Accessing hidden commits by hash (directaccess extension)

Fri Aug 25 18:26:05 UTC 2017

One of the extensions we've been using inside Facebook, and that Pulkit 
will be helping us upstream soon, is the directaccess extension. It 
allows a user to pass the hash of hidden commits to the Mercurial 
command line and those commits will be temporarily unhidden for the 
duration of the command (instead of printing a 'abort: hidden revision' 
error).

Since this differs from the current hidden commit behavior, I wanted to 
document why we've found it useful, and what the extension does to 
prevent dumb mistakes (like pushing a hidden commit by accidentally 
pasting the wrong hash).

Motivation
===

One of the core lessons we've learned from our users is that it's 
critical to instill confidence that they can recover from mistakes. In 
our experience, allowing the user to see any commit they have the hash 
for helps give them this confidence.

The current hidden experience makes this difficult. If a commit is 
hidden and a user types 'hg log -r HIDDEN_HASH', they are blocked from 
accessing that commit, despite them knowing the commit exists and 
explicitly telling us they want to see it. Even worse, the error message 
tells them to use --hidden, which gets them in the habit of using that 
flag whenever something goes wrong, which can cause even more horrible 
issues since most users don't understand what it actually does.

directaccess works by taking any explicit hash passed to the command and 
makes that hash visible in the computehidden result set. So the command 
proceeds as if the commit was not hidden. It only works for hashes, not 
rev numbers.

Preventing Mistakes
===

One of the reasons for preventing users from accessing hidden commits is 
to prevent them from doing bad things with them (like pushing them, or 
amending them and causing divergence). To address this, directaccess 
treats read commands, recoverable-write commands, and 
unrecoverable-write commands separately.

For read commands (a whitelist of commands in the code), it allows the 
user to access the commit like normal.

For recoverable-write commands, like commit/amend/rebase, it prints 
"Warning: accessing hidden changesets %s for write operation".

For unrecoverable-write commands (a whitelist), like push and serve, it 
blocks the command like normal, with the 'abort: hidden revision' error.

Questions?
===

We think this strikes a good balance between making it easy for users to 
access the commits they care about, while preventing the most painful 
mistakes.

Let me know if you have any concerns. I wanted to get any discussion out 
of the way now, before we start sending code out.

directaccess source code: 
https://bitbucket.org/facebook/hg-experimental/src/c29e61682661e4b1eb86570ba4c2a58aa75ff7a3/hgext3rd/directaccess.py