X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2FDefaultSettings.php;h=4a9d8023bf192f2ccb8a26129f2a0a77ab960e2f;hp=4ae050b154fcc94bd3908f44e12ae026eca944f7;hb=5d8bb490803a45f69f8d289abe4b9eb6a118db83;hpb=279dd4156c6195be16fe497980d73cd2e5c95884
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 4ae050b154..4a9d8023bf 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -535,6 +535,64 @@ $wgUseInstantCommons = false; */ $wgForeignUploadTargets = []; +/** + * Configuration for file uploads using the embeddable upload dialog + * (https://www.mediawiki.org/wiki/Upload_dialog). + * + * This applies also to foreign uploads to this wiki (the configuration is loaded by remote wikis + * using the action=query&meta=siteinfo API). + * + * See below for documentation of each property. None of the properties may be omitted. + */ +$wgUploadDialog = [ + // Fields to make available in the dialog. `true` means that this field is visible, `false` means + // that it is hidden. The "Name" field can't be hidden. Note that you also have to add the + // matching replacement to the 'filepage' format key below to make use of these. + 'fields' => [ + 'description' => true, + 'date' => false, + 'categories' => false, + ], + // Suffix of localisation messages used to describe the license under which the uploaded file will + // be released. The same value may be set for both 'local' and 'foreign' uploads. + 'licensemessages' => [ + // The 'local' messages are used for local uploads on this wiki: + // * upload-form-label-own-work-message-generic-local + // * upload-form-label-not-own-work-message-generic-local + // * upload-form-label-not-own-work-local-generic-local + 'local' => 'generic-local', + // The 'foreign' messages are used for cross-wiki uploads from other wikis to this wiki: + // * upload-form-label-own-work-message-generic-foreign + // * upload-form-label-not-own-work-message-generic-foreign + // * upload-form-label-not-own-work-local-generic-foreign + 'foreign' => 'generic-foreign', + ], + // Upload comment to use. Available replacements: + // * $HOST - domain name from which a cross-wiki upload originates + // * $PAGENAME - wiki page name from which an upload originates + 'comment' => '', + // Format of the file page wikitext to be generated from the fields input by the user. + 'format' => [ + // Wrapper for the whole page. 
Available replacements: + // * $DESCRIPTION - file description, as input by the user (only if the 'description' field is + // enabled), wrapped as defined below in the 'description' key + // * $DATE - file creation date, as input by the user (only if the 'date' field is enabled) + // * $SOURCE - as defined below in the 'ownwork' key, may be extended in the future + // * $AUTHOR - linked user name, may be extended in the future + // * $LICENSE - as defined below in the 'license' key, may be extended in the future + // * $CATEGORIES - file categories wikitext, as input by the user (only if the 'categories' + // field is enabled), or if no input, as defined below in the 'uncategorized' key + 'filepage' => '$DESCRIPTION', + // Wrapped for file description. Available replacements: + // * $LANGUAGE - source wiki's content language + // * $TEXT - input by the user + 'description' => '$TEXT', + 'ownwork' => '', + 'license' => '', + 'uncategorized' => '', + ], +]; + /** * File backend structure configuration. * @@ -1844,6 +1902,7 @@ $wgSharedSchema = false; * if available * * - max lag: (optional) Maximum replication lag before a slave will taken out of rotation + * - is static: (optional) Set to true if the dataset is static and no replication is used. * * These and any other user-defined properties will be assigned to the mLBInfo member * variable of the Database object. 
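Review bot: The header comment of `$wgUploadDialog` says the array is loaded by remote wikis through action=query&meta=siteinfo, but it does not spell out the consequence for administrators: whatever they put in 'comment' or the 'format' templates is readable by any client allowed to query that API. I would add a line to the doc block such as `* Everything in this array is exposed through the siteinfo API; do not put non-public information in it.` Minor wording in the same hunk: "Wrapped for file description" should read "Wrapper for the file description", matching "Wrapper for the whole page" a few lines above, and the 'ownwork', 'license' and 'uncategorized' keys have no comment of their own even though the header promises documentation of each property.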
@@ -3130,24 +3189,6 @@ $wgHTMLFormAllowTableFormat = true; */ $wgUseMediaWikiUIEverywhere = false; -/** - * Should we try to make our HTML output well-formed XML? If set to false, - * output will be a few bytes shorter, and the HTML will arguably be more - * readable. If set to true, life will be much easier for the authors of - * screen-scraping bots, and the HTML will arguably be more readable. - * - * Setting this to false may omit quotation marks on some attributes, omit - * slashes from some self-closing tags, omit some ending tags, etc., where - * permitted by HTML5. Setting it to true will not guarantee that all pages - * will be well-formed, although non-well-formed pages should be rare and it's - * a bug if you find one. Conversely, setting it to false doesn't mean that - * all XML-y constructs will be omitted, just that they might be. - * - * Because of compatibility with screen-scraping bots, and because it's - * controversial, this is currently left to true by default. - */ -$wgWellFormedXml = true; - /** * Permit other namespaces in addition to the w3.org default. * @@ -4221,7 +4262,13 @@ $wgDebugTidy = false; $wgRawHtml = false; /** - * Set a default target for external links, e.g. _blank to pop up a new window + * Set a default target for external links, e.g. _blank to pop up a new window. + * + * This will also set the "noreferrer" and "noopener" link rel to prevent the + * attack described at https://mathiasbynens.github.io/rel-noopener/ . + * Some older browsers may not support these link attributes, hence + * setting $wgExternalLinkTarget to _blank may represent a security risk + * to some of your users. */ $wgExternalLinkTarget = false; 
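Review bot: The new paragraph on `$wgExternalLinkTarget` opens with "This will also set ...", which leaves it unclear what "this" is while the default just below stays `false`; it should say that the rel values are added when a target is configured, e.g. `* When a target is set, rel="noreferrer noopener" is also added to external links to prevent the attack described at https://mathiasbynens.github.io/rel-noopener/ .` The code that emits the attribute is not part of this hunk, so it is worth confirming that every path which outputs the configured target also outputs the rel values, otherwise the comment promises more than the code delivers. The comment could also mention that noreferrer suppresses the Referer header on those links, a side effect administrators may not expect.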
@@ -4406,6 +4453,185 @@ $wgPasswordPolicy = [ ], ]; +/** + * Disable AuthManager + * @since 1.27 + * @deprecated since 1.27, for use during development only + */ +$wgDisableAuthManager = false; + +/** + * Configure AuthManager + * + * All providers are constructed using ObjectFactory, see that for the general + * structure. The array may also contain a key "sort" used to order providers: + * providers are stably sorted by this value, which should be an integer + * (default is 0). + * + * Elements are: + * - preauth: Array (keys ignored) of specifications for PreAuthenticationProviders + * - primaryauth: Array (keys ignored) of specifications for PrimaryAuthenticationProviders + * - secondaryauth: Array (keys ignored) of specifications for SecondaryAuthenticationProviders + * + * @since 1.27 + * @note If this is null or empty, the value from $wgAuthManagerAutoConfig is + * used instead. Local customization should generally set this variable from + * scratch to the desired configuration. Extensions that want to + * auto-configure themselves should use $wgAuthManagerAutoConfig instead. + */ +$wgAuthManagerConfig = null; + +/** + * @see $wgAuthManagerConfig + * @since 1.27 + */ +$wgAuthManagerAutoConfig = [ + 'preauth' => [ + MediaWiki\Auth\LegacyHookPreAuthenticationProvider::class => [ + 'class' => MediaWiki\Auth\LegacyHookPreAuthenticationProvider::class, + 'sort' => 0, + ], + MediaWiki\Auth\ThrottlePreAuthenticationProvider::class => [ + 'class' => MediaWiki\Auth\ThrottlePreAuthenticationProvider::class, + 'sort' => 0, + ], + ], + 'primaryauth' => [ + // TemporaryPasswordPrimaryAuthenticationProvider should come before + // any other PasswordAuthenticationRequest-based + // PrimaryAuthenticationProvider (or at least any that might return + // FAIL rather than ABSTAIN for a wrong password), or password reset + // won't work right. 
Do not remove this (or change the key) or + // auto-configuration of other such providers in extensions will + // probably auto-insert themselves in the wrong place. + MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class => [ + 'class' => MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class, + 'args' => [ [ + // Fall through to LocalPasswordPrimaryAuthenticationProvider + 'authoritative' => false, + ] ], + 'sort' => 0, + ], + MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class => [ + 'class' => MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class, + 'args' => [ [ + // Last one should be authoritative, or else the user will get + // a less-than-helpful error message (something like "supplied + // authentication info not supported" rather than "wrong + // password") if it too fails. + 'authoritative' => true, + ] ], + 'sort' => 100, + ], + ], + 'secondaryauth' => [ + MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class => [ + 'class' => MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class, + 'sort' => 0, + ], + MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class => [ + 'class' => MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class, + 'sort' => 100, + ], + // Linking during login is experimental, enable at your own risk - T134952 + // MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class => [ + // 'class' => MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class, + // 'sort' => 100, + // ], + MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class => [ + 'class' => MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class, + 'sort' => 200, + ], + ], +]; + +/** + * Time frame for re-authentication. + * + * With only password-based authentication, you'd just ask the user to re-enter + * their password to verify certain operations like changing the password or + * changing the account's email address. 
But under AuthManager, the user might + * not have a password (you might even have to redirect the browser to a + * third-party service or something complex like that), you might want to have + * both factors of a two-factor authentication, and so on. So, the options are: + * - Incorporate the whole multi-step authentication flow within everything + * that needs to do this. + * - Consider it good if they used Special:UserLogin during this session within + * the last X seconds. + * - Come up with a third option. + * + * MediaWiki currently takes the second option. This setting configures the + * "X seconds". + * + * This allows for configuring different time frames for different + * "operations". The operations used in MediaWiki core include: + * - LinkAccounts + * - UnlinkAccount + * - ChangeCredentials + * - RemoveCredentials + * - ChangeEmail + * + * Additional operations may be used by extensions, either explicitly by + * calling AuthManager::securitySensitiveOperationStatus(), + * ApiAuthManagerHelper::securitySensitiveOperation() or + * SpecialPage::checkLoginSecurityLevel(), or implicitly by overriding + * SpecialPage::getLoginSecurityLevel() or by subclassing + * AuthManagerSpecialPage. + * + * The key 'default' is used if a requested operation isn't defined in the array. + * + * @since 1.27 + * @var int[] operation => time in seconds. A 'default' key must always be provided. + */ +$wgReauthenticateTime = [ + 'default' => 300, +]; + +/** + * Whether to allow security-sensitive operations when re-authentication is not possible. + * + * If AuthManager::canAuthenticateNow() is false (e.g. the current + * SessionProvider is not able to change users, such as when OAuth is in use), + * AuthManager::securitySensitiveOperationStatus() cannot sensibly return + * SEC_REAUTH. Setting an operation true here will have it return SEC_OK in + * that case, while setting it false will have it return SEC_FAIL. 
+ * + * The key 'default' is used if a requested operation isn't defined in the array. + * + * @since 1.27 + * @see $wgReauthenticateTime + * @var bool[] operation => boolean. A 'default' key must always be provided. + */ +$wgAllowSecuritySensitiveOperationIfCannotReauthenticate = [ + 'default' => true, +]; + +/** + * List of AuthenticationRequest class names which are not changeable through + * Special:ChangeCredentials and the changeauthenticationdata API. + * This is only enforced on the client level; AuthManager itself (e.g. + * AuthManager::allowsAuthenticationDataChange calls) is not affected. + * Class names are checked for exact match (not for subclasses). + * @since 1.27 + * @var string[] + */ +$wgChangeCredentialsBlacklist = [ + \MediaWiki\Auth\TemporaryPasswordAuthenticationRequest::class +]; + +/** + * List of AuthenticationRequest class names which are not removable through + * Special:RemoveCredentials and the removeauthenticationdata API. + * This is only enforced on the client level; AuthManager itself (e.g. + * AuthManager::allowsAuthenticationDataChange calls) is not affected. + * Class names are checked for exact match (not for subclasses). + * @since 1.27 + * @var string[] + */ +$wgRemoveCredentialsBlacklist = [ + \MediaWiki\Auth\PasswordAuthenticationRequest::class, +]; + /** * For compatibility with old installations set to false * @deprecated since 1.24 will be removed in future @@ -4666,7 +4892,7 @@ $wgSessionProviders = [ MediaWiki\Session\BotPasswordSessionProvider::class => [ 'class' => MediaWiki\Session\BotPasswordSessionProvider::class, 'args' => [ [ - 'priority' => 40, + 'priority' => 75, ] ], ], ]; 
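Review bot: `$wgAllowSecuritySensitiveOperationIfCannotReauthenticate` ships with `'default' => true`, so by the doc block's own description every security-sensitive operation returns SEC_OK whenever AuthManager::canAuthenticateNow() is false; the setting fails open. The comment explains the mechanics but not that consequence: a session that cannot re-authenticate (the OAuth case it cites) is never challenged for the operations listed under `$wgReauthenticateTime`, such as ChangeCredentials or ChangeEmail. I would add a sentence saying so and show a per-operation override, for example `'ChangeCredentials' => false,` below the default (assuming the keys are the same operation names, as the `@see` suggests), so administrators can fail closed for credential changes without changing the default. Separately, the two blacklist arrays write class names with a leading backslash and `$wgChangeCredentialsBlacklist` lacks the trailing comma, unlike `$wgAuthManagerAutoConfig` and `$wgRemoveCredentialsBlacklist`.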
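Review bot: The priority of BotPasswordSessionProvider changes from 40 to 75 with no comment saying what it now has to outrank. The rest of `$wgSessionProviders` starts outside the hunk, so the resulting order cannot be checked from here; since the priority presumably decides which provider's session is used when more than one applies to a request, the reason belongs next to the number, e.g. `// 75: must take precedence over <provider>, because <reason>`. Without that, a later edit to another provider's priority can silently change which credentials a request is authenticated with.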
@@ -5405,7 +5631,6 @@ $wgGrantPermissions = []; $wgGrantPermissions['basic']['autoconfirmed'] = true; $wgGrantPermissions['basic']['autopatrol'] = true; -$wgGrantPermissions['basic']['autoreview'] = true; $wgGrantPermissions['basic']['editsemiprotected'] = true; $wgGrantPermissions['basic']['ipblock-exempt'] = true; $wgGrantPermissions['basic']['nominornewtalk'] = true; @@ -5413,7 +5638,6 @@ $wgGrantPermissions['basic']['patrolmarks'] = true; $wgGrantPermissions['basic']['purge'] = true; $wgGrantPermissions['basic']['read'] = true; $wgGrantPermissions['basic']['skipcaptcha'] = true; -$wgGrantPermissions['basic']['torunblocked'] = true; $wgGrantPermissions['basic']['writeapi'] = true; $wgGrantPermissions['highvolume']['bot'] = true; @@ -6873,6 +7097,7 @@ $wgExtensionCredits = []; /** * Authentication plugin. * @var $wgAuth AuthPlugin + * @deprecated since 1.27 use $wgAuthManagerConfig instead */ $wgAuth = null;