43 $permissionManager = $services->getPermissionManager();
46 $publicWiki = $services->getGroupPermissionsLookup()->groupHasPermission(
'*',
'read' );
49 $baseUrl = $services->getRepoGroup()->getLocalRepo()->getZoneUrl(
'public' );
50 if ( $baseUrl[0] ===
'/' ) {
53 $basePath = parse_url( $baseUrl, PHP_URL_PATH );
57 if (
$path ===
false ) {
64 if (
$path ===
false ) {
65 $this->forbidden(
'img-auth-accessdenied',
'img-auth-notindir' );
79 foreach ( $pathMap as $prefix => $storageDir ) {
80 $prefix = rtrim( $prefix,
'/' ) .
'/';
81 if ( strpos(
$path, $prefix ) === 0 ) {
82 $be = $services->getFileBackendGroup()->backendFromPath( $storageDir );
83 $filename = $storageDir . substr(
$path, strlen( $prefix ) );
85 $isAllowedUser = $permissionManager->userHasRight( $user,
'read' );
86 if ( !$isAllowedUser ) {
87 $this->forbidden(
'img-auth-accessdenied',
'img-auth-noread',
$path );
90 if ( $be && $be->fileExists( [
'src' => $filename ] ) ) {
91 wfDebugLog(
'img_auth',
"Streaming `" . $filename .
"`." );
94 'headers' => [
'Cache-Control: private',
'Vary: Cookie' ]
97 $this->forbidden(
'img-auth-accessdenied',
'img-auth-nofile',
$path );
105 $repo = $services->getRepoGroup()->getLocalRepo();
106 $zone = strstr( ltrim(
$path,
'/' ),
'/',
true );
112 if ( $zone ===
'thumb' || $zone ===
'transcoded' ) {
114 $filename = $repo->getZonePath( $zone ) . substr(
$path, strlen(
"/" . $zone ) );
116 if ( !$repo->fileExists( $filename ) ) {
117 $this->forbidden(
'img-auth-accessdenied',
'img-auth-nofile', $filename );
122 $filename = $repo->getZonePath(
'public' ) .
$path;
124 $bits = explode(
'!', $name, 2 );
125 if ( str_starts_with(
$path,
'/archive/' ) && count( $bits ) == 2 ) {
126 $file = $repo->newFromArchiveName( $bits[1], $name );
128 $file = $repo->newFile( $name );
130 if ( !$file || !$file->exists() || $file->isDeleted( File::DELETED_FILE ) ) {
131 $this->forbidden(
'img-auth-accessdenied',
'img-auth-nofile', $filename );
138 $title = Title::makeTitleSafe(
NS_FILE, $name );
140 $hookRunner =
new HookRunner( $services->getHookContainer() );
141 if ( !$publicWiki ) {
143 $headers[
'Cache-Control'] =
'private';
144 $headers[
'Vary'] =
'Cookie';
146 if ( !$title instanceof
Title ) {
147 $this->forbidden(
'img-auth-accessdenied',
'img-auth-badtitle', $name );
153 if ( !$hookRunner->onImgAuthBeforeStream( $title,
$path, $name, $authResult ) ) {
154 $this->forbidden( $authResult[0], $authResult[1], array_slice( $authResult, 2 ) );
161 if ( !$permissionManager->userCan(
'read', $user, $title ) ) {
162 $this->forbidden(
'img-auth-accessdenied',
'img-auth-noread', $name );
167 $range = $this->environment->getServerInfo(
'HTTP_RANGE' );
168 $ims = $this->environment->getServerInfo(
'HTTP_IF_MODIFIED_SINCE' );
170 if ( $range !==
null ) {
171 $headers[
'Range'] = $range;
173 if ( $ims !==
null ) {
174 $headers[
'If-Modified-Since'] = $ims;
177 if ( $request->getCheck(
'download' ) ) {
178 $headers[
'Content-Disposition'] =
'attachment';
182 $hookRunner->onImgAuthModifyHeaders( $title->getTitleValue(), $headers );
188 wfDebugLog(
'img_auth',
"Streaming `" . $filename .
"`." );
189 $repo->streamFileWithStatus( $filename, $headers, $options );