diff --git a/mercurial/hgweb/hgweb_mod.py b/mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py
+++ b/mercurial/hgweb/hgweb_mod.py
@@ -16,6 +16,13 @@ from common import HTTP_OK, HTTP_BAD_REQ
 from request import wsgirequest
 import webcommands, protocol, webutil
 
+perms = {
+    'changegroup': 'pull',
+    'changegroupsubset': 'pull',
+    'unbundle': 'push',
+    'stream_out': 'pull',
+}
+
 class hgweb(object):
     def __init__(self, repo, name=None):
         if isinstance(repo, str):
@@ -95,6 +102,8 @@ class hgweb(object):
 
         cmd = req.form.get('cmd', [''])[0]
         if cmd and cmd in protocol.__all__:
+            if cmd in perms and not self.check_perm(req, perms[cmd]):
+                return
             method = getattr(protocol, cmd)
             method(self, req)
             return
@@ -343,16 +352,39 @@ class hgweb(object):
         'zip': ('application/zip', 'zip', '.zip', None),
         }
 
-    def check_perm(self, req, op, default):
-        '''check permission for operation based on user auth.
-        return true if op allowed, else false.
-        default is policy to use if no config given.'''
+    def check_perm(self, req, op):
+        '''Check permission for operation based on request data (including
+        authentication info. Return true if op allowed, else false.'''
+
+        def error(status, message):
+            req.respond(status, protocol.HGTYPE)
+            req.write('0\n%s\n' % message)
+
+        if op == 'pull':
+            return self.allowpull
+
+        # enforce that you can only push using POST requests
+        if req.env['REQUEST_METHOD'] != 'POST':
+            error('405 Method Not Allowed', 'push requires POST request')
+            return False
+
+        # require ssl by default for pushing, auth info cannot be sniffed
+        # and replayed
+        scheme = req.env.get('wsgi.url_scheme')
+        if self.configbool('web', 'push_ssl', True) and scheme != 'https':
+            error(HTTP_OK, 'ssl required')
+            return False
 
         user = req.env.get('REMOTE_USER')
 
-        deny = self.configlist('web', 'deny_' + op)
+        deny = self.configlist('web', 'deny_push')
         if deny and (not user or deny == ['*'] or user in deny):
+            error('401 Unauthorized', 'push not authorized')
             return False
 
-        allow = self.configlist('web', 'allow_' + op)
-        return (allow and (allow == ['*'] or user in allow)) or default
+        allow = self.configlist('web', 'allow_push')
+        result = allow and (allow == ['*'] or user in allow)
+        if not result:
+            error('401 Unauthorized', 'push not authorized')
+
+        return result
diff --git a/mercurial/hgweb/protocol.py b/mercurial/hgweb/protocol.py
--- a/mercurial/hgweb/protocol.py
+++ b/mercurial/hgweb/protocol.py
@@ -62,8 +62,6 @@ def between(web, req):
 def changegroup(web, req):
     req.respond(HTTP_OK, HGTYPE)
     nodes = []
-    if not web.allowpull:
-        return
 
     if 'roots' in req.form:
         nodes = map(bin, req.form['roots'][0].split(" "))
@@ -82,8 +80,6 @@ def changegroupsubset(web, req):
     req.respond(HTTP_OK, HGTYPE)
     bases = []
     heads = []
-    if not web.allowpull:
-        return
 
     if 'bases' in req.form:
         bases = [bin(x) for x in req.form['bases'][0].split(' ')]
@@ -120,28 +116,7 @@ def unbundle(web, req):
         req.write('0\n')
         req.write(response)
 
-    # enforce that you can only unbundle with POST requests
-    if req.env['REQUEST_METHOD'] != 'POST':
-        headers = {'status': '405 Method Not Allowed'}
-        bail('unbundle requires POST request\n', headers)
-        return
-
-    # require ssl by default, auth info cannot be sniffed and
-    # replayed
-    ssl_req = web.configbool('web', 'push_ssl', True)
-    if ssl_req:
-        if req.env.get('wsgi.url_scheme') != 'https':
-            bail('ssl required\n')
-            return
-        proto = 'https'
-    else:
-        proto = 'http'
-
-    # do not allow push unless explicitly allowed
-    if not web.check_perm(req, 'push', False):
-        bail('push not authorized\n', headers={'status': '401 Unauthorized'})
-        return
-
+    proto = req.env.get('wsgi.url_scheme') or 'http'
     their_heads = req.form['heads'][0].split(' ')
 
     def check_heads():
@@ -224,7 +199,5 @@ def unbundle(web, req):
         os.unlink(tempname)
 
 def stream_out(web, req):
-    if not web.allowpull:
-        return
     req.respond(HTTP_OK, HGTYPE)
     streamclone.stream_out(web.repo, req, untrusted=True)
diff --git a/tests/test-hgweb-commands.out b/tests/test-hgweb-commands.out
index a9666456a4e9c97af4b479b399d886234b61ab19..fdbe42f38f282b6fbc29f5d7e0478c864520810e
GIT binary patch
literal 18057
zc%1E9>2l*X5}y4zs(pwKUCw1oBxU)MWo0I|cap8lQDaZ-@n;qyA&E5<$t5An&haMu
zu-gp~yhNR`r;;iwjzj{DZlJr-{o$BhxaI<;5r{E|m`7oQxvm$Cz-8tz%--m67k&yy
z39!HgXUu{TPa18@f@>%CA_3u4L{ou;z8}t#Mx*!L-Nc7m9w%NHoEvt_GJpq8NbJrH
zmN=egeAjREhMc>Aq(O3SjD?80rfIj2TNeIjo5=srd?~_-(QiQSi)Irpq+~xFL9<C^
zp4*>m)ibda>wGWxgk$p0jfDF{1I95Q)(Bz9zlj_Tv)qXJg2w?9d|^w~LU_XGeZdov
z_pWEEQmmdvF7j~u_UW<Jv~2vlv8=BA+mqitQ<F51oChMl$99_UOV>pO2{r;$A*wgl
z%15)c`Osp{ap#oTom^tQQYJihrm@F-b0=faWS!w@o4f6U)06gqTZc!3)04xt%MaZl
zKRG_&47m?2m!}#{wX;AQF~2p}WhgZVJvJ5NFs4W71#F_U*fZs$EaVgB`TZ|<Z2Ra8
zzb%`-?ZY!w(lb>(u`+XB8>t-0qv^o+lJW8eIT1B+!a$&<K-@?C+_)QyiEpSLyWZ_W
zceYPYPt5``ijFx^caw-Y$OvB(9^Z0f1G8frCD}yLN)>7E$oov~PjiknU<u#KX^P@`
zXLxwb4%tb&-8t$o>(pvHN5kV`r*kq~+iBKi_~bMzoJN^+J%?!YObWgIrx^Ye!=GaK
zQw)EK;eQOL`4hzOIxo`!7@aYqg~OKdTQ{#p<u0v2VC*F#jPD;VFh9+or}?vL{(N!y
z_TuJW@2=p7o7X?VyAR+0^y38>P1F3x!G&pF-dw7RPRp|4CT2n637l!@F6Px6>}`*F
zO+TEWpu&9cutR!2n2BJ*bIkFGN?TDdGExnB6E@-|6=35D7YxY8=SCb3LXjAdjtU6_
zm*4F}5UQRVV3wpM;@;<I1um*GWlhUT5-n2jJ7LOqlT=ikgb6x|C_<xpsHOO@DDpjr
zkv8P~-a~sCWRz5XhS@+eJ2xo6fQ&<wD@mfUzJxeQssga6#Q**E^*nnsHOwG%rALq(
zIzCI#4F^*p!XP0krg>6~vW>ozgG5%W9>pvg8-4jxsX`optmwN^G4y<10$rxjr!qxH
zgo{U89cmvRH2c-9*0KN*DVAz3p)0rh+7U83)MK0K@O=Wz5i;4BvP)PRksaB9`$SKv
zfW^)j)u<l2JyTX9kr&Y9OI@7b8sND(dBHyoNW7o%`M^T{0lW1^=oVe*B@^cR+J3s+
z=;zAT9WMo3qyM$_4UG|M2r(m}*}O>An^FQPgT`diaOEUn1D|WT2{yZ;2m=v|J#lZz
ztSMB86|N@3iEZ>JEVzez93YxaxK#=nnT<5K&s7JZTN+yxyl;X)Sw9tkKQWC=j;Oz4
zWcFtqS=nGJ%rENoW{%k2%n{pvU`H&)FKiSRgIAhXXR}!g!59xbr{#o`0>B|+Z!&@;
zc8WQP_^6yT^IS1LKR$#p_eNuJermxWj9ng|TY%B|+{k$0P)jkxRPhzVgiMD|8F$T$
zyJDkYoAhNZPG6a?Ax)m^A11?<{X9=_g;~yK&H0&*rD-B8<ey9}T~LugWgiu+XsTue
zGF*`kWR&WOu~tt;VdUJv!Vn<FlF+RoTo#e)<EaWvQhG_Y=er~qf528UOA=-EvdCV1
z%cP}Iuq+GhA&oL8MOI*5s5C7pNylmRTcaFJuz01BYhjMND`O&k*Kk&qH{&V%odtkX
zT`w$v78`)e3w-?A4}%e~QTWZWQAlS?eXd4QTD`<yO?4VZeN~IwQiPr-m$Vt-lAgId
zkwFmS7c$RZ>hw`0O&6}YYO~BIBS2{eTzbPHO#oUlrMxm+(!=#rpi3uSFikLksXV2V
z2)+lQ4q-dKtx_TW_CbAY8fCND1k*(~4W_>Te7V)Iw<NYKJn~n|Zl|)_nQZC%dwY8@
zNKLejXeL$(K1c;0WP%S!@QWAFwDys;y>G*d7h8|3ld|t*>}3Smqf=MSQ!Z)eZD?<0
z!&YX+mbN24eKtGVt#&5AoyjlQ^3e=ww+=GN2btstHKyI_WFk75hy@1ClG>jJxGjZl
zjUD*mRROa^OgLjK{E%?9OvL9)jO$>5g^zC#=EIMdu<nTiHhITl+CEx$yR5P93aHW8
z$n%w(w#FkuJFAGRp0&4b@2Ss?#xDE~6AU6FpEll>sh`|ynRUnlFD$v2+E`^tH=f<a
zP5J|uHJUL(vnKsP=Md6ymr7HnPq=<9TraV~@4)a&wxBW$Z$Bu8pNF8?MA~RSt2~Yp
znM6$}$D^Z)Dm4p&5Y^0Un&_&U<-~knl#p~yQCw0;lN6Q_Ia<pg7<r9E&3O!w;N4YZ
z+XD8+5=lAm)<Tvd?J~@qXQ#2YX0{4m=bJc-K=!<hh{qEzkv1%f%7eumm-?=j(Xiek
z+T<|34j!wlTbN=w7G4|kN~EN6x%8hjm;ZT^__DyiMIKxOuFd5@or8Aa?JbXQJwE%~
z*9jl$+KCLA8{a$0TNSr^RN&2yH<RgP!s2^%F@;<{I|0=-jqEH?oddqsE&$gTuhRp;
z!V%x^Jup?<1=)G&CIjB$lyk*#EGlI4gV@h~#3?t4mEIot1V4jUG|6k>)juV^qOf@_
zV$Ts0SV1u|%??^&JTh<ItJ7ASnx&7;M7C+U!qs4`GSLbQ3J13GnAT_1R~|G!TpLh)
zc?diw0oo>rZX-a~9C>2K2a9oCdBgTvP0Y`BLTaurVyh!kb2&hb&<G!?n#Y?ZJ1sE_
zSO!RSpBqCzWT?oPa@?7bM>L6=a+s_1{GDo~Y^2YVSRYJC2^Jg$r3XApNn;N&1-hJa
zAIZ^xTjo#kE#)kItT1kM6jWuTPJ{}lMzWa(3F?d{OUhL(2J9C3rQL>KYao4PutjuV
zqMs)%Efz|&auHCW&K3qGO3F=Db*Jlu65Sl;t~4sF1qQKMuMp`RM*quTkVI!%f$32s
z_kFtcA)}vV=>2ZD2pAQ@#Q&$kry!gKbGzeiA4_?h(S5mdY)Kq#XWs{H{5m3}eR?bl
zJ6WM5wc3>i9Z7pqZgAAep?cfO>a0^qAz4@_8Hr+XnlqMkN9`)Or!J$SL<)VgVIT<G
zCj>@7OoFcrib)h!<Wkx&rg>FX{R-DhA-7t{tg_BL(ykm8_q@K|$HzR~&xV8LYC;#w
z3Mf6vBX)JcRq1bUu)(@v(1+5l9}ZtFi%X@0m<7(5mMS`wxqQf`zM!Rxd`Nft%FM7q
zu}yxco6_ptL6!}<uqye4!6lsG>|C<cthba}rNgh)V~cg>Y3??2#<U;Jm_?J!8&jQs
ztY@f-#tA<uJobAuzNC9AG`^%|jmC@f$ES>#Dm<iFhUu(hEK=fvncHf$suJcxL2V>h
z68;}E1Z?Xe(!ztqW_<{IR<Ca?Pr8rm2nP!tp~i6AI>C<7S7Gn*L;tp6zP!&?c7QxE
zuXc#7LTYtOb2Eq7EEd-|gx*P85*%_v7JZ<)O*V&3hhZob!mqFSsFt}Zz$>RH5aKH1
zV|6<$zp{vHj_O{oUib80RxTeRVpMzS8dFy`wsyf`5gT~EC%onVKGhGyPtz#H0HZjZ
zM#*$QSYR3qrh$vP|KXKwz54e){d})}KD^llTI(!jy!K(%E~q{%V`jlupZNV(NUP`F
zLx^7c_zbKyKWh_`g>scI8_eDRod3Ld_UzeTpZ#SQmxeKClaENVtci`>hYXF60Y#f}
z9~Z{|oq91(;N9En8~H{Dksa$0UUM-HU3e1;cu6d{iyCi4(`3A$(JoxeodJ;Zaj7Zb
z7oa)Obh#78a{b*6!hoN_Z;ckt8?2s<J;9su0()0s3|UEgPm62iRtCkZWHC(|Y>{BV
zoKK|az-?ks2;(m7xbjn=v+L=&{75>r9ZvFS1G)=GR&;j;nvluQ84f)VO}Y%(1$i}*
z$7c=5K2jG9<5Zwm_7JImTi%qfU7Jr-r_v*K6qiaE#heGSF1y^2SH@h8MIHU;<<T^b
z{8ZcN@eo$l^l^31KzA)Yj03bSj;uy!NAg3%PC0a;9SM3*DWt*ZU3O&1CZ2zfU133z
z70$R4ItYFDtbtPX<<Z4r9mlDYSt}!LGw_iOu}7t<1D8e2Pvoa=4D*U3e&)Au5l$vy
z0N<Jox~}pIOjtbfkjNq}qB~(GkkU#UJtV;AEUxm>Dbu7waJq3$JEs`iiG3@(j-2_X
zZCSg@X?2yJZE5{srCN-&Uuew-VT`^}>ln8@#@Ww&T`a<=%8kVBL#brw#ff&$c^g;T
z7paR~@c9sXkPgEO#vCWFR48icT3^R6DkoW@on(P}PEuFT>k&_^p&!+`Md~SXYpJt{
zqD7QU8pjPQ4S{y}uhQ3FfB;NW!XoMeh0=m!WzH|1tk|%XKHqP~B6mIl1#-JycBy=^
z6nXwOSGL%t>gQJ;ONYZ@t>4wjXvrM34>dJ~oiOal0;|vfX-<Lb4TnGnaB_Ual}ZZ3
zD;GV+=%_ERXw#9pfXHr#a#_UDOB&CkP~8KeSnp#Zy~W`3JU1H><aVQ=;jrMACFPcE
zkc9q}!q)Sjn=*xV;SgU?6<ugrts`{75>w<e^>^r>Aq+;6SJiWH1|}XNDd|P!K9oAA
zB^;B4-x@${<@PG^PS7Fup&-cjNY*&j>%l4J*|aN#HY-PF7X_aj%CT+G|2cu!E5sc`
z3fj+IFNu71PZ=bn4D!5?QjamXEU=gAjjhJB3s>*ozkPoVS8p!fet2_p_5SLz@qheR
B&RGBe