Add PasswordFactory to MediaWikiServices

[lhc/web/wiklou.git] / RELEASE-NOTES-1.32

== MediaWiki 1.32 ==

THIS IS NOT A RELEASE YET

MediaWiki 1.32 is an alpha-quality branch and is not recommended for use in
production.

=== Configuration changes in 1.32 ===
* (T115414) The $wgEnableAPI and $wgEnableWriteAPI settings, deprecated in 1.31,
  have been removed.
* The $wgUseAjax setting, deprecated in 1.31, is now ignored.
* The $wgSiteSupportPage setting, unused since 1.5, was removed.
* The $wgBrowserBlacklist setting, deprecated in 1.30, was removed.
* The default quality of JPEG thumbnails generated by GD was reduced from 95 to
  80. The quality of JPEG thumbnails is now configurable through the new setting
  $wgJpegQuality (default 80). This aligns the quality to what ImageMagick uses.
* $wgExperimentalHtmlIds, deprecated since 1.30, has been removed. The
  'html5-legacy' value for $wgFragmentMode is no longer accepted.
* The experimental Html5Internal and Html5Depurate tidy drivers were removed.
  RemexHtml, which is the default, should be used instead.
* (T135963) You can now define a Content Security Policy for your wiki. This
  adds a defense-in-depth feature to stop an attacker who has found a bug in
  the parser allowing them to insert malicious attributes. Disabled by default,
  you can configure this via $wgCSPHeader and $wgCSPReportOnlyHeader.
* New configuration variable has been added: $wgCookieSetOnIpBlock.
  This determines whether to set a cookie when an IP user is blocked. Doing so
  means that a blocked user, even after moving to a new IP address, will still
  be blocked.
* The archive table's ar_rev_id field is now unique.
* Special:BotPasswords now requires reauthentication.
* (T194414) The default watchlist view time has been increased from 3 to 7 days.
* The right to edit sitewide Javascript (e.g. MediaWiki:Common.js), CSS or JSON
  was separated from 'editinterface' and is available under
  'editsitejs'/'editsitecss'/'editsitejson'. Having 'editinterface' is still
  necessary to edit such pages.
* A new user group, 'interface-admin', is added for controlling access to
  sitewide CSS/JS (and editing other users' CSS/JS). No other group has
  'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs' by default.
* A new grant group, 'editsiteconfig', is added for granting the above rights.

=== New features in 1.32 ===
* (T112474) Generalized the ResourceLoader mechanism for overriding modules
  using a particular page during edit previews.
* (T12331) You can now log page creation events by setting $wgPageCreationLog
  to true.
* Added 'ApiParseMakeOutputPage' hook.
* (T174313) Added checkbox on Special:ListUsers to display only users in
  temporary user groups.
* (T152462) A cookie can now be set when an IP user is blocked to track that
  user if they move to a new IP address. This is disabled by default.
* (T194950) Added 'ApiMaxLagInfo' hook.
* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
  reauthenticating.
* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
  getLoginSecurityLevel() returns non-false.
* The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
  &$query and &$widthOption, allowing extensions even finer control over the
  resulting HTML code.
* Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
  if the [mark as patrolled] link should be shown at the footer of patrollable
  pages.
* The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
  is now passed by reference, allowing extensions to modify or even unset it.
* Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
  modify the return value of OutputPage#getHeadLinksArray in order to add,
  remove or otherwise alter the elements to be output in the page <head>.
* (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
  additional links to the subtitle of a history page.
* The 'GetLinkColours' hook now receives an additional $title parameter,
  the Title object of the page being parsed, on which the links will be shown.

=== External library changes in 1.32 ===
* …

==== Upgraded external libraries ====
* Updated QUnit from 2.4.0 to 2.6.0.
* Updated wikimedia/scoped-callback from 1.0.0 to 2.0.0.
** ScopedCallback objects can no longer be serialized.
* Updated wikimedia/wrappedstring from 2.3.0 to 3.0.1.
* Updated mediawiki/mediawiki-codesniffer from v20.0.0 to v21.0.0.
* Updated composer/spdx-licenses from 1.3.0 to 1.4.0.
* Updated jquery.i18n from 1.0.4 to 1.0.5.

==== New external libraries ====
* Added wikimedia/xmp-reader 0.5.1
* …

==== Removed and replaced external libraries ====
* …

=== Bug fixes in 1.32 ===
* SpecialPage::execute() will now only call checkLoginSecurityLevel() if
  getLoginSecurityLevel() returns non-false.

=== Action API changes in 1.32 ===
* Added templated parameters.
  * A module can define a templated parameter like "{fruit}-quantity", where
    the actual parameters recognized correspond to the values of a multi-valued
    parameter. Then clients can make requests like
    "fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
  * action=paraminfo will return templated parameter definitions separately
    from normal parameters. All parameter definitions now include an "index"
    key to allow clients to maintain parameter ordering when merging normal and
    templated parameters.
* It is now an error to submit too many values for a multi-valued parameter.
  This has generated a warning since MediaWiki 1.14.
* Assertion failures from the 'assert' and 'assertuser' parameters will no
  longer use the action module's custom response format, for the few modules
  that use custom formatters that handle errors.
* (T198935) User list preferences such as `email-blacklist` and similar
  extension preferences are no longer represented as arrays when returned by
  action=query&meta=userinfo&uiprop=options.
* 'missingparam' errors will now use the prefixed parameter name in the code
  and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
  than "nofoo" and "The 'foo' parameter must be set".
* action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
  multi-content revision slots for which content should be returned. It also
  has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
  warning will be issued if rvprop=content or rvprop=contentmodel are used
  without rvslots.
* The rvcontentformat parameter to action=query&prop=revisions has been
  deprecated. Clients should be prepared to deal with the default format for
  relevant models.
* Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
  rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
  rvprop=parsetree is forbidden with the new 'rvslots' parameter.
* action=query&prop=deletedrevisions, action=query&list=allrevisions, and
  action=query&list=alldeletedrevisions are changed similarly to
  &prop=revisions (see the three previous items).

=== Action API internal changes in 1.32 ===
* Added 'ApiParseMakeOutputPage' hook.
* Parameter names may no longer contain '{' or '}', as these are now used for
  templated parameters.
* (T194950) Added 'ApiMaxLagInfo' hook.
* Added 'ApiParseMakeOutputPage' hook.
* The following methods now take a RevisionRecord rather than a Revision. No
  external callers are known.
  * ApiFeedContributions::feedItemAuthor()
  * ApiFeedContributions::feedItemDesc()
  * ApiQueryRevisionsBase::extractRevisionInfo()

=== Languages updated in 1.32 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.

* (T193566) Added language support for Ambonese Malay (abs).
* (T194047) Added language support for Shawiya, Latin script (shy-latn).
* (T195940) Added language support for Batak Mandailing (btm).
* (T137491) Added language support for Standard Moroccan Amazigh (zgh).
* (T198132) Added language support for Manipuri (mni).

=== Breaking changes in 1.32 ===
* $wgRequestTime, deprecated in 1.25, was removed. Use
  $_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
* The MediaWikiI18N class, deprecated in 1.31, was removed.
* QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
  Skin::msg() instead.
* wfInitShellLocale(), deprecated in 1.30, was removed.
* wfShellExecDisabled(), deprecated in 1.30, was removed.
* The type string for the parameter $lang of DateFormatter::getInstance,
  deprecated in 1.31, was removed.
* The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
  MediaWiki\Session\Token::SUFFIX instead.
* EditPage::isOouiEnabled() deprecated in 1.30, was removed.
* mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
  instead.
* (T61113) The following methods and constants from the Revision class, which
  were deprecated in 1.25, have now been removed:
  * Revision::getRawUser()
  * Revision::getRawUserText()
  * Revision::getRawComment()
* window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
  mw.msg() or mw.message() instead.
* mw.util.escapeId(), deprecated in 1.30, was removed. Use
  mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
* mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
  jquery.accessKeyLabel instead.
* The SqlDataUpdate class, deprecated in 1.28, has been removed.
* The Html5Internal and Html5Depurate tidy driver classes were removed, along
  with the Balancer tidy implementation. Both implementations were experimental,
  and were replaced by RemexHtml.
* (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
  removed. Use JobQueueGroup::singleton()->push() instead.
* The jquery.footHovzer module, for mediawiki.debug, was removed.
* The es5-shim module, empty and deprecated since 1.29, was removed.
* the dom-level2-shim module, empty and deprecated since 1.29, was removed.
* the json module, empty and deprecated since 1.29, was removed.
* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
  removed. Use mediawiki.widgets.visibleLengthLimit instead.
* The jquery.farbtastic module, unused since 1.18, was removed.
* (T181318) The $wgStyleVersion setting and its appendage to various script and
  style URLs in OutputPage, deprecated in 1.31, was removed.
* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
  any HTMLForm object rather than PreferencesForm.
* The non namespaced TimestampException class, deprecated in 1.29, was removed.
  Use Wikimedia\Timestamp\TimestampException instead.
* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
  utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
  The UtfNormal\Utils class from the utfnormal library should be used instead.
* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
  from the UtfNormal\Constants class from the utfnormal library should be used
* (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
  from ResourceLoader. Instead, use `@import` statements in LESS to import
  files directly from nearby directories within the same project.
* The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
  only needed for PHP5 compatibility, have been removed. It now uses the boolean
  values `true` and `false` respectively.
* The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
  were removed. Use the ParserCache class instead.
* ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
  instead.
* Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
  deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
* (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
  and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
  is no longer loaded by default. The Vector and MonoBook skins have made a
  minor change to implement the toggle feature with CSS instead. To restore
  prior functionality, either explicitly load "jquery.mw-jump" in your skin
  or refer to T195256 for details on how to make the same change.
* Hook 'EditPageBeforeEditChecks' was removed;
  use 'EditPageGetCheckboxesDefinition' instead.
* Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
  1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
* Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
  been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
  instead.
* mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
  CapsuleMultiselectWidget. The following methods may no longer be used:
  * setItemsFromData: Use setValue instead
  * getItemsData: Use getItems instead and get the data property
* Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
  removed.  Use addLink() instead.
* Another two OutputPage methods, setPageTitleActionText() and
  getPageTitleActionText(), were removed.  They did nothing since 1.15 (almost
  ten years).  Use setHTMLTitle() directly.
* All MagicWord static member variables have been removed.  Use appropriate
  hooks or MagicWordFactory methods instead.
* MagicWord::clearCache() has been removed.  Instead, create a new
  MagicWordFactory, such as by calling
  resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.

=== Deprecations in 1.32 ===
* Use of a StartProfiler.php file is deprecated in favour of placing
  configuration in LocalSettings.php.
* HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
  button is already marked as progressive.
* Skin::setupSkinUserCss() is deprecated. Adding of modules to load
  has been centralised to Skin::getDefaultModules(), which is now capable
  of queueing style modules as well.
* OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
  deprecated. Use addModules() instead.
* Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
  in extending classes is deprecated.  Extend related doSearch* methods
  instead.
* CollationFa has been removed completely as it's not needed anymore
* The following 'mediawiki.api' plugin modules were merged into mediawiki.api
  and deprecated: mediawiki.api.category, mediawiki.api.edit,
  mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
  mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
  mediawiki.api.messages, and mediawiki.api.rollback.
* ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
  to use it.
* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
  with the 'unwatch' action parameter instead.
* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
  constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
* Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
* The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
* The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
  of the namespaced classes provided by the wikimedia/xmp-reader library.
* SearchResultSet::{next,rewind} are deprecated. Calling code should
  use foreach on the SearchResultSet, or the extractResults method. Extending
  code should override extractResults.
* Instantiating SearchResultSet directly is deprecated. SearchEngine
  implementations must subclass SearchResultSet for their purposes.
* SearchResult::setExtensionData argument has been changed from accepting an
  array to accepting a Closure that returns the array when called.
* Class CryptRand, everything in MWCryptRand except generateHex() and function
  MediaWikiServices::getCryptRand() are deprecated, use random_bytes() to
  generate cryptographically secure random byte sequences.
* Parser::getConverterLanguage() is deprecated.  Use ::getTargetLanguage()
  instead.
* Language::markNoConversion() is deprecated.  It confused readers because
  it had unexpected behavior (only marking text if it looked like a URL)
  and was only used in a single place in the code.  Use
  LanguageConverter::markNoConversion() instead.
* (T197492) Language::truncate() was soft deprecated in 1.31 and is
  hard deprecated in this release.  It has been split into two similar
  methods, Language::truncateForVisual() and Language::truncateForDatabase(),
  which measure length in characters and bytes, respectively.  Use
  Language::truncateForVisual() when possible to provide equity to users
  of multibyte scripts.
* (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
  context title is unset is now deprecated; anything creating an EditPage
  instance should set the context title via ::setContextTitle().
* The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
* ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
  are deprecated. These concepts are obsolete and have no replacement.
* String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
* The following methods of OutputPage are now deprecated in favour
  of using showFatalError directly: OutputPage::showFileDeleteError()
  OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError()
  OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
* The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
  classes are now deprecated. Use a Closure instead.
* (T194263) ContentHandler::makeParserOptions() is deprecated. Use
  WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
* (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
  MediaWiki 1.26,  is now hard-deprecated. All known clients were converted to
  the Parsoid v3 API in May 2015.
* $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
  $formDescriptor instead.
* SearchEngine::transformSearchTerm( $term ) should no longer be called prior
  to running searchText. This method was mainly implemented to support the
  'prefix' URI param in SpecialSearch, but there are no reasons to expose this
  logic as it should be handled internally by SearchEngine implementations
  supporting this feature. SearchEngine implementations should no longer
  override this methods.
* SearchEngine::replacePrefixes( $query ) should no longer be called prior
  to running searchText/searchTitle.
* (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the
  'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
* Global functions  wfArrayFilter() and wfArrayFilterByKey() are deprecated.
  use array_filter() directly.
* The $wgShowSQLErrors global is deprecated and nonfunctional.
  Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
* The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
  Set $wgShowExceptionDetails instead.
* Public access to the DifferenceEngine properties mOldid, mNewid, mOldPage,
  mNewPage, mOldContent, mNewContent, mRevisionsLoaded, mTextLoaded and
  mCacheHit is deprecated. Use getOldid() / getNewid() for the first two,
  do your own lookup for page/content. mNewRev / mOldRev remains public.
* The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
  just enable the PHP extension, and it will be autodetected.
* The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
* All MagicWord static methods are now deprecated.  Use the MagicWordFactory
  methods instead.
* PasswordFactory::init is deprecated. To get a password factory with the
  standard configuration, use MediaWikiServices::getPasswordFactory.

=== Other changes in 1.32 ===
* (T198811) The following tables have had their UNIQUE indexes turned into
  proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
  protected_titles and site_identifiers.
* …

== Compatibility ==
MediaWiki 1.32 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
supported, it is generally advised to use PHP 7.0.0 or later for long term
support.

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.5.8 or later
* PostgreSQL 9.2 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==
1.32 has several database changes since 1.31, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.

For notes on 1.31.x and older releases, see HISTORY.

== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

       https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.