diff --git a/mercurial/hgweb/hgweb_mod.py b/mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py
+++ b/mercurial/hgweb/hgweb_mod.py
@@ -284,14 +284,13 @@ class hgweb(object):
             raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized')
 
         allow_read = self.configlist('web', 'allow_read')
-        result = (not allow_read) or (allow_read == ['*']) or (user in allow_read)
-        if not result:
+        result = (not allow_read) or (allow_read == ['*'])
+        if not result or user in allow_read:
             raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized')
 
         if op == 'pull' and not self.allowpull:
             raise ErrorResponse(HTTP_UNAUTHORIZED, 'pull not authorized')
-        # op is None when checking allow/deny_read permissions for a web-browser request
-        elif op == 'pull' or op is None:
+        elif op == 'pull' or op is None: # op is None for interface requests
             return
 
         # enforce that you can only push using POST requests
diff --git a/mercurial/hgweb/hgwebdir_mod.py b/mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py
+++ b/mercurial/hgweb/hgwebdir_mod.py
@@ -102,11 +102,11 @@ class hgwebdir(object):
 
         user = req.env.get('REMOTE_USER')
 
-        deny_read = ui.configlist('web', 'deny_read', default=None, untrusted=True)
+        deny_read = ui.configlist('web', 'deny_read', untrusted=True)
         if deny_read and (not user or deny_read == ['*'] or user in deny_read):
             return False
 
-        allow_read = ui.configlist('web', 'allow_read', default=None, untrusted=True)
+        allow_read = ui.configlist('web', 'allow_read', untrusted=True)
         # by default, allow reading if no allow_read option has been set
         if (not allow_read) or (allow_read == ['*']) or (user in allow_read):
             return True