By only updating the user row in the database, if needed
and by making use of md5 for passwords instead of slower
hashing.
This cut down run time of some Wikibase API tests to 20%
of the original value for me!
Also it reduces the run time of MediaWiki's test suite
by about 45s on Jenkins.
Change-Id: I7024b287a71fe9b327dbcdc5427cd8edb5047606
Tokens returned from User::getEditToken will now include an encoded
timestamp (and therefore will be up to 16 bytes longer).
User::matchEditToken and User::matchEditTokenNoSuffix are gaining a
"maxage" parameter: when specified, only tokens with an encoded timestamp
within $maxage seconds will be accepted.
Change-Id: Ic4cf148cc1fa9d0561aac0bd2d68a09c7851896d
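
A sketch of the timestamped-token idea from the commit message above, added here as an example; it is not part of the commit or of MediaWiki's code. The token layout (HMAC-SHA256 followed by a hex timestamp) and the names makeToken() and matchToken() are assumptions made for illustration.

```php
<?php
// Added illustration. The token layout (HMAC || hex timestamp) and the
// function names are assumptions, not MediaWiki's actual format.

/** Issue a token bound to $salt (e.g. the action) and to the issue time. */
function makeToken(string $secret, string $salt, ?int $now = null): string {
    $ts = dechex($now ?? time());
    return hash_hmac('sha256', $salt . '|' . $ts, $secret) . $ts;
}

/**
 * Accept the token only if the MAC verifies and, when $maxAge is given,
 * the embedded timestamp is at most $maxAge seconds old.
 */
function matchToken(string $token, string $secret, string $salt,
                    ?int $maxAge = null, ?int $now = null): bool {
    $macLen = 64; // hex digits in a SHA-256 MAC
    if (strlen($token) <= $macLen) {
        return false; // no timestamp suffix at all
    }
    $ts = substr($token, $macLen);
    // Reject an oversized or non-hex timestamp before doing any work.
    if (strlen($ts) > 16 || !ctype_xdigit($ts)) {
        return false;
    }
    // The timestamp is covered by the MAC, so it cannot be edited to make
    // an old token look fresh. The comparison is constant-time.
    $expected = hash_hmac('sha256', $salt . '|' . $ts, $secret) . $ts;
    if (!hash_equals($expected, $token)) {
        return false;
    }
    if ($maxAge === null) {
        return true; // caller did not ask for an age limit
    }
    $age = ($now ?? time()) - hexdec($ts);
    return $age >= 0 && $age <= $maxAge;
}

// Constructed sample values.
$secret = 'constructed-per-session-secret';
$issued = 1400000000;
$token  = makeToken($secret, 'edit', $issued);

var_dump(matchToken($token, $secret, 'edit', null, $issued + 86400)); // no age limit
var_dump(matchToken($token, $secret, 'edit', 3600, $issued + 600));   // within maxage
var_dump(matchToken($token, $secret, 'edit', 3600, $issued + 7200));  // older than maxage
var_dump(matchToken($token, $secret, 'move', 3600, $issued + 600));   // different salt
```
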
Various code passes null around to mean "an invalid password". It
shouldn't all have to test for null and specially handle that.
This also fixes a codepath where User::$mNewpassword could get set to an
empty string rather than a password object, which would cause problems
later when anything else tries to use it.
Bug: 71421
Change-Id: Ib5f94b52c07e7dba89328b98fb43c86db95ee09f
This way, outside code can load data from cache only if present. E.g. when data
for a lot of users is needed, it'd be preferable to batch-load all that is not
yet in cache.
Since there's currently no way to check for data in cache, one would have to
load all User objects separately (which may result in lots of DB queries if
nothing is in cache) or batch-load all of them (which may result in few DB
queries, but ones that may not be needed if all data is already in cache)
Change-Id: Ia22d04744760c3b6f3264786434e218b8aa88d53
Call loadPasswords when expiring the user's password, otherwise the
change is overwritten with the previous value.
This lets you do:
    $u = User::newFromName( 'User' );
    $u->expirePassword();
And the user will have to reset their password on the next login.
Change-Id: I47325dde1ce14280088efdc90ce7887b45e0dc6a
Change I4049b666 changed the way Preferences combines the prefix with
the row and column for HTMLCheckMatrix, but did not adjust the
corresponding code in User::getOptionFromUser().
Bug: 69146
Change-Id: I69ed9c875443ba44d1a5e12e51165ebf8d6d6a06
In User::setPassword() and User::setNewpassword(), added
calls to loadPasswords() so that the passwords are not
overridden when they are eventually actually loaded.
Bug: 69102
Change-Id: I0b881986323051abed7d1af816eae9eafdbd6782
In I0a9c972931a, User::load() no longer loaded the
mPassword and mNewpassword member variables, and
User::loadPasswords() is private. So this lets
things that need to access the Password objects directly.
Change-Id: Ib79ce01a47f90af681e376ce918eda559b4b94a6
- Two global constants unused outside of this class so removed
- Shorten name since MW and USER are redundant since it's in a class
- Use class constant instead of global define consistently
Change-Id: I0e8b05372512de568a230a6e5026751aa37c4c4e
Otherwise mNewpassword could be null.
Mlpearc reports on IRC getting fatals about mNewpassword not
being an object. I couldn't reproduce, but loadPasswords() should
definitely be called here.
Change-Id: I6d1b74b79c87d1a1870971aafd1349255170123d
Deprecated the old User::crypt, et al. password hashing
system and implemented an extensible password hashing
API.
The new Password class allows registering of child classes
and provides factory functions for creating new Password
objects. The built-in hash types are the old MediaWiki MD5
types, which are for backwards-compatibility only, and bcrypt.
Also included is support for wrapping existing hashes as well
as encrypting passwords with a configured encryption key.
Bug: 54948
Bug: 28419
Change-Id: I0a9c972931a0eff0cfb2619cef3ddffd03710285
With r41328 the title validation was changed to allow rename of invalid
user names, by always creating a title object.
That removes the title validation for validation of 'usable' and
'creatable', but in that case it is also a good idea to apply title
rules to normalize spaces and reject user names which cannot have a
valid title. At the moment that is done in User::isValidUserName.
Change-Id: I27c488e4008a924117ff6bac2216f148cd5e7abd
- Swap "$variable type" to "type $variable"
- Added missing types
- Fixed spacing inside docs
- Makes beginning of @param/@return/@var/@throws in capital
- Changed some types to match the more common spelling
Change-Id: I783e4dbfe5f6f98b32b9a03ccf6439e13e132bcc
$wgDefaultSkin is allowed not to actually be a valid key (although
doing that is obviously very unwise), which in turn can cause
exceptions from Preferences::loadPreferenceValues()
(MWException "Global default…"), which in turn causes failure of
SpecialPreferencesTest::testBug41337() test.
Change-Id: I8f8ae9ba301337b2e6facd3dcfadbf2ab12ac605
- use tab as indent instead of spaces
- Added space after closures "function"
- Added spaces around string_concat
- Added newline inside empty blocks
- Removed four spaces after comma
Change-Id: I4425b0c6a69b36f40acfea6511b8950cf09ce2b2
In this change, a new passive user right named "viewsuppressed"
which can be used in order to view suppressed page content was added
to MediaWiki core.
Furthermore, this right was also added to the list of available rights,
to qqq.json and to en.json where also the description of the
"suppressrevision" right was adjusted in order to reflect reality.
Bug: 20476
Change-Id: Id1baacb9c782763db5e05ef8b5c1b761997efcc9
Location is a tad bit different now than on the wikiHow codebase and some
arguments have been added, as per code review.
Because sometimes you have things that are stored in the user_properties
database table that should *not* be reset even when the user has requested
to reset all prefs back to the site defaults.
Live example of a thing using this hook (well, its previous iteration) is
wikiHow's WikihowPreferences extension.
Change-Id: I1da936c786adb21e2c1802ef405bb904c9cf4918
Special page PageLanguage to set the page language of a page.
To enable the feature, set $wgPageLanguageUseDB to true
and assign the 'pagelang' user right to a user group.
Bug: 35489
Change-Id: I0f82b146fbe948f917c1c5d29f7469644d797e80
* Avoid doing the DELETE for unchanged rows. This method is often
called when one new preference (e.g. watchlist token) is set.
These cases will now simply result in an INSERT, even if the
user already has some preferences set.
bug: 36116
Change-Id: Ib7c558e7c06927875086b86ea719ac1323a7b4a8
* Moved the code from User::decodeOptions() to the maintenance script,
the only place it is (indirectly) used.
* Changed the script to insert new rows itself rather than calling
User::saveSettings(), avoiding bug 63677.
* Removed FOR UPDATE and COMMIT lacking a matching BEGIN.
* Made ORDER BY explicit.
* Removed pointless "Do each user sequentially [...]" comment dating
back to r48732, in which the script would increment a user's ID
to get the next one.
Bug: 63677
Change-Id: I86365a7363af3376cc4f55fa528b050b44378656
* Checkbox on own row below power search checkboxes per MatmaRex;
avoiding a mw-search-ns* id leaves it untouched by All/None JS.
* The option searcheverything is removed: a "shortcut" which is no
longer necessary now that options can be (un)selected at once
with All/None buttons on search page itself.
* Require a token for saving: no accidental preferences changes.
* Keep the searchoptions/advancedsearchoptions prefs section in case
something is using it (no known extension does though); options
are converted to "api" type so it's empty and hidden by default.
* Add minimal documentation for saveSettings() and friends
(@todo since 155ddf6de, 2009!).
Bug: 52817
Change-Id: I514cee835988600cc013658049e88a10b670e64a
Two classes (User and SpecialRunJobs) currently contain string
equality checks that purport to be timing-attack resistant.
Reduce code duplication by adding and using a fallback for the
hash_equals() function from PHP 5.6 (currently in beta), in a way
addressing the comment "@todo: make a common method for this".
Change-Id: Iece006ec0216edb3fc5fbef7cc6ec00a6d182775
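
A minimal fallback of the kind the commit message above describes, added here as an example; it is not the code from the commit. The name constantTimeEquals() is hypothetical, chosen so the function can run beside the built-in hash_equals() on current PHP.

```php
<?php
// Added illustration of a hash_equals() fallback for PHP < 5.6.
// constantTimeEquals() is a hypothetical name, not a MediaWiki function.

function constantTimeEquals($known, $user) {
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    $len = strlen($known);
    // Length is not secret for fixed-size tokens and hashes; the built-in
    // hash_equals() also returns early on a length mismatch.
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        // Accumulate the XOR of every byte pair. There is no branch on the
        // data, so the loop always runs $len iterations, unlike === or
        // strcmp(), which may stop at the first differing byte.
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Install under the built-in name only where PHP does not provide it.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user) {
        return constantTimeEquals($known, $user);
    }
}

// Constructed sample values: the fallback must agree with hash_equals().
$known = hash('sha256', 'constructed-token');
$cases = array(
    $known,                          // identical
    'x' . substr($known, 1),         // differs in the first byte
    substr($known, 0, -1) . 'x',     // differs in the last byte
    substr($known, 0, 10),           // shorter input
);
foreach ($cases as $candidate) {
    var_dump(constantTimeEquals($known, $candidate) === hash_equals($known, $candidate));
}
```
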
We had an outage at the beginning of May that involved rate limiting of the
'renderfile-nonstandard' action. This makes User::pingLimiter()
record a per-action profiling point in addition to the generic one, that
would let us finely graph actions being throttled.
Ref:
https://wikitech.wikimedia.org/wiki/Incident_documentation/20140503-Thumbnails#What_can_be_improved
Bug: 65477
Change-Id: Iac7930e85f7d9101663656ccb2bccdbebf908693
Allow category pages to be moved. This is to preserve attribution of the
page only and does not cause pages in the category to recategorize to the
new one. A warning explains this when such a move is attempted. The new
right move-categorypages is required to do this, which is assigned to user
and sysop by default (the same as other move-related rights). The message
category-move-redirect-override can be used to cause custom text to be
placed on the "old" category page in lieu of a redirect.
Bug: 28569
Bug: 5451
Change-Id: Ic93616a54c8e98e3dc71daee3c92c466d64daffc
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Makes beginning of some text in capital.
Change-Id: If8c0cf4627fc62ff288d33658e327ae80548f5c5