doc/how-it-works
branchdebian
changeset 115 731a72b742db
parent 112 3035990989ee
--- a/doc/how-it-works	Thu May 28 10:43:30 2009 +0100
+++ b/doc/how-it-works	Tue Oct 13 15:30:03 2009 +0100
@@ -1,22 +1,24 @@
 HOW IT WORKS
 
-When a developer attempts to connect to a repository via ssh, the SSH daemon
-searches for a match for that user's key in ~hg/.ssh/authorized_keys. If the
-developer is authorised to connect to the repository they will have an entry
-in this file. The entry includes a "command" prefix which specifies that the
-restricted shell "/usr/local/lib/mercurial-server/hg-ssh" should be used; this
-shell is passed an argument identifying the developer. The shell parses the
-command the developer is trying to execute, and consults a rules file to see
-if that developer is allowed to perform that action on that repository.
+When a developer attempts to connect to a repository via ssh, the SSH
+daemon searches for a match for that user's key in
+~hg/.ssh/authorized_keys. If the developer is authorised to connect to the
+repository they will have an entry in this file. The entry includes a
+"command" prefix which specifies that the restricted shell
+"/usr/local/share/mercurial-server/hg-ssh" should be used; this shell is
+passed an argument identifying the developer. The shell parses the command
+the developer is trying to execute, and consults a rules file to see if
+that developer is allowed to perform that action on that repository.
 
 The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which
-recurses through two directories of files containing SSH keys and generates an
-entry in authorized_keys for each one, using the name of the key file as the
-identifier for the developer. These keys will live in the "keys" subdirectory
-"/etc/mercurial-server" and the "keys" subdirectory of a repository called
-"hgadmin". A hook in this repository re-runs "refresh-auth" on the most recent
-version after every push.
+recurses through two directories of files containing SSH keys and generates
+an entry in authorized_keys for each one, using the name of the key file as
+the identifier for the developer. These keys will live in the "keys"
+subdirectory "/etc/mercurial-server" and the "keys" subdirectory of a
+repository called "hgadmin". A hook in this repository re-runs
+"refresh-auth" on the most recent version after every push.
 
-Finally, hook in an extension is run for each changeset that is remotely
-committed, which uses the rules file to determine whether to allow the
-changeset.
+When users try to commit new changesets, a hook is run which consults the
+rules file to decide whether to allow the changeset into the repository.
+This can depend not only on the user and the repository, but also the
+branch and files in the changeset.