I have hgweb.wsgi set up on an Ubuntu server under apache2. Furthermore, I have basic authing using the apache2 htpasswd approach. This all works nicely. However, we want to control what each user has access to, and ACL seems to be the best approach. So inside the repo's .hg folder I've created an hgrc and modified it according to the documentation for getting ACL up and running (I've also enabled the extension). The problem is I get no indication that the hgrc is used at all. If I add [ui] debug = true I still get nothing from the remote client. Sadly I'm not quite sure how to go about debugging this, so any help would be much appreciated.

Ylisar

1 Answer

To make sure that a .hg/hgrc file in a repository is being consulted, add something noticeable to the [web] section like:

[web]
description = Got this from the hgrc
style = coal
name = RENAMED

If you don't see those in the web interface your .hg/hgrc isn't being consulted, and the most common reason for that is -- permissions. Remember that the .hg/hgrc has to be owned by a user or group that is trusted by the webserver user (usually apache or www-data or similar). If apache is running under the user apache then chown the .hg/hgrc file over to apache for ownership -- root won't do and the htpasswd user is irrelevant.

If that file is being consulted then you need to start poking around in the apache error logs. Turning on debug and verbose will put more messages into the apache error log, not into the remote client's output.

Rudi
Ry4an Brase
  • Through your method I've confirmed that the hgrc file is used. However, even adding verbose = true under [ui] gives me no additional info in either error.log or access.log. Am I correct in assuming that browsing the repo in the web interface will respect ACL? – Ylisar Jan 27 '12 at 09:01
  • No, how could it? The ACLs control what parts of the repo you can _write_ to. There's no way in a DVCS (mercurial, git, etc.) for someone to read only a portion of a repository -- they can always clone it and view everything that ever was. – Ry4an Brase Jan 27 '12 at 18:12
  • Notice how when configuring ACL you do it by setting it as a `pretxnchangegroup` hook, which is triggered on `push`. – Ry4an Brase Jan 27 '12 at 18:14
  • Yeah, sadly I noticed. I tried with the other hooks as well, but as you say, nothing works, as mercurial always serves everything on clone. The only way to get some subpar access control going seems to be using sub repositories. I see no reason why a DVCS inherently must serve everything, however; surely the DAG is per file / folder. – Ylisar Jan 30 '12 at 08:53
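
The ownership check described in the answer above, as an added example that is not part of the original thread: it reports whether a repository's .hg/hgrc would be trusted for the web server user, following Mercurial's documented [trusted] rule (owner is the running user, or owner/group is listed, with `*` trusting everyone). The function names are hypothetical, and the [trusted] text is assumed to come from a simple system-wide or web-server-user hgrc without `%include` lines.

```python
import configparser
import grp
import os
import pwd
import sys


def trusted_lists(hgrc_text):
    """Return (users, groups) from the [trusted] section of hgrc text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(hgrc_text)

    def names(key):
        raw = cp.get("trusted", key, fallback="")
        return set(raw.replace(",", " ").split())

    return names("users"), names("groups")


def is_trusted(owner, group, running_user, users, groups):
    """Trust rule: owner is the running user, or owner/group is listed ('*' = all)."""
    if "*" in users or "*" in groups:
        return True
    return owner == running_user or owner in users or group in groups


def check_repo_hgrc(path, running_user, hgrc_text=""):
    """Stat a repo hgrc and report (owner, group, trusted) for running_user."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid with no passwd entry
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid with no group entry
        group = str(st.st_gid)
    users, groups = trusted_lists(hgrc_text)
    return owner, group, is_trusted(owner, group, running_user, users, groups)


if __name__ == "__main__":
    # Usage: python check_trust.py /path/to/repo/.hg/hgrc www-data [/etc/mercurial/hgrc]
    path, user = sys.argv[1], sys.argv[2]
    text = open(sys.argv[3]).read() if len(sys.argv) > 3 else ""
    owner, group, ok = check_repo_hgrc(path, user, hgrc_text=text)
    print(f"{path}: owner={owner} group={group} trusted_for_{user}={ok}")
```

A root-owned .hg/hgrc with no [trusted] entries comes back untrusted for www-data, which is the case the answer warns about.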