1

I'm a new Mercurial user. I set up the acl extension by adding this to my hgrc file:

```ini
[hooks]
pretxnchangegroup.acl = python:hgext.acl.hook

[acl]
sources = serve pull push

[acl.deny]
** = mercurial
```

So with the code above I deny access to all files to the user "mercurial". I successfully tested the acl extension and it works perfectly when I try to push to my central repository, on which I put the code above. As expected, I receive a message that access for the user "mercurial" is denied.

Now the problem is that when I start pulling from the central repository I don't have any restriction, so I can pull anything without any restriction. What I want is to deny pull access for some files, like I can do when I try the push command. Is there any way I can do this?

Milen A. Radev
Danilo Puric

3 Answers

1

Mercurial, unlike Subversion, doesn't allow controls on individual files, and for good reason. The DVCS model puts the entire repo on every developer's machine, so even if you restrict files on push and pull, the user could still just `hg cat` the file to get its contents.

Instead of trying to do this on the client side, I would instead break your repos based on who needs what and set permissions to individual repos. See my answer on the Kiln Stack Exchange, "Should I use more than one repository?". You can set permissions via http(s) or SSH, or if you happen to be using Kiln, through our permissions interface.

tghw
  • Thanks for the reply but now I don't know what to do. I have one project and I want to restrict access to specific users for some files on that project. Is there any different way to do this and keep that project in one piece? – Danilo Puric Jul 13 '10 at 13:38
  • What sorts of files are you restricting access to? And how are you going to enforce their use of your hook? – tghw Jul 13 '10 at 14:27
  • Thanks again for the answer. I want to restrict access to some php scripts. But there is one question that is the same as your second. How to enforce use of my hook and how to design that hook in order to be able recognize those files that I want to restrict? – Danilo Puric Jul 13 '10 at 14:38
  • Is there a Mercurial variable that I can use in my custom hook that can recognize the pull command? – Danilo Puric Jul 13 '10 at 14:58
  • To the best of my knowledge, there is no way to prevent only certain files from being pulled, while allowing others. That would represent a different history, which would mean a different changeset ID, etc. It does look like a `preoutgoing` hook might get the hook in there, but I'd be surprised if you could block certain files. Do you mind posting the source for your hook? – tghw Jul 13 '10 at 15:27
1

As came out in the comments with tghw, it sounds like what you really want is partial cloning by filepath, so that a person can clone or pull down only certain files or directories, but that's not possible in Mercurial (or git). That's the case because every revision is identified by a unique hash that includes, among other things, the hash of all the file changes. If you don't have all the files, you don't have all the changes, and you can't verify the hash.

If you really need to hide read access for some files from some people you'll need to split them up into separate repositories.

Ry4an Brase
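
The hash argument in the answer above, as an added example that is not part of the original answer or of Mercurial's code: a simplified Python model of revlog hashing (node = SHA-1 of the sorted parent ids plus the text, with the manifest node embedded in the changeset text). The file contents, user, date and description are constructed sample values, and copy metadata and non-null parents are left out.

```python
import hashlib

NULLID = b"\0" * 20  # parent id used for a revision that has no parent

def node_id(text: bytes, p1: bytes = NULLID, p2: bytes = NULLID) -> bytes:
    """Revlog node id: SHA-1 over the two parent ids (sorted) plus the text."""
    a, b = sorted((p1, p2))
    return hashlib.sha1(a + b + text).digest()

def manifest_text(files: dict) -> bytes:
    """One 'path NUL hex-filenode' line per tracked file, sorted by path."""
    return b"".join(
        path + b"\0" + node_id(data).hex().encode() + b"\n"
        for path, data in sorted(files.items())
    )

def changeset_id(files: dict, user: bytes, date: bytes, desc: bytes) -> str:
    """The changeset text starts with the manifest node, so every file feeds the id."""
    manifest_node = node_id(manifest_text(files))
    text = b"\n".join(
        [manifest_node.hex().encode(), user, date, *sorted(files), b"", desc]
    )
    return node_id(text).hex()

def verify_pull(advertised_id, received_files, user, date, desc) -> bool:
    """Simplified client-side check: recompute the id from what was received."""
    return changeset_id(received_files, user, date, desc) == advertised_id

# Constructed sample repository content (assumption, not from the question).
FULL = {b"index.php": b"<?php echo 'hi';\n", b"secret.php": b"<?php $key='x';\n"}
META = (b"dev <dev@example.com>", b"1279000000 0", b"initial import")

SERVER_ID = changeset_id(FULL, *META)
# What a server would send if it tried to withhold one file on pull.
PARTIAL = {p: d for p, d in FULL.items() if p != b"secret.php"}

if __name__ == "__main__":
    print("server changeset:     ", SERVER_ID)
    print("full pull verifies:   ", verify_pull(SERVER_ID, FULL, *META))
    print("partial pull verifies:", verify_pull(SERVER_ID, PARTIAL, *META))
```

Withholding `secret.php` changes the manifest node and therefore the changeset id, so the client cannot reconcile the partial data with the id the server advertises.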
-3

I have a solution:

convert your repo to git:

https://git.wiki.kernel.org/index.php/Interfaces,_frontends,_and_tools#Mercurial

  • What Danilo is looking for is "partial cloning by filepath" which is also not possible in git: http://stackoverflow.com/questions/2586824/partial-clone-with-git-and-mercurial – Ry4an Brase Mar 04 '11 at 04:00
  • It's possible in git: http://sitaramc.github.com/gitolite/doc/gitolite.conf.html#_basic_access_control – Bùi Việt Thành Mar 05 '11 at 09:55