Patchwork hgweb, config: make search restrictions configurable with web.restrictsearch

Submitter Alexander Plavin
Date Sept. 11, 2013, 4:52 p.m.
Message ID <ab7d6890e62500ad220b.1378918353@debian-alexander.dolgopa>
Permalink /patch/2422/
State Deferred

Comments

Alexander Plavin - Sept. 11, 2013, 4:52 p.m.
# HG changeset patch
# User Alexander Plavin <alexander@plav.in>
# Date 1378459856 -14400
#      Fri Sep 06 13:30:56 2013 +0400
# Node ID ab7d6890e62500ad220ba733db2af7edf055c5f4
# Parent  763804a97b788beaad3c9edb05634e068dc17529
hgweb, config: make search restrictions configurable with web.restrictsearch

Add boolean config option to allow disabling all search restrictions.

Martin Geisler - Sept. 24, 2013, 6:56 a.m.
Kevin Bullock <kbullock+mercurial@ringworld.org> writes:

> On 22 Sep 2013, at 3:12 AM, Alexander Plavin wrote:
>
>> 22.09.2013, 02:52, "Kevin Bullock" <kbullock+mercurial@ringworld.org>:
>>> On 11 Sep 2013, at 11:52 AM, Alexander Plavin wrote:
>>> 
>>>>  # HG changeset patch
>>>>  # User Alexander Plavin <alexander@plav.in>
>>>>  # Date 1378459856 -14400
>>>>  #      Fri Sep 06 13:30:56 2013 +0400
>>>>  # Node ID ab7d6890e62500ad220ba733db2af7edf055c5f4
>>>>  # Parent  763804a97b788beaad3c9edb05634e068dc17529
>>>>  hgweb, config: make search restrictions configurable with web.restrictsearch
>>>> 
>>>>  Add boolean config option to allow disabling all search restrictions.
>>> 
>>> I'm not convinced this is ever desirable.
>> 
>> For local/trusted team use people may want to make regular
>> expressions and all functions allowed in the search (as sometimes it
>> can be more convenient), so it makes sense in my opinion.
>
> Yeah, I ran through that same argument in my head. It's generally not
> convincing enough for me -- particularly since if you're on a LAN with
> the repo, it's likely to be fast enough to just clone it and run your
> own local revsets on it.

Yes, but where do you run those revsets? If I don't have TortoiseHg at
hand, then I would want to use hgweb to get a graph with the results and
so I would expect to be able to run all revsets.

Better yet: I would expect the Mercurial admin to have given me access
to run all revsets on the shared repository where the source lives.

Patch

diff -r 763804a97b78 -r ab7d6890e625 mercurial/help/config.txt
--- a/mercurial/help/config.txt	Fri Sep 06 13:30:56 2013 +0400
+++ b/mercurial/help/config.txt	Fri Sep 06 13:30:56 2013 +0400
@@ -1461,6 +1461,10 @@ 
     Whether to require that inbound pushes be transported over SSL to
     prevent password sniffing. Default is True.
 
+``restrictsearch``
+    Whether to restrict usage of regular expressions and
+    heavyweight revset functions in search. Default is True.
+
 ``staticurl``
     Base URL to use for static files. If unset, static files (e.g. the
     hgicon.png favicon) will be served by the CGI script itself. Use
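
Review bot: The new ``restrictsearch`` help entry does not say what setting it to False permits or which deployments it is meant for. "Whether to restrict usage of regular expressions and heavyweight revset functions in search" leaves the reader to infer that False lets every search submitted through hgweb use them. Suggest stating that outright, adding that the option is intended for trusted installations because the restricted functions are the expensive ones, and mentioning that a restricted query is handled as a keyword search instead.
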
diff -r 763804a97b78 -r ab7d6890e625 mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py	Fri Sep 06 13:30:56 2013 +0400
+++ b/mercurial/hgweb/webcommands.py	Fri Sep 06 13:30:56 2013 +0400
@@ -177,13 +177,14 @@ 
             # no revset syntax used
             return MODE_KEYWORD, query
 
-        if util.any((token, (value or '')[:3]) == ('string', 're:')
-                    for token, value, pos in revset.tokenize(revdef)):
-            return MODE_KEYWORD, query
+        if web.configbool('web', 'restrictsearch', True):
+            if util.any((token, (value or '')[:3]) == ('string', 're:')
+                        for token, value, pos in revset.tokenize(revdef)):
+                return MODE_KEYWORD, query
 
-        funcsused = revset.funcsused(tree)
-        if not funcsused.issubset(revset.safesymbols):
-            return MODE_KEYWORD, query
+            funcsused = revset.funcsused(tree)
+            if not funcsused.issubset(revset.safesymbols):
+                return MODE_KEYWORD, query
 
         mfunc = revset.match(web.repo.ui, revdef)
         try:
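
Review bot: In the new `if web.configbool('web', 'restrictsearch', True):` block, a single boolean gates two different checks, the `re:` string-pattern test and the `funcsused.issubset(revset.safesymbols)` test, so setting it to False removes both at once and any query that reaches this point is passed to `revset.match(web.repo.ui, revdef)`. Consider whether the two should be switchable separately, or at least put a comment above the `if` saying that False exposes every revset function to anyone who can reach the search form. The patch as shown touches only config.txt and webcommands.py, so it should also come with a test that runs a `re:` query and a query using a function outside `revset.safesymbols` with the option both on and off.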