upstream/mercurial-mirror Commit - r6779:d3147b4e

hgweb: centralize permission checks for protocol commands...

Dirkjan Ochtman -

r6779:d3147b4e default

parent child

mercurial/hgweb/hgweb_mod.py

0 +39 -7

              from request import wsgirequest
              import webcommands, protocol, webutil
+             perms = {
+                 'changegroup': 'pull',
+                 'changegroupsubset': 'pull',
+                 'unbundle': 'push',
+                 'stream_out': 'pull',
+             }
              class hgweb(object):
                  def __init__(self, repo, name=None):
                      if isinstance(repo, str):
                      cmd = req.form.get('cmd', [''])[0]
                      if cmd and cmd in protocol.__all__:
+                         if cmd in perms and not self.check_perm(req, perms[cmd]):
+                             return
                          method = getattr(protocol, cmd)
                          method(self, req)
                          return
                      'zip': ('application/zip', 'zip', '.zip', None),
                      }
-                 def check_perm(self, req, op, default):
-                     '''check permission for operation based on user auth.
-                     return true if op allowed, else false.
-                     default is policy to use if no config given.'''
+                 def check_perm(self, req, op):
+                     '''Check permission for operation based on request data (including
+                     authentication info. Return true if op allowed, else false.'''
+                     def error(status, message):
+                         req.respond(status, protocol.HGTYPE)
+                         req.write('0\n%s\n' % message)
+                     if op == 'pull':
+                         return self.allowpull
+                     # enforce that you can only push using POST requests
+                     if req.env['REQUEST_METHOD'] != 'POST':
+                         error('405 Method Not Allowed', 'push requires POST request')
+                         return False
+                     # require ssl by default for pushing, auth info cannot be sniffed
+                     # and replayed
+                     scheme = req.env.get('wsgi.url_scheme')
+                     if self.configbool('web', 'push_ssl', True) and scheme != 'https':
+                         error(HTTP_OK, 'ssl required')
+                         return False
                      user = req.env.get('REMOTE_USER')
-                     deny = self.configlist('web', 'deny_' + op)
+                     deny = self.configlist('web', 'deny_push')
                      if deny and (not user or deny == ['*'] or user in deny):
+                         error('401 Unauthorized', 'push not authorized')
                          return False
-                     allow = self.configlist('web', 'allow_' + op)
-                     return (allow and (allow == ['*'] or user in allow)) or default
+                     allow = self.configlist('web', 'allow_push')
+                     result = allow and (allow == ['*'] or user in allow)
+                     if not result:
+                         error('401 Unauthorized', 'push not authorized')
+                     return result

mercurial/hgweb/protocol.py

0 +1 -28

              def changegroup(web, req):
                  req.respond(HTTP_OK, HGTYPE)
                  nodes = []
-                 if not web.allowpull:
-                     return
                  if 'roots' in req.form:
                      nodes = map(bin, req.form['roots'][0].split(" "))
                  req.respond(HTTP_OK, HGTYPE)
                  bases = []
                  heads = []
-                 if not web.allowpull:
-                     return
                  if 'bases' in req.form:
                      bases = [bin(x) for x in req.form['bases'][0].split(' ')]
                      req.write('0\n')
                      req.write(response)
-                 # enforce that you can only unbundle with POST requests
-                 if req.env['REQUEST_METHOD'] != 'POST':
-                     headers = {'status': '405 Method Not Allowed'}
-                     bail('unbundle requires POST request\n', headers)
-                     return
-                 # require ssl by default, auth info cannot be sniffed and
-                 # replayed
-                 ssl_req = web.configbool('web', 'push_ssl', True)
-                 if ssl_req:
-                     if req.env.get('wsgi.url_scheme') != 'https':
-                         bail('ssl required\n')
-                         return
-                     proto = 'https'
-                 else:
-                     proto = 'http'
-                 # do not allow push unless explicitly allowed
-                 if not web.check_perm(req, 'push', False):
-                     bail('push not authorized\n', headers={'status': '401 Unauthorized'})
-                     return
+                 proto = req.env.get('wsgi.url_scheme') or 'http'
                  their_heads = req.form['heads'][0].split(' ')
                  def check_heads():
                      os.unlink(tempname)
              def stream_out(web, req):
-                 if not web.allowpull:
-                     return
                  req.respond(HTTP_OK, HGTYPE)
                  streamclone.stream_out(web.repo, req, untrusted=True)

tests/test-hgweb-commands.out

0 binary modified 0 0

NO CONTENT: modified file, binary diff hidden

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages