@@ -18,6 +18,15 b' HTTP_METHOD_NOT_ALLOWED = 405' | |||||
18 | HTTP_SERVER_ERROR = 500 |
|
18 | HTTP_SERVER_ERROR = 500 | |
19 |
|
19 | |||
20 |
|
20 | |||
|
21 | def ismember(ui, username, userlist): | |||
|
22 | """Check if username is a member of userlist. | |||
|
23 | ||||
|
24 | If userlist has a single '*' member, all users are considered members. | |||
|
25 | Can be overriden by extensions to provide more complex authorization | |||
|
26 | schemes. | |||
|
27 | """ | |||
|
28 | return userlist == ['*'] or username in userlist | |||
|
29 | ||||
21 | def checkauthz(hgweb, req, op): |
|
30 | def checkauthz(hgweb, req, op): | |
22 | '''Check permission for operation based on request data (including |
|
31 | '''Check permission for operation based on request data (including | |
23 | authentication info). Return if op allowed, else raise an ErrorResponse |
|
32 | authentication info). Return if op allowed, else raise an ErrorResponse | |
@@ -26,12 +35,11 b' def checkauthz(hgweb, req, op):' | |||||
26 | user = req.env.get('REMOTE_USER') |
|
35 | user = req.env.get('REMOTE_USER') | |
27 |
|
36 | |||
28 | deny_read = hgweb.configlist('web', 'deny_read') |
|
37 | deny_read = hgweb.configlist('web', 'deny_read') | |
29 |
if deny_read and (not user or |
|
38 | if deny_read and (not user or ismember(hgweb.repo.ui, user, deny_read)): | |
30 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
39 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') | |
31 |
|
40 | |||
32 | allow_read = hgweb.configlist('web', 'allow_read') |
|
41 | allow_read = hgweb.configlist('web', 'allow_read') | |
33 | result = (not allow_read) or (allow_read == ['*']) |
|
42 | if allow_read and (not ismember(hgweb.repo.ui, user, allow_read)): | |
34 | if not (result or user in allow_read): |
|
|||
35 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
|
43 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') | |
36 |
|
44 | |||
37 | if op == 'pull' and not hgweb.allowpull: |
|
45 | if op == 'pull' and not hgweb.allowpull: | |
@@ -51,12 +59,11 b' def checkauthz(hgweb, req, op):' | |||||
51 | raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required') |
|
59 | raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required') | |
52 |
|
60 | |||
53 | deny = hgweb.configlist('web', 'deny_push') |
|
61 | deny = hgweb.configlist('web', 'deny_push') | |
54 |
if deny and (not user or |
|
62 | if deny and (not user or ismember(hgweb.repo.ui, user, deny)): | |
55 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') |
|
63 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') | |
56 |
|
64 | |||
57 | allow = hgweb.configlist('web', 'allow_push') |
|
65 | allow = hgweb.configlist('web', 'allow_push') | |
58 | result = allow and (allow == ['*'] or user in allow) |
|
66 | if not (allow and ismember(hgweb.repo.ui, user, allow)): | |
59 | if not result: |
|
|||
60 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') |
|
67 | raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') | |
61 |
|
68 | |||
62 | # Hooks for hgweb permission checks; extensions can add hooks here. |
|
69 | # Hooks for hgweb permission checks; extensions can add hooks here. |
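Review bot: The new `ismember` docstring leaves out two things a caller or overriding extension needs: `username` may be None, since every call site in this hunk passes `req.env.get('REMOTE_USER')`, and the `ui` argument is not used by the default implementation. Suggested addition to the docstring: `username may be None for unauthenticated requests; the default implementation then matches only a sole '*' entry. ui is unused here and is passed for the benefit of overriding extensions.` The wildcard is recognised only when `userlist == ['*']`, so a list such as `['*', 'alice']` grants nothing to other users; that is unchanged from the inline checks being replaced, but is worth stating now that the function is the documented extension point. Also `overriden` should read `overridden`.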
@@ -10,7 +10,7 b' import os, re, time' | |||||
10 | from mercurial.i18n import _ |
|
10 | from mercurial.i18n import _ | |
11 | from mercurial import ui, hg, scmutil, util, templater |
|
11 | from mercurial import ui, hg, scmutil, util, templater | |
12 | from mercurial import error, encoding |
|
12 | from mercurial import error, encoding | |
13 | from common import ErrorResponse, get_mtime, staticfile, paritygen, \ |
|
13 | from common import ErrorResponse, get_mtime, staticfile, paritygen, ismember, \ | |
14 | get_contact, HTTP_OK, HTTP_NOT_FOUND, HTTP_SERVER_ERROR |
|
14 | get_contact, HTTP_OK, HTTP_NOT_FOUND, HTTP_SERVER_ERROR | |
15 | from hgweb_mod import hgweb, makebreadcrumb |
|
15 | from hgweb_mod import hgweb, makebreadcrumb | |
16 | from request import wsgirequest |
|
16 | from request import wsgirequest | |
@@ -164,12 +164,12 b' class hgwebdir(object):' | |||||
164 | user = req.env.get('REMOTE_USER') |
|
164 | user = req.env.get('REMOTE_USER') | |
165 |
|
165 | |||
166 | deny_read = ui.configlist('web', 'deny_read', untrusted=True) |
|
166 | deny_read = ui.configlist('web', 'deny_read', untrusted=True) | |
167 |
if deny_read and (not user or |
|
167 | if deny_read and (not user or ismember(ui, user, deny_read)): | |
168 | return False |
|
168 | return False | |
169 |
|
169 | |||
170 | allow_read = ui.configlist('web', 'allow_read', untrusted=True) |
|
170 | allow_read = ui.configlist('web', 'allow_read', untrusted=True) | |
171 | # by default, allow reading if no allow_read option has been set |
|
171 | # by default, allow reading if no allow_read option has been set | |
172 |
if (not allow_read) or ( |
|
172 | if (not allow_read) or ismember(ui, user, allow_read): | |
173 | return True |
|
173 | return True | |
174 |
|
174 | |||
175 | return False |
|
175 | return False |
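Review bot: `from common import ... ismember` on line 13 binds the function into this module's namespace at import time, so if an extension overrides authorization by rebinding `common.ismember` (the new docstring in common.py says it can be overridden but not how), `checkauthz` in common.py will pick up the replacement while the index permission check in this hunk keeps calling the original. An extension that tightens access would then silently apply to per-repository requests but not to which repositories the index lists. Looking the name up at call time, e.g. `import common` at the top and `common.ismember(ui, user, deny_read)` / `common.ismember(ui, user, allow_read)` here, keeps both checks consistent; if overrides are meant to use some other mechanism, a comment on `ismember` saying so would avoid the trap. The enclosing method of class hgwebdir starts outside the hunk.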