Show More
| @@ -18,6 +18,15 b' HTTP_METHOD_NOT_ALLOWED = 405' | |||||
| 18 | HTTP_SERVER_ERROR = 500 |
|
18 | HTTP_SERVER_ERROR = 500 | |
| 19 |
|
19 | |||
| 20 |
|
20 | |||
|
|
21 | def ismember(ui, username, userlist): | |||
|
|
22 | """Check if username is a member of userlist. | |||
|
|
23 | ||||
|
|
24 | If userlist has a single '*' member, all users are considered members. | |||
|
|
25 | Can be overriden by extensions to provide more complex authorization | |||
|
|
26 | schemes. | |||
|
|
27 | """ | |||
|
|
28 | return userlist == ['*'] or username in userlist | |||
|
|
29 | ||||
| 21 | def checkauthz(hgweb, req, op): |
|
30 | def checkauthz(hgweb, req, op): | |
| 22 | '''Check permission for operation based on request data (including |
|
31 | '''Check permission for operation based on request data (including | |
| 23 | authentication info). Return if op allowed, else raise an ErrorResponse |
|
32 | authentication info). Return if op allowed, else raise an ErrorResponse | |
| @@ -26,12 +35,11 b' def checkauthz(hgweb, req, op):' | |||||
| 26 | user = req.env.get('REMOTE_USER') |
|
35 | user = req.env.get('REMOTE_USER') | |
| 27 |
|
36 | |||
| 28 | deny_read = hgweb.configlist('web', 'deny_read') |
|
37 | deny_read = hgweb.configlist('web', 'deny_read') | |
| 29 |
if deny_read and (not user or |
|
38 | if deny_read and (not user or ismember(hgweb.repo.ui, user, deny_read)): | |
| 30 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
39 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') | |
| 31 |
|
40 | |||
| 32 | allow_read = hgweb.configlist('web', 'allow_read') |
|
41 | allow_read = hgweb.configlist('web', 'allow_read') | |
| 33 | result = (not allow_read) or (allow_read == ['*']) |
|
42 | if allow_read and (not ismember(hgweb.repo.ui, user, allow_read)): | |
| 34 | if not (result or user in allow_read): |
|
|||
| 35 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
43 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') | |
| 36 |
|
44 | |||
| 37 | if op == 'pull' and not hgweb.allowpull: |
|
45 | if op == 'pull' and not hgweb.allowpull: | |
| @@ -51,12 +59,11 b' def checkauthz(hgweb, req, op):' | |||||
| 51 | raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required') |
|
59 | raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required') | |
| 52 |
|
60 | |||
| 53 | deny = hgweb.configlist('web', 'deny_push') |
|
61 | deny = hgweb.configlist('web', 'deny_push') | |
| 54 |
if deny and (not user or |
|
62 | if deny and (not user or ismember(hgweb.repo.ui, user, deny)): | |
| 55 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') |
|
63 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') | |
| 56 |
|
64 | |||
| 57 | allow = hgweb.configlist('web', 'allow_push') |
|
65 | allow = hgweb.configlist('web', 'allow_push') | |
| 58 | result = allow and (allow == ['*'] or user in allow) |
|
66 | if not (allow and ismember(hgweb.repo.ui, user, allow)): | |
| 59 | if not result: |
|
|||
| 60 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') |
|
67 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') | |
| 61 |
|
68 | |||
| 62 | # Hooks for hgweb permission checks; extensions can add hooks here. |
|
69 | # Hooks for hgweb permission checks; extensions can add hooks here. | |
| @@ -10,7 +10,7 b' import os, re, time' | |||||
| 10 | from mercurial.i18n import _ |
|
10 | from mercurial.i18n import _ | |
| 11 | from mercurial import ui, hg, scmutil, util, templater |
|
11 | from mercurial import ui, hg, scmutil, util, templater | |
| 12 | from mercurial import error, encoding |
|
12 | from mercurial import error, encoding | |
| 13 | from common import ErrorResponse, get_mtime, staticfile, paritygen, \ |
|
13 | from common import ErrorResponse, get_mtime, staticfile, paritygen, ismember, \ | |
| 14 | get_contact, HTTP_OK, HTTP_NOT_FOUND, HTTP_SERVER_ERROR |
|
14 | get_contact, HTTP_OK, HTTP_NOT_FOUND, HTTP_SERVER_ERROR | |
| 15 | from hgweb_mod import hgweb, makebreadcrumb |
|
15 | from hgweb_mod import hgweb, makebreadcrumb | |
| 16 | from request import wsgirequest |
|
16 | from request import wsgirequest | |
| @@ -164,12 +164,12 b' class hgwebdir(object):' | |||||
| 164 | user = req.env.get('REMOTE_USER') |
|
164 | user = req.env.get('REMOTE_USER') | |
| 165 |
|
165 | |||
| 166 | deny_read = ui.configlist('web', 'deny_read', untrusted=True) |
|
166 | deny_read = ui.configlist('web', 'deny_read', untrusted=True) | |
| 167 |
if deny_read and (not user or |
|
167 | if deny_read and (not user or ismember(ui, user, deny_read)): | |
| 168 | return False |
|
168 | return False | |
| 169 |
|
169 | |||
| 170 | allow_read = ui.configlist('web', 'allow_read', untrusted=True) |
|
170 | allow_read = ui.configlist('web', 'allow_read', untrusted=True) | |
| 171 | # by default, allow reading if no allow_read option has been set |
|
171 | # by default, allow reading if no allow_read option has been set | |
| 172 |
if (not allow_read) or ( |
|
172 | if (not allow_read) or ismember(ui, user, allow_read): | |
| 173 | return True |
|
173 | return True | |
| 174 |
|
174 | |||
| 175 | return False |
|
175 | return False | |
General Comments 0
You need to be logged in to leave comments.
Login now