$wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
that all others are sharing from and that $wgLocalDatabases is set to the
full list of sharing wikis on all those wikis.
-* Massive overhaul to session handling:
-** $wgSessionsInObjectCache is no longer supported and must be true, due to
- MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
- used.
-** ObjectCacheSessionHandler is removed, replaced with
- MediaWiki\Session\PhpSessionHandler.
-** PHP session handling in general ($_SESSION, session_id(), and so on) is
- deprecated. Use MediaWiki\Session\SessionManager instead. A new config
- variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
- issue a deprecation warning or to cause most PHP session handling to throw
- exceptions.
-** Deprecated UserSetCookies hook. Session-handling extensions should generally
- be creating a custom subclass of CookieSessionProvider. Other extensions
- messing with cookies can no longer count on user data being saved in cookies
- versus other methods.
-** Deprecated UserLoadFromSession hook, extensions should create a
- MediaWiki\Session\SessionProvider.
-** The User cannot be loaded from session until after Setup.php completes.
- Attempts to do so will be ignored and the User will remain unloaded.
-** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
- the MediaWiki\Session\Token class.
-* MediaWiki will now auto-create users as necessary, removing the need for
- extensions to do so. An 'autocreateaccount' right is added to allow
- auto-creation when 'createaccount' is not granted to all users.
-* Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
-* Most cookie-handling methods in User are deprecated.
* $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
experimental feature that has never worked.
-* Login and createaccount tokens now vary by timestamp.
-* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
- return a MediaWiki\Session\Token, and tokens must be checked using that
- class's methods.
* $wgEnotifUseJobQ was removed and the job queue is always used.
=== New features in 1.27 ===
* It is now possible to patrol file uploads (both for new files and new versions
of existing files). Special:NewFiles has gained an option to filter by patrol
status. This functionality can be disabled using $wgUseFilePatrol.
-* MediaWiki\Session infrastructure allows for easier use of session mechanisms
- other than the usual cookies.
-** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
- custom session metadata.
* Added MWGrants and associated configuration settings $wgGrantPermissions and
$wgGrantPermissionGroups to hold configuration for authentication features
such as OAuth that want to allow restricting the user rights a user may make
$wgMWOAuthGrantPermissionGroups.
* Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
to assert that the request comes from a particular IP range.
-* Added bot passwords, a rights-restricted login mechanism for API-using bots.
* Whitelisted the following HTML attributes for all elements in wikitext:
aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
* Removed "presentation" restriction on the HTML role attribute in wikitext.
* Added wikimedia/cldr-plural-rule-parser v1.0.0.
* Added wikimedia/relpath v1.0.3.
* Added wikimedia/running-stat v1.1.0.
-* Added wikimedia/php-session-serializer v1.0.3.
==== Removed and replaced external libraries ====
* The following response properties from action=login are deprecated, and may
be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
handle cookies to properly manage session state.
-* action=login transparently allows login using bot passwords. Clients should
- merely need to change the username and password used after setting up a bot
- password.
* action=upload no longer understands statuskey, asyncdownload or leavemessage.
=== Action API internal changes in 1.27 ===
* ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
* ApiQuery::getModules() was removed (deprecated since 1.21).
* ApiMain::getModules() was removed (deprecated since 1.21).
+* ApiBase::getVersion() was removed (deprecated since 1.21).
=== Languages updated in 1.27 ===
together but instead pick the final one, similar to image syntax.
* XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
rather than consume everything until the end of the page.
+* New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
+ a user forgot password/account was stolen.
== Compatibility ==