--- a/hgext/acl.py	Fri May 07 14:14:41 2010 -0500
+++ b/hgext/acl.py	Thu May 06 14:23:14 2010 -0300
@@ -145,16 +145,24 @@
 from mercurial import util, match
 import getpass, urllib, grp
 
-def _getusers(group):
+def _getusers(ui, group):
+
+    # First, try to use group definition from section [acl.groups]
+    hgrcusers = ui.configlist('acl.groups', group)
+    if hgrcusers:
+        return hgrcusers
+
+    ui.debug('acl: "%s" not defined in [acl.groups]\n' % group)
+    # If no users found in group definition, get users from OS-level group
     return grp.getgrnam(group).gr_mem
 
-def _usermatch(user, usersorgroups):
+def _usermatch(ui, user, usersorgroups):
 
     if usersorgroups == '*':
         return True
 
     for ug in usersorgroups.replace(',', ' ').split():
-        if user == ug or ug.find('@') == 0 and user in _getusers(ug[1:]):
+        if user == ug or ug.find('@') == 0 and user in _getusers(ui, ug[1:]):
             return True
 
     return False
@@ -166,7 +174,7 @@
         return None
 
     pats = [pat for pat, users in ui.configitems(key)
-            if _usermatch(user, users)]
+            if _usermatch(ui, user, users)]
     ui.debug('acl: %s enabled, %d entries for user %s\n' %
              (key, len(pats), user))
 
@@ -200,7 +208,7 @@
 
     cfg = ui.config('acl', 'config')
     if cfg:
-        ui.readconfig(cfg, sections = ['acl.allow.branches',
+        ui.readconfig(cfg, sections = ['acl.groups', 'acl.allow.branches',
         'acl.deny.branches', 'acl.allow', 'acl.deny'])
 
     allowbranches = buildmatch(ui, None, user, 'acl.allow.branches')

--- a/tests/test-acl	Fri May 07 14:14:41 2010 -0500
+++ b/tests/test-acl	Thu May 06 14:23:14 2010 -0300
@@ -28,7 +28,13 @@
 {
 cat > fakegroups.py <<EOF
 from hgext import acl
-acl._getusers = lambda x: ["fred", "betty"]
+def fakegetusers(ui, group):
+    try:
+        return acl._getusersorig(ui, group)
+    except:
+        return ["fred", "betty"]
+acl._getusersorig = acl._getusers
+acl._getusers = fakegetusers
 EOF
 
 rm -f acl.config