# HG changeset patch
# User Dirkjan Ochtman <dirkjan@ochtman.nl>
# Date 2008-06-29 09:35:06
# Node ID d3147b4e3e8a4b0278f3905bce3629768994d550
# Parent  959efdac4a9c7aa0e0018b3652e77bd894401a66

hgweb: centralize permission checks for protocol commands

Consistently enforces authorization checks set up in hgrc up front, so that
the actual commands don't have to worry about them and implementers of
hgweb alternatives can easily implement their own permission checks.

diff --git a/mercurial/hgweb/hgweb_mod.py b/mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py
+++ b/mercurial/hgweb/hgweb_mod.py
@@ -16,6 +16,13 @@ from common import HTTP_OK, HTTP_BAD_REQ
 from request import wsgirequest
 import webcommands, protocol, webutil
 
+perms = {
+    'changegroup': 'pull',
+    'changegroupsubset': 'pull',
+    'unbundle': 'push',
+    'stream_out': 'pull',
+}
+
 class hgweb(object):
     def __init__(self, repo, name=None):
         if isinstance(repo, str):
@@ -95,6 +102,8 @@ class hgweb(object):
 
         cmd = req.form.get('cmd', [''])[0]
         if cmd and cmd in protocol.__all__:
+            if cmd in perms and not self.check_perm(req, perms[cmd]):
+                return
             method = getattr(protocol, cmd)
             method(self, req)
             return
@@ -343,16 +352,39 @@ class hgweb(object):
         'zip': ('application/zip', 'zip', '.zip', None),
         }
 
-    def check_perm(self, req, op, default):
-        '''check permission for operation based on user auth.
-        return true if op allowed, else false.
-        default is policy to use if no config given.'''
+    def check_perm(self, req, op):
+        '''Check permission for operation based on request data (including
+        authentication info. Return true if op allowed, else false.'''
+
+        def error(status, message):
+            req.respond(status, protocol.HGTYPE)
+            req.write('0\n%s\n' % message)
+
+        if op == 'pull':
+            return self.allowpull
+
+        # enforce that you can only push using POST requests
+        if req.env['REQUEST_METHOD'] != 'POST':
+            error('405 Method Not Allowed', 'push requires POST request')
+            return False
+
+        # require ssl by default for pushing, auth info cannot be sniffed
+        # and replayed
+        scheme = req.env.get('wsgi.url_scheme')
+        if self.configbool('web', 'push_ssl', True) and scheme != 'https':
+            error(HTTP_OK, 'ssl required')
+            return False
 
         user = req.env.get('REMOTE_USER')
 
-        deny = self.configlist('web', 'deny_' + op)
+        deny = self.configlist('web', 'deny_push')
         if deny and (not user or deny == ['*'] or user in deny):
+            error('401 Unauthorized', 'push not authorized')
             return False
 
-        allow = self.configlist('web', 'allow_' + op)
-        return (allow and (allow == ['*'] or user in allow)) or default
+        allow = self.configlist('web', 'allow_push')
+        result = allow and (allow == ['*'] or user in allow)
+        if not result:
+            error('401 Unauthorized', 'push not authorized')
+
+        return result
diff --git a/mercurial/hgweb/protocol.py b/mercurial/hgweb/protocol.py
--- a/mercurial/hgweb/protocol.py
+++ b/mercurial/hgweb/protocol.py
@@ -62,8 +62,6 @@ def between(web, req):
 def changegroup(web, req):
     req.respond(HTTP_OK, HGTYPE)
     nodes = []
-    if not web.allowpull:
-        return
 
     if 'roots' in req.form:
         nodes = map(bin, req.form['roots'][0].split(" "))
@@ -82,8 +80,6 @@ def changegroupsubset(web, req):
     req.respond(HTTP_OK, HGTYPE)
     bases = []
     heads = []
-    if not web.allowpull:
-        return
 
     if 'bases' in req.form:
         bases = [bin(x) for x in req.form['bases'][0].split(' ')]
@@ -120,28 +116,7 @@ def unbundle(web, req):
         req.write('0\n')
         req.write(response)
 
-    # enforce that you can only unbundle with POST requests
-    if req.env['REQUEST_METHOD'] != 'POST':
-        headers = {'status': '405 Method Not Allowed'}
-        bail('unbundle requires POST request\n', headers)
-        return
-
-    # require ssl by default, auth info cannot be sniffed and
-    # replayed
-    ssl_req = web.configbool('web', 'push_ssl', True)
-    if ssl_req:
-        if req.env.get('wsgi.url_scheme') != 'https':
-            bail('ssl required\n')
-            return
-        proto = 'https'
-    else:
-        proto = 'http'
-
-    # do not allow push unless explicitly allowed
-    if not web.check_perm(req, 'push', False):
-        bail('push not authorized\n', headers={'status': '401 Unauthorized'})
-        return
-
+    proto = req.env.get('wsgi.url_scheme') or 'http'
     their_heads = req.form['heads'][0].split(' ')
 
     def check_heads():
@@ -224,7 +199,5 @@ def unbundle(web, req):
         os.unlink(tempname)
 
 def stream_out(web, req):
-    if not web.allowpull:
-        return
     req.respond(HTTP_OK, HGTYPE)
     streamclone.stream_out(web.repo, req, untrusted=True)
diff --git a/tests/test-hgweb-commands.out b/tests/test-hgweb-commands.out
index a9666456a4e9c97af4b479b399d886234b61ab19..fdbe42f38f282b6fbc29f5d7e0478c864520810e
GIT binary patch
literal 18057
zc%1E9>2l*X5}y4zs(pwKUCw1oBxU)MWo0I|cap8lQDaZ-@n;qyA&E5<$t5An&haMu
zu-gp~yhNR`r;;iwjzj{DZlJr-{o$BhxaI<;5r{E|m`7oQxvm$Cz-8tz%--m67k&yy
z39!HgXUu{TPa18@f@>%CA_3u4L{ou;z8}t#Mx*!L-Nc7m9w%NHoEvt_GJpq8NbJrH
zmN=egeAjREhMc>Aq(O3SjD?80rfIj2TNeIjo5=srd?~_-(QiQSi)Irpq+~xFL9<C^
zp4*>m)ibda>wGWxgk$p0jfDF{1I95Q)(Bz9zlj_Tv)qXJg2w?9d|^w~LU_XGeZdov
z_pWEEQmmdvF7j~u_UW<Jv~2vlv8=BA+mqitQ<F51oChMl$99_UOV>pO2{r;$A*wgl
z%15)c`Osp{ap#oTom^tQQYJihrm@F-b0=faWS!w@o4f6U)06gqTZc!3)04xt%MaZl
zKRG_&47m?2m!}#{wX;AQF~2p}WhgZVJvJ5NFs4W71#F_U*fZs$EaVgB`TZ|<Z2Ra8
zzb%`-?ZY!w(lb>(u`+XB8>t-0qv^o+lJW8eIT1B+!a$&<K-@?C+_)QyiEpSLyWZ_W
zceYPYPt5``ijFx^caw-Y$OvB(9^Z0f1G8frCD}yLN)>7E$oov~PjiknU<u#KX^P@`
zXLxwb4%tb&-8t$o>(pvHN5kV`r*kq~+iBKi_~bMzoJN^+J%?!YObWgIrx^Ye!=GaK
zQw)EK;eQOL`4hzOIxo`!7@aYqg~OKdTQ{#p<u0v2VC*F#jPD;VFh9+or}?vL{(N!y
z_TuJW@2=p7o7X?VyAR+0^y38>P1F3x!G&pF-dw7RPRp|4CT2n637l!@F6Px6>}`*F
zO+TEWpu&9cutR!2n2BJ*bIkFGN?TDdGExnB6E@-|6=35D7YxY8=SCb3LXjAdjtU6_
zm*4F}5UQRVV3wpM;@;<I1um*GWlhUT5-n2jJ7LOqlT=ikgb6x|C_<xpsHOO@DDpjr
zkv8P~-a~sCWRz5XhS@+eJ2xo6fQ&<wD@mfUzJxeQssga6#Q**E^*nnsHOwG%rALq(
zIzCI#4F^*p!XP0krg>6~vW>ozgG5%W9>pvg8-4jxsX`optmwN^G4y<10$rxjr!qxH
zgo{U89cmvRH2c-9*0KN*DVAz3p)0rh+7U83)MK0K@O=Wz5i;4BvP)PRksaB9`$SKv
zfW^)j)u<l2JyTX9kr&Y9OI@7b8sND(dBHyoNW7o%`M^T{0lW1^=oVe*B@^cR+J3s+
z=;zAT9WMo3qyM$_4UG|M2r(m}*}O>An^FQPgT`diaOEUn1D|WT2{yZ;2m=v|J#lZz
ztSMB86|N@3iEZ>JEVzez93YxaxK#=nnT<5K&s7JZTN+yxyl;X)Sw9tkKQWC=j;Oz4
zWcFtqS=nGJ%rENoW{%k2%n{pvU`H&)FKiSRgIAhXXR}!g!59xbr{#o`0>B|+Z!&@;
zc8WQP_^6yT^IS1LKR$#p_eNuJermxWj9ng|TY%B|+{k$0P)jkxRPhzVgiMD|8F$T$
zyJDkYoAhNZPG6a?Ax)m^A11?<{X9=_g;~yK&H0&*rD-B8<ey9}T~LugWgiu+XsTue
zGF*`kWR&WOu~tt;VdUJv!Vn<FlF+RoTo#e)<EaWvQhG_Y=er~qf528UOA=-EvdCV1
z%cP}Iuq+GhA&oL8MOI*5s5C7pNylmRTcaFJuz01BYhjMND`O&k*Kk&qH{&V%odtkX
zT`w$v78`)e3w-?A4}%e~QTWZWQAlS?eXd4QTD`<yO?4VZeN~IwQiPr-m$Vt-lAgId
zkwFmS7c$RZ>hw`0O&6}YYO~BIBS2{eTzbPHO#oUlrMxm+(!=#rpi3uSFikLksXV2V
z2)+lQ4q-dKtx_TW_CbAY8fCND1k*(~4W_>Te7V)Iw<NYKJn~n|Zl|)_nQZC%dwY8@
zNKLejXeL$(K1c;0WP%S!@QWAFwDys;y>G*d7h8|3ld|t*>}3Smqf=MSQ!Z)eZD?<0
z!&YX+mbN24eKtGVt#&5AoyjlQ^3e=ww+=GN2btstHKyI_WFk75hy@1ClG>jJxGjZl
zjUD*mRROa^OgLjK{E%?9OvL9)jO$>5g^zC#=EIMdu<nTiHhITl+CEx$yR5P93aHW8
z$n%w(w#FkuJFAGRp0&4b@2Ss?#xDE~6AU6FpEll>sh`|ynRUnlFD$v2+E`^tH=f<a
zP5J|uHJUL(vnKsP=Md6ymr7HnPq=<9TraV~@4)a&wxBW$Z$Bu8pNF8?MA~RSt2~Yp
znM6$}$D^Z)Dm4p&5Y^0Un&_&U<-~knl#p~yQCw0;lN6Q_Ia<pg7<r9E&3O!w;N4YZ
z+XD8+5=lAm)<Tvd?J~@qXQ#2YX0{4m=bJc-K=!<hh{qEzkv1%f%7eumm-?=j(Xiek
z+T<|34j!wlTbN=w7G4|kN~EN6x%8hjm;ZT^__DyiMIKxOuFd5@or8Aa?JbXQJwE%~
z*9jl$+KCLA8{a$0TNSr^RN&2yH<RgP!s2^%F@;<{I|0=-jqEH?oddqsE&$gTuhRp;
z!V%x^Jup?<1=)G&CIjB$lyk*#EGlI4gV@h~#3?t4mEIot1V4jUG|6k>)juV^qOf@_
zV$Ts0SV1u|%??^&JTh<ItJ7ASnx&7;M7C+U!qs4`GSLbQ3J13GnAT_1R~|G!TpLh)
zc?diw0oo>rZX-a~9C>2K2a9oCdBgTvP0Y`BLTaurVyh!kb2&hb&<G!?n#Y?ZJ1sE_
zSO!RSpBqCzWT?oPa@?7bM>L6=a+s_1{GDo~Y^2YVSRYJC2^Jg$r3XApNn;N&1-hJa
zAIZ^xTjo#kE#)kItT1kM6jWuTPJ{}lMzWa(3F?d{OUhL(2J9C3rQL>KYao4PutjuV
zqMs)%Efz|&auHCW&K3qGO3F=Db*Jlu65Sl;t~4sF1qQKMuMp`RM*quTkVI!%f$32s
z_kFtcA)}vV=>2ZD2pAQ@#Q&$kry!gKbGzeiA4_?h(S5mdY)Kq#XWs{H{5m3}eR?bl
zJ6WM5wc3>i9Z7pqZgAAep?cfO>a0^qAz4@_8Hr+XnlqMkN9`)Or!J$SL<)VgVIT<G
zCj>@7OoFcrib)h!<Wkx&rg>FX{R-DhA-7t{tg_BL(ykm8_q@K|$HzR~&xV8LYC;#w
z3Mf6vBX)JcRq1bUu)(@v(1+5l9}ZtFi%X@0m<7(5mMS`wxqQf`zM!Rxd`Nft%FM7q
zu}yxco6_ptL6!}<uqye4!6lsG>|C<cthba}rNgh)V~cg>Y3??2#<U;Jm_?J!8&jQs
ztY@f-#tA<uJobAuzNC9AG`^%|jmC@f$ES>#Dm<iFhUu(hEK=fvncHf$suJcxL2V>h
z68;}E1Z?Xe(!ztqW_<{IR<Ca?Pr8rm2nP!tp~i6AI>C<7S7Gn*L;tp6zP!&?c7QxE
zuXc#7LTYtOb2Eq7EEd-|gx*P85*%_v7JZ<)O*V&3hhZob!mqFSsFt}Zz$>RH5aKH1
zV|6<$zp{vHj_O{oUib80RxTeRVpMzS8dFy`wsyf`5gT~EC%onVKGhGyPtz#H0HZjZ
zM#*$QSYR3qrh$vP|KXKwz54e){d})}KD^llTI(!jy!K(%E~q{%V`jlupZNV(NUP`F
zLx^7c_zbKyKWh_`g>scI8_eDRod3Ld_UzeTpZ#SQmxeKClaENVtci`>hYXF60Y#f}
z9~Z{|oq91(;N9En8~H{Dksa$0UUM-HU3e1;cu6d{iyCi4(`3A$(JoxeodJ;Zaj7Zb
z7oa)Obh#78a{b*6!hoN_Z;ckt8?2s<J;9su0()0s3|UEgPm62iRtCkZWHC(|Y>{BV
zoKK|az-?ks2;(m7xbjn=v+L=&{75>r9ZvFS1G)=GR&;j;nvluQ84f)VO}Y%(1$i}*
z$7c=5K2jG9<5Zwm_7JImTi%qfU7Jr-r_v*K6qiaE#heGSF1y^2SH@h8MIHU;<<T^b
z{8ZcN@eo$l^l^31KzA)Yj03bSj;uy!NAg3%PC0a;9SM3*DWt*ZU3O&1CZ2zfU133z
z70$R4ItYFDtbtPX<<Z4r9mlDYSt}!LGw_iOu}7t<1D8e2Pvoa=4D*U3e&)Au5l$vy
z0N<Jox~}pIOjtbfkjNq}qB~(GkkU#UJtV;AEUxm>Dbu7waJq3$JEs`iiG3@(j-2_X
zZCSg@X?2yJZE5{srCN-&Uuew-VT`^}>ln8@#@Ww&T`a<=%8kVBL#brw#ff&$c^g;T
z7paR~@c9sXkPgEO#vCWFR48icT3^R6DkoW@on(P}PEuFT>k&_^p&!+`Md~SXYpJt{
zqD7QU8pjPQ4S{y}uhQ3FfB;NW!XoMeh0=m!WzH|1tk|%XKHqP~B6mIl1#-JycBy=^
z6nXwOSGL%t>gQJ;ONYZ@t>4wjXvrM34>dJ~oiOal0;|vfX-<Lb4TnGnaB_Ual}ZZ3
zD;GV+=%_ERXw#9pfXHr#a#_UDOB&CkP~8KeSnp#Zy~W`3JU1H><aVQ=;jrMACFPcE
zkc9q}!q)Sjn=*xV;SgU?6<ugrts`{75>w<e^>^r>Aq+;6SJiWH1|}XNDd|P!K9oAA
zB^;B4-x@${<@PG^PS7Fup&-cjNY*&j>%l4J*|aN#HY-PF7X_aj%CT+G|2cu!E5sc`
z3fj+IFNu71PZ=bn4D!5?QjamXEU=gAjjhJB3s>*ozkPoVS8p!fet2_p_5SLz@qheR
B&RGBe