upstream/mercurial-mirror Commit - r51308:4077d622

hgweb: add support to explicitly access hidden changesets...

marmoute -

r51308:4077d622 default

parent child

mercurial/configitems.py

0 +5 0

              )
              coreconfigitem(
                  b'experimental',
+                 b'server.allow-hidden-access',
+                 default=list,
+             )
+             coreconfigitem(
+                 b'experimental',
                  b'server.filesdata.recommended-batch-size',
                  default=50000,
              )

mercurial/hgweb/common.py

0 +27 0

              import os
              import stat
+             from ..i18n import _
              from ..pycompat import (
                  getattr,
                  open,
                  return userlist == [b'*'] or username in userlist
+             def hashiddenaccess(repo, req):
+                 if bool(req.qsparams.get(b'access-hidden')):
+                     # Disable this by default for now. Main risk is to get critical
+                     # information exposed through this. This is expecially risky if
+                     # someone decided to make a changeset secret for good reason, but
+                     # its predecessors are still draft.
+                     #
+                     # The feature is currently experimental, so we can still decide to
+                     # change the default.
+                     ui = repo.ui
+                     allow = ui.configlist(b'experimental', b'server.allow-hidden-access')
+                     user = req.remoteuser
+                     if allow and ismember(ui, user, allow):
+                         return True
+                     else:
+                         msg = (
+                             _(
+                                 b'ignoring request to access hidden changeset by '
+                                 b'unauthorized user: %r\n'
+                             )
+                             % user
+                         )
+                         ui.warn(msg)
+                 return False
              def checkauthz(hgweb, req, op):
                  """Check permission for operation based on request data (including
                  authentication info). Return if op allowed, else raise an ErrorResponse

mercurial/hgweb/hgweb_mod.py

0 +11 0

              )
              from . import (
+                 common,
                  request as requestmod,
                  webcommands,
                  webutil,
                      self.req = req
                      self.res = res
+                     # Only works if the filter actually support being upgraded to show
+                     # visible changesets
+                     current_filter = repo.filtername
+                     if (
+                         common.hashiddenaccess(repo, req)
+                         and current_filter is not None
+                         and current_filter + b'.hidden' in repoview.filtertable
+                     ):
+                         self.repo = self.repo.filtered(repo.filtername + b'.hidden')
                      self.maxchanges = self.configint(b'web', b'maxchanges')
                      self.stripecount = self.configint(b'web', b'stripes')
                      self.maxshortchanges = self.configint(b'web', b'maxshortchanges')

tests/test-remote-hidden.t

0 +44 0

		@@ -111,3 +111,47 b' changesets in secret and higher phases a'
111	111	revision: 0
112	112
113	113	$ killdaemons.py
	114
	115	Test accessing hidden changeset through hgweb
	116	---------------------------------------------
	117
	118	$ hg -R repo-with-hidden serve -p $HGPORT -d --pid-file hg.pid --config "experimental.server.allow-hidden-access=*" -E error.log --accesslog access.log
	119	$ cat hg.pid >> $DAEMON_PIDS
	120
	121	Hidden changeset are hidden by default:
	122
	123	$ get-with-headers.py localhost:$HGPORT 'log?style=raw' \| grep revision:
	124	revision: 2
	125	revision: 0
	126
	127	Hidden changeset are visible when requested:
	128
	129	$ get-with-headers.py localhost:$HGPORT 'log?style=raw&access-hidden=1' \| grep revision:
	130	revision: 3
	131	revision: 2
	132	revision: 1
	133	revision: 0
	134
	135	Same check on a server that do not allow hidden access:
	136	```````````````````````````````````````````````````````
	137
	138	$ hg -R repo-with-hidden serve -p $HGPORT1 -d --pid-file hg2.pid --config "experimental.server.allow-hidden-access=" -E error.log --accesslog access.log
	139	$ cat hg2.pid >> $DAEMON_PIDS
	140
	141	Hidden changeset are hidden by default:
	142
	143	$ get-with-headers.py localhost:$HGPORT1 'log?style=raw' \| grep revision:
	144	revision: 2
	145	revision: 0
	146
	147	Hidden changeset are still hidden despite being the hidden access request:
	148
	149	$ get-with-headers.py localhost:$HGPORT1 'log?style=raw&access-hidden=1' \| grep revision:
	150	revision: 2
	151	revision: 0
	152
	153	=============
	154	Final cleanup
	155	=============
	156
	157	$ killdaemons.py

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages