Would anyone know how I can restrict users from pushing to an hg repository if I give then access via hg-ssh?
Some details to help eliminate the obvious:
1) This is a for a shared hosting situation where I don't have root access to install mercurial-server nor can I create the "hg" username that it requires.
2) When I allow a user to connect via SSH to a shared hosting site, they will basically have their public key in my authorized_keys file and they will have be authenticated as me (i.e. they will have my credentials on the server). I can restrict their access to only a few hg repositories by specifying a "command=" clause in my authorized_keys file as documented here: https://www.mercurial-scm.org/repo/hg-stable/raw-file/tip/contrib/hg-ssh. However that gives the user full access to these repositories. Can I restrict this to pull-only access?
Any of these would solve my problem:
1) I know that mercurial-server solves this problem somehow because all the users their share the same user account called "hg". How do they do it? Can I do the same without root-access to set up things?
OR 2) Is there is a patch that I can add to hg-ssh such that hg-ssh can take some permissions on its command-line. Something like "hg-ssh -read-only repo1 repo2 -read-write repo3".
OR 3) Get "hg -R {repo} serve --stdio" to take a command line option such that it will not allow push.
Use the AclExtension. It lets you block access for ssh actions as well as http actions, and since it's enabled/disabled by hooks you'll be able to bypass it when you're logged in interactively.