MediaWiki\Session\SessionProvider.
** The User cannot be loaded from session until after Setup.php completes.
Attempts to do so will be ignored and the User will remain unloaded.
+** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
+ the MediaWiki\Session\Token class.
* MediaWiki will now auto-create users as necessary, removing the need for
extensions to do so. An 'autocreateaccount' right is added to allow
auto-creation when 'createaccount' is not granted to all users.
* Most cookie-handling methods in User are deprecated.
* $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
experimental feature that has never worked.
+* Login and createaccount tokens now vary by timestamp.
+* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
+ return a MediaWiki\Session\Token, and tokens must be checked using that
+ class's methods.
+* $wgEnotifUseJobQ was removed and the job queue is always used.
+* The functionality of the ApiSandbox extension has been merged into core. The
+ extension should no longer be used.
=== New features in 1.27 ===
-* $wgDataCenterId and $wgDataCenterRoles where added, which will serve as
- basic configuration settings needed for multi-datacenter setups.
- $wgDataCenterUpdateStickTTL was also added.
+* $wgDataCenterUpdateStickTTL was also added. This decides how long a user
+ sticks to the primary DC (via cookies) after they make changes to the site.
* Added a new hook, 'UserMailerTransformContent', to transform the contents
of an email. This is similar to the EmailUser hook but applies to all mail
sent via UserMailer.
* Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
to assert that the request comes from a particular IP range.
* Added bot passwords, a rights-restricted login mechanism for API-using bots.
+* Whitelisted the following HTML attributes for all elements in wikitext:
+ aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
+* Removed "presentation" restriction on the HTML role attribute in wikitext.
+ All values are now allowed for the role attribute.
+* $wgContentHandlers now also supports callbacks to create an instance of the
+ appropriate ContentHandler subclass.
=== External library changes in 1.27 ===
* ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
* ApiQuery::getModules() was removed (deprecated since 1.21).
* ApiMain::getModules() was removed (deprecated since 1.21).
+* ApiBase::getVersion() was removed (deprecated since 1.21).
=== Languages updated in 1.27 ===
together but instead pick the final one, similar to image syntax.
* XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
rather than consume everything until the end of the page.
+* New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
+ a user forgot password/account was stolen.
== Compatibility ==