author | Martin von Zweigbergk <martinvonz@google.com> |
Thu, 12 Nov 2020 17:06:45 -0800 | |
changeset 45855 | c10683da6889 |
parent 43506 | 9f70512ae2cf |
child 45942 | 89a2afe31e82 |
permissions | -rw-r--r-- |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
1 |
# acl.py - changeset access control for mercurial |
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
# |
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
3 |
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> |
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
4 |
# |
8225
46293a0c7e9f
updated license to be explicit about GPL version 2
Martin Geisler <mg@lazybytes.net>
parents:
8142
diff
changeset
|
5 |
# This software may be used and distributed according to the terms of the |
10263 | 6 |
# GNU General Public License version 2 or any later version. |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
7 |
|
8935
f4f0e902b750
extensions: change descriptions for hook-providing extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8894
diff
changeset
|
8 |
'''hooks for controlling repository access |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
9 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
10 |
This hook makes it possible to allow or deny write access to given |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
11 |
branches and paths of a repository when receiving incoming changesets |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
12 |
via pretxnchangegroup and pretxncommit. |
9250
00986b9ed649
acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents:
9201
diff
changeset
|
13 |
|
00986b9ed649
acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents:
9201
diff
changeset
|
14 |
The authorization is matched based on the local user name on the |
00986b9ed649
acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents:
9201
diff
changeset
|
15 |
system where the hook runs, and not the committer of the original |
00986b9ed649
acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents:
9201
diff
changeset
|
16 |
changeset (since the latter is merely informative). |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
17 |
|
9250
00986b9ed649
acl: wrap docstrings at 70 characters
Martin Geisler <mg@lazybytes.net>
parents:
9201
diff
changeset
|
18 |
The acl hook is best used along with a restricted shell like hgsh, |
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
19 |
preventing authenticating users from doing anything other than pushing |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
20 |
or pulling. The hook is not safe to use if users have interactive |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
21 |
shell access, as they can then disable the hook. Nor is it safe if |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
22 |
remote users share an account, because then there is no way to |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
23 |
distinguish them. |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
24 |
|
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
25 |
The order in which access checks are performed is: |
11094 | 26 |
|
27 |
1) Deny list for branches (section ``acl.deny.branches``) |
|
28 |
2) Allow list for branches (section ``acl.allow.branches``) |
|
29 |
3) Deny list for paths (section ``acl.deny``) |
|
30 |
4) Allow list for paths (section ``acl.allow``) |
|
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
31 |
|
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
32 |
The allow and deny sections take key-value pairs. |
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
33 |
|
11094 | 34 |
Branch-based Access Control |
17267
979b107eaea2
doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
16957
diff
changeset
|
35 |
--------------------------- |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
36 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
37 |
Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
38 |
have branch-based access control. Keys in these sections can be |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
39 |
either: |
11057
7f0796a0b35c
acl: fix ReST syntax in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11042
diff
changeset
|
40 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
41 |
- a branch name, or |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
42 |
- an asterisk, to match any branch; |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
43 |
|
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
44 |
The corresponding values can be either: |
11094 | 45 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
46 |
- a comma-separated list containing users and groups, or |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
47 |
- an asterisk, to match anyone; |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
48 |
|
16957
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
49 |
You can add the "!" prefix to a user or group name to invert the sense |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
50 |
of the match. |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
51 |
|
11094 | 52 |
Path-based Access Control |
17267
979b107eaea2
doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
16957
diff
changeset
|
53 |
------------------------- |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
54 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
55 |
Use the ``acl.deny`` and ``acl.allow`` sections to have path-based |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
56 |
access control. Keys in these sections accept a subtree pattern (with |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
57 |
a glob syntax by default). The corresponding values follow the same |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
58 |
syntax as the other sections above. |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
59 |
|
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
60 |
Bookmark-based Access Control |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
61 |
----------------------------- |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
62 |
Use the ``acl.deny.bookmarks`` and ``acl.allow.bookmarks`` sections to |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
63 |
have bookmark-based access control. Keys in these sections can be |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
64 |
either: |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
65 |
|
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
66 |
- a bookmark name, or |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
67 |
- an asterisk, to match any bookmark; |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
68 |
|
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
69 |
The corresponding values can be either: |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
70 |
|
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
71 |
- a comma-separated list containing users and groups, or |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
72 |
- an asterisk, to match anyone; |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
73 |
|
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
74 |
You can add the "!" prefix to a user or group name to invert the sense |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
75 |
of the match. |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
76 |
|
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
77 |
Note: for interactions between clients and servers using Mercurial 3.6+ |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
78 |
a rejection will generally reject the entire push, for interactions |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
79 |
involving older clients, the commit transactions will already be accepted, |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
80 |
and only the bookmark movement will be rejected. |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
81 |
|
11094 | 82 |
Groups |
17267
979b107eaea2
doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
16957
diff
changeset
|
83 |
------ |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
84 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
85 |
Group names must be prefixed with an ``@`` symbol. Specifying a group |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
86 |
name has the same effect as specifying all the users in that group. |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
87 |
|
11115
b3d5619f1f2b
acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11114
diff
changeset
|
88 |
You can define group members in the ``acl.groups`` section. |
b3d5619f1f2b
acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11114
diff
changeset
|
89 |
If a group name is not defined there, and Mercurial is running under |
b3d5619f1f2b
acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11114
diff
changeset
|
90 |
a Unix-like system, the list of users will be taken from the OS. |
b3d5619f1f2b
acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11114
diff
changeset
|
91 |
Otherwise, an exception will be raised. |
b3d5619f1f2b
acl: update docstring to describe section [acl.groups]
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11114
diff
changeset
|
92 |
|
11094 | 93 |
Example Configuration |
17267
979b107eaea2
doc: unify section level between help topics
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
16957
diff
changeset
|
94 |
--------------------- |
11094 | 95 |
|
96 |
:: |
|
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
97 |
|
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
98 |
[hooks] |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
99 |
|
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
100 |
# Use this if you want to check access restrictions at commit time |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
101 |
pretxncommit.acl = python:hgext.acl.hook |
11423
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
102 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
103 |
# Use this if you want to check access restrictions for pull, push, |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
104 |
# bundle and serve. |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
105 |
pretxnchangegroup.acl = python:hgext.acl.hook |
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
106 |
|
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
107 |
[acl] |
11131
0b6fd18ab8af
acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents:
11115
diff
changeset
|
108 |
# Allow or deny access for incoming changes only if their source is |
0b6fd18ab8af
acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents:
11115
diff
changeset
|
109 |
# listed here, let them pass otherwise. Source is "serve" for all |
0b6fd18ab8af
acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents:
11115
diff
changeset
|
110 |
# remote access (http or ssh), "push", "pull" or "bundle" when the |
0b6fd18ab8af
acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents:
11115
diff
changeset
|
111 |
# related commands are run locally. |
0b6fd18ab8af
acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents:
11115
diff
changeset
|
112 |
# Default: serve |
8893 | 113 |
sources = serve |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
114 |
|
11423
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
115 |
[acl.deny.branches] |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
116 |
|
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
117 |
# Everyone is denied to the frozen branch: |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
118 |
frozen-branch = * |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
119 |
|
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
120 |
# A bad user is denied on all branches: |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
121 |
* = bad-user |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
122 |
|
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
123 |
[acl.allow.branches] |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
124 |
|
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
125 |
# A few users are allowed on branch-a: |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
126 |
branch-a = user-1, user-2, user-3 |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
127 |
|
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
128 |
# Only one user is allowed on branch-b: |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
129 |
branch-b = user-1 |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
130 |
|
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
131 |
# The super user is allowed on any branch: |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
132 |
* = super-user |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
133 |
|
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
134 |
# Everyone is allowed on branch-for-tests: |
776f9784b34b
acl: delete trailing whitespace in docstring
Martin Geisler <mg@lazybytes.net>
parents:
11140
diff
changeset
|
135 |
branch-for-tests = * |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
136 |
|
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
137 |
[acl.deny] |
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
138 |
# This list is checked first. If a match is found, acl.allow is not |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
139 |
# checked. All users are granted access if acl.deny is not present. |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
140 |
# Format for both lists: glob pattern = user, ..., @group, ... |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
141 |
|
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
142 |
# To match everyone, use an asterisk for the user: |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
143 |
# my/glob/pattern = * |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
144 |
|
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
145 |
# user6 will not have write access to any file: |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
146 |
** = user6 |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
147 |
|
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
148 |
# Group "hg-denied" will not have write access to any file: |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
149 |
** = @hg-denied |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
150 |
|
17537 | 151 |
# Nobody will be able to change "DONT-TOUCH-THIS.txt", despite |
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
152 |
# everyone being able to change all other files. See below. |
17537 | 153 |
src/main/resources/DONT-TOUCH-THIS.txt = * |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
154 |
|
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
155 |
[acl.allow] |
11131
0b6fd18ab8af
acl: clarify acl.sources, fix typo
Patrick Mezard <pmezard@gmail.com>
parents:
11115
diff
changeset
|
156 |
# if acl.allow is not present, all users are allowed by default |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
157 |
# empty acl.allow = no users allowed |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
158 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
159 |
# User "doc_writer" has write access to any file under the "docs" |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
160 |
# folder: |
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
161 |
docs/** = doc_writer |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
162 |
|
11095
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
163 |
# User "jack" and group "designers" have write access to any file |
d56124931909
acl: more consistent docstring
Martin Geisler <mg@aragost.com>
parents:
11094
diff
changeset
|
164 |
# under the "images" folder: |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
165 |
images/** = jack, @designers |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
166 |
|
16499
0b463f52b948
doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
15207
diff
changeset
|
167 |
# Everyone (except for "user6" and "@hg-denied" - see acl.deny above) |
0b463f52b948
doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
15207
diff
changeset
|
168 |
# will have write access to any file under the "resources" folder |
0b463f52b948
doc: fix explanation comment in acl extension
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
15207
diff
changeset
|
169 |
# (except for 1 file. See acl.deny): |
11042
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
170 |
src/main/resources/** = * |
d82f3651cd13
acl: updated doc string to reflect recent changes
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11041
diff
changeset
|
171 |
|
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
172 |
.hgtags = release_engineer |
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
173 |
|
16957
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
174 |
Examples using the "!" prefix |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
175 |
............................. |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
176 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
177 |
Suppose there's a branch that only a given user (or group) should be able to |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
178 |
push to, and you don't want to restrict access to any other branch that may |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
179 |
be created. |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
180 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
181 |
The "!" prefix allows you to prevent anyone except a given user or group to |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
182 |
push changesets in a given branch or path. |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
183 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
184 |
In the examples below, we will: |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
185 |
1) Deny access to branch "ring" to anyone but user "gollum" |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
186 |
2) Deny access to branch "lake" to anyone but members of the group "hobbit" |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
187 |
3) Deny access to a file to anyone but user "gollum" |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
188 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
189 |
:: |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
190 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
191 |
[acl.allow.branches] |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
192 |
# Empty |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
193 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
194 |
[acl.deny.branches] |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
195 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
196 |
# 1) only 'gollum' can commit to branch 'ring'; |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
197 |
# 'gollum' and anyone else can still commit to any other branch. |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
198 |
ring = !gollum |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
199 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
200 |
# 2) only members of the group 'hobbit' can commit to branch 'lake'; |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
201 |
# 'hobbit' members and anyone else can still commit to any other branch. |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
202 |
lake = !@hobbit |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
203 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
204 |
# You can also deny access based on file paths: |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
205 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
206 |
[acl.allow] |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
207 |
# Empty |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
208 |
|
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
209 |
[acl.deny] |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
210 |
# 3) only 'gollum' can change the file below; |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
211 |
# 'gollum' and anyone else can still change any other file. |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
212 |
/misty/mountains/cave/ring = !gollum |
d7b608149f6c
acl: user docs for the "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16956
diff
changeset
|
213 |
|
8873
e872ef2e6758
help: add/fix docstrings for a bunch of extensions
Dirkjan Ochtman <dirkjan@ochtman.nl>
parents:
8846
diff
changeset
|
214 |
''' |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
215 |
|
28089
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
216 |
from __future__ import absolute_import |
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
217 |
|
3891 | 218 |
from mercurial.i18n import _ |
28089
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
219 |
from mercurial import ( |
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
220 |
error, |
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
221 |
extensions, |
28089
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
222 |
match, |
38783
e7aa113b14f7
global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38531
diff
changeset
|
223 |
pycompat, |
33185
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
224 |
registrar, |
28089
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
225 |
util, |
a1163ee26e4a
acl: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
226 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
227 |
from mercurial.utils import procutil |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
228 |
|
28883
032c4c2f802a
pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents:
28089
diff
changeset
|
229 |
urlreq = util.urlreq |
032c4c2f802a
pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents:
28089
diff
changeset
|
230 |
|
29841
d5883fd055c6
extensions: change magic "shipped with hg" string
Augie Fackler <augie@google.com>
parents:
28883
diff
changeset
|
231 |
# Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for |
25186
80c5b2666a96
extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents:
19872
diff
changeset
|
232 |
# extensions which SHIP WITH MERCURIAL. Non-mainline extensions should |
80c5b2666a96
extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents:
19872
diff
changeset
|
233 |
# be specifying the version(s) of Mercurial they are tested with, or |
80c5b2666a96
extensions: document that `testedwith = 'internal'` is special
Augie Fackler <augie@google.com>
parents:
19872
diff
changeset
|
234 |
# leave the attribute unspecified. |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
235 |
testedwith = b'ships-with-hg-core' |
16743
38caf405d010
hgext: mark all first-party extensions as such
Augie Fackler <raf@durin42.com>
parents:
16499
diff
changeset
|
236 |
|
33185
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
237 |
configtable = {} |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
238 |
configitem = registrar.configitem(configtable) |
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
239 |
|
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
240 |
# deprecated config: acl.config |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
241 |
configitem( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
242 |
b'acl', b'config', default=None, |
33185
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
243 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
244 |
configitem( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
245 |
b'acl.groups', b'.*', default=None, generic=True, |
34779
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
246 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
247 |
configitem( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
248 |
b'acl.deny.branches', b'.*', default=None, generic=True, |
34779
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
249 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
250 |
configitem( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
251 |
b'acl.allow.branches', b'.*', default=None, generic=True, |
34779
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
252 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
253 |
configitem( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
254 |
b'acl.deny', b'.*', default=None, generic=True, |
34779
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
255 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
256 |
configitem( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
257 |
b'acl.allow', b'.*', default=None, generic=True, |
34779
cfb054a7ecc4
configitems: register acl config section
Boris Feld <boris.feld@octobus.net>
parents:
33216
diff
changeset
|
258 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
259 |
configitem( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
260 |
b'acl', b'sources', default=lambda: [b'serve'], |
33186
478cb17cc610
configitems: register the 'acl.sources' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
33185
diff
changeset
|
261 |
) |
33185
8b109c61bc11
configitems: register the 'acl.config' config
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
29841
diff
changeset
|
262 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
263 |
|
11114
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
264 |
def _getusers(ui, group): |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
265 |
|
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
266 |
# First, try to use group definition from section [acl.groups] |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
267 |
hgrcusers = ui.configlist(b'acl.groups', group) |
11114
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
268 |
if hgrcusers: |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
269 |
return hgrcusers |
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
270 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
271 |
ui.debug(b'acl: "%s" not defined in [acl.groups]\n' % group) |
11114
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
272 |
# If no users found in group definition, get users from OS-level group |
11140
1f26cf0a3663
acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents:
11138
diff
changeset
|
273 |
try: |
1f26cf0a3663
acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents:
11138
diff
changeset
|
274 |
return util.groupmembers(group) |
1f26cf0a3663
acl: improve undefined group error handling
Patrick Mezard <pmezard@gmail.com>
parents:
11138
diff
changeset
|
275 |
except KeyError: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
276 |
raise error.Abort(_(b"group '%s' is undefined") % group) |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
277 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
278 |
|
11114
62714143742f
acl: support for group definitions in section [acl.groups], which take precedence over OS-level groups
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11095
diff
changeset
|
279 |
def _usermatch(ui, user, usersorgroups): |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
280 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
281 |
if usersorgroups == b'*': |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
282 |
return True |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
283 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
284 |
for ug in usersorgroups.replace(b',', b' ').split(): |
16956
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
285 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
286 |
if ug.startswith(b'!'): |
16956
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
287 |
# Test for excluded user or group. Format: |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
288 |
# if ug is a user name: !username |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
289 |
# if ug is a group name: !@groupname |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
290 |
ug = ug[1:] |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
291 |
if ( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
292 |
not ug.startswith(b'@') |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
293 |
and user != ug |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
294 |
or ug.startswith(b'@') |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
295 |
and user not in _getusers(ui, ug[1:]) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
296 |
): |
16956
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
297 |
return True |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
298 |
|
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
299 |
# Test for user or group. Format: |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
300 |
# if ug is a user name: username |
c49cf339b5bb
acl: use of "!" prefix in user or group names
Elifarley Callado Coelho Cruz
parents:
16767
diff
changeset
|
301 |
# if ug is a group name: @groupname |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
302 |
elif ( |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
303 |
user == ug or ug.startswith(b'@') and user in _getusers(ui, ug[1:]) |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
304 |
): |
11041
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
305 |
return True |
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
306 |
|
623fe42a649e
acl: add support for OS-level groups using @group syntax
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
10955
diff
changeset
|
307 |
return False |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
308 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
309 |
|
6766 | 310 |
def buildmatch(ui, repo, user, key): |
311 |
'''return tuple of (match function, list enabled).''' |
|
312 |
if not ui.has_section(key): |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
313 |
ui.debug(b'acl: %s not enabled\n' % key) |
6766 | 314 |
return None |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
315 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
316 |
pats = [ |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
317 |
pat for pat, users in ui.configitems(key) if _usermatch(ui, user, users) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
318 |
] |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
319 |
ui.debug( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
320 |
b'acl: %s enabled, %d entries for user %s\n' % (key, len(pats), user) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
321 |
) |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
322 |
|
16765
754e98e0a615
acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents:
16764
diff
changeset
|
323 |
# Branch-based ACL |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
324 |
if not repo: |
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
325 |
if pats: |
16766
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
326 |
# If there's an asterisk (meaning "any branch"), always return True; |
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
327 |
# Otherwise, test if b is in pats |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
328 |
if b'*' in pats: |
16766
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
329 |
return util.always |
9d778f80ad2a
acl: perform some computations earlier, so that returned lambda functions are simpler
Elifarley Callado Coelho Cruz
parents:
16765
diff
changeset
|
330 |
return lambda b: b in pats |
16764 | 331 |
return util.never |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
332 |
|
16765
754e98e0a615
acl: added some comments to easily identify branch- and path-based verifications
Elifarley Callado Coelho Cruz
parents:
16764
diff
changeset
|
333 |
# Path-based ACL |
6766 | 334 |
if pats: |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
335 |
return match.match(repo.root, b'', pats) |
16767
363bde4224c8
acl: 'util.never' can be used instead of a more complex expression
Elifarley Callado Coelho Cruz
parents:
16766
diff
changeset
|
336 |
return util.never |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
337 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
338 |
|
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
339 |
def ensureenabled(ui): |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
340 |
"""make sure the extension is enabled when used as hook |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
341 |
|
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
342 |
When acl is used through hooks, the extension is never formally loaded and |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
343 |
enabled. This has some side effect, for example the config declaration is |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
344 |
never loaded. This function ensure the extension is enabled when running |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
345 |
hooks. |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
346 |
""" |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
347 |
if b'acl' in ui._knownconfig: |
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
348 |
return |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
349 |
ui.setconfig(b'extensions', b'acl', b'', source=b'internal') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
350 |
extensions.loadall(ui, [b'acl']) |
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
351 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
352 |
|
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
353 |
def hook(ui, repo, hooktype, node=None, source=None, **kwargs): |
34829
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
354 |
|
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
355 |
ensureenabled(ui) |
120c5c155ba4
acl: make sure the extensions is enabled when the acl-hooks run
Boris Feld <boris.feld@octobus.net>
parents:
34779
diff
changeset
|
356 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
357 |
if hooktype not in [b'pretxnchangegroup', b'pretxncommit', b'prepushkey']: |
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
358 |
raise error.Abort( |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
359 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
360 |
b'config error - hook type "%s" cannot stop ' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
361 |
b'incoming changesets, commits, nor bookmarks' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
362 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
363 |
% hooktype |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
364 |
) |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
365 |
if hooktype == b'pretxnchangegroup' and source not in ui.configlist( |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
366 |
b'acl', b'sources' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
367 |
): |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
368 |
ui.debug(b'acl: changes have source "%s" - skipping\n' % source) |
2344
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
369 |
return |
ae12e5a2c4a3
add acl extension, to limit who can push to subdirs of central repo.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
370 |
|
8846
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
371 |
user = None |
43506
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
372 |
if source == b'serve' and 'url' in kwargs: |
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
373 |
url = kwargs['url'].split(b':') |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
374 |
if url[0] == b'remote' and url[1].startswith(b'http'): |
28883
032c4c2f802a
pycompat: switch to util.urlreq/util.urlerr for py3 compat
timeless <timeless@mozdev.org>
parents:
28089
diff
changeset
|
375 |
user = urlreq.unquote(url[3]) |
8846
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
376 |
|
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
377 |
if user is None: |
37120
a8a902d7176e
procutil: bulk-replace function calls to point to new module
Yuya Nishihara <yuya@tcha.org>
parents:
36412
diff
changeset
|
378 |
user = procutil.getuser() |
8846
b30775386d40
acl: support for getting authenticated user from web server (issue298)
Henrik Stuart <hg@hstuart.dk>
parents:
8682
diff
changeset
|
379 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
380 |
ui.debug(b'acl: checking access for user "%s"\n' % user) |
15207
0f7f9f06c759
acl: more descriptive error messages
Elifarley Callado Coelho Cruz
parents:
12778
diff
changeset
|
381 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
382 |
if hooktype == b'prepushkey': |
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
383 |
_pkhook(ui, repo, hooktype, node, source, user, **kwargs) |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
384 |
else: |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
385 |
_txnhook(ui, repo, hooktype, node, source, user, **kwargs) |
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
386 |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
387 |
|
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
388 |
def _pkhook(ui, repo, hooktype, node, source, user, **kwargs): |
43506
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
389 |
if kwargs['namespace'] == b'bookmarks': |
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
390 |
bookmark = kwargs['key'] |
9f70512ae2cf
cleanup: remove pointless r-prefixes on single-quoted strings
Augie Fackler <augie@google.com>
parents:
43117
diff
changeset
|
391 |
ctx = kwargs['new'] |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
392 |
allowbookmarks = buildmatch(ui, None, user, b'acl.allow.bookmarks') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
393 |
denybookmarks = buildmatch(ui, None, user, b'acl.deny.bookmarks') |
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
394 |
|
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
395 |
if denybookmarks and denybookmarks(bookmark): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
396 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
397 |
_( |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
398 |
b'acl: user "%s" denied on bookmark "%s"' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
399 |
b' (changeset "%s")' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
400 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
401 |
% (user, bookmark, ctx) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
402 |
) |
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
403 |
if allowbookmarks and not allowbookmarks(bookmark): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
404 |
raise error.Abort( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
405 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
406 |
b'acl: user "%s" not allowed on bookmark "%s"' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
407 |
b' (changeset "%s")' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
408 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
409 |
% (user, bookmark, ctx) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
410 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
411 |
ui.debug( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
412 |
b'acl: bookmark access granted: "%s" on bookmark "%s"\n' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
413 |
% (ctx, bookmark) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
414 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
415 |
|
38531
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
416 |
|
6beb8347b709
acl: add bookmarks support
Sandu Turcan <idlsoft@gmail.com>
parents:
37120
diff
changeset
|
417 |
def _txnhook(ui, repo, hooktype, node, source, user, **kwargs): |
25792
dd166d42e7b2
acl: mark deprecated config option
Matt Mackall <mpm@selenic.com>
parents:
25186
diff
changeset
|
418 |
# deprecated config: acl.config |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
419 |
cfg = ui.config(b'acl', b'config') |
6766 | 420 |
if cfg: |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
421 |
ui.readconfig( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
422 |
cfg, |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
423 |
sections=[ |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
424 |
b'acl.groups', |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
425 |
b'acl.allow.branches', |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
426 |
b'acl.deny.branches', |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
427 |
b'acl.allow', |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
428 |
b'acl.deny', |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
429 |
], |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
430 |
) |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
431 |
|
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
432 |
allowbranches = buildmatch(ui, None, user, b'acl.allow.branches') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
433 |
denybranches = buildmatch(ui, None, user, b'acl.deny.branches') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
434 |
allow = buildmatch(ui, repo, user, b'acl.allow') |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
435 |
deny = buildmatch(ui, repo, user, b'acl.deny') |
6766 | 436 |
|
38783
e7aa113b14f7
global: use pycompat.xrange()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38531
diff
changeset
|
437 |
for rev in pycompat.xrange(repo[node].rev(), len(repo)): |
6766 | 438 |
ctx = repo[rev] |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
439 |
branch = ctx.branch() |
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
440 |
if denybranches and denybranches(branch): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
441 |
raise error.Abort( |
43117
8ff1ecfadcd1
cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents:
43077
diff
changeset
|
442 |
_(b'acl: user "%s" denied on branch "%s" (changeset "%s")') |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
443 |
% (user, branch, ctx) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
444 |
) |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
445 |
if allowbranches and not allowbranches(branch): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
446 |
raise error.Abort( |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
447 |
_( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
448 |
b'acl: user "%s" not allowed on branch "%s"' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
449 |
b' (changeset "%s")' |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
450 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
451 |
% (user, branch, ctx) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
452 |
) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
453 |
ui.debug( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
454 |
b'acl: branch access granted: "%s" on branch "%s"\n' % (ctx, branch) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
455 |
) |
11092
2dd91779eb27
acl: add support for branch-based access control
Elifarley Callado Coelho Cruz <elifarley@gmail.com>
parents:
11058
diff
changeset
|
456 |
|
6766 | 457 |
for f in ctx.files(): |
458 |
if deny and deny(f): |
|
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
459 |
raise error.Abort( |
43117
8ff1ecfadcd1
cleanup: join string literals that are already on one line
Martin von Zweigbergk <martinvonz@google.com>
parents:
43077
diff
changeset
|
460 |
_(b'acl: user "%s" denied on "%s" (changeset "%s")') |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
461 |
% (user, f, ctx) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
462 |
) |
6766 | 463 |
if allow and not allow(f): |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
464 |
raise error.Abort( |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
465 |
_( |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
466 |
b'acl: user "%s" not allowed on "%s"' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
467 |
b' (changeset "%s")' |
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
468 |
) |
43076
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
469 |
% (user, f, ctx) |
2372284d9457
formatting: blacken the codebase
Augie Fackler <augie@google.com>
parents:
41759
diff
changeset
|
470 |
) |
43077
687b865b95ad
formatting: byteify all mercurial/ and hgext/ string literals
Augie Fackler <augie@google.com>
parents:
43076
diff
changeset
|
471 |
ui.debug(b'acl: path access granted: "%s"\n' % ctx) |