Changes to the use statements done automatically via script
Addition of missing use statement done manually
Change-Id: I8a1b268d94d7ddb4e50ded3cf44aa7a372b58a72
Changes to the use statements done automatically via script
Addition of missing use statement done manually
Change-Id: I8943e4e63fb41ca758c9ed25a4abb7664e13bb9f
Since php8.0 hash_hmac throws an exception and does not return false
Reported by phan running with php8.1
Change-Id: I2374daf5e0954bef91da65454d973ef3d1eb2183
Add a table which stores a summary of each user's IP address subnet in
each time bucket, defaulting to 15 days. On edit (and other changes
causing a recentchanges row) and successful login update the table.
On attempted login, check whether the subnet is in the table in any
time bucket back to the expiry time.
Add a job and a maintenance script for purging expired rows.
Disabled by default for now. The idea is to enable it by default after
we have some experience with using it in WMF production.
If CheckUser integration is disabled (the future intended state), the
cache and LoginNotifyChecks job are suppressed since they are
unnecessary.
Details:
* Rename setCurrentAddressAsKnown() to recordKnownWithCookie() and
split off recordKnown() which does the same thing except without
sending the cookie. We use recordKnown() to store the IP address
without sending the cookie, on non-login changes.
* Reorganise isKnownSystemFast() for clarity, and return emphatic
USER_NOT_KNOWN if the user is not in the table, cache or cookie
and CheckUser integration is disabled.
* Replace time() calls with a mockable method.
Bug: T345052
Change-Id: Iea716e660353f16c47f873fe42edc2aeec1b4346
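The subnet-per-time-bucket check described in the commit message above, as an added example that is not LoginNotify's own code. The class and method bodies, the /24 IPv4 subnet, the HMAC-SHA256 subnet hash, the 180-day expiry and the in-memory array standing in for the table are all assumptions made for illustration; only the 15-day bucket and the record-on-edit/login, check-on-attempt flow come from the message.

```php
<?php
// Added illustration, not LoginNotify's code. Hypothetical names; assumes IPv4,
// /24 subnets, HMAC-SHA256 subnet hashes and a 180-day expiry (all assumptions).
final class SeenSubnetStore {
	private const BUCKET_SECONDS = 15 * 86400; // 15-day bucket, as in the commit message
	private array $rows = []; // stands in for the table; keyed "user|bucket|subnetHash"
	public function __construct(
		private string $secret, private int $expirySeconds, private Closure $clock
	) {
	}

	private function bucket( int $time ): int {
		return intdiv( $time, self::BUCKET_SECONDS );
	}

	private function subnetHash( string $ip ): string {
		$long = ip2long( $ip );
		if ( $long === false ) {
			throw new InvalidArgumentException( "Not an IPv4 address: $ip" );
		}
		// Store only a keyed hash of the /24 network, never the raw address.
		return hash_hmac( 'sha256', long2ip( $long & 0xFFFFFF00 ), $this->secret );
	}

	/** On edit or successful login: mark the subnet as seen in the current bucket. */
	public function recordKnown( int $userId, string $ip ): void {
		$bucket = $this->bucket( ( $this->clock )() );
		$this->rows["$userId|$bucket|" . $this->subnetHash( $ip )] = true;
	}

	/** On attempted login: look in every bucket back to the expiry time. */
	public function isKnown( int $userId, string $ip ): bool {
		$now = ( $this->clock )();
		$hash = $this->subnetHash( $ip );
		for ( $b = $this->bucket( $now - $this->expirySeconds ); $b <= $this->bucket( $now ); $b++ ) {
			if ( isset( $this->rows["$userId|$b|$hash"] ) ) {
				return true;
			}
		}
		return false;
	}
}
// Constructed demo: mockable clock, documentation-range addresses, made-up user id.
$now = 1700000000;
$store = new SeenSubnetStore( 'constructed-secret', 180 * 86400, function () use ( &$now ) { return $now; } );
$store->recordKnown( 42, '198.51.100.7' );
$now += 30 * 86400; // same /24 a month later, then an unrelated subnet
var_dump( $store->isKnown( 42, '198.51.100.200' ), $store->isKnown( 42, '203.0.113.9' ) );
$now += 200 * 86400; // the recorded bucket is now older than the expiry window
var_dump( $store->isKnown( 42, '198.51.100.7' ) );
```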
* Make LoginNotify into a service. Use a static getInstance() method
instead of a services container class, since there is only one
service.
* Removed references to $wgLoginNotifyEnableForPriv. The feature was
removed in I888c6009fffad1712.
Change-Id: I9120b470d27a0d09e508bd4e12eb2bde2f38d34d
* Remove notification attributes such as title-message, unused since the
initial commit since it used the new (2015) formatter system.
* isKnownSystemSlow() is always called with a third parameter, and it
doesn't seem to be nullable in callers.
* Yes, most of the things make sense.
* Add reason why CheckUser has no cuc_ip_hex index.
* Use foreach
* Too late to truncate the hash now
Change-Id: I310bc53ba881842845b9358309954f89c355f81c
If the IP address associated with a failed login is found in CheckUser
for the relevant user, the notification was previously omitted.
Notification of failure with a known IP was only possible when the IP
was in the cache or cookie. So, fix that.
Change-Id: I498e6b71d0fab9dd9af63c9c5f88fbcaf6a53fc3
The use of "HookHandlers" attribute in extension.json makes it possible
to inject services into hook handler classes in a future patch.
Bug: T344297
Change-Id: Icfa49dc56848c9b375f09d67ed839d0e10f57bfb
Deprecated since 1.39 (I6e7544763bd)
Remove deprecated ILB::reuseConnection() calls as well
Bug: T343277
Change-Id: I477c216fe75bb393fc892ded13f3d117b6fda4aa
Whenever a number should be put inside a message, `numParams` should
be used instead of `params` as the former considers number formatting
needed for locales having their own numerals.
Change-Id: I1d331040a6f872fbf12ebe142257e53c46f5a219
Since core change dffca06 the tableExists function is only for
maintenance database connections.
DBConnRef implements that interface, use that
Follow-Up: I282cd08d47be1e16cd05903d92561da04889768f
Change-Id: I161c39ad0fce3c48b470a5595a2c58a26c2014a1
The global function wfWikiID() is deprecated since 1.35 and its usages
should be replaced with WikiMap::getCurrentWikiId().
Bug: T298059
Change-Id: I87140148f53266a2bc828a4fae75aa28aa098602
The following sniffs are failing and were disabled:
* MediaWiki.Commenting.FunctionComment.MissingParamName
* MediaWiki.Commenting.FunctionComment.MissingParamTag
* MediaWiki.Commenting.FunctionComment.ParamNameNoMatch
Additional changes:
* Also sorted "composer fix" command to run phpcbf last.
Change-Id: Ie0f3c44edd654994ca1aa3c55a40cbef22465c0b
gmdate would also return a string; it is also given a string from the caller
site (result from explode)
Change-Id: I1bf314f7ad976e590fdb021c0921dbf7de7504bd
Per Niharika's comment at T220762#5105917, "we don't want an attacker
to learn that we detected an unusual login and cause them to change
the account password or such".
This was already set in WMF's config for LoginNotify; this moves it into
the extension itself, where it belongs.
Bug: T220780
Change-Id: I5adc5a52f10f2f37ae64ff0400c8d77b35d36aa1