This is a list of known events and parameters; please add to it if you're going
to add events to the MediaWiki code.
-'AbortAutoAccount': Return false to cancel automated local account creation,
-where normally authentication against an external auth plugin would be creating
-a local account.
+'AbortAutoAccount': DEPRECATED! Create a PreAuthenticationProvider instead.
+Return false to cancel automated local account creation, where normally
+authentication against an external auth plugin would be creating a local
+account.
$user: the User object about to be created (read-only, incomplete)
&$abortMsg: out parameter: name of error message to be displayed to user
$autoblockip: The IP going to be autoblocked.
&$block: The block from which the autoblock is coming.
-'AbortChangePassword': Return false to cancel password change.
-$user: the User object to which the password change is occuring
-$mOldpass: the old password provided by the user
-$newpass: the new password provided by the user
-&$abortMsg: the message identifier for abort reason
-
'AbortDiffCache': Can be used to cancel the caching of a diff.
&$diffEngine: DifferenceEngine object
$title: The Title of the page that was edited.
$rc: The current RecentChange object.
-'AbortLogin': Return false to cancel account login.
+'AbortLogin': DEPRECATED! Create a PreAuthenticationProvider instead.
+Return false to cancel account login.
$user: the User object being authenticated against
$password: the password being submitted, not yet checked for validity
&$retval: a LoginForm class constant to return from authenticateUserData();
&$msg: the message identifier for abort reason (new in 1.18, not available
before 1.18)
-'AbortNewAccount': Return false to cancel explicit account creation.
+'AbortNewAccount': DEPRECATED! Create a PreAuthenticationProvider instead.
+Return false to cancel explicit account creation.
$user: the User object about to be created (read-only, incomplete)
&$msg: out parameter: HTML to display on abort
&$status: out parameter: Status object to return, replaces the older $msg param
&$fields: HTMLForm descriptor array
$article: Article object
-'AddNewAccount': After a user account is created.
+'AddNewAccount': DEPRECATED! Use LocalUserCreated.
+After a user account is created.
$user: the User object that was created. (Parameter added in 1.7)
$byEmail: true when account was created "by email" (added in 1.12)
redirect was followed.
&$article: target article (object)
+'AuthChangeFormFields': After converting a field information array obtained
+from a set of AuthenticationRequest classes into a form descriptor; hooks
+can tweak the array to change how login etc. forms should look.
+$requests: array of AuthenticationRequests the fields are created from
+$fieldInfo: field information array (union of all AuthenticationRequest::getFieldInfo() responses).
+&$formDescriptor: HTMLForm descriptor. The special key 'weight' can be set
+ to change the order of the fields.
+$action: one of the AuthManager::ACTION_* constants.
+
+'AuthManagerLoginAuthenticateAudit': A login attempt either succeeded or failed
+for a reason other than misconfiguration or session loss. No return data is
+accepted; this hook is for auditing only.
+$response: The MediaWiki\Auth\AuthenticationResponse in either a PASS or FAIL state.
+$user: The User object being authenticated against, or null if authentication
+ failed before getting that far.
+$username: A guess at the user name being authenticated, or null if we can't
+ even determine that.
+
'AuthPluginAutoCreate': DEPRECATED! Use the 'LocalUserCreated' hook instead.
Called when creating a local account for an user logged in from an external
authentication method.
$user: User object created locally
-'AuthPluginSetup': Update or replace authentication plugin object ($wgAuth).
-Gives a chance for an extension to set it programmatically to a variable class.
+'AuthPluginSetup': DEPRECATED! Extensions should be updated to use AuthManager.
+Update or replace authentication plugin object ($wgAuth). Gives a chance for an
+extension to set it programmatically to a variable class.
&$auth: the $wgAuth object, probably a stub
'AutopromoteCondition': Check autopromote condition for user.
&$link: Returned value. When set to a non-null value by a hook subscriber
this value will be used as the anchor instead of Linker::link
-'ChangePasswordForm': For extensions that need to add a field to the
-ChangePassword form via the Preferences form.
+'ChangeAuthenticationDataAudit': Called when user changes his password.
+No return data is accepted; this hook is for auditing only.
+$req: AuthenticationRequest object describing the change (and target user)
+$status: StatusValue with the result of the action
+
+'ChangePasswordForm': DEPRECATED! Use AuthChangeFormFields or security levels.
+For extensions that need to add a field to the ChangePassword form via the
+Preferences form.
&$extraFields: An array of arrays that hold fields like would be passed to the
pretty function.
&$messages: Already added messages (inclusive messages from
LoginForm::$validErrorMessages)
-'LoginPasswordResetMessage': User is being requested to reset their password on
-login. Use this hook to change the Message that will be output on
-Special:ChangePassword.
-&$msg: Message object that will be shown to the user
-$username: Username of the user who's password was expired.
-
-'LoginUserMigrated': Called during login to allow extensions the opportunity to
-inform a user that their username doesn't exist for a specific reason, instead
-of letting the login form give the generic error message that the account does
-not exist. For example, when the account has been renamed or deleted.
+'LoginUserMigrated': DEPRECATED! Create a PreAuthenticationProvider instead.
+Called during login to allow extensions the opportunity to inform a user that
+their username doesn't exist for a specific reason, instead of letting the
+login form give the generic error message that the account does not exist. For
+example, when the account has been renamed or deleted.
$user: the User object being authenticated against.
&$msg: the message identifier for abort reason, or an array to pass a message
key and parameters.
$request: $wgRequest
$mediaWiki: The $mediawiki object
-'MediaWikiServices': Override services in the default MediaWikiServices instance.
-Extensions may use this to define, replace, or wrap existing services.
-However, the preferred way to define a new service is the $wgServiceWiringFiles array.
+'MediaWikiServices': Called when a global MediaWikiServices instance is
+initialized. Extensions may use this to define, replace, or wrap services.
+However, the preferred way to define a new service is
+the $wgServiceWiringFiles array.
$services: MediaWikiServices
'MessageCache::get': When fetching a message. Can be used to override the key
since the last visit.
&$modifiedTimes: array of timestamps.
The following keys are set: page, user, epoch
+$out: OutputPage object (since 1.28)
'OutputPageMakeCategoryLinks': Links are about to be generated for the page's
categories. Implementations should return false if they generate the category
$oldaddr: old email address (string)
$newaddr: new email address (string)
-'PrefsPasswordAudit': Called when user changes his password.
-$user: User (object) changing his password
-$newPass: new password
-$error: error (string) 'badretype', 'wrongpassword', 'error' or 'success'
-
'ProtectionForm::buildForm': Called after all protection type fieldsets are made
in the form.
$article: the title being (un)protected
&$updates: a list of DataUpdate objects, to be modified or replaced by
the hook handler.
+'SecuritySensitiveOperationStatus': Affect the return value from
+MediaWiki\Auth\AuthManager::securitySensitiveOperationStatus().
+&$status: (string) The status to be returned. One of the AuthManager::SEC_*
+ constants. SEC_REAUTH will be automatically changed to SEC_FAIL if
+ authentication isn't possible for the current session type.
+$operation: (string) The operation being checked.
+$session: (MediaWiki\Session\Session) The current session. The
+ currently-authenticated user may be retrieved as $session->getUser().
+$timeSinceAuth: (int) The time since last authentication. PHP_INT_MAX if
+ the time of last auth is unknown, or -1 if authentication is not possible.
+
'SelfLinkBegin': Called before a link to the current article is displayed to
allow the display of the link to be customized.
$nt: the Title object
representing the problem with the file, where the first element is the message
key and the remaining elements are used as parameters to the message.
+'UserIsBot': when determining whether a user is a bot account
+$user: the user
+&$isBot: whether this is user a bot or not (boolean)
+
'User::mailPasswordInternal': before creation and mailing of a user's new
temporary password
&$user: the user who sent the message out
&$user: User (object) that will clear the message
$oldid: ID of the talk page revision being viewed (0 means the most recent one)
-'UserCreateForm': change to manipulate the login form
+'UserCreateForm': DEPRECATED! Create an AuthenticationProvider instead.
+Manipulate the login form.
&$template: SimpleTemplate instance for the form
'UserEffectiveGroups': Called in User::getEffectiveGroups().
'UserLoggedIn': Called after a user is logged in
$user: User object for the logged-in user
-'UserLoginComplete': After a user has logged in.
+'UserLoginComplete': Show custom content after a user has logged in via the web interface.
+For functionality that needs to run after any login (API or web) use UserLoggedIn.
&$user: the user object that was created on login
&$inject_html: Any HTML to inject after the "logged in" message.
-'UserLoginForm': change to manipulate the login form
-&$template: SimpleTemplate instance for the form
+'UserLoginForm': DEPRECATED! Create an AuthenticationProvider instead.
+Manipulate the login form.
+&$template: QuickTemplate instance for the form
'UserLogout': Before a user logs out.
&$user: the user object that is about to be logged out