I’m migrating a few projects from SVN to Mercurial and I’m not sure how to address this issue: because we are working with MVC 3, we have some SQL connection strings stored in our Web.config file.
Since TortoiseHg automatically starts a wide-open web-server when you click “Web Server” from the context menu, I’m looking into ways to restrict it or lock it down, but I haven’t been having any luck. We obviously don’t want anyone being able to browse or pull, which is enabled by default. While the simplest solution is just to not run it, it is entirely possible that a developer accidentally clicks it while trying to synchronize or clone, clicks X to close it, and then ends up with his local server without a clue.
How do other developers address this? Am I missing something? I’ve thought about pushing out a GPO blocking :8000 remote access, but there’s nothing stopping a dev. from scrolling up and changing the ports or something silly.
After all clarifications, I still believe you’re trying to solve the wrong problem.
hg serve is a legitimate tool that can be used to pull changesets between developers on the same network when it’s too early to push those changesets to the server. It may or may not fit into your workflow, but I don’t think the problem lies there.
If you expect malice, then nothing prevents any developer from exposing the sensitive information in the Web.config (and, by the way, the source code itself) to a third party even if you somehow block hg serve.
On the other hand, if you expect carelessness, then you should instruct the developers not to use hg serve, or stop storing any sensitive information there, possibly both.
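For the "stop storing any sensitive information there" option, one way to check a Web.config before it is committed is sketched below. This is an added example, not code from the question or the answer; the function names and the sample XML are constructed for illustration, and the connection-string parsing assumes plain `Key=Value;` pairs without quoted values.

```python
import xml.etree.ElementTree as ET

# Connection-string keys that carry a credential (lower-cased for comparison).
SECRET_KEYS = {"password", "pwd"}

def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs

def find_embedded_credentials(web_config_xml):
    """Return names of <connectionStrings> entries with a non-empty password."""
    root = ET.fromstring(web_config_xml)
    flagged = []
    for add in root.iterfind("./connectionStrings/add"):
        pairs = parse_connection_string(add.get("connectionString", ""))
        if any(pairs.get(key) for key in SECRET_KEYS):
            flagged.append(add.get("name", "<unnamed>"))
    return flagged

# Constructed sample, not taken from the question.
SAMPLE = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Data Source=db01;Initial Catalog=App;User ID=app;Password=example-only" providerName="System.Data.SqlClient" />
    <add name="ReportsDb" connectionString="Data Source=db01;Initial Catalog=Reports;Integrated Security=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for name in find_embedded_credentials(SAMPLE):
        print(f"Web.config entry {name!r} embeds a password")
```

Entries that use Integrated Security, or that leave the password empty, are not flagged, so the check only fires on a credential that would actually travel with the repository.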