP WITH MERCURIAL. Non-mainline extensions should
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
233 # be specifying the version(s) of Mercurial they are tested with, or
80c5b2666a96 extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents: 19872
diff changeset
234 # leave the attribute unspecified.
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
235 testedwith = b'ships-with-hg-core'
16743
38caf405d010 hgext: mark all first-party extensions as such
Augie Fackler <raf@durin42.com>
parents: 16499
diff changeset
236
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
237 configtable = {}
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
238 configitem = registrar.configitem(configtable)
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
239
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
240 # deprecated config: acl.config
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
241 configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
242 b'acl',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
243 b'config',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
244 default=None,
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
245 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
246 configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
247 b'acl.groups',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
248 b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
249 default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
250 generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
251 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
252 configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
253 b'acl.deny.branches',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
254 b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
255 default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
256 generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
257 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
258 configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
259 b'acl.allow.branches',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
260 b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
261 default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
262 generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
263 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
264 configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
265 b'acl.deny',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
266 b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
267 default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
268 generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
269 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
270 configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
271 b'acl.allow',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
272 b'.*',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
273 default=None,
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
274 generic=True,
34779
cfb054a7ecc4 configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents: 33216
diff changeset
275 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
276 configitem(
45942
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
277 b'acl',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
278 b'sources',
89a2afe31e82 formating: upgrade to black 20.8b1
Augie Fackler <raf@durin42.com>
parents: 43506
diff changeset
279 default=lambda: [b'serve'],
33186
478cb17cc610 configitems: register the 'acl.sources' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 33185
diff changeset
280 )
33185
8b109c61bc11 configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 29841
diff changeset
281
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
282
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
283 def _getusers(ui, group):
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
284
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
285 # First, try to use group definition from section [acl.groups]
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
286 hgrcusers = ui.configlist(b'acl.groups', group)
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
287 if hgrcusers:
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
288 return hgrcusers
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
289
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
290 ui.debug(b'acl: "%s" not defined in [acl.groups]\n' % group)
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
291 # If no users found in group definition, get users from OS-level group
11140
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
292 try:
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
293 return util.groupmembers(group)
1f26cf0a3663 acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents: 11138
diff changeset
294 except KeyError:
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
295 raise error.Abort(_(b"group '%s' is undefined") % group)
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
296
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
297
11114
62714143742f acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11095
diff changeset
298 def _usermatch(ui, user, usersorgroups):
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
299
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
300 if usersorgroups == b'*':
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
301 return True
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
302
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
303 for ug in usersorgroups.replace(b',', b' ').split():
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
304
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
305 if ug.startswith(b'!'):
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
306 # Test for excluded user or group. Format:
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
307 # if ug is a user name: !username
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
308 # if ug is a group name: !@groupname
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
309 ug = ug[1:]
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
310 if (
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
311 not ug.startswith(b'@')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
312 and user != ug
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
313 or ug.startswith(b'@')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
314 and user not in _getusers(ui, ug[1:])
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
315 ):
16956
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
316 return True
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
317
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
318 # Test for user or group. Format:
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
319 # if ug is a user name: username
c49cf339b5bb acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents: 16767
diff changeset
320 # if ug is a group name: @groupname
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
321 elif (
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
322 user == ug or ug.startswith(b'@') and user in _getusers(ui, ug[1:])
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
323 ):
11041
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
324 return True
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
325
623fe42a649e acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 10955
diff changeset
326 return False
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
327
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
328
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
329 def buildmatch(ui, repo, user, key):
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
330 '''return tuple of (match function, list enabled).'''
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
331 if not ui.has_section(key):
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
332 ui.debug(b'acl: %s not enabled\n' % key)
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
333 return None
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
334
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
335 pats = [
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
336 pat for pat, users in ui.configitems(key) if _usermatch(ui, user, users)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
337 ]
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
338 ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
339 b'acl: %s enabled, %d entries for user %s\n' % (key, len(pats), user)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
340 )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
341
16765
754e98e0a615 acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents: 16764
diff changeset
342 # Branch-based ACL
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
343 if not repo:
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
344 if pats:
16766
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
345 # If there's an asterisk (meaning "any branch"), always return True;
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
346 # Otherwise, test if b is in pats
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
347 if b'*' in pats:
16766
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
348 return util.always
9d778f80ad2a acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents: 16765
diff changeset
349 return lambda b: b in pats
16764
ffb68b9dbaa9 acl: 'util.never' used
Elifarley Callado Coelho Cruz
parents: 16763
diff changeset
350 return util.never
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
351
16765
754e98e0a615 acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents: 16764
diff changeset
352 # Path-based ACL
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
353 if pats:
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
354 return match.match(repo.root, b'', pats)
16767
363bde4224c8 acl: 'util.never' can be used instead of a more complex expression
Elifarley Callado Coelho Cruz
parents: 16766
diff changeset
355 return util.never
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
356
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
357
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
358 def ensureenabled(ui):
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
359 """make sure the extension is enabled when used as hook
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
360
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
361 When acl is used through hooks, the extension is never formally loaded and
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
362 enabled. This has some side effect, for example the config declaration is
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
363 never loaded. This function ensure the extension is enabled when running
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
364 hooks.
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
365 """
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
366 if b'acl' in ui._knownconfig:
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
367 return
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
368 ui.setconfig(b'extensions', b'acl', b'', source=b'internal')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
369 extensions.loadall(ui, [b'acl'])
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
370
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
371
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
372 def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
34829
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
373
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
374 ensureenabled(ui)
120c5c155ba4 acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents: 34779
diff changeset
375
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
376 if hooktype not in [b'pretxnchangegroup', b'pretxncommit', b'prepushkey']:
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
377 raise error.Abort(
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
378 _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
379 b'config error - hook type "%s" cannot stop '
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
380 b'incoming changesets, commits, nor bookmarks'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
381 )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
382 % hooktype
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
383 )
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
384 if hooktype == b'pretxnchangegroup' and source not in ui.configlist(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
385 b'acl', b'sources'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
386 ):
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
387 ui.debug(b'acl: changes have source "%s" - skipping\n' % source)
2344
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
388 return
ae12e5a2c4a3 add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
389
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
390 user = None
43506
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
391 if source == b'serve' and 'url' in kwargs:
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
392 url = kwargs['url'].split(b':')
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
393 if url[0] == b'remote' and url[1].startswith(b'http'):
28883
032c4c2f802a pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents: 28089
diff changeset
394 user = urlreq.unquote(url[3])
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
395
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
396 if user is None:
37120
a8a902d7176e procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents: 36412
diff changeset
397 user = procutil.getuser()
8846
b30775386d40 acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents: 8682
diff changeset
398
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
399 ui.debug(b'acl: checking access for user "%s"\n' % user)
15207
0f7f9f06c759 acl: more descriptive error messages
Elifarley Callado Coelho Cruz
parents: 12778
diff changeset
400
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
401 if hooktype == b'prepushkey':
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
402 _pkhook(ui, repo, hooktype, node, source, user, **kwargs)
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
403 else:
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
404 _txnhook(ui, repo, hooktype, node, source, user, **kwargs)
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
405
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
406
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
407 def _pkhook(ui, repo, hooktype, node, source, user, **kwargs):
43506
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
408 if kwargs['namespace'] == b'bookmarks':
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
409 bookmark = kwargs['key']
9f70512ae2cf cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents: 43117
diff changeset
410 ctx = kwargs['new']
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
411 allowbookmarks = buildmatch(ui, None, user, b'acl.allow.bookmarks')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
412 denybookmarks = buildmatch(ui, None, user, b'acl.deny.bookmarks')
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
413
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
414 if denybookmarks and denybookmarks(bookmark):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
415 raise error.Abort(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
416 _(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
417 b'acl: user "%s" denied on bookmark "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
418 b' (changeset "%s")'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
419 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
420 % (user, bookmark, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
421 )
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
422 if allowbookmarks and not allowbookmarks(bookmark):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
423 raise error.Abort(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
424 _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
425 b'acl: user "%s" not allowed on bookmark "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
426 b' (changeset "%s")'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
427 )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
428 % (user, bookmark, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
429 )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
430 ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
431 b'acl: bookmark access granted: "%s" on bookmark "%s"\n'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
432 % (ctx, bookmark)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
433 )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
434
38531
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
435
6beb8347b709 acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents: 37120
diff changeset
436 def _txnhook(ui, repo, hooktype, node, source, user, **kwargs):
25792
dd166d42e7b2 acl: mark deprecated config option
Matt Mackall <mpm@selenic.com>
parents: 25186
diff changeset
437 # deprecated config: acl.config
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
438 cfg = ui.config(b'acl', b'config')
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
439 if cfg:
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
440 ui.readconfig(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
441 cfg,
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
442 sections=[
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
443 b'acl.groups',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
444 b'acl.allow.branches',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
445 b'acl.deny.branches',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
446 b'acl.allow',
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
447 b'acl.deny',
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
448 ],
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
449 )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
450
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
451 allowbranches = buildmatch(ui, None, user, b'acl.allow.branches')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
452 denybranches = buildmatch(ui, None, user, b'acl.deny.branches')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
453 allow = buildmatch(ui, repo, user, b'acl.allow')
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
454 deny = buildmatch(ui, repo, user, b'acl.deny')
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
455
38783
e7aa113b14f7 global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 38531
diff changeset
456 for rev in pycompat.xrange(repo[node].rev(), len(repo)):
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
457 ctx = repo[rev]
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
458 branch = ctx.branch()
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
459 if denybranches and denybranches(branch):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
460 raise error.Abort(
43117
8ff1ecfadcd1 cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents: 43077
diff changeset
461 _(b'acl: user "%s" denied on branch "%s" (changeset "%s")')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
462 % (user, branch, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
463 )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
464 if allowbranches and not allowbranches(branch):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
465 raise error.Abort(
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
466 _(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
467 b'acl: user "%s" not allowed on branch "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
468 b' (changeset "%s")'
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
469 )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
470 % (user, branch, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
471 )
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
472 ui.debug(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
473 b'acl: branch access granted: "%s" on branch "%s"\n' % (ctx, branch)
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
474 )
11092
2dd91779eb27 acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents: 11058
diff changeset
475
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
476 for f in ctx.files():
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
477 if deny and deny(f):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
478 raise error.Abort(
43117
8ff1ecfadcd1 cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents: 43077
diff changeset
479 _(b'acl: user "%s" denied on "%s" (changeset "%s")')
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
480 % (user, f, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
481 )
6766
e81d2bd66908 acl: refactoring
Matt Mackall <mpm@selenic.com>
parents: 6750
diff changeset
482 if allow and not allow(f):
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
483 raise error.Abort(
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
484 _(
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
485 b'acl: user "%s" not allowed on "%s"'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
486 b' (changeset "%s")'
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
487 )
43076
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
488 % (user, f, ctx)
2372284d9457 formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents: 41759
diff changeset
489 )
43077
687b865b95ad formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents: 43076
diff changeset
490 ui.debug(b'acl: path access granted: "%s"\n' % ctx)