0

I want to use the ACL extension in order to allow only the QA team to make pushes and commits to the stable branch, while putting no restriction on other branches. However, I don't see how to do that with the deny and allow lists, since it seems to me I'd need to be able to specify in [acl.deny.branches] an entity that is equivalent to "all users except group ____", which I don't think is possible. The set of all users and other branches is open and not known in advance (just the set of QA people is known, and the one restricted branch), so I can't just list all the users in a deny list for the restricted branch, or all the branches = * in an allow list.

Also, when using the ACL extension should I disable allow_push = * in the hgweb.config / hgrc? I don't know if that, or the ACL extension, takes precedence. I've seen on a mailing list from 2011 that the hgrc directive takes precedence, but that may be wrong or outdated, so I'd like to confirm.

[Edit]

I see others have come across this type of issue: http://mercurial.808500.n3.nabble.com/PATCH-acl-support-negating-the-list-of-users-groups-with-leading-quot-quot-td2447281.html By the end of this thread, it doesn't look like anything was decided.

Display Name
  • 761
  • 1
  • 8
  • 13

1 Answers1

0

By recommendation of the #mercurial channel, I looked at the source for the extension. And, sure enough, negation is supported with the ! operator. The solution then was a simple as:

[extensions]
hgext.acl =

[hooks]
pretxncommit.acl = python:hgext.acl.hook
pretxnchangegroup.acl = python:hgext.acl.hook

[acl.groups]
reviewers = Max, Moritz

[acl.deny.branches]
stable = !@reviewers

I've edited the wiki documentation at http://mercurial.selenic.com/wiki/AclExtension to note the ability to negate.

Display Name
  • 761
  • 1
  • 8
  • 13