| Commit message (Collapse) | Author | Age | Files | Lines |
In order to check all existing rate limits through Authority, the limit
keys must function as user rights. However, we do not want them to be
"normal" permissions, since they cannot sensibly be revoked, and they
should not clutter the user interface.
To solve this, we introduce the concept of "implicit rights", which are
always granted, but limitable.
Change-Id: I0ea6f29130da1d68d022d47d9221fe878bc9beae

Bug: T208477
Change-Id: Ic7c1b02d6d6c077981599f00e443d157648a1fd8

Remove `$wgShowDiffToggleSwitch`, ensure the inline switcher
is always shown.
Bug: T341630
Change-Id: I37d1abe0d9773654df24dd8316cd1b351e3b91a4

This setting can be used to optimize externallinks queries for certain
domains that have many entries in the externallinks table, but also big
“gaps” where the table contains no entries for that domain. By putting
those gaps (whose el_id values would usually have been obtained on the
analytics databases) into the configuration, we can have MediaWiki tell
the database to skip those ranges of the table instead of scanning
through them. (This is only relevant for domains that have enough
entries that the database chooses to scan the table in primary key order
rather than using the el_to_domain_index_to_path index and filesorting.)
Bug: T341000
Change-Id: Iec4fe01aaa595fbaf3b427b7baa68a9d7209b117

Bug: T345669
Change-Id: Ia099d092461aa12fc1bfac10c65cf79b391bafca

Follows-up 7c2c016e46 (I086e275148). This separates the link from
the response such that when it gets copied elsewhere, hosted elsewhere,
saved offline, proxied, archived, or otherwise served from a different
place or with different content; the header is most likely naturally
not copied along.
This is based on upstream experience by the jQuery Team where e.g.
distributions of jQuery, or concatenations, etc would lead to
confusing errors or inability to see any source in the devtools.
In the Wikimedia community we have two similar use cases:
1. people sometimes copy load.php responses to a wiki page, e.g.
as a way to "distribute" a ResourceLoader-built gadget or to
fork/debug some core code.
2. the Internet Archive stores copies of our responses, but doesn't
proactively download source map links.
For example, archiving
https://people.wikimedia.org/~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.html
results in:
> … /~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.html
> … /~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.min.js
> Archived at
> http://web.archive.org/web/20230905211332/https://people.wikimedia.org/~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.html
Bug: T47514
Change-Id: I3e85c2afb107ce1185651ab038379e4abe87a445

Mark as deprecated now that it's false by default and deployed as such,
so that we can remove all the dead paths in a future version.
Bug: T314318
Change-Id: If514d058cc92408c67ffb7625e47f224bb510838

Anything that writes or reads from now-dropped columns
Bug: T312666
Change-Id: Ic1c69de717bfa03bba94e97dabad9e717ba13fd6

Already dropped from production
Also dropping FixExtLinksProtocolRelative as it's not useful anymore and
it has been run in previous releases so it's not worth fixing.
Bug: T312666
Change-Id: I1dd6e704b34e685ada6e316da11243d10827d769

This moves the core part of wfGetPrivilegedGroups() out of Wikimedia
config and makes it possible to move functionality built on it into
core.
Bug: T208477
Change-Id: I6536ef2909caeed047447e8b6a25831d6f00d827

Building blocks of CP don't really need to depend on LBF. Even the
config value for CP stash type is also different. But it's being passed
around along the rest of LB/LBF config and possibly down to the DB
object.
This is making the code much harder to understand, adds more coupling
than it needs to, and it's making pieces that don't need to rely on LBF
(like load.php) actually depend on LBF just to disable CP.
This clean up also helps improve DI of LB/LBF and building of DB
objects down the road.
Bug: T275713
Change-Id: Ic27269a1f1190ee7a03c6a422ada7ff293c3cab1

In the debugger of Firefox and Chrome, without any special debug mode,
you will be able to see the original unminified JavaScript source, and
to set breakpoints in it and step through it.
Main visible changes:
* Add a config variable controlling the generation of source map links,
off by default for now.
* For script responses, move errors to the bottom of the response. This
avoids disturbing the source map.
* mw.loader.impl() calls will have less whitespace in debug mode,
because minification is no longer done as a post-processing step on
these calls.
Details:
* Use an index map when multiple responses are requested. This requires
an update to the minify library.
* Add a boolean "sourcemap" query parameter which causes load.php to
deliver source map output instead of regular minified content.
* Bundle sources into the source map and use two kinds of fake URL if a
real debug URL is not available. "Open in new tab" on a fake URL is
not functional.
* In the source map mode, respond with 404 if the version is mismatched
or if the content type is unimplemented.
* Fix createLoaderURL() so that $extraQuery is not ignored when there
are conflicting context parameters, so that we can successfully
override the version. The source map version should match the
delivered content, not the requested version.
* Since minification with source map tracking can't use filter(),
add a new cache for module source maps and minification. Add hit rate
stats.
Also:
* Fix unnecessary array_map() in getCombinedVersion()
Bug: T47514
Change-Id: I086e275148fdcac89f67a2fa0466d0dc063a17af

The global variable AjaxUploadDestCheck is deprecated and unused since
6c4ac7ddc5 included in MediaWiki 1.38.
Bug: T291375
Change-Id: Ie406adb97bf323cc54041aca2b0204db8b4da859

Move parts of implementation code comments into something that is
discoverable and understandable to a general audience of MW core and skin
developers (not hidden in code mostly seen by maintainers
and contributors to ResourceLoader internals).
Most notably, that the system is turned off by default (and how to
turn it on), that it is limited to requests by unregistered users,
and that the class must follow a certain pattern.
$wgResourceLoaderClientPreferences is removed as part of this.
This is not considered a breaking change as the feature is now
automatically on in the skins that need it (via skin.json), and previously
it was marked experimental and off by default.
Skins are naturally required to have knowledge of this system, as they
need to call into it to persist classes for feature toggles. By removing
the need to also enable it at the site-level we get a few benefits:
1) make skins like Vector easier to correctly install and configure.
2) ease maintenance for skin devs by removing the need to manually
export and check $wgResourceLoaderClientPreferences before calling
mw.user.clientPrefs or otherwise hinting in UI or docs that the
feature persists when it might not be turned on on a given MW site
or WMF wiki.
3) ease browser testing in CI.
Bug: T344069
Depends-On: If9b83dd559cda2dac315afcb65a4761b9e97f319
Change-Id: Ib0b5ee29ec7accb7b291830d2ab6566fe4f4c0c5

Instead of replacing isRegistered with isNamed
in the watchlist component, (re)assign the watchlist
rights (`editmywatchlist` and `viewmywatchlist`) to
the `user` group, instead of `*`. This should hide
watchlist-related interface from temp accounts, as
those are not a member of the `user` group.
isRegistered() is kept in watchlist, as technically,
any user with an ID could have a watchlist (it is now
a matter of rights / product decision, rather than
technological reasons).
This patch partially reverts
Ib935fc04387100f25cafd75c632ac5ae7114d5d5.
This is an alternative to Ifeedbbfb520ec26680134279bd44fec98754d897.
What is left is to change the "User registration"
filters to match expectations for temp. accounts
(to be done in a follow-up patch; see T343322).
Bug: T341976
Change-Id: I1ccda3878a658d4251429ae65ebee04c09d81243

I think we should set it back to optional since this affected XML
dumps generated after the schema ver 0.11 was published.
We can change it to non-optional in the next version if necessary,
with the exporter fixed.
Bug: T343622
Change-Id: Ic12b7c573a9fc8dc390a74dae694ff6eca3d0604

The "nonce" CSP feature has never been properly tested and is not
on track to be enabled at WMF or in MW by default. The use of
nonce-protected eval is not particularly meaningful. It is trivially
bypassed by mw.loader.implement, mw.loader.store, or importScript();
all of which allow any code to be executed directly, or to be stored
and loaded from a first-party origin.
The "nonce" feature is not required for the T208188 roadmap, and with
change I51b8535b2b21a3 there is now also a (small) performance reason
to keep this disabled long-term.
Until and unless there is a plan for enabling this particular aspect
of CSP, we might as well remove it so that we don't waste our
time building abstraction layers and satisfying dependency injection
through many years for something that might never be used.
Note that this does not remove CSP support from ResourceLoader, and
does not take away from the future of enabling CSP in MediaWiki to
e.g. strictly block third-party scripts, or to require domains to
opt-in by site config or user pref (T208188).
Change-Id: I5a176c41a06a484a11e64bdacdc42b40811fe72e

The following validation errors have been fixed:
* The "required" validation keyword must be an array.
* Remove trailing commas
* Remove improper use of "$ref".
Change-Id: I3d01ab5467d1cf496d144781ef57a221b1476347

This test was not being run because the docs directory wasn't included
in the PHPUnit XML config files. As a direct consequence, the test was
extremely broken: it used the non-namespaced DumpTestCase class which no
longer exists, it referenced XML files with the wrong path, and then the
test had other non-error failures to fix.
Change-Id: I188cbb1de68d39c7a484d4c6f808678af80d11ab

Introduce a Telemetry singleton for propagating `tracestate` and
`traceheaders` during a MW web request. This class allows for easier
testing and mocking.
In the future we might use this as a wrapper for OpenTelemetry.
Bug: T320559
Change-Id: I3e5e54afa21f8c099877b3765c769f2d2f8f5d61

In https://gerrit.wikimedia.org/r/c/mediawiki/core/+/745386 and
https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/ASODV6622T4YUAY3JO5ZVBL3B5ZQDX2U/
a compelling case is made that we can drop $wgLegalTitleChars as a
configuration option. Extension::TitleBlacklist or, in the near
future, Extension:AbuseFilter can be used to restrict the character
set for those who still have that need.
Similarly, it doesn't seem compelling to make IllegalFileChars
configurable; probably most libraries don't even realize that the
set of legal title characters after a `File:` prefix is different
from the set of legal title characters, and of those that actually
implement this, probably no one is actually respecting a reconfigured
value for $wgIllegalFileChars, because it's not even exported in
siteinfo.
A patch to remove the configurability will land later (probably based
on I70b60ca548e36c676da90553ad8684507096bb28) but for now let's just
announce our intention to fix the set of legal title/file characters
for all wikis and let that ride out into the world in our next
release.
Bug: T297340
Change-Id: If48257ff6e800451b992ed0748abc878fa5e16d3

The current documentation is referring to the deprecated $wgExtensionCredits
extension.schema.v2.json and additionally it is confusing, if not wrong.
Change-Id: Ie361bcf2f3fe874c33a29bbd8e9e9540e0e2d972

Bug: T341754
Change-Id: I17396985d0b26516a06df17e9bd1343054521e01

This adds the core parts of the feature with only the minimum
possible functionality: saving while editing; restoring
when an edit form is re-opened; and deleting (on saving etc.).
Bug: T341844
Change-Id: Ie556a7c981c68e8fe98deba8bf7995bf6c27ecd3

* Add an API-only user preference for diff type
* Retain query parameter stickiness but fix it so that the diff-type
from user preferences does not leak into the query string. So the
no-JS control continues to work. If a no-JS user has the inline
preference set, respect it on the initial load, but add an explicit
diff-type=table to the query string of the table link so that the
preference can be overridden.
* Get the diff type from the initial state of the no-JS button. Infuse
the widget to access the active property using the OOUI public API.
* For a logged-in user, when the JS toggle is clicked, fetch the new
diff body and update the user preference.
* For an anonymous user, when the JS toggle is clicked, update the
prev/next links to include the correct diff-type query parameter.
Bug: T336713
Change-Id: Ie409d79ac8222dfa6ec8fd170b76be088be80b3a

These two messages were marked as RawHtmlMessages, but didn't have
any raw HTML, and so it was unnecessary to mark them as such. Instead
make sure they are parsed properly where they are used to avoid any
potential XSS exploits.
There is an override for one of these messages in WikimediaMessages,
and that override used to use raw HTML in order to get target="_blank"
on a link. This adds that functionality to this part of the code
instead, allowing that message to be parsed as normal wikitext
instead.
Bug: T204470
Depends-On: I075bc904a40b3ea224fa44f9627814e3f9cab051
Change-Id: I67922005288cf3fe2da43d92d49de54f88e98926

Bug: T341828
Depends-On: I2d4ef8fc3bffa43bc611af3eab0494f4900df557
Change-Id: Ia55cb6cbdb28484e820f9cf3d6aacac00a86ffab

Since the default for wgParserEnableLegacyMediaDOM is now `false`, this
config will also be set to `false` and wikis can enable it while it's
still necessary.
The plan will be to gradually roll this change out, as was done for
wgParserEnableLegacyMediaDOM, to develop a migration path for templates
and extensions that mimic the legacy media output.
We can start on officewiki.
Bug: T318433
Change-Id: I70e537b2beb99de9a41e7dc66a0d60a508009887

It was so close already, it seemed like an effort was being made.
Unfortunately it is not possible to use @phpcs-require-sorted-array
since it breaks ReflectionClassConstant::getDocComment().
Change-Id: I296bb333a49adc973f65b094b727edf7f6143ba1

As a first pass, inject various services into the job as this is
now supported by JobFactory.
The second pass will have to survey callers of fixRedirects() and
pass in various services that would be used in the static method.
Also, we need to do the same for getFinalDestination() which needs a
DBLoadBalancerFactory service.
Bug: T265942
Change-Id: If61a32b6ce32dc934533603a0e99414ab5771909

Change-Id: Ib909ef4ba380d0f9dabbd88e6ebd4594686cace9