FILE CONDITIONSRead configuring-access before you read this.mercurial-server supports file and branch conditions, which restrict anoperation depending on what files it modifies and what branch the work ison. However, the way these conditions work is subtle and can becounterintuitive - if you want to keep things simple, stick to user andrepo conditions, and then things are likely to work the way you wouldexpect.File and branch conditions are added to the conditions against which a rulematches, just like user and repo conditions; they have this form: file=<globpattern> - file in the repo branch=<globpattern> - name of the branchHowever, in order to understand what effect adding these conditions willhave, it helps to understand how and when these rules are applied.The rules file is used to make four decisions:- Whether to allow a repository to be created- Whether to allow access to a repository- Whether to allow a changeset on a particular branch at all- Whether to allow a changeset to change a particular fileWhen the first two of these decisions are being made, nothing is knownabout what files might be changed, and so all file conditions automaticallysucceed for the purpose of such decisions. This means that doing trickythings with file conditions can have counterintuitive consequences:- You cannot limit read access to a subset of a repository with a "read"rule and a file condition: any user who has access to a repository can readall of it and its full history. Such a rule can only have the effect ofmasking a later "write" rule, as in this example: read repo=specialrepo file=dontwritethis write repo=specialrepoallows all users to read specialrepo, and to write to all files *except*that any changeset which writes to "dontwritethis" will be rejected.- For similar reasons, don't give "init" rules file conditions.- Don't try to deny write access to a particular file on a particularbranch - a developer can write to the file on another branch and then mergeit in. Either deny all writes to the branch from that user, or allow themto write to all the files they can write to on any branch. In other words,something like this will have the intended effect: write user=docs/* branch=docs file=docs/*But something like this will not have the intended effect; it willeffectively allow these users to write to any file on any branch, bywriting it to "docs" first: write user=docs/* branch=docs write user=docs/* file=docs/* read user=docs/*