Default the "watchlisttoken" value to a derived HMAC value

[lhc/web/wiklou.git] / RELEASE-NOTES-1.26

Security reminder: If you have PHP's register_globals option set, you must
turn it off. MediaWiki will not work with it enabled.

== MediaWiki 1.26 ==

THIS IS NOT A RELEASE YET

MediaWiki 1.26 is an alpha-quality branch and is not recommended for use in
production.

=== Configuration changes in 1.26 ===
* $wgPasswordResetRoutes['email'] = true by default.
* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
  instead if you want to disable the parser cache.
* New-style continuation is now the default for API action=continue. Clients may
  use the 'rawcontinue' parameter to receive raw query-continue data, but the
  new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* (T7645) The "Signature" button on the edit toolbar is now hidden by default
  in non-talk namespaces. A new configuration variable,
  $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
  the "Signature" button on the edit toolbar will be displayed.
* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
  feature that was never enabled by default.
* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
  This experimental feature was never enabled by default and is obsolete as of
  MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
* $wgMasterWaitTimeout was removed (deprecated in 1.24).
* Fields in ParserOptions are now private. Use the accessors instead.

=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page.
  See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
  to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated
  "tag-<id>" interface message.
* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
  are not affected.
* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
  search results are rendered. The initial use case is to append a "give us
  feedback" link beneath the search results.
* Added a new hook, 'RejectParserCacheValue', which allows extensions to
  reject an otherwise-successful parser cache lookup. The intent is to allow
  extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies
  ($wgExtendedLoginCookieExpiration) can be configured independently of the
  expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
  if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
  of WebP images still disabled by default. Add $wgFileExtensions[] =
  'webp'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks 'EnhancedChangesListModifyLineData' &
  'EnhancedChangesListModifyBlockLineData', to modify the data used to build
  lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface.
  This corresponds to a new $wgMainWANCache setting, which defaults to using
  the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select
  the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in
  memcached and APC (if available), rather than memcached and local files.
* Added a new hook, 'RandomPageQuery', to allow modification of the query used
  by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit
  for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and
  startup modules are no longer synchronously loaded.
* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
  page. During the deprecation period, the styles will only be loaded on pages
  which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
  only be loaded if explicitly required.

==== External libraries ====
* Update es5-shim from v4.0.0 to v4.1.5.
* Update json2 from revision 2014-02-04 to 2015-05-03.
* Update Sinon.JS from 1.10.3 to 1.15.4.
* Upgrade jQuery Client from v1.0.0 to v2.0.0.
* Added mediawiki/at-ease 1.0.0.
* Update QUnit from v1.17.1 to v1.18.0.

=== Bug fixes in 1.26 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T65198) Talk page tabs now have a "rel=discussion" attribute
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.

=== Action API changes in 1.26 ===
* New-style continuation is now the default for action=continue. Clients may
  use the 'rawcontinue' parameter to receive raw query-continue data, but the
  new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* API action=query&list=tags: The displayname can now be boolean false if the
  tag is meant to be hidden from user interfaces.
* action=import no longer allows both the namespace= and rootpage= parameters
  to be set. If they are both set, the value of rootpage= will be ignored.
* prop=revision output in enum mode is now sorted by timestamp rather than
  revision ID. This usually won't make any difference.
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
  with formatversion=2.
* Various other output from meta=siteinfo will now always be arrays instead of
  sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include
  information about the relevant block.

=== Action API internal changes in 1.26 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
  into the value when the value is an assoc.

=== Languages updated in 1.26 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* Languages added:
** ase (American sign language), thanks to translator Icemandeaf
** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
   मेश सिंह बोहरा, and राम प्रसाद जोशी
** luz (لئری دوٙمینی / Southern Luri)

=== Other changes in 1.26 ===
* ChangeTags::tagDescription() will return false if the interface message
  for the tag is disabled.
* Added PageHistoryPager::doBatchLookups hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to
  ContentHandler, to provide a way for ApiEditPage and EditPage to check
  if direct editing of content is allowed. These methods return false,
  by default for the ContentHandler base class and true for TextContentHandler
  and it's derivative classes (everything in core). For Content types that
  do not support direct editing, an alternative mechanism should be provided
  for editing, such as action overrides or specific api modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
  one function. The callback can't be called directly any more. The callback
  function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
  ResourceLoaderModule::getDependencies(). Extension classes that override that
  method should be updated. If they aren't updated, PHP Strict standards
  warnings will appear when E_STRICT error reporting is enabled. Note: in the
  near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25).
  ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of
  items that were stripped during parsing. It will use a fixed string instead.
  This causes the parser to re-use the regular expressions it uses to search
  and replace markers rather than generate novel expressions on each parse.
  Re-using regular expressions will improve performance on HHVM and the
  forthcoming PHP 7. The interfaces changes accompanying this change are:
  - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
  - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
    $prefix argument for StripState::_construct() are deprecated and their
    value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
  mediawiki/at-ease, and are now deprecated. Callers should use
  MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters
  instead of many optional positional arguments. Calling the constructor the old
  way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
  a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
  are deprecated. Applications using those can work via the OAuth
  extension instead. New tokens types should not be added.

== Compatibility ==

MediaWiki 1.26 requires PHP 5.3.3 or later. There is experimental support for
HHVM 3.3.0.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==

1.26 has several database changes since 1.25, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.25.x and older releases, see HISTORY.

== Online documentation ==

Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

        https://www.mediawiki.org/wiki/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

        https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

        https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.freenode.net.