Show More
| @@ -18,6 +18,15 b' HTTP_METHOD_NOT_ALLOWED = 405' | |||
|
|
18 | 18 | HTTP_SERVER_ERROR = 500 |
|
|
19 | 19 | |
|
|
20 | 20 | |
|
|
21 | def ismember(ui, username, userlist): | |
|
|
22 | """Check if username is a member of userlist. | |
|
|
23 | ||
|
|
24 | If userlist has a single '*' member, all users are considered members. | |
|
|
25 | Can be overriden by extensions to provide more complex authorization | |
|
|
26 | schemes. | |
|
|
27 | """ | |
|
|
28 | return userlist == ['*'] or username in userlist | |
|
|
29 | ||
|
|
21 | 30 | def checkauthz(hgweb, req, op): |
|
|
22 | 31 | '''Check permission for operation based on request data (including |
|
|
23 | 32 | authentication info). Return if op allowed, else raise an ErrorResponse |
| @@ -26,12 +35,11 b' def checkauthz(hgweb, req, op):' | |||
|
|
26 | 35 | user = req.env.get('REMOTE_USER') |
|
|
27 | 36 | |
|
|
28 | 37 | deny_read = hgweb.configlist('web', 'deny_read') |
|
|
29 |
if deny_read and (not user or |
|
|
|
38 | if deny_read and (not user or ismember(hgweb.repo.ui, user, deny_read)): | |
|
|
30 | 39 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
|
31 | 40 | |
|
|
32 | 41 | allow_read = hgweb.configlist('web', 'allow_read') |
|
|
33 | result = (not allow_read) or (allow_read == ['*']) | |
|
|
34 | if not (result or user in allow_read): | |
|
|
42 | if allow_read and (not ismember(hgweb.repo.ui, user, allow_read)): | |
|
|
35 | 43 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
|
36 | 44 | |
|
|
37 | 45 | if op == 'pull' and not hgweb.allowpull: |
| @@ -51,12 +59,11 b' def checkauthz(hgweb, req, op):' | |||
|
|
51 | 59 | raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required') |
|
|
52 | 60 | |
|
|
53 | 61 | deny = hgweb.configlist('web', 'deny_push') |
|
|
54 |
if deny and (not user or |
|
|
|
62 | if deny and (not user or ismember(hgweb.repo.ui, user, deny)): | |
|
|
55 | 63 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') |
|
|
56 | 64 | |
|
|
57 | 65 | allow = hgweb.configlist('web', 'allow_push') |
|
|
58 | result = allow and (allow == ['*'] or user in allow) | |
|
|
59 | if not result: | |
|
|
66 | if not (allow and ismember(hgweb.repo.ui, user, allow)): | |
|
|
60 | 67 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') |
|
|
61 | 68 | |
|
|
62 | 69 | # Hooks for hgweb permission checks; extensions can add hooks here. |
| @@ -10,7 +10,7 b' import os, re, time' | |||
|
|
10 | 10 | from mercurial.i18n import _ |
|
|
11 | 11 | from mercurial import ui, hg, scmutil, util, templater |
|
|
12 | 12 | from mercurial import error, encoding |
|
|
13 | from common import ErrorResponse, get_mtime, staticfile, paritygen, \ | |
|
|
13 | from common import ErrorResponse, get_mtime, staticfile, paritygen, ismember, \ | |
|
|
14 | 14 | get_contact, HTTP_OK, HTTP_NOT_FOUND, HTTP_SERVER_ERROR |
|
|
15 | 15 | from hgweb_mod import hgweb, makebreadcrumb |
|
|
16 | 16 | from request import wsgirequest |
| @@ -164,12 +164,12 b' class hgwebdir(object):' | |||
|
|
164 | 164 | user = req.env.get('REMOTE_USER') |
|
|
165 | 165 | |
|
|
166 | 166 | deny_read = ui.configlist('web', 'deny_read', untrusted=True) |
|
|
167 |
if deny_read and (not user or |
|
|
|
167 | if deny_read and (not user or ismember(ui, user, deny_read)): | |
|
|
168 | 168 | return False |
|
|
169 | 169 | |
|
|
170 | 170 | allow_read = ui.configlist('web', 'allow_read', untrusted=True) |
|
|
171 | 171 | # by default, allow reading if no allow_read option has been set |
|
|
172 |
if (not allow_read) or ( |
|
|
|
172 | if (not allow_read) or ismember(ui, user, allow_read): | |
|
|
173 | 173 | return True |
|
|
174 | 174 | |
|
|
175 | 175 | return False |
General Comments 0
You need to be logged in to leave comments.
Login now