hgweb: add support to explicitly access hidden changesets...
marmoute -
r51308:4077d622 default
@@ -1244,6 +1244,11 b' coreconfigitem('
1244 )
1244 )
1245 coreconfigitem(
1245 coreconfigitem(
1246 b'experimental',
1246 b'experimental',
1247 b'server.allow-hidden-access',
1248 default=list,
1249 )
1250 coreconfigitem(
1251 b'experimental',
1247 b'server.filesdata.recommended-batch-size',
1252 b'server.filesdata.recommended-batch-size',
1248 default=50000,
1253 default=50000,
1249 )
1254 )
@@ -13,6 +13,7 b' import mimetypes'
13 import os
13 import os
14 import stat
14 import stat
15
15
16 from ..i18n import _
16 from ..pycompat import (
17 from ..pycompat import (
17 getattr,
18 getattr,
18 open,
19 open,
@@ -49,6 +50,32 b' def ismember(ui, username, userlist):'
49 return userlist == [b'*'] or username in userlist
50 return userlist == [b'*'] or username in userlist
50
51
51
52
53 def hashiddenaccess(repo, req):
54 if bool(req.qsparams.get(b'access-hidden')):
55 # Disable this by default for now. Main risk is to get critical
56 # information exposed through this. This is expecially risky if
57 # someone decided to make a changeset secret for good reason, but
58 # its predecessors are still draft.
59 #
60 # The feature is currently experimental, so we can still decide to
61 # change the default.
62 ui = repo.ui
63 allow = ui.configlist(b'experimental', b'server.allow-hidden-access')
64 user = req.remoteuser
65 if allow and ismember(ui, user, allow):
66 return True
67 else:
68 msg = (
69 _(
70 b'ignoring request to access hidden changeset by '
71 b'unauthorized user: %r\n'
72 )
73 % user
74 )
75 ui.warn(msg)
76 return False
77
78
52 def checkauthz(hgweb, req, op):
79 def checkauthz(hgweb, req, op):
53 """Check permission for operation based on request data (including
80 """Check permission for operation based on request data (including
54 authentication info). Return if op allowed, else raise an ErrorResponse
81 authentication info). Return if op allowed, else raise an ErrorResponse
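Review bot: `hashiddenaccess` (new lines 53-76) has no docstring, and the rule it implements is easy to misread: `ismember` returns true for every user when the list is `[b'*']`, so with `experimental.server.allow-hidden-access=*` a request whose `req.remoteuser` is unset is granted hidden access as well. I would add a docstring such as `"""Return True if the request asks for hidden changesets and req.remoteuser is listed in experimental.server.allow-hidden-access ('*' matches every client, authenticated or not)."""`. Separately, `bool(req.qsparams.get(b'access-hidden'))` is true for any non-empty value, so `access-hidden=0` presumably still counts as a request; comparing against an explicit value would make the opt-in unambiguous.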
@@ -39,6 +39,7 b' from .. import ('
39 )
39 )
40
40
41 from . import (
41 from . import (
42 common,
42 request as requestmod,
43 request as requestmod,
43 webcommands,
44 webcommands,
44 webutil,
45 webutil,
@@ -124,6 +125,16 b' class requestcontext:'
124 self.req = req
125 self.req = req
125 self.res = res
126 self.res = res
126
127
128 # Only works if the filter actually support being upgraded to show
129 # visible changesets
130 current_filter = repo.filtername
131 if (
132 common.hashiddenaccess(repo, req)
133 and current_filter is not None
134 and current_filter + b'.hidden' in repoview.filtertable
135 ):
136 self.repo = self.repo.filtered(repo.filtername + b'.hidden')
137
127 self.maxchanges = self.configint(b'web', b'maxchanges')
138 self.maxchanges = self.configint(b'web', b'maxchanges')
128 self.stripecount = self.configint(b'web', b'stripes')
139 self.stripecount = self.configint(b'web', b'stripes')
129 self.maxshortchanges = self.configint(b'web', b'maxshortchanges')
140 self.maxshortchanges = self.configint(b'web', b'maxshortchanges')
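Review bot: The comment on new lines 128-129 says the filter is upgraded "to show visible changesets", but the branch switches to the `.hidden` variant of the filter, so it should read `# Only works if the filter supports being upgraded to show hidden changesets`. The upgrade on new line 136 also re-reads `repo.filtername` although `current_filter` was just checked against `repoview.filtertable`; `self.repo = self.repo.filtered(current_filter + b'.hidden')` keeps the checked name and the applied name identical. `repoview` is not among the imports visible in this section, so I am assuming it is already imported above the hunk. The enclosing `requestcontext` initialiser starts and continues outside the hunk.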
@@ -111,3 +111,47 b' changesets in secret and higher phases a'
111 revision: 0
111 revision: 0
112
112
113 $ killdaemons.py
113 $ killdaemons.py
114
115 Test accessing hidden changeset through hgweb
116 ---------------------------------------------
117
118 $ hg -R repo-with-hidden serve -p $HGPORT -d --pid-file hg.pid --config "experimental.server.allow-hidden-access=*" -E error.log --accesslog access.log
119 $ cat hg.pid >> $DAEMON_PIDS
120
121 Hidden changeset are hidden by default:
122
123 $ get-with-headers.py localhost:$HGPORT 'log?style=raw' | grep revision:
124 revision: 2
125 revision: 0
126
127 Hidden changeset are visible when requested:
128
129 $ get-with-headers.py localhost:$HGPORT 'log?style=raw&access-hidden=1' | grep revision:
130 revision: 3
131 revision: 2
132 revision: 1
133 revision: 0
134
135 Same check on a server that do not allow hidden access:
136 ```````````````````````````````````````````````````````
137
138 $ hg -R repo-with-hidden serve -p $HGPORT1 -d --pid-file hg2.pid --config "experimental.server.allow-hidden-access=" -E error.log --accesslog access.log
139 $ cat hg2.pid >> $DAEMON_PIDS
140
141 Hidden changeset are hidden by default:
142
143 $ get-with-headers.py localhost:$HGPORT1 'log?style=raw' | grep revision:
144 revision: 2
145 revision: 0
146
147 Hidden changeset are still hidden despite being the hidden access request:
148
149 $ get-with-headers.py localhost:$HGPORT1 'log?style=raw&access-hidden=1' | grep revision:
150 revision: 2
151 revision: 0
152
153 =============
154 Final cleanup
155 =============
156
157 $ killdaemons.py
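Review bot: The new test only exercises the `*` wildcard and the empty list, both with anonymous requests, so the per-user branch of the allow list is never run. A case with a named user in `experimental.server.allow-hidden-access` and a request from a different (or no) user would pin the authorization rule that matters most. The refusal path also emits a warning that presumably lands in `error.log`, yet that file is never inspected; a `$ cat error.log` after the refused request on new line 149 would assert the `ignoring request to access hidden changeset by unauthorized user` message. Both daemons write to the same `error.log` and `access.log`, so giving the second server its own files would make that assertion attributable.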