[PATCH] hgweb: refactor checks for granting and revoking user permissions
Wagner Bruna
wagner.bruna+mercurial at gmail.com
Mon Apr 15 22:15:49 UTC 2013
# HG changeset patch
# User Wagner Bruna <wbruna at softwareexpress.com.br>
# Date 1366063024 10800
# Node ID a1959edc4c404c14adb500a9f38d74bf7d48f7db
# Parent 8086b530e2ac23f60ee01e6fa274aec1bb32d988
hgweb: refactor checks for granting and revoking user permissions
Provides an entry point for extensions implementing more complex
authorization schemes.
Original patch proposed by Markus Zapke-Gründemann.
diff --git a/mercurial/hgweb/common.py b/mercurial/hgweb/common.py
--- a/mercurial/hgweb/common.py
+++ b/mercurial/hgweb/common.py
@@ -18,6 +18,15 @@ HTTP_METHOD_NOT_ALLOWED = 405
HTTP_SERVER_ERROR = 500
+def ismember(ui, username, userlist):
+ """Check if username is a member of userlist.
+
+ If userlist has a single '*' member, all users are considered members.
+ Can be overriden by extensions to provide more complex authorization
+ schemes.
+ """
+ return userlist == ['*'] or username in userlist
+
def checkauthz(hgweb, req, op):
'''Check permission for operation based on request data (including
authentication info). Return if op allowed, else raise an ErrorResponse
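Review bot: `ismember` receives `user` straight from `req.env.get('REMOTE_USER')` in the allow branches at lines 40, 52 and 76, so `username` is `None` for an unauthenticated request and the default implementation denies it only because `None in userlist` is false; the docstring should state that contract for the extensions it invites to override it, since an override that normalises or looks up a falsy username could end up granting anonymous access. Suggested docstring addition: `username may be None for an unauthenticated request; an override must not treat that as a match unless userlist is ['*'].` The docstring should also say that `ui` is unused by the default implementation and is presumably passed only so overrides can consult configuration, and "overriden" should read "overridden". It is also worth noting that only the single-element list `['*']` acts as a wildcard — `['*', 'alice']` does not — so a misconfigured list fails closed rather than open.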
@@ -26,12 +35,11 @@ def checkauthz(hgweb, req, op):
user = req.env.get('REMOTE_USER')
deny_read = hgweb.configlist('web', 'deny_read')
- if deny_read and (not user or deny_read == ['*'] or user in deny_read):
+ if deny_read and (not user or ismember(hgweb.repo.ui, user, deny_read)):
raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized')
allow_read = hgweb.configlist('web', 'allow_read')
- result = (not allow_read) or (allow_read == ['*'])
- if not (result or user in allow_read):
+ if allow_read and (not ismember(hgweb.repo.ui, user, allow_read)):
raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized')
if op == 'pull' and not hgweb.allowpull:
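Review bot: `hgweb.repo.ui` is re-evaluated at each of the four new call sites (lines 35, 40, 47 and 52 — the push hunk has the same pattern); binding it once next to the `user` assignment at line 32, `repoui = hgweb.repo.ui`, and passing `repoui` would keep the checks uniform with the hgwebdir caller at line 71, which passes a local `ui`. `checkauthz` begins and ends outside this hunk.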
@@ -51,12 +59,11 @@ def checkauthz(hgweb, req, op):
raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required')
deny = hgweb.configlist('web', 'deny_push')
- if deny and (not user or deny == ['*'] or user in deny):
+ if deny and (not user or ismember(hgweb.repo.ui, user, deny)):
raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized')
allow = hgweb.configlist('web', 'allow_push')
- result = allow and (allow == ['*'] or user in allow)
- if not result:
+ if not (allow and ismember(hgweb.repo.ui, user, allow)):
raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized')
# Hooks for hgweb permission checks; extensions can add hooks here.
diff --git a/mercurial/hgweb/hgwebdir_mod.py b/mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py
+++ b/mercurial/hgweb/hgwebdir_mod.py
@@ -10,7 +10,7 @@ import os, re, time
from mercurial.i18n import _
from mercurial import ui, hg, scmutil, util, templater
from mercurial import error, encoding
-from common import ErrorResponse, get_mtime, staticfile, paritygen, \
+from common import ErrorResponse, get_mtime, staticfile, paritygen, ismember, \
get_contact, HTTP_OK, HTTP_NOT_FOUND, HTTP_SERVER_ERROR
from hgweb_mod import hgweb, makebreadcrumb
from request import wsgirequest
@@ -164,12 +164,12 @@ class hgwebdir(object):
user = req.env.get('REMOTE_USER')
deny_read = ui.configlist('web', 'deny_read', untrusted=True)
- if deny_read and (not user or deny_read == ['*'] or user in deny_read):
+ if deny_read and (not user or ismember(ui, user, deny_read)):
return False
allow_read = ui.configlist('web', 'allow_read', untrusted=True)
# by default, allow reading if no allow_read option has been set
- if (not allow_read) or (allow_read == ['*']) or (user in allow_read):
+ if (not allow_read) or ismember(ui, user, allow_read):
return True
return False