diff -r 866d2715aff5 -r 2dc868712dcc mercurial/hgweb/hgweb_mod.py --- a/mercurial/hgweb/hgweb_mod.py Fri Nov 07 18:42:43 2008 +0100 +++ b/mercurial/hgweb/hgweb_mod.py Fri Oct 31 15:28:06 2008 +0100 @@ -161,11 +161,13 @@ # process the web interface request try: - tmpl = self.templater(req) ctype = tmpl('mimetype', encoding=self.encoding) ctype = templater.stringify(ctype) + # check allow_read / deny_read config options + self.check_perm(req, None) + if cmd == '': req.form['cmd'] = [tmpl.cache['default']] cmd = req.form['cmd'][0] @@ -278,11 +280,24 @@ def check_perm(self, req, op): '''Check permission for operation based on request data (including - authentication info. Return true if op allowed, else false.''' + authentication info). Return if op allowed, else raise an ErrorResponse + exception.''' + + user = req.env.get('REMOTE_USER') + + deny_read = self.configlist('web', 'deny_read') + if deny_read and (not user or deny_read == ['*'] or user in deny_read): + raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') + + allow_read = self.configlist('web', 'allow_read') + result = (not allow_read) or (allow_read == ['*']) or (user in allow_read) + if not result: + raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized') if op == 'pull' and not self.allowpull: raise ErrorResponse(HTTP_OK, '') - elif op == 'pull': + # op is None when checking allow/deny_read permissions for a web-browser request + elif op == 'pull' or op is None: return # enforce that you can only push using POST requests @@ -296,8 +311,6 @@ if self.configbool('web', 'push_ssl', True) and scheme != 'https': raise ErrorResponse(HTTP_OK, 'ssl required') - user = req.env.get('REMOTE_USER') - deny = self.configlist('web', 'deny_push') if deny and (not user or deny == ['*'] or user in deny): raise ErrorResponse(HTTP_UNAUTHORIZED, 'push not authorized')
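Review bot: The `self.check_perm(req, None)` call sits under the `# process the web interface request` comment, so it guards a request only if that request reaches this `try:` block. The code that dispatches wire-protocol commands lies outside the hunk; if any command there is served without passing through `check_perm`, `allow_read`/`deny_read` would not apply to it, which is worth confirming before these options are relied on to keep a repository private. A short comment on the call, for example `# must run before any command is dispatched so nothing is rendered for a denied user`, would record why it is placed ahead of the `if cmd == '':` handling. The enclosing method starts and ends outside the hunk.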
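Review bot: The wildcard in the new read checks is honoured only when it is the sole entry: `deny_read == ['*']` and `allow_read == ['*']` compare the whole list, so a setting such as `deny_read = *, bob` would deny `bob` and anonymous requests but let every other authenticated user through. A membership test fails closed on the deny side, `if deny_read and (not user or '*' in deny_read or user in deny_read):`, with `'*' in allow_read` as the matching change for the allow list. The existing `deny_push` check in the last hunk uses the same list comparison, so this may be deliberate; if so, the docstring should say that `*` must stand alone and that `deny_read` is evaluated before `allow_read`. The body of `check_perm` continues past the end of this hunk.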