# HG changeset patch
# User Wagner Bruna
# Date 1366063024 10800
# Node ID 7d31f2e42a8afb54c8fae87e8e3e29a63578aea4
# Parent 341083b02d1be3fc707f27c360981bb00213dd07
hgweb: refactor checks for granting and revoking user permissions

Provides an entry point for extensions implementing more complex authorization schemes. Original patch proposed by Markus Zapke-GrĂ¼ndemann.

diff -r 341083b02d1b -r 7d31f2e42a8a mercurial/hgweb/common.py
--- a/mercurial/hgweb/common.py Wed Apr 17 14:38:02 2013 -0500
+++ b/mercurial/hgweb/common.py Mon Apr 15 18:57:04 2013 -0300
@@ -18,6 +18,15 @@
 HTTP_SERVER_ERROR = 500
+def ismember(ui, username, userlist):
+ """Check if username is a member of userlist.
+
+ If userlist has a single '*' member, all users are considered members.
+ Can be overriden by extensions to provide more complex authorization
+ schemes.
+ """
+ return userlist == ['*'] or username in userlist
+
 def checkauthz(hgweb, req, op):
 '''Check permission for operation based on request data (including
 authentication info). Return if op allowed, else raise an ErrorResponse
@@ -26,12 +35,11 @@
 user = req.env.get('REMOTE_USER')
 deny_read = hgweb.configlist('web', 'deny_read')
- if deny_read and (not user or deny_read == ['*'] or user in deny_read):
+ if deny_read and (not user or ismember(hgweb.repo.ui, user, deny_read)):
 raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized')
 allow_read = hgweb.configlist('web', 'allow_read')
- result = (not allow_read) or (allow_read == ['*'])
- if not (result or user in allow_read):
+ if allow_read and (not ismember(hgweb.repo.ui, user, allow_read)):
 raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized')
 if op == 'pull' and not hgweb.allowpull:
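Review bot: The docstring on `ismember` in the @@ -18 hunk misspells "overriden" (`overridden`) and leaves the `ui` parameter undocumented; the default body never reads it, so a reader cannot tell whether it is a placeholder or part of the hook's contract. Suggest adding a sentence such as `ui is unused by the default implementation; it is passed so that an overriding extension can consult configuration.` It would also help to state that `username` may be None, since checkauthz passes REMOTE_USER through unchanged on the allow_read path, and that the default then matches only when userlist is ['*'].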
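Review bot: The read and push checks use opposite defaults for an empty allow list, and the new one-line conditions make that easy to misread: here `if allow_read and (not ismember(...))` grants read when allow_read is empty, while the push hunk at @@ -51 writes `if not (allow and ismember(...))`, which denies push when allow_push is empty. A comment above each would make the fail-open versus fail-closed default explicit, e.g. `# an empty allow_read grants everyone read access` here and `# push must be granted explicitly: an empty allow_push denies everyone` in the push hunk. checkauthz's body continues outside this hunk.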
@@ -51,12 +59,11 @@
 raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required')
 deny = hgweb.configlist('web', 'deny_push')
- if deny and (not user or deny == ['*'] or user in deny):
+ if deny and (not user or ismember(hgweb.repo.ui, user, deny)):
 raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized')
 allow = hgweb.configlist('web', 'allow_push')
- result = allow and (allow == ['*'] or user in allow)
- if not result:
+ if not (allow and ismember(hgweb.repo.ui, user, allow)):
 raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized')
 # Hooks for hgweb permission checks; extensions can add hooks here.
diff -r 341083b02d1b -r 7d31f2e42a8a mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py Wed Apr 17 14:38:02 2013 -0500
+++ b/mercurial/hgweb/hgwebdir_mod.py Mon Apr 15 18:57:04 2013 -0300
@@ -10,7 +10,7 @@
 from mercurial.i18n import _
 from mercurial import ui, hg, scmutil, util, templater
 from mercurial import error, encoding
-from common import ErrorResponse, get_mtime, staticfile, paritygen, \
+from common import ErrorResponse, get_mtime, staticfile, paritygen, ismember, \
 get_contact, HTTP_OK, HTTP_NOT_FOUND, HTTP_SERVER_ERROR
 from hgweb_mod import hgweb, makebreadcrumb
 from request import wsgirequest
@@ -164,12 +164,12 @@
 user = req.env.get('REMOTE_USER')
 deny_read = ui.configlist('web', 'deny_read', untrusted=True)
- if deny_read and (not user or deny_read == ['*'] or user in deny_read):
+ if deny_read and (not user or ismember(ui, user, deny_read)):
 return False
 allow_read = ui.configlist('web', 'allow_read', untrusted=True)
 # by default, allow reading if no allow_read option has been set
- if (not allow_read) or (allow_read == ['*']) or (user in allow_read):
+ if (not allow_read) or ismember(ui, user, allow_read):
 return True
 return False
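Review bot: Binding the hook with `from common import ..., ismember` in the @@ -10 hunk means hgwebdir's read filter in the @@ -164 hunk calls the function object captured at import time, whereas checkauthz in common.py resolves the module global on every call; an extension that replaces the attribute on the common module (the usual wrapfunction approach, which the ismember docstring invites) would then be honoured for repository access but not for the repository listing, so the two authorization decisions could disagree. To keep both paths under the same override, leave the existing import line unchanged, add `import common` next to it, and call `common.ismember(ui, user, deny_read)` and `common.ismember(ui, user, allow_read)` in the @@ -164 hunk. This assumes extensions override by setting the attribute on the module; if a different mechanism is intended, documenting it in the ismember docstring would settle the question.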