Mercurial ACL, possible to grant a group permission to one branch but deny everything else?

Basically

[ac开发者_如何学JAVAl.groups]
group1=user1,user2
group2=user3,user4

[acl.allow.branch]
default=*

[acl.deny.branch]
*=@group2

Since Mercurial looks at deny first, it ignores acl.allow...our repo has many branches which are labeled with ticket numbers. I can't possible deny each individual branch (and wild card matching on branches do not seem to work)

I would like to deny every branch to group2 but default

Is this possible?

Ok, I slept over the problem, and found the solution: You don't need to black list groups in your configuration, since you already have a white list. The white list works that way, that when it is present and no user entry matches, the user is denied (src). So you only need a white list, where default branch is permitted to all users, and all other branches are permitted to the branch people only. Since the non-branch people are not listed in the white list, they don't have permissions on them.

[acl.groups]
group1=user1,user2
group2=user3,user4

[acl.allow.branch]
default=*
*=@group1