* Introduced a "cache mode" concept to simplify the header generation code, and to avoid odd results when conflicting cache header requests are received from submodules, or at least to formalise the handling of such cases.
* Made the cache mode private by default, so that code written in ignorance of caching tends to be safe. If different query modules are used in a single request, private caching is preferred over public caching.
* Removed the "must-revalidate" option from all CC headers, this is really specific to page views with a hacked squid in front, I don't think it's applicable here.
* Made the watchlist module private. This is really the definition of private data. There's nothing in the HTTP spec that says the URL for a CC:public request is private and can't be leaked. CC:private provides protection against unknown proxy behaviour.
* In ApiQueryAllmessages: avoid calling $wgLang->getCode() to check if it's necessary to make a new $wgLang when lang= is specified, since this is the only thing that unstubs $wgUser.
* Removed "FIXME: should this check $user instead of $wgUser?" Answer is no.
* Only clicktrack local, domain-relative URLs
* Validate redirect URL in ApiClickTracking with the same condition used in ClickTracking.js (local, domain-relative)
* Remove call to nonexistent function OutputPage::enable()
* Add functionality for disabling API output and use this after setting up the redirect. This fixes the issue where the body of the redirect contained an API response in xmlfm form
at; the body is now empty.
Move isset check of gettoken upto level of $salt !== false. If gettoken is set, the module isn't going to do anything else (and therefore no point seeing if there is a token set, let alone attempting to validate it)
* Made the cache expiry time configurable via $wgSearchSuggestCacheExpiry
* Removed must-revalidate from the Cache-Control of such requests. Introduced a generic interface to ApiMain for doing that.
Move token requringness check to the ApiMain
Adding an exception if we're using "gettoken" (block/unblock)
Remove array( 'missingparam', 'token' ), from the getPossibleErrors of modules that set requireToken method to true
"I wouldn't object to stylizing the API code to bring it in line with
the rest of MW on principle, but I'm not gonna bother myself." --Roan
<http://www.mediawiki.org/wiki/Special:Code/MediaWiki/60657#c5108>
If you're seeing this commit in blames, tell your blame tool to ignore
whitespace, e.g., git blame -w or svn blame -x -w.
