| Commit message | Author | Age | Files | Lines |
|
Bug: T354541
Change-Id: Id66e1710b6217d8d1fabeac5cf4bc27bc008f654
(cherry picked from commit af4c5e0f68abe71a178df71085d68ebd3e8ffea5)
|
This patch only adds and removes suppressions, which must be done in the
same patch as the version bump.
Bug: T298571
Change-Id: I4044d4d9ce82b3dae7ba0af85bf04f22cb1dd347
|
Mainly, document some parameters as non-empty-array so that phan knows
the list of arguments won't be empty when unpacking.
In EditPage, account for hooks potentially unsetting the copyright
notice.
Also rewrite some code in LogPager, so it's hopefully easier for phan to
understand what's going on.
Change-Id: Ic0638571554424098d0743db32dd46723a08e103
|
Deprecate AuthManager::checkAccountCreatePermissions in favour of
::authorizeCreateAccount, for full permissions checks and
::probablyCanCreateAccount, for quick permissions checks.
Update SpecialCreateAccount to use the appropriate checks, and
add SpecialCreateAccountTest.
Bug: T283265
Change-Id: I385f2b56ef61f64a4c61e9c97683bef564892dce
|
The hook handler should not save the user to avoid deadlocks
Bug: T199393
Change-Id: If67b86944097350e873843a811c919e92a985eb6
|
Change-Id: I42aab149559e3e899cde6c77af76c66936ed0ef0
|
Allows AuthenticationResponse to store, when the status is FAIL,
an array of strings that describe the reasons for the failure.
These are stored in $failReasons and are not intended for the
client. On any other status $failReasons is null. These are
optionally provided when calling AuthenticationResponse::newFail
in the parameter $failReasons.
This is implemented to allow the CentralAuth extension to store
whether the password was correct if the account is locked inside
the AuthenticationResponse. The extension CheckUser which hooks
into authentication requests then can read the failure reasons
from the AuthenticationResponse, and can then note in the CU
entry that the login attempt had the correct password.
If whether the correct password was used is stored in the I18n
message, the client would then know if the password they tried
on the locked account was correct. For compromised accounts this
could be used by malicious actors to verify that the password
was correct and then try it elsewhere if the account has the same
password as on other sites. This means, unless I have missed
another method, a new array is needed to store these failure reasons.
This, along with some other patches to CheckUser and CentralAuth,
will then allow Checkusers to see if a login attempt for a locked
account had the correct password. Checkusers can then use this,
with the knowledge that the account isn't compromised, to say that
the login attempt was made by the owner of the account so in cases
of socking the creation of a new account can be more conclusively
said to be by the person who created the now locked sock account.
Bug: T303192
Change-Id: I7b2d9579a518a6c02f05281b1016e31e0d086fe7
|
Found using IntelliJ's "Typo" code inspection.
Change-Id: I746220ebe6e1e39f6cb503390ec9053e6518cf16
|
Add a hook "TempUserCreatedRedirect" which allows an extension to modify
the post-save redirect after a temporary user is created. CentralAuth
will handle this hook in order to redirect to loginwiki. Loginwiki will
redirect back to the page being saved.
In LoginHelper::showReturnToPage add an "anchor" parameter to specify
the URL fragment to redirect to. This is intended for section editing
with a redirect via loginwiki.
In AuthManager::autoCreateUser(), just allow any valid username, don't
require it to be creatable. Previously a non-creatable username was
allowed only with $source=AUTOCREATE_SOURCE_TEMP, but CentralAuth
depends on user autocreation from the session during refreshCookies. The
session is already validated at this point, so it's not like a user can
exploit this to create arbitrary names.
Change-Id: I623330dbf5d0573c93ae22f962618d6ddbd126d9
|
Bug: T296083
Change-Id: Ia37704771f4fa8222d08d24656ff3c8b437cfa87
|
This edition brought to you by:
grep -ERIn $(grep -o "'[A-Za-z0-9_]*'" includes/MainConfigNames.php | tr
"\n" '|' | sed 's/|$/\n/') includes/
I only corrected a fraction of the results provided by that command. I'm
submitting the partial patch now so it doesn't bitrot.
Bug: T305805
Change-Id: If1918c0b3d88cdf90403921e4310740e206d6962
|
Add services and utilities for automatic creation of temporary user
accounts on page save, in order to avoid exposing the user's IP
address.
* Add $wgAutoCreateTempUser, for configuring the system
* Add TempUserConfig service, which interprets the config.
* Add TempUserCreator service, which creates users during page save as
requested by EditPage. With proxy methods to TempUserConfig for
convenience.
* Add table user_autocreate_serial. Table creation is necessary before
the feature is enabled but is not necessary before deployment of this
commit.
Bug: T300263
Change-Id: Ib14a352490fc42039106523118e8d021844e3dfb
|
Part 1, proof of concept. Hundreds of files left to go. These changes
brought to you in large part by vim macros.
Bug: T305805
Change-Id: I44789091e9f6394c800a11b29f22528c8dcacf71
|
Make phan stricter about conditional variable declaration
Remaining false positive issues are suppressed.
The suppression and the setting change can only be done together
Bug: T259172
Change-Id: I1f200ac37df7448453688bf464a8250c97313e5d
|
Make phan stricter about array keys
Remaining false positive issues are suppressed.
The suppression and the setting change can only be done together
Bug: T304887
Depends-On: I3105a5fd4826f8667b5232834defc5ec93be32a1
Depends-On: Ie9610a6e83731468311edb3ed17f80fc509de385
Change-Id: I701f12ab94478c3b8e7fd82110ade74a8e6b04ef
|
Conventionally, public constants are accessed via their declaring
class, except for self:: which is an acceptable shortcut.
Change-Id: If05eab72140267e6ef54736710d751d7f24a7860
|
Make phan stricter about null types by setting null_casts_as_any_type to
false (the default in mediawiki-phan-config)
Remaining false positive issues are suppressed.
The suppression and the setting change can only be done together
Bug: T242536
Bug: T301991
Change-Id: I0f295382b96fb3be8037a01c10487d9d591e7e01
|
Make phan stricter about scalar types by setting scalar_implicit_cast to
false (the default in mediawiki-phan-config)
Bug: T242536
Bug: T301991
Change-Id: Ia2fe30b17804186571722e728578121c8b75d455
|
Adding float as type when INF is used as argument
Found by phan strict checks
Change-Id: I7e19cd0d9b09bf685e4e8387c900f303b669ad54
|
Depends-On: I99c5e5664d2401c36a9890f148eba7c25e6e8324
Depends-On: I48ab818b2965da14af15ef370aa83ad9455badd9
Depends-On: I018371e4b77911e56152ca7b2df734afc73f58a5
Change-Id: I04ebdb52102f6191d49a9cc70b1f98308299e72f
|
Change-Id: I43077a36c09252f79a71b69947e559e388f2851d
|
Both parameters have a default of false, not null.
Change-Id: I5754895347db244eee155f8cf5965df5f4fd2d1a
|
This helps phan to detect unreachable code and also impossible types
after the functions.
It helps phan to avoid false positives for array keys
when the keys are checked before
Bug: T240141
Change-Id: I895f70e82b3053a46cd44135b15437e6f82a07b2
|
Change-Id: I833052a656b1ce419c0929f6f0514f2a33c2c4cc
|
Bug: T254646
Change-Id: I5379dc79be60c99f0a30f74e5d624f81fe6f921b
|
Also refactored some calls to use it.
Bug: T287485
Change-Id: If9e96ce87dc3f3641e9b3ebe093f92d8fa49b9ee
|
- BotPasswordStore
- UserFactory
- UserIdentityLookup
- UserOptionsManager
Bug: T265769
Bug: T141495
Change-Id: If220a25b8dfc9105faee5c04ea17ae8487b275f0
|
Use the already provided content language to get the language converter
for the content language
Bug: T252095
Change-Id: I2bc085d5ca8ce2570e6da21128ea785799c958e5
|
Bug: T141495
Change-Id: Ibb549da3ebc2a9cb7709aaaa31407066361cbaa2
|
last usage was removed in I8d223508ccec7122eef5e0bf136964ad65d64ab7
Bug: T141495
Change-Id: I3cf9d16364b7c5c122c2cc2507ab59fa51283e02
|
composer:
* mediawiki/mediawiki-codesniffer: 36.0.0 → 37.0.0
The following sniffs now pass and were enabled:
* Generic.ControlStructures.InlineControlStructure
* MediaWiki.PHPUnit.AssertCount.NotUsed
npm:
* svgo: 2.3.0 → 2.3.1
* https://npmjs.com/advisories/1754 (CVE-2021-33587)
Change-Id: I2a9bbee2fecbf7259876d335f565ece4b3622426
|
AuthenticationRequest::getUsernameFromRequests() can return a null
$username, but AuthManager::normalizeUsername() requires a non-null
$username, so let’s check for null before calling the latter method.
(Throttler::increase() is fine to call with a null $username, so it’s
enough to skip the normalize call and put null in the array.)
Also, now that we’re handling null, use that instead of the empty string
as the default in the catch block – I assume it wouldn’t make much sense
to pass '' into the normalize method.
Bug: T284170
Change-Id: Id969a15cb9b4ead89b7caa0025d6b364318f2799
|
AuthManager has been converted to a service in 1.35.
AuthManager::$instance is only used in AuthManager::resetCache(),
where it is set to null.
This patch also removes AuthManager::resetCache() because with
removing AuthManager::$instance AuthManager::resetCache() no
longer has any effect.
Change-Id: I8b27f9a2d0d3f7acec6b93f64f9c256084990026
|
hard deprecated since 1.36 and unused
Bug: T249421
Change-Id: Ibdfc5c7d755678106c36488f9a223b141ea29566
|
The documentation of SessionProvider::init says that the method can be used in implementation tests.
Now all tests must use SessionProviderTestTrait::initProvider in order to initialize a SessionProvider.
So the entire description after @internal was rewritten. Also, a
similar note was added to the documentation of
AbstractAuthenticationProvider::init.
Bug: T283931
Change-Id: I1cde6fd12666ef3a7c9b1e33a718592c11cf9e29
|
::isCreatableName"""
|
::isCreatableName""
This reverts commit ecf826a2ee9442ee669e8057328a0118c1a5d0f8.
Reason for revert: need to edit the patch and then it will be GTG in order to finish hard deprecating of User ::getCanonicalName, ::isUsableName, ::isCreatableName
Change-Id: I2f57f56728fcbeada96dc2228f07dc8bcaa5d4f6
|
Bug: T281174
Change-Id: I7f9c1161de4934abebdda68dcc24cf7a0f33d7ce
|
Add a helper method for the common use case of temporarily silencing
transaction profiler warnings.
Change-Id: I40de4daf8756da693de969e5526b471b624b2cee
|
This is just a start.
Bug: T254646
Change-Id: I9213aad4660e27afe7ff9e5d2e730cbf03911068
|
Change-Id: Ie2407cdebf1bf565b0db2f0a6bd0f5dec043a1b9
|
::isCreatableName"
This reverts commit b491279268fe1769a8787cbf30b5309c8aa91363.
Reason for revert: caused CentralAuth tests to fail.
Change-Id: Icb3ed094578df427622e0da2a7462645adcc3d6f
|
Bug: T275030
Change-Id: I60689ee6519c2dbd6d000afa8ac05c3e6b7895d2
|
Just an auto-replace from codesniffer for now.
Change-Id: I5240dc9ac5929d291b0ef1c743ea2bfd3f428266
|
Change-Id: I8d223508ccec7122eef5e0bf136964ad65d64ab7
|
init() method was added to AuthenticationProvider. It helps to inject
dependencies. Overridable postInitSetup() method was added to
AbstractAuthenticationProvider. A provider can override this to do
any necessary setup.
AbstractAuthenticationProvider ::setLogger(), ::setManager(), ::setConfig(),
::setHookContainer() were soft deprecated. Now developers must use
AbstractAuthenticationProvider::init().
Bug: T275030
Change-Id: I6ca63eddac1b177eeadbdcce992e71c44a480160
|