@@ -284,14 +284,13 b' class hgweb(object):' | |||||
284 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
284 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') | |
285 |
|
285 | |||
286 | allow_read = self.configlist('web', 'allow_read') |
|
286 | allow_read = self.configlist('web', 'allow_read') | |
287 |
result = (not allow_read) or (allow_read == ['*']) |
|
287 | result = (not allow_read) or (allow_read == ['*']) | |
288 | if not result: |
|
288 | if not result or user in allow_read: | |
289 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
289 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') | |
290 |
|
290 | |||
291 | if op == 'pull' and not self.allowpull: |
|
291 | if op == 'pull' and not self.allowpull: | |
292 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'pull not authorized') |
|
292 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'pull not authorized') | |
293 | # op is None when checking allow/deny_read permissions for a web-browser request |
|
293 | elif op == 'pull' or op is None: # op is None for interface requests | |
294 | elif op == 'pull' or op is None: |
|
|||
295 | return |
|
294 | return | |
296 |
|
295 | |||
297 | # enforce that you can only push using POST requests |
|
296 | # enforce that you can only push using POST requests |
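Review bot: On new line 288, `if not result or user in allow_read:` parses as `(not result) or (user in allow_read)`, so a user who is listed in `allow_read` is refused with 'read not authorized'. With any non-empty list other than `['*']`, `not result` is already true and every request is refused, so the check over-denies rather than granting access it should not. The condition should be `if not (result or user in allow_read):`, which agrees with the allow logic in the hgwebdir section of this page. A test that puts a named user in `allow_read` and expects a successful read would pin this. The enclosing method starts above the hunk and continues below it.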
@@ -102,11 +102,11 b' class hgwebdir(object):' | |||||
102 |
|
102 | |||
103 | user = req.env.get('REMOTE_USER') |
|
103 | user = req.env.get('REMOTE_USER') | |
104 |
|
104 | |||
105 |
deny_read = ui.configlist('web', 'deny_read', |
|
105 | deny_read = ui.configlist('web', 'deny_read', untrusted=True) | |
106 | if deny_read and (not user or deny_read == ['*'] or user in deny_read): |
|
106 | if deny_read and (not user or deny_read == ['*'] or user in deny_read): | |
107 | return False |
|
107 | return False | |
108 |
|
108 | |||
109 |
allow_read = ui.configlist('web', 'allow_read', |
|
109 | allow_read = ui.configlist('web', 'allow_read', untrusted=True) | |
110 | # by default, allow reading if no allow_read option has been set |
|
110 | # by default, allow reading if no allow_read option has been set | |
111 | if (not allow_read) or (allow_read == ['*']) or (user in allow_read): |
|
111 | if (not allow_read) or (allow_read == ['*']) or (user in allow_read): | |
112 | return True |
|
112 | return True |
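Review bot: The two `ui.configlist(..., untrusted=True)` calls on new lines 105 and 109 carry no comment saying why the read ACL is taken from configuration that Mercurial would otherwise not trust. With `untrusted=True` the values are accepted even from an hgrc whose owner is not trusted, so whoever can write that file decides who may read the repository through this interface; that is probably intended, but should be stated. I would add above line 105: `# ACLs are read with untrusted=True on purpose: the repository's own hgrc decides who may read it`. The enclosing function starts above the section, and how `ui` is built is not visible here.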