You have a lot of repos, their URLs are known and have already been used to clone them, and you just decided you want to turn off push access to them. Is this about right?

If the repos are accessed over ssh, you can do it by simply reassigning ownership of the repo files to a new account, with free read access but no write access by other users. The file locations stay the same, the current access credentials remain valid, but pushing to the repos is no longer possible.

If you're on a unix system, you can probably do everything in bash with a for loop and chown -R. If you're not... good luck. Give us more information about your configuration, and one of the approaches proposed in the answers will fit best.

For disabling push over http or https, you can try one of the following in your hgrc file. Note, this doesn't disable pushing over the filesystem.

allow_push

Whether to allow pushing to the repository. If empty or not set, push is not allowed. If the special value * is used, any remote user can push, including unauthenticated users. Otherwise, the remote user must have been authenticated, and the authenticated user name must be present in this list (separated by whitespace or ","). The contents of the allow_push list are examined after the deny_push list.

[web]
allow_push =

deny_push

Whether to deny pushing to the repository. If empty or not set, push is not denied. If the special value *, all remote users are denied push. Otherwise, unauthenticated users are all denied, and any authenticated user name present in this list (separated by whitespace or ",") is also denied. The contents of the deny_push list are examined before the allow_push list.

[web]
deny_push = *

You can do this like this in .hg/hgrc:

[hooks]
prechangegroup = false

Make them available over http only (hg serve, kallithea,...) and don't give them login credentials.

This depends on how you're publishing your repositories but here's a few things you can try, depending on this:

1. If you're publishing your repositories on network shares or mounted volumes, simply set access rights on the mercurial folder in such a way that they only have read access to the folder and its files
2. If you're publishing your repositories using any of the available http server options, like hg serve or any of the 3rd party websites you can install, make sure you set up users that doesn't have write/push access
3. If you're publishing your repositories using any of the online cloud-based solutions, like bitbucket, kiln, etc. then simply don't hand out push access to anyone that shouldn't have it, again you can set up users and access specifically