When list=allusers is used with auactiveusers, a property 'recenteditcount'
is returned in the result. In bug 67301[1] it was pointed out that this
property is including various other logged actions, and so should really be
named something like "recentactions".

Gerrit change 130093,[2] merged today, adds the "recentactions" result
property. "recenteditcount" is also returned for backwards compatibility,
but will be removed at some point during the MediaWiki 1.25 development
cycle.

Any clients using this property should be updated to use the new property
name. The new property will be available on WMF wikis with 1.24wmf12, see
https://www.mediawiki.org/wiki/MediaWiki_1.24/Roadmap for the schedule.

[1]: https://bugzilla.wikimedia.org/show_bug.cgi?id=67301
[2]: https://gerrit.wikimedia.org/r/#/c/130093/
--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
To operate correctly, action=purge needs to write to the database, which
means it should be done using a POST rather than a GET request.

As of Gerrit change 310560,[1] action=purge will begin emitting a warning
when used via GET. This should be deployed to WMF wikis with 1.28.0-wmf.20,
see https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule.

Clients that use action=paraminfo to determine whether to use GET or POST
for an action should automatically switch to POST; any others should
manually switch to using POST for this action as soon as possible.

To check if your client's user agent is detected making such submissions,
you can also use ApiFeatureUsage[2] and look for 'purge-via-GET' once
1.28.0-wmf.20 is rolled out to wikis your client is using.

It is planned that this warning will be changed to an error during 1.29.
Let's avoid having a repeat of T142155,[3] update your code ASAP instead of
waiting until it breaks. Thanks.

[1]: https://gerrit.wikimedia.org/r/#/c/310560/
[2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage
[3]: https://phabricator.wikimedia.org/T142155
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
For improved safety, passwords and other sensitive fields for
authentication should not be included in the request URI during a POST.
Instead, they should be in the POST body where they are less likely to be
included in log files. With the merge of Gerrit change 305545,[1] the API
will now produce a warning if such fields are detected in the URI. This
should be deployed to WMF wikis with 1.28.0-wmf.16, see
https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule.

This affects the following modules and fields:

* action=login: 'lgpassword'
* action=clientlogin, action=createaccount, action=linkaccount, and
  action=changeauthenticationdata: Any fields reported as "sensitive" by
  action=query&meta=authmanagerinfo or by UI or REDIRECT responses.
  Currently, this affects the 'password' and 'retype' fields.

The 'lgtoken' field for action=login will now also issue a warning if
placed in the request URI. The error code for other tokens being in the
request URI has changed from 'mustposttoken' to 'mustpostparams'.

To check if your client's user agent is detected making such submissions,
you can also use ApiFeatureUsage[2] and look for
'<action>-params-in-query-string' once 1.28.0-wmf.16 is rolled out to wikis
your client is logging in to.

It is planned that these warnings will be changed to errors during 1.29.
Let's avoid having a repeat of T142155,[3] update your code ASAP instead of
waiting until it breaks. Thanks.

[1]: https://gerrit.wikimedia.org/r/#/c/305545/
[2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage
[3]: https://phabricator.wikimedia.org/T142155
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
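
The following is an added example, not part of the announcements above and not MediaWiki or client-library code. It shows one way a client could keep the fields named in the last announcement out of the request URI, and how an operator could spot them in logged request lines. The function names, the host wiki.example, the sample values and the "ends in token" rule are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Field names taken from the announcement above.
SENSITIVE_FIELDS = {"lgpassword", "lgtoken", "password", "retype"}


def is_sensitive(name):
    # Assumption: any other parameter ending in "token" is treated as a token
    # that must be posted. A real client would also ask
    # action=query&meta=authmanagerinfo which fields are "sensitive".
    return name in SENSITIVE_FIELDS or name.endswith("token")


def split_request(url, params):
    """Return (uri, body) with every sensitive field moved into the POST body."""
    parts = urlsplit(url)
    merged = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    query = [(k, v) for k, v in merged if not is_sensitive(k)]
    body = [(k, v) for k, v in merged if is_sensitive(k)]
    uri = urlunsplit(parts._replace(query=urlencode(query)))
    return uri, urlencode(body)


def sensitive_in_uri(request_line):
    """Names of sensitive fields found in the URI of a logged request line."""
    try:
        _method, target, _proto = request_line.split(" ", 2)
    except ValueError:
        return []  # not a "METHOD target PROTOCOL" line
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if is_sensitive(k)})


# Constructed sample data (hypothetical host, account and values).
SAMPLE_URL = "https://wiki.example/w/api.php?action=login&format=json&lgpassword=hunter2"
SAMPLE_LOG = [
    "POST /w/api.php?action=login&lgname=Bot&lgpassword=hunter2 HTTP/1.1",
    "POST /w/api.php?action=login&format=json HTTP/1.1",
    "POST /w/api.php?action=clientlogin&username=Bot&password=x&retype=x HTTP/1.1",
]

if __name__ == "__main__":
    uri, body = split_request(SAMPLE_URL, {"lgname": "Bot", "lgtoken": "abc+\\"})
    print("URI :", uri)
    print("body fields:", [k for k, _ in parse_qsl(body)])
    for line in SAMPLE_LOG:
        print(sensitive_in_uri(line), line.split("?")[0])
```
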