Mercurial > public > mercurial-scm > hg-stable
comparison mercurial/hgweb/common.py @ 36883:02bea04b4c54
hgweb: transition permissions hooks to modern request type (API)
We're trying to remove ``wsgirequest``. The permissions hooks don't
do anything they can't do with our new request type. So let's
pass that in.
This was the last use of ``wsgirequest`` in the wire protocol code!
.. api::
hgweb.hgweb_mod.permhooks no longer take a ``wsgirequest`` instance
as an argument.
Differential Revision: https://phab.mercurial-scm.org/D2793
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sat, 10 Mar 2018 18:19:27 -0800 |
| parents | 98baf8dea553 |
| children | a2566597acb5 |
comparison
equal
deleted
inserted
replaced
| 36882:97f44b0720e2 | 36883:02bea04b4c54 |
|---|---|
| 44 def checkauthz(hgweb, req, op): | 44 def checkauthz(hgweb, req, op): |
| 45 '''Check permission for operation based on request data (including | 45 '''Check permission for operation based on request data (including |
| 46 authentication info). Return if op allowed, else raise an ErrorResponse | 46 authentication info). Return if op allowed, else raise an ErrorResponse |
| 47 exception.''' | 47 exception.''' |
| 48 | 48 |
| 49 user = req.env.get(r'REMOTE_USER') | 49 user = req.remoteuser |
| 50 | 50 |
| 51 deny_read = hgweb.configlist('web', 'deny_read') | 51 deny_read = hgweb.configlist('web', 'deny_read') |
| 52 if deny_read and (not user or ismember(hgweb.repo.ui, user, deny_read)): | 52 if deny_read and (not user or ismember(hgweb.repo.ui, user, deny_read)): |
| 53 raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') | 53 raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') |
| 54 | 54 |
| 60 raise ErrorResponse(HTTP_UNAUTHORIZED, 'pull not authorized') | 60 raise ErrorResponse(HTTP_UNAUTHORIZED, 'pull not authorized') |
| 61 elif op == 'pull' or op is None: # op is None for interface requests | 61 elif op == 'pull' or op is None: # op is None for interface requests |
| 62 return | 62 return |
| 63 | 63 |
| 64 # enforce that you can only push using POST requests | 64 # enforce that you can only push using POST requests |
| 65 if req.env[r'REQUEST_METHOD'] != r'POST': | 65 if req.method != 'POST': |
| 66 msg = 'push requires POST request' | 66 msg = 'push requires POST request' |
| 67 raise ErrorResponse(HTTP_METHOD_NOT_ALLOWED, msg) | 67 raise ErrorResponse(HTTP_METHOD_NOT_ALLOWED, msg) |
| 68 | 68 |
| 69 # require ssl by default for pushing, auth info cannot be sniffed | 69 # require ssl by default for pushing, auth info cannot be sniffed |
| 70 # and replayed | 70 # and replayed |
| 71 scheme = req.env.get('wsgi.url_scheme') | 71 if hgweb.configbool('web', 'push_ssl') and req.urlscheme != 'https': |
| 72 if hgweb.configbool('web', 'push_ssl') and scheme != 'https': | |
| 73 raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required') | 72 raise ErrorResponse(HTTP_FORBIDDEN, 'ssl required') |
| 74 | 73 |
| 75 deny = hgweb.configlist('web', 'deny_push') | 74 deny = hgweb.configlist('web', 'deny_push') |
| 76 if deny and (not user or ismember(hgweb.repo.ui, user, deny)): | 75 if deny and (not user or ismember(hgweb.repo.ui, user, deny)): |
| 77 raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') | 76 raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized') |