Last modified: 2013-12-20 21:03:09 UTC
Running code from CentralAuth, AbuseFilter, TitleBlacklist etc. which collectively call half the codebase does not seem like a good thing to be doing while the main context user is half-initialised and has lots of methods which will fail horribly if you try to call them (e.g. bug 41198). Perhaps initialisation of the User object from the session can be moved to a function called from Setup.php, such as RequestContext::getUser(). It's not lazy-loaded anyway, User::newFromSession() has always been called unconditionally. Then CentralAuth (and anything else that uses the UserLoadFromSession hook) can be called without User::load() in its call stack.
Looking at WMF-deployed extensions, I see that OAuth and CentralAuth use this hook. OAuth checks the request's Title object to avoid running on Special:OAuth itself (Special:OAuth needs to do special stuff). To be able to call UserLoadFromSession in Setup.php, we'd either have to change this check or create Title in Setup.php too, before the $wgExtensionFunctions hooks. CentralAuth doesn't seem to directly do anything that would blow up if called from Setup.php. But it might call the AbortAutoAccount and AuthPluginAutoCreate hooks, which might have the same sort of expectations of being called after Setup.php as OAuth.