doc/configuring-access
author Paul Crowley <paul@lshift.net>
Tue, 13 Oct 2009 10:41:24 +0100
changeset 110 69596fffcf7d
parent 83 86ec1268d306
child 112 3035990989ee
permissions -rw-r--r--
Less canonicalisation, use os.path to check for dotfiles

ACCESS.CONF

Out of the box, there are just two kinds of users: the ones with keys in
"keys/root" and those in "keys/users". However, you can change this by editing
"access.conf". There are two "access.conf" files, one in
"/etc/mercurial-server" and one in "hgadmin"; the two are simply concatenated
before being read.

Each line of access.conf has the following syntax:

<rule> <condition> <condition> ...

<rule> is one of:

    init - allow any operation, including the creation of new repositories
    write - allow reads and writes to this file in this repository
    read - allow the repo to be read but reject matching writes
    deny - deny all requests

A condition is a glob pattern matched against a relative path. The two most
important conditions are:

    user=<globpattern> - user's key
    repo=<globpattern> - repo (as the user supplies it)

The first rule in the file which has all its conditions satisfied is used to
determine whether an action is allowed.

Paths cannot contain any special characters except "/"; glob patterns cannot
contain any special characters except "/" and "*". "*" matches zero or more
characters not including "/" while "**" matches zero or more characters
including "/".

Blank lines and lines that start with "#" are ignored.

access.conf ships with the following contents:

    init user=root/**
    deny repo=hgadmin
    write user=users/**

This means: keys in "root" can do anything; keys in "users" cannot create
repositories, cannot even read the hgadmin repository, but can read and write
any other repository; no other key has any access.
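
The first-match evaluation described above, as an added example (not
mercurial-server's own code). The function names are hypothetical, only the
"user" and "repo" conditions are handled, and the ordering of rules by how much
they permit is an assumption read off the rule list:

```python
import re

LEVELS = ["deny", "read", "write", "init"]  # least to most access (assumed ordering)

def glob_to_regex(glob):
    """'**' matches any characters; a single '*' matches any except '/'."""
    parts = re.split(r"(\*\*|\*)", glob)
    table = {"**": ".*", "*": "[^/]*"}
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))

def parse_rules(text):
    """Return [(rule, [(key, regex), ...]), ...], skipping blank and '#' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule, *conds = line.split()
        if rule not in LEVELS:
            raise ValueError("unknown rule: " + rule)
        pairs = [cond.partition("=")[::2] for cond in conds]  # (key, glob)
        rules.append((rule, [(key, glob_to_regex(g)) for key, g in pairs]))
    return rules

def decide(rules, **facts):
    """The first rule whose conditions all match wins; no match means no access."""
    for rule, conds in rules:
        if all(rx.fullmatch(facts[key]) for key, rx in conds):
            return rule
    return "deny"

def allows(level, action):
    """True if the matched rule permits the action ("read", "write" or "init")."""
    return LEVELS.index(level) >= LEVELS.index(action)

# The contents the page says access.conf ships with.
SHIPPED = """
init user=root/**
deny repo=hgadmin
write user=users/**
"""

if __name__ == "__main__":
    rules = parse_rules(SHIPPED)
    for user, repo in [("root/alice", "hgadmin"), ("users/bob", "hgadmin"),
                       ("users/team/bob", "project/x"), ("guest/eve", "project/x")]:
        print(user, repo, decide(rules, user=user, repo=repo))
```

Because the first matching rule wins, a broad rule placed above
"deny repo=hgadmin" shadows it, so line order is part of the policy.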

More advanced access configuration is covered in file-conditions.