##// END OF EJS Templates
inotify: repowatcher: don't use a watches attribute to count watches...
inotify: repowatcher: don't use a watches attribute to count watches The encapsulated watcher alread has a __len__ method for this purpose. Also, repowatcher.watches was never decremented on watch deletions.

File last commit:

r8682:cc7da5aa default
r8794:1c610db4 default
Show More
acl.py
91 lines | 3.3 KiB | text/x-python | PythonLexer
Vadim Gelfer
add acl extension, to limit who can push to subdirs of central repo.
r2344 # acl.py - changeset access control for mercurial
#
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
#
Martin Geisler
updated license to be explicit about GPL version 2
r8225 # This software may be used and distributed according to the terms of the
# GNU General Public License version 2, incorporated herein by reference.
Vadim Gelfer
add acl extension, to limit who can push to subdirs of central repo.
r2344 #
# this hook allows to allow or deny access to parts of a repo when
# taking incoming changesets.
#
# authorization is against local user name on system where hook is
# run, not committer of original changeset (since that is easy to
# spoof).
#
# acl hook is best to use if you use hgsh to set up restricted shells
# for authenticated users to only push to / pull from. not safe if
# user has interactive shell access, because they can disable hook.
# also not safe if remote users share one local account, because then
# no way to tell remote users apart.
#
# to use, configure acl extension in hgrc like this:
#
# [extensions]
# hgext.acl =
#
# [hooks]
# pretxnchangegroup.acl = python:hgext.acl.hook
#
# [acl]
# sources = serve # check if source of incoming changes in this list
# # ("serve" == ssh or http, "push", "pull", "bundle")
#
# allow and deny lists have subtree pattern (default syntax is glob)
# on left, user names on right. deny list checked before allow list.
#
# [acl.allow]
# # if acl.allow not present, all users allowed by default
# # empty acl.allow = no users allowed
# docs/** = doc_writer
# .hgtags = release_engineer
#
# [acl.deny]
# # if acl.deny not present, no users denied by default
# # empty acl.deny = all users allowed
# glob pattern = user4, user5
# ** = user6
Matt Mackall
Simplify i18n imports
r3891 from mercurial.i18n import _
Matt Mackall
match: change all users of util.matcher to match.match
r8566 from mercurial import util, match
Matt Mackall
Replace demandload with new demandimport
r3877 import getpass
Vadim Gelfer
add acl extension, to limit who can push to subdirs of central repo.
r2344
Matt Mackall
acl: refactoring...
r6766 def buildmatch(ui, repo, user, key):
'''return tuple of (match function, list enabled).'''
if not ui.has_section(key):
ui.debug(_('acl: %s not enabled\n') % key)
return None
Vadim Gelfer
add acl extension, to limit who can push to subdirs of central repo.
r2344
Matt Mackall
acl: refactoring...
r6766 pats = [pat for pat, users in ui.configitems(key)
if user in users.replace(',', ' ').split()]
ui.debug(_('acl: %s enabled, %d entries for user %s\n') %
(key, len(pats), user))
if pats:
Matt Mackall
match: add some default args
r8567 return match.match(repo.root, '', pats)
Matt Mackall
match: remove match.never...
r8682 return match.exact(repo.root, '', [])
Matt Mackall
match: change all users of util.matcher to match.match
r8566
Vadim Gelfer
add acl extension, to limit who can push to subdirs of central repo.
r2344
def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
if hooktype != 'pretxnchangegroup':
raise util.Abort(_('config error - hook type "%s" cannot stop '
'incoming changesets') % hooktype)
Matt Mackall
acl: refactoring...
r6766 if source not in ui.config('acl', 'sources', 'serve').split():
Vadim Gelfer
add acl extension, to limit who can push to subdirs of central repo.
r2344 ui.debug(_('acl: changes have source "%s" - skipping\n') % source)
return
Matt Mackall
acl: refactoring...
r6766 user = getpass.getuser()
cfg = ui.config('acl', 'config')
if cfg:
Matt Mackall
ui: fold readsections into readconfig...
r8142 ui.readconfig(cfg, sections = ['acl.allow', 'acl.deny'])
Matt Mackall
acl: refactoring...
r6766 allow = buildmatch(ui, repo, user, 'acl.allow')
deny = buildmatch(ui, repo, user, 'acl.deny')
for rev in xrange(repo[node], len(repo)):
ctx = repo[rev]
for f in ctx.files():
if deny and deny(f):
ui.debug(_('acl: user %s denied on %s\n') % (user, f))
raise util.Abort(_('acl: access denied for changeset %s') % ctx)
if allow and not allow(f):
ui.debug(_('acl: user %s not allowed on %s\n') % (user, f))
raise util.Abort(_('acl: access denied for changeset %s') % ctx)
ui.debug(_('acl: allowing changeset %s\n') % ctx)