20 pushing or pulling. The hook is not safe to use if users have |
20 pushing or pulling. The hook is not safe to use if users have |
21 interactive shell access, as they can then disable the hook. |
21 interactive shell access, as they can then disable the hook. |
22 Nor is it safe if remote users share an account, because then there |
22 Nor is it safe if remote users share an account, because then there |
23 is no way to distinguish them. |
23 is no way to distinguish them. |
24 |
24 |
25 The deny list is checked before the allow list is. |
25 The deny list is checked before the allow list. |
26 |
26 |
27 The allow and deny sections take key-value pairs, having a subtree pattern |
27 The allow and deny sections take key-value pairs, having a subtree pattern |
28 as key (with a glob syntax by default). The corresponding value can be either: |
28 as key (with a glob syntax by default). The corresponding value can be either: |
29 |
29 |
30 1) an asterisk, to match everyone; |
30 1) an asterisk, to match everyone; |
31 2) a comma-separated list containing users and groups. |
31 2) a comma-separated list containing users and groups. |
32 |
32 |
33 Group names must be prefixed with an @ symbol. |
33 Group names must be prefixed with an ``@`` symbol. |
34 Specifying a group name has the same effect as specifying all the users in |
34 Specifying a group name has the same effect as specifying all the users in |
35 that group. |
35 that group. |
36 The set of users for a group is taken from "grp.getgrnam" |
|
37 (see http://docs.python.org/library/grp.html#grp.getgrnam). |
|
38 |
36 |
39 To use this hook, configure the acl extension in your hgrc like this:: |
37 To use this hook, configure the acl extension in your hgrc like this:: |
40 |
38 |
41 [extensions] |
39 [extensions] |
42 acl = |
40 acl = |
43 |
41 |
44 [hooks] |
42 [hooks] |
45 |
43 |
46 # Use this if you want to check access restrictions at commit time |
44 # Use this if you want to check access restrictions at commit time. |
47 pretxncommit.acl = python:hgext.acl.hook |
45 pretxncommit.acl = python:hgext.acl.hook |
48 |
46 |
49 # Use this if you want to check access restrictions for pull, push, bundle |
47 # Use this if you want to check access restrictions for pull, push, bundle |
50 # and serve. |
48 # and serve. |
51 pretxnchangegroup.acl = python:hgext.acl.hook |
49 pretxnchangegroup.acl = python:hgext.acl.hook |
52 |
50 |
53 [acl] |
51 [acl] |
54 # Check whether the source of incoming changes is in this list |
52 # Check whether the source of incoming changes is in this list where |
55 # ("serve" == ssh or http, "push", "pull", "bundle") |
53 # "serve" == ssh or http, and "push", "pull" and "bundle" are the |
|
54 # corresponding hg commands. |
56 sources = serve |
55 sources = serve |
57 |
56 |
58 [acl.deny] |
57 [acl.deny] |
59 # This list is checked first. If a match is found, 'acl.allow' will not be |
58 # This list is checked first. If a match is found, 'acl.allow' will not be |
60 # checked. |
59 # checked. All users are granted access if acl.deny is not present. |
61 # if acl.deny is not present, no users denied by default |
60 # Format for both lists: glob pattern = user, ..., @group, ... |
62 # empty acl.deny = all users allowed |
|
63 # Format for both lists: glob pattern = user4, user5, @group1 |
|
64 |
61 |
65 # To match everyone, use an asterisk for the user: |
62 # To match everyone, use an asterisk for the user: |
66 # my/glob/pattern = * |
63 # my/glob/pattern = * |
67 |
64 |
68 # user6 will not have write access to any file: |
65 # user6 will not have write access to any file: |
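Review bot: in the [acl.deny] comment, the new sentence "All users are granted access if acl.deny is not present" can be read as saying that a missing deny section bypasses acl.allow, while the text earlier in the docstring only says the deny list is checked before the allow list. Suggest wording closer to the old line, for example "No users are denied if acl.deny is not present", and keeping a mention of the empty-section case, which the removed line "empty acl.deny = all users allowed" covered and the new text no longer does. Separately, dropping the grp.getgrnam sentence leaves the docstring with no statement of where the members of an @group come from; for an access-control hook that is worth keeping as one line.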
85 # User "jack" and group "designers" have write access to any file under the |
82 # User "jack" and group "designers" have write access to any file under the |
86 # "images" folder: |
83 # "images" folder: |
87 images/** = jack, @designers |
84 images/** = jack, @designers |
88 |
85 |
89 # Everyone (except for "user6" - see "acl.deny" above) will have write access |
86 # Everyone (except for "user6" - see "acl.deny" above) will have write access |
90 to any file under the "resources" folder (except for 1 file. See "acl.deny"): |
87 # to any file under the "resources" folder (except for 1 file. See "acl.deny"): |
91 src/main/resources/** = * |
88 src/main/resources/** = * |
92 |
89 |
93 .hgtags = release_engineer |
90 .hgtags = release_engineer |
94 |
91 |
95 ''' |
92 ''' |
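Review bot: the last entry of the allow example, ".hgtags = release_engineer", is the only rule in this hunk without an explanatory comment, unlike the "images/**" and "src/main/resources/**" entries above it. Suggest adding a comment line that says who may write to .hgtags and why it is listed separately. The comment "(except for 1 file. See "acl.deny")" also does not name the file, so a reader has to search the deny section to find it; naming the path there would make the example self-explanatory.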