Mercurial: comparison hgext/acl.py

equal deleted inserted replaced

-:c7adea82d495
+:d56124931909
 # This software may be used and distributed according to the terms of the
 # GNU General Public License version 2 or any later version.
 '''hooks for controlling repository access
-This hook makes it possible to allow or deny write access to given branches and
+This hook makes it possible to allow or deny write access to given
-paths of a repository when receiving incoming changesets via pretxnchangegroup
+branches and paths of a repository when receiving incoming changesets
-and pretxncommit.
+via pretxnchangegroup and pretxncommit.
 The authorization is matched based on the local user name on the
 system where the hook runs, and not the committer of the original
 changeset (since the latter is merely informative).
 The acl hook is best used along with a restricted shell like hgsh,
-preventing authenticating users from doing anything other than
+preventing authenticating users from doing anything other than pushing
-pushing or pulling. The hook is not safe to use if users have
+or pulling. The hook is not safe to use if users have interactive
-interactive shell access, as they can then disable the hook.
+shell access, as they can then disable the hook. Nor is it safe if
-Nor is it safe if remote users share an account, because then there
+remote users share an account, because then there is no way to
-is no way to distinguish them.
+distinguish them.
 The order in which access checks are performed is:
 1) Deny  list for branches (section ``acl.deny.branches``)
 2) Allow list for branches (section ``acl.allow.branches``)
 The allow and deny sections take key-value pairs.
 Branch-based Access Control
 ---------------------------
-Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to have
+Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to
-branch-based access control.
+have branch-based access control. Keys in these sections can be
+either:
-Keys in these sections can be either:
+- a branch name, or
-1) a branch name
+- an asterisk, to match any branch;
-2) an asterisk, to match any branch;
 The corresponding values can be either:
-1) a comma-separated list containing users and groups.
+- a comma-separated list containing users and groups, or
-2) an asterisk, to match anyone;
+- an asterisk, to match anyone;
 Path-based Access Control
 -------------------------
-Use the ``acl.deny`` and ``acl.allow`` sections to have path-based access control.
+Use the ``acl.deny`` and ``acl.allow`` sections to have path-based
-Keys in these sections accept a subtree pattern (with a glob syntax by default).
+access control. Keys in these sections accept a subtree pattern (with
-The corresponding values follow the same syntax as the other sections above.
+a glob syntax by default). The corresponding values follow the same
+syntax as the other sections above.
 Groups
 ------
-Group names must be prefixed with an ``@`` symbol.
+Group names must be prefixed with an ``@`` symbol. Specifying a group
-Specifying a group name has the same effect as specifying all the users in
+name has the same effect as specifying all the users in that group.
-that group.
-The set of users for a group is taken from "grp.getgrnam"
-(see http://docs.python.org/library/grp.html#grp.getgrnam).
 Example Configuration
 ---------------------
 ::
 [hooks]
 # Use this if you want to check access restrictions at commit time
 pretxncommit.acl = python:hgext.acl.hook
-# Use this if you want to check access restrictions for pull, push, bundle
+# Use this if you want to check access restrictions for pull, push,
-# and serve.
+# bundle and serve.
 pretxnchangegroup.acl = python:hgext.acl.hook
 [acl]
-# Check whether the source of incoming changes is in this list
+# Check whether the source of incoming changes is in this list where
-# ("serve" == ssh or http, "push", "pull", "bundle")
+# "serve" == ssh or http, and "push", "pull" and "bundle" are the
+# corresponding hg commands.
 sources = serve
 [acl.deny.branches]
 # Everyone is denied to the frozen branch:
 # Everyone is allowed on branch-for-tests:
 branch-for-tests = *
 [acl.deny]
-# If a match is found, "acl.allow" will not be checked.
+# This list is checked first. If a match is found, acl.allow is not
-# if acl.deny is not present, no users denied by default
+# checked. All users are granted access if acl.deny is not present.
-# empty acl.deny = all users allowed
+# Format for both lists: glob pattern = user, ..., @group, ...
-# Format for both lists: glob pattern = user4, user5, @group1
 # To match everyone, use an asterisk for the user:
 # my/glob/pattern = *
 # user6 will not have write access to any file:
 ** = user6
 # Group "hg-denied" will not have write access to any file:
 ** = @hg-denied
-# Nobody will be able to change "DONT-TOUCH-THIS.txt", despite everyone being
+# Nobody will be able to change "DONT-TOUCH-THIS.txt", despite
-# able to change all other files. See below.
+# everyone being able to change all other files. See below.
 src/main/resources/DONT-TOUCH-THIS.txt = *
 [acl.allow]
 # if acl.allow not present, all users allowed by default
 # empty acl.allow = no users allowed
-# User "doc_writer" has write access to any file under the "docs" folder:
+# User "doc_writer" has write access to any file under the "docs"
+# folder:
 docs/** = doc_writer
-# User "jack" and group "designers" have write access to any file under the
+# User "jack" and group "designers" have write access to any file
-# "images" folder:
+# under the "images" folder:
 images/** = jack, @designers
-# Everyone (except for "user6" - see "acl.deny" above) will have write access
+# Everyone (except for "user6" - see acl.deny above) will have write
-to any file under the "resources" folder (except for 1 file. See "acl.deny"):
+# access to any file under the "resources" folder (except for 1
+# file. See acl.deny):
 src/main/resources/** = *
 .hgtags = release_engineer
 '''

changeset 11095	d56124931909
parent 11094	c7adea82d495
child 11114	62714143742f