Hosting multiple mercurial repositories isn’t too tricky, there are various tutorials scattered around the web that will get you up and running. However, the security setups in these tutorials are somewhat lacking. This is particularly true if you need fine grained control over not only who gets to PUSH, but also who gets to PULL from the repositories.

Our goal here is to host as many repositories as we’d like, but only allow client access on a per-repository basis. If I set up repository A for client A, I don’t want client A to be able to pull from repository B.

Let’s start by describing our starting point. . All of the tutorials I’ve found get you set up with something like this. We’ve installed mercurial somewhere, and copied the hgwebdir.cgi file to our webroot, and configured it with a hgweb.config file.

Also, there is an .htaccess file at the web root that both limits POST and PUT access to users specified in a password file .htpasswd, which is made with the htpasswd command.

# .htaccess file at webroot
Options +ExecCGI
RewriteEngine On
# / for root directory; specify a complete path from / for others
RewriteBase /
RewriteRule ^$ hgwebdir.cgi  [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule More >