-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Comparing changes
Open a pull request
base repository: wikimedia/mediawiki
base: master@{1day}
head repository: wikimedia/mediawiki
compare: master
- 10 commits
- 149 files changed
- 8 contributors
Commits on Jul 13, 2026
-
Localisation updates from https://translatewiki.net.
Change-Id: Ifcf0acd502aba281796b88b51143ec56b8b04c5e
Configuration menu - View commit details
-
Copy full SHA for a24e349 - Browse repository at this point
Copy the full SHA a24e349View commit details -
Replace deprecated class alias usages with canonical names
Several classes have been moved to new namespaces with the old names kept as runtime class_alias() shims. Update callsites to reference the canonical class name directly so phan can verify them without relying on its enable_class_alias_support behaviour: * MediaWiki\Cache\LinkBatchFactory -> MediaWiki\Page\LinkBatchFactory in UserCache (also unblocks the ServiceWiring type-mismatch warning). * MediaWiki\Cache\CacheKeyHelper -> MediaWiki\Page\CacheKeyHelper in BacklinkCache and HTMLFileCache. * CrhConverter -> MediaWiki\Language\Converters\CrhConverter in the CrhExceptions data file (one use-as import covers all references). * \LockManager and \NullLockManager -> Wikimedia\LockManager\* in ServiceWiring (imported alongside the already-namespaced DatabaseLockManager). * \LogEntryBase -> MediaWiki\Logging\LogEntryBase in purgeChangedFiles. * \MediaWiki\ResourceLoader\LessVarFileModule -> FileModule in Resources.php. This alias is intentionally kept and not deprecated (T398827), but it is a plain class_alias() that phan cannot follow once alias support is disabled, so reference FileModule directly. * ExternalStoreDB lookup in ExternalStoreFactory now uses the ::class constant. The dynamic ExternalStore<Proto> lookup deliberately keeps the bare, non-namespaced class name: custom stores are registered under that name (and core's own keep a class_alias() for it), as the ExternalStoreForTesting fixture documents. * The old-alias compatibility checks in FileBackendGroup (for FileBackendMultiWrite) and DefaultPreferencesFactory (for HTMLInfoField / HTMLMultiSelectField / HTMLCheckMatrix) now compare against a plain string literal instead of \OldName::class, preserving the behaviour for unchanged extension/config inputs without leaving a dangling reference to the deprecated alias symbol. FileBackendGroup normalises a matched compat alias to FileBackendMultiWrite::class before instantiation, so the later `new $class` resolves without relying on the runtime alias. Assisted-by: Claude Opus 4.8 Change-Id: Ic63659fc4aac5d016aafb68e887da9012bdaf8c8
Configuration menu - View commit details
-
Copy full SHA for 4ef31c6 - Browse repository at this point
Copy the full SHA 4ef31c6View commit details -
ChangeTags: Support restricted tags in tag summary queries
Why? - Rights-restricted change tags (mw-private-*) must not leak through the SQL built by ChangeTagsStore query methods - The ts_tags GROUP_CONCAT subquery included restricted tag names for every viewer, and filtering by a restricted tag revealed which rows carry it (row-membership oracle) What? - Add an optional Authority $performer parameter to makeTagSummarySubquery(); null hides all restricted tags (fail-closed) and is soft-deprecated - Add addTagsToDisplayQuery(), superseding modifyDisplayQueryBuilder(): it requires an Authority $performer placed before the optional filter arguments, so the parameter order needs no future break when null goes away; the old method stays as a soft-deprecated wrapper whose output always hides restricted tags - Exclude restricted tags from the tag summary subquery by the mw-private- name prefix, re-including the ones the performer may view, so unmapped private tags are excluded in SQL as well - Drop unviewable restricted tags from the tag filter so they behave like nonexistent tags: filtering by one returns no rows, excluding one is a no-op - Keep the deprecated modifyDisplayQuery() Authority-free: its output always hides restricted tags - Add tests Assisted-by: Claude Fable 5 Bug: T431667 Change-Id: I92e8082c78d2f1ef05c2d45c8789e55fcf4e9ef7
Configuration menu - View commit details
-
Copy full SHA for 1bfd792 - Browse repository at this point
Copy the full SHA 1bfd792View commit details -
pagers: Use ChangeTagsStore::addTagsToDisplayQuery
Why? - HistoryPager, NewPagesPager and ContributionsPager were the last core callers of the deprecated array-based ChangeTagsStore::modifyDisplayQuery() - addTagsToDisplayQuery() takes the viewing user's Authority, so these surfaces can show restricted tags to the users who are allowed to view them What? - HistoryPager: apply the tag query changes on its existing SelectQueryBuilder before exporting the query info arrays - NewPagesPager and ContributionsPager: wrap the assembled query info in a SelectQueryBuilder, apply the tag changes, and export it back (the LogPager pattern) - Pass the viewer's Authority everywhere; DeletedContributions targets the archive table Assisted-by: Claude Fable 5 Bug: T431667 Change-Id: I4f05ff0a2b5f31946d74cd081b2863e0ff46905d
Configuration menu - View commit details
-
Copy full SHA for f3925f6 - Browse repository at this point
Copy the full SHA f3925f6View commit details -
ApiEditPage: Add null coalescing to prevent potential undefined array…
… key warning Use null coalescing when accessing $result['spam'] for defensive programming, since a hook handler for the EditPage::attemptSave:after hook could return a bad status with AS_SPAM_ERROR as the value while not setting $result['spam']. Change-Id: Ic1fd18d42686f47fc2b38792977612b8b5a5c776
Configuration menu - View commit details
-
Copy full SHA for 21036b9 - Browse repository at this point
Copy the full SHA 21036b9View commit details -
Add new tracking category "media-limit-reached"
Add a new core tracking category, media-limit-reached, for pages where Parsoid reaches the configured media limit while rendering content. This makes affected pages discoverable through MediaWiki’s tracking category infrastructure and allows editors and site administrators to identify pages where media output may have been limited. The category is registered as a core tracking category and includes the required i18n messages for the category name and description. Bug: T430854 Change-Id: I07461b7ed05fd4414f1f83d6a86e902b2ce2e819
Otto Sleger authored and jenkins-bot committedJul 13, 2026 Configuration menu - View commit details
-
Copy full SHA for 022e0a5 - Browse repository at this point
Copy the full SHA 022e0a5View commit details -
Html: add role=alert to Html::errorBox
And add aria-live polite to the warningbox. This mirrors what we do for the Codex components and solves several accessibilitiy concerns with inline errors caused by failed actions. Bug: T411853 Change-Id: I91c1630ae59506c22e803d9ef2b2b7a9f75337ce
Configuration menu - View commit details
-
Copy full SHA for 1e3fcda - Browse repository at this point
Copy the full SHA 1e3fcdaView commit details -
OutputPage: Strip carriage return in redirect URL sanitization
The redirect() method strips newline characters (\n) to prevent HTTP header injection, but left carriage return (\r) intact. Both \r and \n are needed to inject headers via response splitting. Update the test to also verify \r stripping and add test cases covering \r and \r\n. This is a defense-in-depth improvement; modern PHP's header() function internally rejects multi-line headers since PHP 5.1.2. Change-Id: Ifc227e811c68529f3429dae76215ffeb48b93eff
Configuration menu - View commit details
-
Copy full SHA for 5aca5f8 - Browse repository at this point
Copy the full SHA 5aca5f8View commit details -
docs: Remove wrong @inheritdoc and add documentation instead
Found by new phan v6.0.5: Saw an @inheritdoc annotation for method ..., but could not find an overridden method and it is not a magic method Change-Id: I40fcf727a554e2ced36e7fcbf91c64fb228abf1f
Configuration menu - View commit details
-
Copy full SHA for 24060b8 - Browse repository at this point
Copy the full SHA 24060b8View commit details
Commits on Jul 14, 2026
-
LogPager: Disentangle wildcard interwiki user right queries from norm…
…al path There is an old obscure feature where, when viewing the user rights log, the query syntax for interwiki user rights changes (e.g. 'User:Foo@plwiki') allows wildcards in the database part (e.g. 'User:Foo@*', 'User:Foo@pl*', or 'User:Foo@*wiki'). Even multiple wildcards are allowed. (T12545) This can also be used together with the recently added ability to query by multiple pages. (T389355) The logic for this in LogPager was intertwined with normal queries for target user/page. Pull it out to a separate function. Change-Id: I673c25f8ccc2d92579b19ad35c3c0db716203881
Configuration menu - View commit details
-
Copy full SHA for 2764ca8 - Browse repository at this point
Copy the full SHA 2764ca8View commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff master@{1day}...master