We do not encourage people to use these groups, they are not widely used,
and this is just forcing cruft into code for no value.
Change-Id: Ia58aa62ea6a1694694fb54acbd717181cd36e051
self::$filterIDsCache caches database state, it gets out of whack when
we reset the database between test cases.
The cache was originally introduced to fix T140302.
Change-Id: I9a05c60d84d92f6798154bfa77c6288576dc53bc
Add an optional parameter to doApiRequest/doApiRequestWithToken to automatically prefix parameters.
Change-Id: If69074b12fb4682490e05243ae808c39a17c697b
Bug: T310008
Removes deprecated API endpoints and modules for dealing with
CSRF tokens.
Note: i18n messages are removed in a followup for ease of revert.
Bug: T280806
Depends-On: Ic83f44587db119ff2e3e6d5ff33a10894e0695e7
Change-Id: I58aedec6942ac5d3c21574cb0072f00ef365098c
AuthManager has been converted to a service in 1.35.
AuthManager::$instance is only used in AuthManager::resetCache(),
where it is set to null.
This patch also removes AuthManager::resetCache() because with
removing AuthManager::$instance AuthManager::resetCache() has no
longer any effect.
Change-Id: I8b27f9a2d0d3f7acec6b93f64f9c256084990026
This is a demo, a lot of tests could be rewritten as a followup
to pass proper Authority when executing tests instead of writing
globals. Much cleaner imho.
An improvement idea is to allow overriding 'default permissions'
when creating a mock Authority.
Change-Id: I38570024e0d5a67a8e1c52f7456c458090ec2b6e
And use it in core
Avoid direct use of super global $_FILES
This can break all FauxRequest relying on $_FILES
in tests or production code via FauxRequest::getUpload.
Falls back to $_FILES for the moment
Bug: T48163
Change-Id: I7392acc9bb682ec6b7025dbed0734c142f45c91a
Follows-up 5e6cccc3a4.
- Let PHPUnit do the diffing instead of exporting expected value
  into the description.
- Use a stricter and complete assertion of the result, not just
  one key existence only. Specifically, this means the value (true)
  is asserted, and any additional or unexpected properties result in
  failure. For example, if all of them were marked as missing+invalid
  the old test would pass as it wasn't checking absence. In general,
  assertArrayHasKey() almost always indicates a lax test that can
  be improved, or a redundant assertion (such as here, where it was
  used to check 'purge' exists before use, but PHP and PHPUnit naturally
  validate that already).
Change-Id: Ie7067633e4df0b9a1b451ce4c53a98e8ee3c3ae7
Replaces calls directly to PermissionManager with calls to
the Authority object available from Context or the
GroupPermissionLookup service.
This patch does not address use of PermissionManager for
blocks.
Deprecations:
- ApiBase::checkUserRightsAny deprecated passing optional
  User parameter
- ApiBase::checkTitleUserPermissions deprecated passing
  LinkTarget as first parameter, takes PageIdentity instead
Bug: T271462
Bug: T271854
Change-Id: I5d7cac1c28a37e074750c46cda03283980a07fca
Some User methods fail if they are called before $wgRequest is
set. But according to the Setup.php comment, it is only set for b/c.
The global request object can be lazy-initialised at any time.
This is sufficient to avoid T263911 (loss/obfuscation of the $wgServer
error message).
In tests, try to keep $wgRequest and RequestContext::$request in sync.
Introduce MediaWikiIntegrationTestCase::setRequest() which sets both at
once, and use that instead of setMwGlobals() or direct assignment.
BlockManagerTest was accidentally exploiting the fact that the global
context request and $wgRequest were separate objects. Making them the
same causes session cookies to appear in the response, breaking the
cookie counts. Use a new response for the test.
Bug: T263911
Bug: T245940
Change-Id: I2be99f7251a837bc6b62be0b152038157dec10f2
This allows setting the expected exception message by the message key,
not text, so it remains correct if the message is updated. This
function could be defined to work with other exception types too, but it
seems useful to have shortcuts for common types like ApiUsageException
or MWException.
Change-Id: Ic86278e9e1e91eea0c045d2b93342f018e1d8e66
Fixed bug: in PHP versions less than 5.6.0, any request that didn't
attempt to add any groups would warn, because it would call array_fill()
with the second argument (num) equal to 0. From PHP 5.6.0, the num
argument to array_fill() is allowed to be 0.
Change-Id: I0c5772f15d8f550dc43fb37c3c58d15dd73ea584
Also removed a sketchy-looking usage of ?: with a string in
ApiParse.php. In this case I think it was fine, because it would only
cause a bug if a page's display title was '0' but its actual title was
not '0', which is only possible if $wgRestrictDisplayTitle is false,
which is broken by design anyway and I don't think is worth testing.
But ?: used for something that should be interpreted as a string is
generally not a good idea.
One bug fixed: an error message that used an undefined variable.
Depends-On: Id0e6184aff8f9d7e8f32558e1de14faa0168cc1d
Change-Id: I0904bff0f9d80892d0db2ebb590c24fb862f2418
These tests apply to things that are not relevant to PHP code coverage,
such as testing presence of messages, JSON files, or the PHPUnit tests
themselves.
Using @coversNothing indicates that there is no code here to be covered,
and prevents warnings when using --strict-coverage mode (T152923).
Change-Id: Id89ee2c15a3ce3f10e34b13fb677cd1af75af9e6
API warnings and error messages are currently hard-coded English
strings. This patch changes that.
With a few exceptions, this patch should be compatible with non-updated
extensions:
* The change to ApiBase::$messageMap will blow up anything trying to
  mess with it.
* The changes to the 'ApiCheckCanExecute' hook will cause a wrong
  (probably unparsed) error message to be emitted for extensions not
  already using an ApiMessage. Unless they're currently broken like
  Wikibase.
Bug: T37074
Bug: T47843
Depends-On: Ia2b66b57cd4eaddc30b3ffdd7b97d6ca3e02d898
Depends-On: I2e1bb975bb0045476c03ebe6cdec00259bae22ec
Depends-On: I53987bf87c48f6c00deec17a8e957d24fcc3eaa6
Depends-On: Ibf93a459eb62d30f7c70d20e91ec9faeb80d10ed
Depends-On: I3cf889811f44a15935e454dd42f081164d4a098c
Depends-On: Ieae527de86735ddcba34724730e8730fb277b99b
Depends-On: I535344c29d51521147c2a26c341dae38cec3e931
Change-Id: Iae0e2ce3bd42dd4776a9779664086119ac188412
The unit tests spend nearly half of their run time resetting the user table for
each test. But the majority of tests do not depend on the user table having the
exact value that the setup code resets it to, and do not need to modify the
user objects they require to run.
Fix that by providing an API for tests to get User objects, and to indicate
whether the User object will be subject to destructive modification or not.
This allows User objects to be reused across multiple unit tests.
Change-Id: I17ef1f519759c5e7796c259282afe730ef722e96
Changes here are:
* action=login is deprecated for use other than bot passwords
* list=users will indicate if a missing user name is creatable.
* Added action=query&meta=authmanagerinfo
* Added action=clientlogin, which is to be used to log into the main account
* action=createaccount is changed in a non-BC manner
* Added action=linkaccount
* Added action=unlinkaccount
* Added action=changeauthenticationdata
* Added action=removeauthenticationdata
* Added action=resetpassword
Bug: T110276
Bug: T110747
Bug: T110751
Bug: T32788
Bug: T67857
Bug: T28597
Bug: T76103
Change-Id: I244fa9b1e0623247d6d9fa30990411c6df94a496
This implements the AuthManager class and its needed interfaces and
subclasses, and integrates them into the backend portion of MediaWiki.
Integration with frontend portions of MediaWiki (e.g. ApiLogin,
Special:Login) is left for a followup.
Bug: T91699
Bug: T71589
Bug: T111299
Co-Authored-By: Gergő Tisza <gtisza@wikimedia.org>
Change-Id: If89d24838e326fe25fe867d02181eebcfbb0e196
Iec4ed4c8 made it so addCoreDBData() only gets called once. Which is
nice, except for the fact that it means any test that puts
'user_groups' into $this->tablesUsed is going to cause UTSysop to no
longer be a sysop, so any later test that expects it to be one is going
to mysteriously fail.
The fix is to make resetDB() actually clear out the 'user' table when
requested, but then to re-call addCoreDBData() so UTSysop is still
there.
This might break extension tests if they're relying on the 'user' table
never being cleared even if it's specified in $this->tablesUsed, but
hopefully that's not often the case.
Bug: T132411
Change-Id: If251739fd486544f54a0c07edcc24aeef0998342
Depends-On: I0546a4f18e0751d209b6b7c6cd42973f25828313
Depends-On: I4924ae941b3844b39dd3f44c6986c3bf29b0d62a
The plan here is to take it out of 1.27.0-wmf.12 and put it back in
1.27.0-wmf.13.
Since BotPasswords depends on SessionManager, that's getting temporarily
removed too.
This reverts the following commits:
* 6acd424e0d SessionManager: Notify AuthPlugin before calling hooks
* 4d1ad32d8a Close a loophole in CookieSessionProvider
* fcdd643a46 SessionManager: Don't save non-persisted sessions to backend storage
* 058aec4c76 MessageCache: Don't get a ParserOptions for $wgUser before the end of Setup.php
* b5c0c03bb7 SessionManager: Save user name to metadata even if the user doesn't exist locally
* 13f2f09a19 SECURITY: Fix User::setToken() call on User::newSystemUser
* 305bc75b27 SessionManager: Don't generate user tokens when checking the tokens
* 7c4bd85d21 RequestContext::exportSession() should only export persisted session IDs
* 296ccfd4a9 SessionManager: Save 'persisted' flag in session metadata
* 94ba53f677 Move CSRF token handling into MediaWiki\Session\Session
* 46a565d6b0 Avoid false "added in both Session and $_SESSION" when value is null
* c00d0b5d94 Log backtrace for "User::loadFromSession called before the end of Setup.php"
* 4eeff5b559 Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
* 7491b52f70 Call session_cache_limiter() before starting a session
* 2c34aeea72 SessionManager: Abstract forceHTTPS cookie setting
* 9aa53627a5 Ignore auth cookies with value 'deleted'
* 43f904b51a SessionManager: Kill getPersistedSessionId()
* 50c5256352 SessionManager: Add SessionBackend::setProviderMetadata()
* f640d40315 SessionManager: Notify AuthPlugin when auto-creating accounts
* 70b05d1ac1 Add checks of $wgEnableBotPasswords in more places
* bfed32eb78 Do not raise a PHP warning when session write fails
* 722a7331ad Only check LoggedOut timestamp on the user loaded from session
* 4f5057b84b SessionManager: Change behavior of getSessionById()
* 66e82e614e Fix typo in [[MediaWiki:Botpasswords-editexisting/en]]
* f9fd9516d9 Add "bot passwords"
* d7716f1df0 Add missing argument for wfDebugLog
* a73c5b7395 Add SessionManager
Change-Id: I2389a8133e25ab929e9f27f41fa9a05df8147a50
User keeps most of its token-related methods because anon edit tokens
are special. Login and createaccount tokens are completely moved.
Change-Id: I524218fab7e2d78fd24482ad364428e98dc48bdf
SessionManager is a general-purpose session management framework, rather
than the cookie-based sessions that PHP wants to provide us.
While fallback is provided for using $_SESSION and other PHP session
management functions, they should be avoided in favor of using
SessionManager directly.
For proof-of-concept extensions, see OAuth change Ib40b221 and
CentralAuth change I27ccabdb.
Bug: T111296
Change-Id: Ic1ffea74f3ccc8f93c8a23b795ecab6f06abca72