Path-based permissions support


We’re setting up a big monorepo with path-based permission support. Meaning every user can only see a subset of files.
We’re using mercurial, and permission control is based on the narrowhg extension. The setup seems to work well enough on its own.

Now I’m trying to setup rhodecode, so we can manage pull requests and code reviews, but I need to make sure it will support the permissions properly.

I’ve spent a few days looking at the code, and it seems to me I should be able to wrap the MercurialRepository instance and filter the contents of commits, diffs etc based on current user.

I’m planning to do this:

  1. In ‘RepoRoutePredicate’ wrap request.db_repo
  2. Intercept calls to scm_instance() and wrap the return value.

I’m not sure it’s as simple as that, however. For one, I see a number of places that seem to cache data from the repo, and the cache keys don’t include the userid. There may be other pitfalls as well.

I’d appreciate any input about where to start and to watch out for.



Please join our slack channel at

It would be probably easier for us to help you with achieving what you need.