I'm trying to host multiple hg repositories to use for my clients. I need to control access to each repository individually - not just push access, but clone as well.

I've got an .htaccess set which requires authentication globally:

AuthUserFile /path/to/hgweb.passwd
AuthGroupFile /dev/null
AuthName "Chris Lawlor Client Mercurial Repositories"
AuthType Basic
<Limit GET POST PUT>
 Require valid-user
</Limit>
<FilesMatch "\.(htaccess|passwd|config|bak)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Then in each repository, I've got a .hg/hgrc file requiring a valid user

[web]
allow_push = <comma seperated user list> 

This almost does what I need. The problem is that I need to add ALL my clients to hgweb.passwd, which gives them clone access to ALL of the repositories.

The only solution I can think of is to have another .htaccess and .passwd file in EACH repository. I don't really want to do that though, seems a little convoluted. I can already specify a list of authorized users for each repository in that repos' hgrc file with the allow_push setting. If only there were an allow_clone setting as well...

All the documentation I've found for hgwebdir.cgi is incomplete. I've read: http://mercurial.selenic.com/wiki/HgWebDirStepByStep

http://hgbook.red-bean.com/read/collaborating-with-other-people.html#sec:collab:cgi

http://hgbook.red-bean.com/read/collaborating-with-other-people.html

And others. I've yet to find a comprehensive list of hgrc settings.

I guess this is as much an Apache question than a mercurial question.

Unless I can find a better approach, I'll be going with a seperate .htaccess and .passwd file for each repo.

This is a virtual host on Webfaction if it matters - set up roughly like this http://docs.webfaction.com/software/mercurial.html