Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: wikimedia/mediawiki
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: master@{1day}
Choose a base ref
...
head repository: wikimedia/mediawiki
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: master
Choose a head ref
  • 10 commits
  • 149 files changed
  • 8 contributors

Commits on Jul 13, 2026

  1. Localisation updates from https://translatewiki.net.

    Change-Id: Ifcf0acd502aba281796b88b51143ec56b8b04c5e
    translatewiki committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    a24e349 View commit details
    Browse the repository at this point in the history
  2. Replace deprecated class alias usages with canonical names

    Several classes have been moved to new namespaces with the old names
    kept as runtime class_alias() shims. Update callsites to reference the
    canonical class name directly so phan can verify them without relying
    on its enable_class_alias_support behaviour:
    
    * MediaWiki\Cache\LinkBatchFactory -> MediaWiki\Page\LinkBatchFactory
      in UserCache (also unblocks the ServiceWiring type-mismatch warning).
    * MediaWiki\Cache\CacheKeyHelper -> MediaWiki\Page\CacheKeyHelper
      in BacklinkCache and HTMLFileCache.
    * CrhConverter -> MediaWiki\Language\Converters\CrhConverter in the
      CrhExceptions data file (one use-as import covers all references).
    * \LockManager and \NullLockManager -> Wikimedia\LockManager\* in
      ServiceWiring (imported alongside the already-namespaced
      DatabaseLockManager).
    * \LogEntryBase -> MediaWiki\Logging\LogEntryBase in purgeChangedFiles.
    * \MediaWiki\ResourceLoader\LessVarFileModule -> FileModule in
      Resources.php. This alias is intentionally kept and not deprecated
      (T398827), but it is a plain class_alias() that phan cannot follow
      once alias support is disabled, so reference FileModule directly.
    * ExternalStoreDB lookup in ExternalStoreFactory now uses the ::class
      constant. The dynamic ExternalStore<Proto> lookup deliberately keeps
      the bare, non-namespaced class name: custom stores are registered
      under that name (and core's own keep a class_alias() for it), as the
      ExternalStoreForTesting fixture documents.
    * The old-alias compatibility checks in FileBackendGroup (for
      FileBackendMultiWrite) and DefaultPreferencesFactory (for
      HTMLInfoField / HTMLMultiSelectField / HTMLCheckMatrix) now compare
      against a plain string literal instead of \OldName::class, preserving
      the behaviour for unchanged extension/config inputs without leaving
      a dangling reference to the deprecated alias symbol. FileBackendGroup
      normalises a matched compat alias to FileBackendMultiWrite::class
      before instantiation, so the later `new $class` resolves without
      relying on the runtime alias.
    
    Assisted-by: Claude Opus 4.8
    Change-Id: Ic63659fc4aac5d016aafb68e887da9012bdaf8c8
    jdforrester authored and jenkins-bot committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    4ef31c6 View commit details
    Browse the repository at this point in the history
  3. ChangeTags: Support restricted tags in tag summary queries

    Why?
    - Rights-restricted change tags (mw-private-*) must not leak
      through the SQL built by ChangeTagsStore query methods
    - The ts_tags GROUP_CONCAT subquery included restricted tag
      names for every viewer, and filtering by a restricted tag
      revealed which rows carry it (row-membership oracle)
    
    What?
    - Add an optional Authority $performer parameter to
      makeTagSummarySubquery(); null hides all restricted tags
      (fail-closed) and is soft-deprecated
    - Add addTagsToDisplayQuery(), superseding
      modifyDisplayQueryBuilder(): it requires an Authority
      $performer placed before the optional filter arguments, so
      the parameter order needs no future break when null goes
      away; the old method stays as a soft-deprecated wrapper
      whose output always hides restricted tags
    - Exclude restricted tags from the tag summary subquery by
      the mw-private- name prefix, re-including the ones the
      performer may view, so unmapped private tags are excluded
      in SQL as well
    - Drop unviewable restricted tags from the tag filter so they
      behave like nonexistent tags: filtering by one returns no
      rows, excluding one is a no-op
    - Keep the deprecated modifyDisplayQuery() Authority-free:
      its output always hides restricted tags
    - Add tests
    
    Assisted-by: Claude Fable 5
    Bug: T431667
    Change-Id: I92e8082c78d2f1ef05c2d45c8789e55fcf4e9ef7
    mpostoronca-wiki authored and jenkins-bot committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    1bfd792 View commit details
    Browse the repository at this point in the history
  4. pagers: Use ChangeTagsStore::addTagsToDisplayQuery

    Why?
    - HistoryPager, NewPagesPager and ContributionsPager were the
      last core callers of the deprecated array-based
      ChangeTagsStore::modifyDisplayQuery()
    - addTagsToDisplayQuery() takes the viewing user's Authority,
      so these surfaces can show restricted tags to the users who
      are allowed to view them
    
    What?
    - HistoryPager: apply the tag query changes on its existing
      SelectQueryBuilder before exporting the query info arrays
    - NewPagesPager and ContributionsPager: wrap the assembled
      query info in a SelectQueryBuilder, apply the tag changes,
      and export it back (the LogPager pattern)
    - Pass the viewer's Authority everywhere; DeletedContributions
      targets the archive table
    
    Assisted-by: Claude Fable 5
    Bug: T431667
    Change-Id: I4f05ff0a2b5f31946d74cd081b2863e0ff46905d
    mpostoronca-wiki authored and jenkins-bot committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    f3925f6 View commit details
    Browse the repository at this point in the history
  5. ApiEditPage: Add null coalescing to prevent potential undefined array…

    … key warning
    
    Use null coalescing when accessing $result['spam'] for defensive
    programming, since a hook handler for the EditPage::attemptSave:after
    hook could return a bad status with AS_SPAM_ERROR as the value while
    not setting $result['spam'].
    
    Change-Id: Ic1fd18d42686f47fc2b38792977612b8b5a5c776
    rodrigoheniquesouza authored and jenkins-bot committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    21036b9 View commit details
    Browse the repository at this point in the history
  6. Add new tracking category "media-limit-reached"

    Add a new core tracking category, media-limit-reached, for pages
    where Parsoid reaches the configured media limit while rendering
    content.
    
    This makes affected pages discoverable through MediaWiki’s
    tracking category infrastructure and allows editors and site
    administrators to identify pages where media output may have
    been limited. The category is registered as a core tracking
    category and includes the required i18n messages for the category
    name and description.
    
    Bug: T430854
    Change-Id: I07461b7ed05fd4414f1f83d6a86e902b2ce2e819
    Otto Sleger authored and jenkins-bot committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    022e0a5 View commit details
    Browse the repository at this point in the history
  7. Html: add role=alert to Html::errorBox

    And add aria-live polite to the warningbox.
    This mirrors what we do for the Codex components and solves several
    accessibilitiy concerns with inline errors caused by failed actions.
    
    Bug: T411853
    Change-Id: I91c1630ae59506c22e803d9ef2b2b7a9f75337ce
    hartman authored and jenkins-bot committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    1e3fcda View commit details
    Browse the repository at this point in the history
  8. OutputPage: Strip carriage return in redirect URL sanitization

    The redirect() method strips newline characters (\n) to prevent
    HTTP header injection, but left carriage return (\r) intact.
    Both \r and \n are needed to inject headers via response splitting.
    
    Update the test to also verify \r stripping and add test cases
    covering \r and \r\n.
    
    This is a defense-in-depth improvement; modern PHP's header()
    function internally rejects multi-line headers since PHP 5.1.2.
    
    Change-Id: Ifc227e811c68529f3429dae76215ffeb48b93eff
    rodrigoheniquesouza authored and jenkins-bot committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    5aca5f8 View commit details
    Browse the repository at this point in the history
  9. docs: Remove wrong @inheritdoc and add documentation instead

    Found by new phan v6.0.5:
    Saw an @inheritdoc annotation for method ..., but could not find an
    overridden method and it is not a magic method
    
    Change-Id: I40fcf727a554e2ced36e7fcbf91c64fb228abf1f
    umherirrender committed Jul 13, 2026
    Configuration menu
    Copy the full SHA
    24060b8 View commit details
    Browse the repository at this point in the history

Commits on Jul 14, 2026

  1. LogPager: Disentangle wildcard interwiki user right queries from norm…

    …al path
    
    There is an old obscure feature where, when viewing the user
    rights log, the query syntax for interwiki user rights changes
    (e.g. 'User:Foo@plwiki') allows wildcards in the database part
    (e.g. 'User:Foo@*', 'User:Foo@pl*', or 'User:Foo@*wiki').
    Even multiple wildcards are allowed. (T12545)
    This can also be used together with the recently added ability
    to query by multiple pages. (T389355)
    
    The logic for this in LogPager was intertwined with normal queries
    for target user/page. Pull it out to a separate function.
    
    Change-Id: I673c25f8ccc2d92579b19ad35c3c0db716203881
    MatmaRex authored and jenkins-bot committed Jul 14, 2026
    Configuration menu
    Copy the full SHA
    2764ca8 View commit details
    Browse the repository at this point in the history
Loading