diff -r 6542be5df719 -r b5ed0ab8cc74 mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py Wed Mar 04 19:04:21 2009 -0600
+++ b/mercurial/hgweb/hgweb_mod.py Sat Mar 07 00:59:41 2009 +0100
@@ -284,7 +284,7 @@
 allow_read = self.configlist('web', 'allow_read')
 result = (not allow_read) or (allow_read == ['*'])
- if not result or user in allow_read:
+ if not (result or user in allow_read):
 raise ErrorResponse(HTTP_UNAUTHORIZED, 'read not authorized')
 if op == 'pull' and not self.allowpull:
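Review bot: The corrected condition `if not (result or user in allow_read):` still hides the access rule behind the vaguely named `result` flag, which is the kind of phrasing that let the `not`/`or` precedence slip go unnoticed. A comment above it such as `# deny unless allow_read is empty, is ['*'], or lists this user` would make the intended policy checkable at a glance. Nothing in this hunk shows a regression test; if the commit has none, cases for a listed user, an unlisted user and an anonymous request against a restricted `allow_read` would pin the behaviour. The enclosing function starts and ends outside the hunk, so where `user` comes from is not visible here.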