In SpecialBlock, ignore restrictions if the 'sitewide' radio was
selected. In ApiBlock, ignore restrictions if the 'partial' parameter
was falsey.
In both cases, ignoring restrictions means not passing them to
BlockUser.
This restores the behaviour prior to a656d03597, that a block is
sitewide unless it is marked as partial, even if restrictions options
are set.
Bug: T189073
Change-Id: I4d2e08b744b9d59909ce24cc5f167b676478970d
Deprecated in 1.35. However, if you look closely,
the deprecation warning emitting code was passing
numeric 1.35 instead of a string '1.35' which caused
the deprecation function to throw an exception.
Thus, this code has not been deprecated in 1.35, but
was accidentally broken. Instead of fixing the deprecation,
just remove the fallback.
Change-Id: I369f03d6b01053fc0396beb635c7b7d49bd249da
* Makes ParserCache take the root of the key
as a constructor argument
* Introduces a ParserCacheFactory
Next steps:
- convert FlaggedRevs to using this.
- cleanup
This assumes that we wouldn't want to differentiate
the parser cache settings per use-case, as it is now
for default vs flaggedrevs caches. There are only two settings:
$wgParserCacheType - name of the BagOStuff to use
$wgParserCacheExpireTime - the expiration time.
I think if we wanted to have different settings for different
caches, we could add that as a next step.
Bug: T263583
Change-Id: I188772da541a95c95a5ecece7c7dd748395506c2
In order to apply numeric formatting to the limitreport for $key, the
message $key and $key-value (or $key-value-html) needs to be defined.
The core parser doesn't define messages for non-numeric limitreport
data (so it is suppressed in the EditPage preview), but Scribunto
does.
Bug: T263592
Change-Id: Ib775739fbe3cadb28913ae61002622e80490056b
Without this, a user created from an invalid user ID would end up
representing the current requests IP address, which may lead to
confusion. Using the reserved name "Unknown user" seems safer.
Change-Id: Icbfe7c3a561ac927713b610ac9a0b5e6b88bf2f0
This builds on top of Urbanecm's patch, now also covering the case
where the actor ID does not exist in the target DB, but does exist in
the local DB.
Bug: T260485
Change-Id: I2336954c665366a99f9995df9b08071d4de6db79
(cherry picked from commit ca4094db9e7f6f5e330d89db6bf70a8af48e1561)
In ActorMigration::getInsertValues, when creating a User object, calling
User::getActorId triggers a call to User::load, which ignores
the database passed to getInsertValues, meaning incorrect actor IDs
are returned.
To ensure that the correct (foreign) database is used, try
to get the actor ID from the correct database within ActorMigration
service, and if that fails, let User class handle the actor ID creation.
Todo notes are left in the patch to fix the issue properly,
by making User object wiki-aware.
Bug: T260485
Change-Id: Iaa886a1824e5a74f4501ca7e28917c780222aac0
This basically makes it equivalent to .escaped() and not .text().
Does not affect the mediawiki.jqueryMsg version, which still accepts
whitelisted HTML tags.
CVE-2020-25828
Bug: T115888
Change-Id: I6513dfb480024309e1594abc6f07bbd3b0c5a10e
Previously you could leverage the style attribute, and external
links to execute javascript.
CVE-2020-25814
Bug: T86738
Change-Id: I6f15ece1db136369e06dfeee34d1a0c5bc03e32b
Co-Authored-By: Roan Kattouw <roan.kattouw@gmail.com>
Co-Authored-By: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
