[PATCH] hgweb, config: make search restrictions configurable with web.restrictsearch

Alexander Plavin alexander at plav.in
Tue Sep 24 09:05:30 UTC 2013



24.09.2013, 00:29, "Kevin Bullock" <kbullock+mercurial at ringworld.org>:
> On 22 Sep 2013, at 3:12 AM, Alexander Plavin wrote:
>
>>  22.09.2013, 02:52, "Kevin Bullock" <kbullock+mercurial at ringworld.org>:
>>>  On 11 Sep 2013, at 11:52 AM, Alexander Plavin wrote:
>>>>   # HG changeset patch
>>>>   # User Alexander Plavin <alexander at plav.in>
>>>>   # Date 1378459856 -14400
>>>>   #      Fri Sep 06 13:30:56 2013 +0400
>>>>   # Node ID ab7d6890e62500ad220ba733db2af7edf055c5f4
>>>>   # Parent  763804a97b788beaad3c9edb05634e068dc17529
>>>>   hgweb, config: make search restrictions configurable with web.restrictsearch
>>>>
>>>>   Add boolean config option to allow disabling all search restrictions.
>>>  I'm not convinced this is ever desirable.
>>  For local/trusted team use people may want to make regular expressions and all functions allowed in the search (as sometimes it can be more convenient), so it makes sense in my opinion.
>
> Yeah, I ran through that same argument in my head. It's generally not convincing enough for me -- particularly since if you're on a LAN with the repo, it's likely to be fast enough to just clone it and run your own local revsets on it.

As for me, exploring repo history and diffs is much more convenient through hgweb even for local repos, so I use log/log -G very rarely (in favor of a local hgweb instance's log/graphlog). So, it would make sense to disable the restrictions globally on a developer machine which doesn't open hgweb to the whole internet. Also, team repositories aren't always on the same LAN as the team is - I think that having hgweb on a remote server, behind some authentication, is quite common.

>
> In other words, I'm not sure the utility of this outweighs the inevitable risk of having people blindly setting this to True, opening themselves to DoS, and blaming us for it.
>
> pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
> Kevin R. Bullock


