*/
$wgForeignUploadTargets = [];
+/**
+ * Configuration for file uploads using the embeddable upload dialog
+ * (https://www.mediawiki.org/wiki/Upload_dialog).
+ *
+ * This applies also to foreign uploads to this wiki (the configuration is loaded by remote wikis
+ * using the action=query&meta=siteinfo API).
+ *
+ * See below for documentation of each property. None of the properties may be omitted.
+ */
+$wgUploadDialog = [
+ // Fields to make available in the dialog. `true` means that this field is visible, `false` means
+ // that it is hidden. The "Name" field can't be hidden. Note that you also have to add the
+ // matching replacement to the 'filepage' format key below to make use of these.
+ 'fields' => [
+ 'description' => true,
+ 'date' => false,
+ 'categories' => false,
+ ],
+ // Suffix of localisation messages used to describe the license under which the uploaded file will
+ // be released. The same value may be set for both 'local' and 'foreign' uploads.
+ 'licensemessages' => [
+ // The 'local' messages are used for local uploads on this wiki:
+ // * upload-form-label-own-work-message-generic-local
+ // * upload-form-label-not-own-work-message-generic-local
+ // * upload-form-label-not-own-work-local-generic-local
+ 'local' => 'generic-local',
+ // The 'foreign' messages are used for cross-wiki uploads from other wikis to this wiki:
+ // * upload-form-label-own-work-message-generic-foreign
+ // * upload-form-label-not-own-work-message-generic-foreign
+ // * upload-form-label-not-own-work-local-generic-foreign
+ 'foreign' => 'generic-foreign',
+ ],
+ // Upload comment to use. Available replacements:
+ // * $HOST - domain name from which a cross-wiki upload originates
+ // * $PAGENAME - wiki page name from which an upload originates
+ 'comment' => '',
+ // Format of the file page wikitext to be generated from the fields input by the user.
+ 'format' => [
+ // Wrapper for the whole page. Available replacements:
+ // * $DESCRIPTION - file description, as input by the user (only if the 'description' field is
+ // enabled), wrapped as defined below in the 'description' key
+ // * $DATE - file creation date, as input by the user (only if the 'date' field is enabled)
+ // * $SOURCE - as defined below in the 'ownwork' key, may be extended in the future
+ // * $AUTHOR - linked user name, may be extended in the future
+ // * $LICENSE - as defined below in the 'license' key, may be extended in the future
+ // * $CATEGORIES - file categories wikitext, as input by the user (only if the 'categories'
+ // field is enabled), or if no input, as defined below in the 'uncategorized' key
+ 'filepage' => '$DESCRIPTION',
+ // Wrapped for file description. Available replacements:
+ // * $LANGUAGE - source wiki's content language
+ // * $TEXT - input by the user
+ 'description' => '$TEXT',
+ 'ownwork' => '',
+ 'license' => '',
+ 'uncategorized' => '',
+ ],
+];
+
/**
* File backend structure configuration.
*
* if available
*
* - max lag: (optional) Maximum replication lag before a slave will taken out of rotation
+ * - is static: (optional) Set to true if the dataset is static and no replication is used.
*
* These and any other user-defined properties will be assigned to the mLBInfo member
* variable of the Database object.
$wgRawHtml = false;
/**
- * Set a default target for external links, e.g. _blank to pop up a new window
+ * Set a default target for external links, e.g. _blank to pop up a new window.
+ *
+ * This will also set the "noreferrer" and "noopener" link rel to prevent the
+ * attack described at https://mathiasbynens.github.io/rel-noopener/ .
+ * Some older browsers may not support these link attributes, hence
+ * setting $wgExternalLinkTarget to _blank may represent a security risk
+ * to some of your users.
*/
$wgExternalLinkTarget = false;
],
];
+/**
+ * Disable AuthManager
+ * @since 1.27
+ * @deprecated since 1.27, for use during development only
+ */
+$wgDisableAuthManager = true;
+
+/**
+ * Configure AuthManager
+ *
+ * All providers are constructed using ObjectFactory, see that for the general
+ * structure. The array may also contain a key "sort" used to order providers:
+ * providers are stably sorted by this value, which should be an integer
+ * (default is 0).
+ *
+ * Elements are:
+ * - preauth: Array (keys ignored) of specifications for PreAuthenticationProviders
+ * - primaryauth: Array (keys ignored) of specifications for PrimaryAuthenticationProviders
+ * - secondaryauth: Array (keys ignored) of specifications for SecondaryAuthenticationProviders
+ *
+ * @since 1.27
+ * @note If this is null or empty, the value from $wgAuthManagerAutoConfig is
+ * used instead. Local customization should generally set this variable from
+ * scratch to the desired configuration. Extensions that want to
+ * auto-configure themselves should use $wgAuthManagerAutoConfig instead.
+ */
+$wgAuthManagerConfig = null;
+
+/**
+ * @see $wgAuthManagerConfig
+ * @since 1.27
+ */
+$wgAuthManagerAutoConfig = [
+ 'preauth' => [
+ MediaWiki\Auth\LegacyHookPreAuthenticationProvider::class => [
+ 'class' => MediaWiki\Auth\LegacyHookPreAuthenticationProvider::class,
+ 'sort' => 0,
+ ],
+ MediaWiki\Auth\ThrottlePreAuthenticationProvider::class => [
+ 'class' => MediaWiki\Auth\ThrottlePreAuthenticationProvider::class,
+ 'sort' => 0,
+ ],
+ ],
+ 'primaryauth' => [
+ // TemporaryPasswordPrimaryAuthenticationProvider should come before
+ // any other PasswordAuthenticationRequest-based
+ // PrimaryAuthenticationProvider (or at least any that might return
+ // FAIL rather than ABSTAIN for a wrong password), or password reset
+ // won't work right. Do not remove this (or change the key) or
+ // auto-configuration of other such providers in extensions will
+ // probably auto-insert themselves in the wrong place.
+ MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class => [
+ 'class' => MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class,
+ 'args' => [ [
+ // Fall through to LocalPasswordPrimaryAuthenticationProvider
+ 'authoritative' => false,
+ ] ],
+ 'sort' => 0,
+ ],
+ MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class => [
+ 'class' => MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class,
+ 'args' => [ [
+ // Last one should be authoritative, or else the user will get
+ // a less-than-helpful error message (something like "supplied
+ // authentication info not supported" rather than "wrong
+ // password") if it too fails.
+ 'authoritative' => true,
+ ] ],
+ 'sort' => 100,
+ ],
+ ],
+ 'secondaryauth' => [
+ MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class => [
+ 'class' => MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class,
+ 'sort' => 0,
+ ],
+ MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class => [
+ 'class' => MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class,
+ 'sort' => 100,
+ ],
+ // Linking during login is experimental, enable at your own risk - T134952
+ // MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class => [
+ // 'class' => MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class,
+ // 'sort' => 100,
+ // ],
+ MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class => [
+ 'class' => MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class,
+ 'sort' => 200,
+ ],
+ ],
+];
+
+/**
+ * Time frame for re-authentication.
+ *
+ * With only password-based authentication, you'd just ask the user to re-enter
+ * their password to verify certain operations like changing the password or
+ * changing the account's email address. But under AuthManager, the user might
+ * not have a password (you might even have to redirect the browser to a
+ * third-party service or something complex like that), you might want to have
+ * both factors of a two-factor authentication, and so on. So, the options are:
+ * - Incorporate the whole multi-step authentication flow within everything
+ * that needs to do this.
+ * - Consider it good if they used Special:UserLogin during this session within
+ * the last X seconds.
+ * - Come up with a third option.
+ *
+ * MediaWiki currently takes the second option. This setting configures the
+ * "X seconds".
+ *
+ * This allows for configuring different time frames for different
+ * "operations". The operations used in MediaWiki core include:
+ * - LinkAccounts
+ * - UnlinkAccount
+ * - ChangeCredentials
+ * - RemoveCredentials
+ * - ChangeEmail
+ *
+ * Additional operations may be used by extensions, either explicitly by
+ * calling AuthManager::securitySensitiveOperationStatus(),
+ * ApiAuthManagerHelper::securitySensitiveOperation() or
+ * SpecialPage::checkLoginSecurityLevel(), or implicitly by overriding
+ * SpecialPage::getLoginSecurityLevel() or by subclassing
+ * AuthManagerSpecialPage.
+ *
+ * The key 'default' is used if a requested operation isn't defined in the array.
+ *
+ * @since 1.27
+ * @var int[] operation => time in seconds. A 'default' key must always be provided.
+ */
+$wgReauthenticateTime = [
+ 'default' => 300,
+];
+
+/**
+ * Whether to allow security-sensitive operations when re-authentication is not possible.
+ *
+ * If AuthManager::canAuthenticateNow() is false (e.g. the current
+ * SessionProvider is not able to change users, such as when OAuth is in use),
+ * AuthManager::securitySensitiveOperationStatus() cannot sensibly return
+ * SEC_REAUTH. Setting an operation true here will have it return SEC_OK in
+ * that case, while setting it false will have it return SEC_FAIL.
+ *
+ * The key 'default' is used if a requested operation isn't defined in the array.
+ *
+ * @since 1.27
+ * @see $wgReauthenticateTime
+ * @var bool[] operation => boolean. A 'default' key must always be provided.
+ */
+$wgAllowSecuritySensitiveOperationIfCannotReauthenticate = [
+ 'default' => true,
+];
+
+/**
+ * List of AuthenticationRequest class names which are not changeable through
+ * Special:ChangeCredentials and the changeauthenticationdata API.
+ * This is only enforced on the client level; AuthManager itself (e.g.
+ * AuthManager::allowsAuthenticationDataChange calls) is not affected.
+ * Class names are checked for exact match (not for subclasses).
+ * @since 1.27
+ * @var string[]
+ */
+$wgChangeCredentialsBlacklist = [
+ \MediaWiki\Auth\TemporaryPasswordAuthenticationRequest::class
+];
+
+/**
+ * List of AuthenticationRequest class names which are not removable through
+ * Special:RemoveCredentials and the removeauthenticationdata API.
+ * This is only enforced on the client level; AuthManager itself (e.g.
+ * AuthManager::allowsAuthenticationDataChange calls) is not affected.
+ * Class names are checked for exact match (not for subclasses).
+ * @since 1.27
+ * @var string[]
+ */
+$wgRemoveCredentialsBlacklist = [
+ \MediaWiki\Auth\PasswordAuthenticationRequest::class,
+];
+
/**
* For compatibility with old installations set to false
* @deprecated since 1.24 will be removed in future
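Review bot: `$wgAllowSecuritySensitiveOperationIfCannotReauthenticate` ships with `'default' => true`, so any operation without its own key (ChangeCredentials, ChangeEmail and the others listed under `$wgReauthenticateTime`) gets SEC_OK whenever `AuthManager::canAuthenticateNow()` is false, meaning the check fails open by default. If that is intentional for sessions such as OAuth, the docblock should say what else limits those sessions, which is not visible in this hunk; a line like `* Note: true skips re-authentication entirely for such sessions; set an operation to false to refuse it instead.` would make the trade-off explicit. Sites that allow credential or e-mail changes through sessions that cannot re-authenticate would probably want `'ChangeCredentials' => false` and `'ChangeEmail' => false` next to the default. Separately, `$wgDisableAuthManager = true` is marked development-only, but its docblock does not say which of the settings added here are ignored while it is true.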
MediaWiki\Session\BotPasswordSessionProvider::class => [
'class' => MediaWiki\Session\BotPasswordSessionProvider::class,
'args' => [ [
- 'priority' => 40,
+ 'priority' => 75,
] ],
],
];
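Review bot: The change of BotPasswordSessionProvider's `'priority'` from 40 to 75 carries no comment saying what it must now outrank. Session-provider priority presumably decides which provider's session is used when several match a request, so the number is security-relevant. The enclosing array and the other providers' priorities are outside this hunk, so the intended ordering cannot be checked from here. I would add a line above it such as `// Must outrank <provider(s)> so that <reason>`, with the actual names filled in, so that a later edit does not reorder them by accident.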
/**
* Authentication plugin.
* @var $wgAuth AuthPlugin
+ * @deprecated since 1.27 use $wgAuthManagerConfig instead
*/
$wgAuth = null;