@@ -8,18 +8,19 b'' | |||||
8 |
|
8 | |||
9 | '''hooks for controlling repository access |
|
9 | '''hooks for controlling repository access | |
10 |
|
10 | |||
11 |
This hook makes it possible to allow or deny write access to portions |
|
11 | This hook makes it possible to allow or deny write access to portions | |
12 | repository when receiving incoming changesets. |
|
12 | of a repository when receiving incoming changesets. | |
|
13 | ||||
|
14 | The authorization is matched based on the local user name on the | |||
|
15 | system where the hook runs, and not the committer of the original | |||
|
16 | changeset (since the latter is merely informative). | |||
13 |
|
17 | |||
14 | The authorization is matched based on the local user name on the system where |
|
18 | The acl hook is best used along with a restricted shell like hgsh, | |
15 | the hook runs, and not the committer of the original changeset (since the |
|
19 | preventing authenticating users from doing anything other than | |
16 | latter is merely informative). |
|
20 | pushing or pulling. The hook is not safe to use if users have | |
17 |
|
21 | interactive shell access, as they can then disable the hook. | ||
18 | The acl hook is best used along with a restricted shell like hgsh, preventing |
|
22 | Nor is it safe if remote users share an account, because then there | |
19 | authenticating users from doing anything other than pushing or pulling. The |
|
23 | is no way to distinguish them. | |
20 | hook is not safe to use if users have interactive shell access, as they can |
|
|||
21 | then disable the hook. Nor is it safe if remote users share an account, |
|
|||
22 | because then there is no way to distinguish them. |
|
|||
23 |
|
24 | |||
24 | To use this hook, configure the acl extension in your hgrc like this:: |
|
25 | To use this hook, configure the acl extension in your hgrc like this:: | |
25 |
|
26 | |||
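Review bot: new lines 14-16 say authorization is matched on "the local user name on the system where the hook runs", but they do not say where that name comes from when changesets arrive over http rather than ssh, even though the sample config later in this docstring notes that "serve" covers both. This hunk only re-wraps the paragraph, so the wording is unchanged, but since the text is being touched it would be worth adding a sentence that states which identity is checked for each transport. That sits naturally next to the shared-account caveat at new lines 22-23, which depends on the same point.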
@@ -34,9 +35,10 b' To use this hook, configure the acl exte' | |||||
34 | # ("serve" == ssh or http, "push", "pull", "bundle") |
|
35 | # ("serve" == ssh or http, "push", "pull", "bundle") | |
35 | sources = serve |
|
36 | sources = serve | |
36 |
|
37 | |||
37 |
The allow and deny sections take a subtree pattern as key (with a glob |
|
38 | The allow and deny sections take a subtree pattern as key (with a glob | |
38 |
by default), and a comma separated list of users as the |
|
39 | syntax by default), and a comma separated list of users as the | |
39 |
The deny list is checked before the allow list |
|
40 | corresponding value. The deny list is checked before the allow list | |
|
41 | is. :: | |||
40 |
|
42 | |||
41 | [acl.allow] |
|
43 | [acl.allow] | |
42 | # If acl.allow is not present, all users are allowed by default. |
|
44 | # If acl.allow is not present, all users are allowed by default. |
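Review bot: new lines 39-41 state only that "The deny list is checked before the allow list is", which gives the order but not the outcome. Please say explicitly that a deny match rejects the changeset even if the same user also appears under acl.allow. The comment at new line 44 documents that a missing acl.allow section allows everyone; the visible lines do not say what happens to a path that matches no pattern when acl.allow is present, and that default is what an admin needs to know to avoid an unintentionally open subtree. Minor style point: the re-wrap leaves "is. ::" alone on new line 41, which reads oddly in the source; rewording so the sentence ends with the paragraph would avoid it.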