X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=RELEASE-NOTES-1.27;h=50b5006dbd04e92dedde671ba96247564de0e770;hb=6ad9e97182af88f349163063c7a379fe627fe85a;hp=f4e4815c2998c2ff236ec366e20be5b355d25e52;hpb=920c06e42c307fcaea47d9b65e09303aded2d1c9;p=lhc%2Fweb%2Fwiklou.git diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index f4e4815c29..50b5006dbd 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -1,6 +1,3 @@ -Security reminder: If you have PHP's register_globals option set, you must -turn it off. MediaWiki will not work with it enabled. - == MediaWiki 1.27 == THIS IS NOT A RELEASE YET @@ -8,6 +5,10 @@ THIS IS NOT A RELEASE YET MediaWiki 1.27 is an alpha-quality branch and is not recommended for use in production. +=== PHP version requirement === +As of 1.27, MediaWiki now requires PHP 5.5.9 or higher. This corresponds with +HHVM 3.1. + === Configuration changes in 1.27 === * $wgUseLinkNamespaceDBFields was removed. * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and 
@@ -62,9 +63,41 @@ production. $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki that all others are sharing from and that $wgLocalDatabases is set to the full list of sharing wikis on all those wikis. +* Massive overhaul to session handling: +** $wgSessionsInObjectCache is no longer supported and must be true, due to + MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer + used. +** ObjectCacheSessionHandler is removed, replaced with + MediaWiki\Session\PhpSessionHandler. +** PHP session handling in general ($_SESSION, session_id(), and so on) is + deprecated. Use MediaWiki\Session\SessionManager instead. A new config + variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to + issue a deprecation warning or to cause most PHP session handling to throw + exceptions. +** Deprecated UserSetCookies hook. Session-handling extensions should generally + be creating a custom subclass of CookieSessionProvider. Other extensions + messing with cookies can no longer count on user data being saved in cookies + versus other methods. +** Deprecated UserLoadFromSession hook, extensions should create a + MediaWiki\Session\SessionProvider. +** The User cannot be loaded from session until after Setup.php completes. + Attempts to do so will be ignored and the User will remain unloaded. +** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses + the MediaWiki\Session\Token class. +* MediaWiki will now auto-create users as necessary, removing the need for + extensions to do so. An 'autocreateaccount' right is added to allow + auto-creation when 'createaccount' is not granted to all users. +* Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated. +* Most cookie-handling methods in User are deprecated. * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an experimental feature that has never worked. +* Login and createaccount tokens now vary by timestamp. 
+* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() + return a MediaWiki\Session\Token, and tokens must be checked using that + class's methods. * $wgEnotifUseJobQ was removed and the job queue is always used. +* The functionality of the ApiSandbox extension has been merged into core. The + extension should no longer be used. === New features in 1.27 === * $wgDataCenterUpdateStickTTL was also added. This decides how long a user @@ -108,6 +141,10 @@ production. * It is now possible to patrol file uploads (both for new files and new versions of existing files). Special:NewFiles has gained an option to filter by patrol status. This functionality can be disabled using $wgUseFilePatrol. +* MediaWiki\Session infrastructure allows for easier use of session mechanisms + other than the usual cookies. +** SessionMetadata and SessionCheckInfo hooks allow for setting and checking + custom session metadata. * Added MWGrants and associated configuration settings $wgGrantPermissions and $wgGrantPermissionGroups to hold configuration for authentication features such as OAuth that want to allow restricting the user rights a user may make 
@@ -117,10 +154,18 @@ production. $wgMWOAuthGrantPermissionGroups. * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g. to assert that the request comes from a particular IP range. +* Added bot passwords, a rights-restricted login mechanism for API-using bots. * Whitelisted the following HTML attributes for all elements in wikitext: aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns. * Removed "presentation" restriction on the HTML role attribute in wikitext. All values are now allowed for the role attribute. +* $wgContentHandlers now also supports callbacks to create an instance of the + appropriate ContentHandler subclass. +* Added $wgAuthenticationTokenVersion, which if non-null prevents the + user_token database field from being exposed in cookies. Setting this would + be a good idea, but will log out all current sessions. +* $wgEventRelayerConfig was added, for managing PubSub event relay configuration, + specifically for reliable CDN url purges. === External library changes in 1.27 === @@ -134,6 +179,7 @@ production. * Added wikimedia/cldr-plural-rule-parser v1.0.0. * Added wikimedia/relpath v1.0.3. * Added wikimedia/running-stat v1.1.0. +* Added wikimedia/php-session-serializer v1.0.3. ==== Removed and replaced external libraries ==== @@ -156,6 +202,9 @@ production. * The following response properties from action=login are deprecated, and may be removed in the future: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state. +* action=login transparently allows login using bot passwords. Clients should + merely need to change the username and password used after setting up a bot + password. * action=upload no longer understands statuskey, asyncdownload or leavemessage. === Action API internal changes in 1.27 === 
@@ -268,10 +317,11 @@ changes to languages because of Phabricator reports. rather than consume everything until the end of the page. * New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case a user forgot password/account was stolen. +* wfCheckEntropy() was removed (deprecated in 1.27). == Compatibility == -MediaWiki 1.27 requires PHP 5.3.3 or later. There is experimental support for +MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for HHVM 3.6.5 or later. MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
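Review bot: The HHVM versions disagree between the new "=== PHP version requirement ===" section and the Compatibility section edited at the end of this patch. The first says PHP 5.5.9 "corresponds with HHVM 3.1", while the second still reads "experimental support for HHVM 3.6.5 or later". Make the two agree, or state how they relate, so an admin on HHVM knows which minimum applies. The wording "As of 1.27, MediaWiki now requires" can also drop "now".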
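Review bot: In the "Massive overhaul to session handling" list (hunk @@ -62,9 +63,41 @@), "$wgSessionsInObjectCache is no longer supported and must be true" reads as contradictory. It does not tell an admin whether to delete the setting or keep it at true, or what happens if LocalSettings.php still sets it to false. The same list introduces $wgPHPSessionHandling without giving its accepted values or default. "Tokens must be checked using that class's methods" should name the method, because extensions that compare login or createaccount tokens as plain strings are likely to break now that the getters return a MediaWiki\Session\Token and tokens vary by timestamp. Separately, the context line "$CopyUploadAsyncTimeout" lacks the wg prefix used by every other variable in this file.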
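Review bot: The $wgAuthenticationTokenVersion entry (hunk @@ -117,10 +154,18 @@) is too vague for a security-relevant setting. "Setting this would be a good idea" gives no value to set, and the default is only implied by "if non-null". State the default, give an example value, and say plainly that leaving it null keeps the user_token database field exposed in cookies, so that admins can weigh that against logging out all current sessions. In the same hunk, "CDN url purges" should read "CDN URL purges".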
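Review bot: The action=login entry (hunk @@ -156,6 +202,9 @@) says clients "should merely need to change the username and password", but the New features hunk describes bot passwords as "a rights-restricted login mechanism". Mention that restriction here as well, so API client authors expect that a session logged in with a bot password may be denied actions the account itself can perform. A pointer to where a bot password is set up would also help.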
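Review bot: "wfCheckEntropy() was removed (deprecated in 1.27)" in the last hunk (@@ -268,10 +317,11 @@) is self-contradictory in the 1.27 release notes, since a function cannot be both deprecated and removed in the same release. Check the release in which it was actually deprecated and correct the parenthetical. If the function really is removed without a prior deprecation cycle, say so and name the replacement callers should use.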