* Array of foreign file repo names (set in $wgForeignFileRepos above) that
* are allowable upload targets. These wikis must have some method of
* authentication (i.e. CentralAuth), and be CORS-enabled for this wiki.
+ * The string 'local' signifies the default local file repository.
*
* Example:
* $wgForeignUploadTargets = array( 'shared' );
*/
-$wgForeignUploadTargets = [];
+$wgForeignUploadTargets = [ 'local' ];
/**
* Configuration for file uploads using the embeddable upload dialog
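Review bot: The `Example:` line in this docblock still reads `array( 'shared' )`, so an administrator who copies it as-is now drops the new `'local'` default from the allowed upload targets. Updating it to `$wgForeignUploadTargets = [ 'local', 'shared' ];` would keep the example consistent with the new default and with the short array syntax used on the added line. The opening sentence also still describes every entry as a "foreign file repo name", which `'local'` is not. The docblock opens above the first visible line, so there may be wording I cannot see.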
// * upload-form-label-not-own-work-local-generic-foreign
'foreign' => 'generic-foreign',
],
- // Upload comment to use. Available replacements:
+ // Upload comments to use for 'local' and 'foreign' uploads. This can also be set to a single
+ // string value, in which case it is used for both kinds of uploads. Available replacements:
// * $HOST - domain name from which a cross-wiki upload originates
// * $PAGENAME - wiki page name from which an upload originates
- 'comment' => '',
+ 'comment' => [
+ 'local' => '',
+ 'foreign' => '',
+ ],
// Format of the file page wikitext to be generated from the fields input by the user.
'format' => [
// Wrapper for the whole page. Available replacements:
* if available
*
* - max lag: (optional) Maximum replication lag before a slave will taken out of rotation
+ * - is static: (optional) Set to true if the dataset is static and no replication is used.
*
* These and any other user-defined properties will be assigned to the mLBInfo member
* variable of the Database object.
*/
$wgPHPSessionHandling = 'enable';
+/**
+ * Number of internal PBKDF2 iterations to use when deriving session secrets.
+ *
+ * @since 1.28
+ */
+$wgSessionPbkdf2Iterations = 10001;
+
/**
* If enabled, will send MemCached debugging information to $wgDebugLogFile
*/
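Review bot: The docblock for `$wgSessionPbkdf2Iterations` gives no guidance on choosing or changing the value, and the default of 10001 has no stated rationale. It should state the trade-off: more iterations make each key derivation slower, fewer make the derived keys cheaper to brute-force. If changing the value on a live wiki makes secrets derived under the old count unusable, which seems likely but is not visible here, the comment should say so, e.g. `* Changing this value invalidates secrets derived with the previous iteration count.` The code that reads the setting is outside this hunk.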
$wgRawHtml = false;
/**
- * Set a default target for external links, e.g. _blank to pop up a new window
+ * Set a default target for external links, e.g. _blank to pop up a new window.
+ *
+ * This will also set the "noreferrer" and "noopener" link rel to prevent the
+ * attack described at https://mathiasbynens.github.io/rel-noopener/ .
+ * Some older browsers may not support these link attributes, hence
+ * setting $wgExternalLinkTarget to _blank may represent a security risk
+ * to some of your users.
*/
$wgExternalLinkTarget = false;
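Review bot: The added paragraph identifies the attack only by URL, so a reader cannot tell what "a security risk" means if that page is unavailable. One clause would make the comment self-contained, e.g. `* (a page opened with target=_blank can otherwise reach the opening tab through window.opener and navigate it elsewhere)`. It would also help to say that leaving the setting at `false` avoids the issue for browsers that ignore the rel values.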
* @since 1.27
* @deprecated since 1.27, for use during development only
*/
-$wgDisableAuthManager = true;
+$wgDisableAuthManager = false;
/**
* Configure AuthManager
];
/**
- * If it has been this long since the last authentication, recommend
- * re-authentication before security-sensitive operations (e.g. password or
- * email changes). Set negative to disable.
+ * Time frame for re-authentication.
+ *
+ * With only password-based authentication, you'd just ask the user to re-enter
+ * their password to verify certain operations like changing the password or
+ * changing the account's email address. But under AuthManager, the user might
+ * not have a password (you might even have to redirect the browser to a
+ * third-party service or something complex like that), you might want to have
+ * both factors of a two-factor authentication, and so on. So, the options are:
+ * - Incorporate the whole multi-step authentication flow within everything
+ * that needs to do this.
+ * - Consider it good if they used Special:UserLogin during this session within
+ * the last X seconds.
+ * - Come up with a third option.
+ *
+ * MediaWiki currently takes the second option. This setting configures the
+ * "X seconds".
+ *
+ * This allows for configuring different time frames for different
+ * "operations". The operations used in MediaWiki core include:
+ * - LinkAccounts
+ * - UnlinkAccount
+ * - ChangeCredentials
+ * - RemoveCredentials
+ * - ChangeEmail
+ *
+ * Additional operations may be used by extensions, either explicitly by
+ * calling AuthManager::securitySensitiveOperationStatus(),
+ * ApiAuthManagerHelper::securitySensitiveOperation() or
+ * SpecialPage::checkLoginSecurityLevel(), or implicitly by overriding
+ * SpecialPage::getLoginSecurityLevel() or by subclassing
+ * AuthManagerSpecialPage.
+ *
+ * The key 'default' is used if a requested operation isn't defined in the array.
+ *
* @since 1.27
* @var int[] operation => time in seconds. A 'default' key must always be provided.
*/
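Review bot: The rewritten docblock drops the removed sentence "Set negative to disable", so it no longer says what a negative or zero value means, or how to switch re-authentication off for a single operation. If negative values are still honoured, keep the sentence in per-operation form, e.g. `* Set an operation's value negative to never ask for re-authentication for it.` If they are not, name the value that now has that effect. The array this comment documents begins outside the hunk.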
];
/**
- * Whether to allow security-sensitive operations when authentication is not possible.
+ * Whether to allow security-sensitive operations when re-authentication is not possible.
+ *
+ * If AuthManager::canAuthenticateNow() is false (e.g. the current
+ * SessionProvider is not able to change users, such as when OAuth is in use),
+ * AuthManager::securitySensitiveOperationStatus() cannot sensibly return
+ * SEC_REAUTH. Setting an operation true here will have it return SEC_OK in
+ * that case, while setting it false will have it return SEC_FAIL.
+ *
+ * The key 'default' is used if a requested operation isn't defined in the array.
+ *
* @since 1.27
+ * @see $wgReauthenticateTime
* @var bool[] operation => boolean. A 'default' key must always be provided.
*/
$wgAllowSecuritySensitiveOperationIfCannotReauthenticate = [
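Review bot: The new text explains when SEC_OK or SEC_FAIL is returned but not the consequence for an administrator. With `true`, the operation proceeds on a session that has given no fresh proof of identity. A closing sentence such as `* Leave an operation false unless it has to work for sessions that cannot re-authenticate.` would give a safe rule of thumb. The array's entries lie outside this hunk, so the shipped defaults cannot be checked against that rule from here.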
MediaWiki\Session\BotPasswordSessionProvider::class => [
'class' => MediaWiki\Session\BotPasswordSessionProvider::class,
'args' => [ [
- 'priority' => 40,
+ 'priority' => 75,
] ],
],
];
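Review bot: The priority changes from 40 to 75 with no comment saying which other session provider this one is meant to outrank. Provider priority presumably decides which provider's session is used when more than one matches a request, so the intended ordering should sit next to the number. For example: `// Keep above <other provider>'s priority so bot-password sessions take precedence`. The other providers' entries are outside this hunk, so the resulting order cannot be verified from here.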
$wgGrantPermissions['basic']['autoconfirmed'] = true;
$wgGrantPermissions['basic']['autopatrol'] = true;
-$wgGrantPermissions['basic']['autoreview'] = true;
$wgGrantPermissions['basic']['editsemiprotected'] = true;
$wgGrantPermissions['basic']['ipblock-exempt'] = true;
$wgGrantPermissions['basic']['nominornewtalk'] = true;
$wgGrantPermissions['basic']['purge'] = true;
$wgGrantPermissions['basic']['read'] = true;
$wgGrantPermissions['basic']['skipcaptcha'] = true;
-$wgGrantPermissions['basic']['torunblocked'] = true;
$wgGrantPermissions['basic']['writeapi'] = true;
$wgGrantPermissions['highvolume']['bot'] = true;
'writes' => 0,
'readQueryTime' => 5
],
+ // Deferred updates that run after HTTP response is sent
+ 'PostSend' => [
+ 'readQueryTime' => 5,
+ 'writeQueryTime' => 1,
+ 'maxAffected' => 500
+ ],
// Background job runner
'JobRunner' => [
'readQueryTime' => 30,
/**
* Authentication plugin.
* @var $wgAuth AuthPlugin
+ * @deprecated since 1.27 use $wgAuthManagerConfig instead
*/
$wgAuth = null;