We have a central repository served over HTTP on Apache with digest authentication for two users, 'One' and 'Two'.
User 'One' can do:
    hg commit -uTwo -mText
    hg push http://central-repo/hg/project
How can we prevent that kind of faking on the central repository?
Or how can we know who made that push to the central repository?
Best Solution
You can install a pushlog extension to keep track of who pushes what. See the Mozilla hgpoller repo for the pushlog extension they use (they have a separate set of templates as well). An alternative solution would be to write a hook to deny pushing changesets authored by someone other than the authenticating user. Since that can also be a very valid scenario, the pushlog solution might be best.
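A sketch of the hook alternative mentioned in the answer, added here as an example and not taken from the answer or from Mercurial itself. It assumes hgweb runs as CGI so that Apache's `REMOTE_USER` is in the process environment; `ALLOWED_AUTHORS`, its e-mail addresses and the hgrc path in the comment are hypothetical.

```python
# Assumed server-side hgrc entry (path is hypothetical):
#   [hooks]
#   pretxnchangegroup.author = python:/srv/hg/hooks/authorcheck.py:hook
import os

# Assumption: author strings each Apache account may commit under (constructed).
ALLOWED_AUTHORS = {
    "One": {"One", "One <one@example.com>"},
    "Two": {"Two", "Two <two@example.com>"},
}

def _text(value):
    # Mercurial on Python 3 hands hooks bytes; compare as text.
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value

def foreign_changesets(auth_user, changesets, allowed=ALLOWED_AUTHORS):
    """Return (node, author) pairs not authored by the authenticated user.
    An account without an entry may only commit under its own name."""
    permitted = allowed.get(auth_user, {auth_user})
    return [(_text(n), _text(a)) for n, a in changesets
            if _text(a).strip() not in permitted]

def hook(ui, repo, hooktype, node=None, **kwargs):
    """In-process pretxnchangegroup hook; a true return value aborts the push."""
    auth_user = os.environ.get("REMOTE_USER")  # assumption: set by Apache (CGI)
    if not auth_user:
        # Fail closed: an unauthenticated push cannot be attributed to anyone.
        ui.warn(b"author check: no authenticated user, rejecting push\n")
        return True
    # 'node' is the first incoming changeset; everything up to tip is new.
    incoming = []
    for rev in range(repo[node].rev(), len(repo)):
        ctx = repo[rev]
        incoming.append((ctx.hex(), ctx.user()))
    bad = foreign_changesets(auth_user, incoming)
    for n, a in bad:
        msg = "author check: %s authored by %r, pushed by %r\n" % (n[:12], a, auth_user)
        ui.warn(msg.encode("utf-8"))
    return bool(bad)
```

As the answer notes, pushing someone else's changesets can be legitimate (for example after pulling from a colleague), so a hook like this blocks that workflow too.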