| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
In MediaWiki/Exception, to follow PSR-4 per plural vs. singular (this can be
changed later if people really care). Also, move the couple of exceptions in
here that were already namespaced in the MW-top-level into the new space.
Bug: T353458
Change-Id: I12ed850ae99effb699a6d7ada173f54e72f0570e
|
| |\ |
|
| | |
| |
| |
| |
| | |
Bug: T322944
Change-Id: I4e142ec5eba2dc05afe947f138bea043e0667151
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Main change:
* Add a class hierarchy representing block targets, representing a
target and type.
* Add BlockTargetFactory, replacing BlockUtils.
* Add CrossWikiBlockTargetFactory, replacing BlockUtilsFactory.
* Construct a BlockTarget object early in the request flow and pass it
down through the layers, instead of having every layer interpret
UserIdentity|string target specifications.
Also:
* Remove Block::TYPE_ID. Nothing uses it in code search, so there's
no point in porting it to the new system.
* Stop using the type constants as specificity scores. Add
BlockTarget::getSpecificity().
* Add DatabaseBlockStore::newUnsaved() to replace direct construction of
DatabaseBlock in insertBlock() callers. There are many such callers in
tests. This is part of the effort to remove the service container
usage in DatabaseBlock::__construct().
* Make DatabaseBlock::getRangeStart() and getRangeEnd() return null if
the block is not a range, since that is convenient for their only
caller following the resolution of T51504.
* Add DatabaseBlock::getIpHex() which similarly maps to a DB field in
the new schema.
* In ApiBlock and ApiUnblock, have ParamValidator provide UserIdentity
objects instead of converting to a string and back to a UserIdentity
again.
Bug: T382106
Change-Id: I2ce1a82f3fbb3cf18aa2d17986d46dbdcc70c761
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a session provider is safe against CSRF (e.g. OAuth), we can allow
cross-origin requests to be non-anonymous. This makes it possible to
have fully client-side web applications that authenticate users via an
OAuth 2.0 client (necessarily a non-confidential client) and then make
authorized requests against wikis using the Authorization header.
To opt into this new mode of CORS requests, we use a new boolean
parameter called "crossorigin". (An earlier version of this change
reused the existing "origin=*" parameter for this, but the change to its
previous “always anonymous” behavior was not welcomed during code
review.) The parameter is disabled by default via a config setting,
which is currently declared experimental; if this works out in practice,
we’ll presumably want to at least change it to non-experimental, though
I don’t know if we want to enable the feature by default (or even
unconditionally) or keep the setting as it is.
Note that the preflight request doesn’t send the real Authorization
header (it just includes its name in Access-Control-Request-Headers), so
the session provider in the preflight request is still the normal cookie
provider (which is why handleCORS() has to bypass the safeAgainstCsrf()
check in that case). This shouldn’t be an issue, because
executeActionWithErrorHandling() returns quite early if the request is
an OPTIONS request (immediately after handleCORS()), but to be sure that
the unsafe session isn’t used during the preflight request, I added a
"crossorigin" check to lacksSameOriginSecurity(). (That method is called
by the constructor before the param validator has been set up, so
$this->getParameter() is not available – hence the call to
$request->getCheck() instead, just as for the 'callback' parameter.)
Bug: T322944
Change-Id: I41200852ee5d22a36429ffadb049ec3076804c78
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Same as Ia294bf4 did for 1-line comments. This patch removes slightly
more complex 2-line PHPDoc comments that don't add any new information
to the code, but literally repeat what the code already says.
They say "don't document the code, code the documentation", and we
are doing this more and more. We just tend to forget to remove the
obsolete comments.
Note I'm also removing a line of text in a few cases when it's very
short and literally says the same as the method name. Again, such
comments add zero new information.
Change-Id: I01535404bab458c6c47e48e5456403b7a64198ed
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Re-purpose the existing id parameter to support block ID. If both id,
and username are provided the request will fail
* If a target has more than one block and a specific block is not
provided it will fail with ipb_cant_unblock_multiple_blocks
Bug: T378148
Change-Id: I04928d989e6764ac93ec243a5fec9c7fe2b0b9b0
|
| |/
|
|
|
|
|
|
| |
If the value is compared against a static ASCII string.
The UTF-8 normalization of getVal is not needed here.
Change-Id: Id85f1218a9d76b9ca69fb833348e531387089711
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
isset() should only be used to suppress errors, not for null check.
When the property is always defined, there is no need to use isset.
Found by a new phan plugin (2efea9f989)
https://www.mediawiki.org/wiki/Manual:Coding_conventions/PHP#isset
Change-Id: Ib84b7d71e8308a36409f30ecfd16e9de149e97b3
|
| |/
|
|
|
|
|
|
|
| |
isset() should only be used to suppress errors, not for null check.
When the property is always defined, there is no need to use isset.
Found by a new phan plugin (2efea9f989)
https://www.mediawiki.org/wiki/Manual:Coding_conventions/PHP#isset
Change-Id: I186e799256fbaf5ee77558bd146f9418dd5eaacc
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In ApiBlock:
* Add an "id" parameter. If this is given, update the specified block.
* Add a "newblock" parameter. If this is given, always add a new block,
don't check if the target is already blocked.
* If "reblock" is given and the target has more than one block, fail
with an "ambiguous-block" error.
Supporting changes:
* Add BlockUserFactory::newUpdateBlock(), which takes a DatabaseBlock
instead of a target union to act on. The block is passed through to
the BlockUser constructor.
* Rename the first parameter to BlockUser::placeBlock() from $reblock to
$conflictMode, and style it like an enum. Add the CONFLICT_NEW value,
to support the "newblock" API option.
* In DatabaseBlockStore::newFromId(), add $fromPrimary, so that ApiBlock
can pass data to BlockUserFactory with equivalent freshness to the
LHS.
Also:
* In BlockUser, memoize prior blocks loaded from the DB
* Move T287798 autoblock check to the memoized accessor. Just don't
return autoblocks.
* Move "TODO handle failure" comment in BlockUser to the called method.
It really can't fail.
* In DatabaseBlockStore::newFromId(), add an $includeExpired parameter
and default to false although it was previously implicitly true.
Based on a brief review of callers, I think this is beneficial.
Bug: T378147
Change-Id: Iea5b77cb27006b33f3dde61660be5ad2c374a425
|
| |
|
|
|
|
|
| |
Improving coupling.
Bug: T376565
Change-Id: I109662cc957e1a64396348d7c2f5d2eadedb9722
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This should allow us to track which logins/account creations
come from temp and named users.
For convenience added a internal method in UserIdentityUtils
to not copy paste same code all over again.
Bug: T341650
Bug: T375510
Bug: T375505
Change-Id: I967d69a04c4435bb6b1398c94dbef91bde2022d3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
php documentation:
If the size of post data is greater than post_max_size, the $_POST and
$_FILES superglobals are empty.
When the action= and format= are not in the GET data,
the help page is returned in html, breaking the clients expected format.
Return api error with http status 413
Bug: T291754
Change-Id: I5906fb6b4412b161b198df0b51e2476e7e1079b8
|
| |
|
|
|
|
|
|
|
|
|
| |
Implicitly marking parameter $... as nullable is deprecated in php8.4,
the explicit nullable type must be used instead
Created with autofix from Ide15839e98a6229c22584d1c1c88c690982e1d7a
Break one long line in SpecialPage.php
Bug: T376276
Change-Id: I807257b2ba1ab2744ab74d9572c9c3d3ac2a968e
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use
$request->getRawVal( 'key' ) ?? 'default'
instead of
$request->getRawVal( 'key', 'default' )
The ?? is more flexible, avoids a wrong type detection by phan and
avoids the evaluation of the default value if not needed.
Bug: T376245
Depends-On: I3ed6b85c0d117ed7cb3a8b79f73a3eb42977891e
Change-Id: I8b02f9297b76d04e21f8cb9194f3b85631956eca
|
| |
|
|
|
| |
Bug: T353458
Change-Id: I3ea6b08c5018ba03ba45c5766e1f46e12f6b8597
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add doc-typehints to class properties found by the PropertyDocumentation
sniff to improve the documentation.
Once the sniff is enabled it avoids that new code is missing type
declarations. This is focused on documentation and does not change code.
Change-Id: I8b33b5f4d91c1935228e7010327dbc6ce138fc00
|
| | |
| |
| |
| |
| | |
Bug: T359465
Change-Id: Id5aa4000e8b8bbb13b0ccd4d7cdf8bb355963ad7
|
| | |
| |
| |
| | |
Change-Id: Idd0f98ccb449735b5244bb7531327be763daceb8
|
| |/
|
|
|
|
|
|
|
|
| |
* Remove StatsdAwareInterface
* Remove setStatsdDataFactory()
* Add setStatsFactory()
* Migrate api and action setStatsdDataFactory() usage.
Bug: T359366
Change-Id: Ic4e82c24d3b1cdca638b22885902cc441d8510b8
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This avoids data bloat in feature usage logging and tracking,
reducing the chance of truncation, and makes it easier to search
these records.
Note that all uses of this method are tied to deprecated API
feature use reporting.
Bug: T313731
Change-Id: Ie097ad21959fbcedc33da407145a7aad573a361e
|
| |
|
|
|
|
| |
Bug: T294397
Depends-On: Ib34228a18917e404517d45e539bd786419d9c401
Change-Id: Ifad2edc782b36d21c8c67fecde7f011dce02c11b
|
| |
|
|
|
|
|
|
|
|
| |
In change I625a48a6ecd3fad5c2ed76b23343a0fef91e1b83 I am planning to
make Wikimedia\Message\MessageValue use it, and we try to pretend that
it is a library separate from MediaWiki, so it makes sense to move
MessageSpecifier to the same namespace under Wikimedia\.
Bug: T353458
Change-Id: I9ff4ff7beb098b60c92f564591937c7d789c6684
|
| |
|
|
|
|
| |
Changes to the use statements done automatically via script
Change-Id: Icc5b59f9ef6319d1fb785fcda17f43c94f94cc38
|
| |
|
|
| |
Change-Id: I770a98e7cc3e2bc78e363dd73439ab8b8599e0da
|
| |
|
|
|
|
|
|
|
| |
This commit replaces some of the uses of getErrorsArray(),
getWarningsArray(), getErrorsByType(), and getErrors().
In many cases the code becomes shorter and clearer.
Follow-up to Ibc4ce11594cf36ce7b2495d2636ee080d3443b04.
Change-Id: Id0ebeac26ae62231edb48458dbd2e13ddcbd0a9e
|
| |
|
|
|
|
|
| |
Removes usage of various deprecated SpecialEmailUser classes.
Bug: T362636
Change-Id: Ieb71a3741348ca9dae8c5bf32e891fee458ed5b2
|
| |
|
|
| |
Change-Id: I0c57684b30365b9e5e3f2346bd342122c9d45309
|
| |
|
|
|
| |
Bug: T353458
Change-Id: I99d728bd111ff882220cd175ff09d4da20b81eae
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
* Modules that extend ApiQueryBase are loaded using the ApiQuery
module. This defines an override to the ApiBase::isWriteMode
method that loads the modules.
* Using the mModule when $isError is true could lead to the
exception that was thrown in ::executeAction being thrown again.
* Therefore, ApiMain::sendCacheHeaders should only call the
ApiBase::isWriteMode method if the request did not fail
with an error that caused $isError to be true.
* Without this fix, ApiUsageExceptions appear in logstash as
exceptions, as described in T363133.
What:
* Only interact with $this->mModule if the $isError argument
is false. If $isError is true, assume that ::isWriteMode
would return true. Assuming this will also avoid error
responses being marked as fresh for any amount of time, as
the error may be temporary.
* Add a test that verifies that the method does not throw if
ApiBase::isWriteMode throws an ApiUsageException.
Bug: T363133
Change-Id: I41d869c257878b8a94d6c40332e2028405de8729
|
| |
|
|
|
|
|
|
| |
Instead of globally ignoring this sniff, convert the current violations
(which set the variable so can't be fixed easily yet) to use local phpcs
comments to silence the errors.
Change-Id: I490cbf4915e2705383edb4a2fc5ddc1efd55c960
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
* Since 1941f28f609e88da1677f0beb99468bb77748040, the
recentchangesfeed API (ApiFeedRecentChanges) has treated
temporary accounts as being anon users for the purposes of the
'hideanons' parameter.
* However, the help text does not describe that temporary accounts
are treated in this way and as such the help text needs to be
modified depending on whether temporary accounts are enabled.
What:
* Add 'apihelp-feedrecentchanges-param-hideanons-temp' as a i18n
message which duplicates the existing 'apihelp-feedrecentchanges
-param-hideanons' but includes temporary accounts.
* Update ApiFeedRecentChanges::getAllowedParams to use the new
message if TempUserConfig::isEnabled returns true.
* Add the TempUserConfig as a injected dependency for
ApiFeedRecentChanges.
* Add an integration test to verify that the correct help message
is used for the 'hideanons' parameter in ApiFeedRecentChanges.
Bug: T358249
Change-Id: I516c1a563a81777217cda998efaeda7967dd224d
|
| |
|
|
|
|
|
|
|
|
|
| |
* Switch out raw Exceptions, mostly for InvalidArgumentExceptions.
* Fake exceptions triggered to give Monolog a backtrace are for
some reason "traditionally" RuntimeExceptions, instead, so we
continue to use that pattern in remaining locations.
* Just entirely give up on PostgresResultWrapper's resource vs. object mess.
* Drop now-unneeded false positive hits.
Change-Id: Id183ab60994cd9c6dc80401d4ce4de0ddf2b3da0
|
| |
|
|
|
| |
Bug: T353458
Change-Id: I4dbef138fd0110c14c70214282519189d70c94fb
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds significant complexity and provides very little value.
As far as I can tell, we've never linked to those IDs. Other headings
in generated documentation don't have fallback IDs (in ApiHelp).
I'm mostly doing this because I want to deprecate and remove
Linker::makeHeadline(), which is a function with really silly
parameters that grew out of a regexp replacement callback in
Parser.php, and which – except for these usages I'm removing
– is only used there.
Change-Id: If793f5023fca744f109f5a1f0f0ad3857375db8c
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The goal is to unify the high level control flow in entry points by
making them use a shared base class. Eventually, this will allow
us to test all aspects of request handling, including response
headers and output buffer handling. That will however require
us to move quite a bit of logic from ApiMain into ApiEntryPoint.
Bug: T354216
Change-Id: I4ea1cbb8b2786c24deade7d5029d95fe0c2abc57
|
| | |
| |
| |
| |
| | |
Bug: T325686
Change-Id: Ia7ce7df94c233a4534625d250229806fb21d8017
|
| |/
|
|
|
| |
Bug: T350592
Change-Id: I12681e3d069bdcaf184952d692d36bf71697e4d8
|
| |
|
|
|
|
|
|
|
| |
When we format API output as HTML, that HTML may contain user secrets
and should not be cacheable, even if the API output would ordinarily be
cacheable.
Bug: T354045
Change-Id: I94fe5f7bfae580e8bda8af1971b9448db8201c22
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
* Before this task, when an API parameter specifies allowed user
types, temporary users and permanent users are in the same
category: 'name'.
* However, it is useful to separate them out, and sometimes
allow a permanent user but not a temporary user (e.g.
ApiResetPassword, since temporary users don't have passwords).
* We therefore re-defined the 'name' type only to refer to
permanent (named) users, and add a new 'temp' type.
* This fixes params that currently intend to allow temp users,
and that use 'name' to do so, by adding 'temp'.
What:
* Based on a search for `UserDef::PARAM_ALLOWED_USER_TYPES`,
add the 'temp' type where necessary.
* The following were not updated, because they shouldn't apply
to temporary users:
- owners for includes/api/ApiQueryWatchlist.php,
includes/api/ApiQueryWatchlistRaw.php
- users for includes/api/ApiResetPassword.php,
includes/api/ApiUserrights.php,
includes/api/ApiValidatePassword.php
Bug: T350701
Change-Id: If5ccf1d469327791acff74d013343307e411cca9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Deprecated methods are:
* WebRequest::isSafeRequest()
* WebRequest::markAsSafeRequest()
Introduced in I43f4bc06c19d823d7d1f (549af8bf) and used in
I01ae2f045726208d2af7 (ce3a25be), then later removed in I4eb10817cccb40aa255
(e34fd634) which became unused in core.
As a result, it made markAsSafeRequest useless as there is really no
consumer at this point.
No known usage (confirmation) per our code search tool today. See below:
https://codesearch.wmcloud.org/search/?q=isSafeRequest&files=&excludeFiles=&repos=
Change-Id: I39cfb04c46374153d374fe0bb88690fa48ad7250
|
| |
|
|
|
| |
Bug: T166010
Change-Id: Id13dcbf7a0372017495958dbc4f601f40c122508
|
| |
|
|
|
| |
Bug: T166010
Change-Id: I7257302b485588af31384d4f7fc8e30551f161f1
|
| |
|
|
|
|
|
| |
This has been approved as part of RFC T166010
Bug: T321882
Change-Id: I6bbdbbe6ea48cc1f50bc568bb8780fc7c5361a6f
|
| |\ |
|
