master/php/img__auth_8php_source.html

 <?php

 define( 'MW_NO_OUTPUT_COMPRESSION', 1 );

 define( 'MW_ENTRY_POINT', 'img_auth' );

 require __DIR__ . '/includes/WebStart.php';


 wfImageAuthMain();


 $mediawiki = new MediaWiki();

 $mediawiki->doPostOutputShutdown();


 function wfImageAuthMain() {

     global $wgImgAuthUrlPathMap, $wgScriptPath, $wgImgAuthPath;


     $services = \MediaWiki\MediaWikiServices::getInstance();

     $permissionManager = $services->getPermissionManager();


     $request = RequestContext::getMain()->getRequest();

     $publicWiki = in_array( 'read', $permissionManager->getGroupPermissions( [ '*' ] ), true );


     // Find the path assuming the request URL is relative to the local public zone URL

     $baseUrl = $services->getRepoGroup()->getLocalRepo()->getZoneUrl( 'public' );

     if ( $baseUrl[0] === '/' ) {

         $basePath = $baseUrl;

     } else {

         $basePath = parse_url( $baseUrl, PHP_URL_PATH );

     }

     $path = WebRequest::getRequestPathSuffix( $basePath );


     if ( $path === false ) {

         // Try instead assuming img_auth.php is the base path

         $basePath = $wgImgAuthPath ?: "$wgScriptPath/img_auth.php";

         $path = WebRequest::getRequestPathSuffix( $basePath );

     }


     if ( $path === false ) {

         wfForbidden( 'img-auth-accessdenied', 'img-auth-notindir' );

         return;

     }


     if ( $path === '' || $path[0] !== '/' ) {

         // Make sure $path has a leading /

         $path = "/" . $path;

     }


     $user = RequestContext::getMain()->getUser();


     // Various extensions may have their own backends that need access.

     // Check if there is a special backend and storage base path for this file.

     foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) {

         $prefix = rtrim( $prefix, '/' ) . '/'; // implicit trailing slash

         if ( strpos( $path, $prefix ) === 0 ) {

             $be = $services->getFileBackendGroup()->backendFromPath( $storageDir );

             $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix

             // Check basic user authorization

             $isAllowedUser = $permissionManager->userHasRight( $user, 'read' );

             if ( !$isAllowedUser ) {

                 wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path );

                 return;

             }

             if ( $be->fileExists( [ 'src' => $filename ] ) ) {

                 wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );

                 $be->streamFile( [

                     'src' => $filename,

                     'headers' => [ 'Cache-Control: private', 'Vary: Cookie' ]

                 ] );

             } else {

                 wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $path );

             }

             return;

         }

     }


     // Get the local file repository

     $repo = $services->getRepoGroup()->getRepo( 'local' );

     $zone = strstr( ltrim( $path, '/' ), '/', true );


     // Get the full file storage path and extract the source file name.

     // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png).

     // This only applies to thumbnails/transcoded, and each of them should

     // be under a folder that has the source file name.

     if ( $zone === 'thumb' || $zone === 'transcoded' ) {

         $name = wfBaseName( dirname( $path ) );

         $filename = $repo->getZonePath( $zone ) . substr( $path, strlen( "/" . $zone ) );

         // Check to see if the file exists

         if ( !$repo->fileExists( $filename ) ) {

             wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );

             return;

         }

     } else {

         $name = wfBaseName( $path ); // file is a source file

         $filename = $repo->getZonePath( 'public' ) . $path;

         // Check to see if the file exists and is not deleted

         $bits = explode( '!', $name, 2 );

         if ( substr( $path, 0, 9 ) === '/archive/' && count( $bits ) == 2 ) {

             $file = $repo->newFromArchiveName( $bits[1], $name );

         } else {

             $file = $repo->newFile( $name );

         }

         if ( !$file->exists() || $file->isDeleted( File::DELETED_FILE ) ) {

             wfForbidden( 'img-auth-accessdenied', 'img-auth-nofile', $filename );

             return;

         }

     }


     $headers = []; // extra HTTP headers to send


     $title = Title::makeTitleSafe( NS_FILE, $name );


     if ( !$publicWiki ) {

         // For private wikis, run extra auth checks and set cache control headers

         $headers['Cache-Control'] = 'private';

         $headers['Vary'] = 'Cookie';


         if ( !$title instanceof Title ) { // files have valid titles

             wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );

             return;

         }


         // Run hook for extension authorization plugins

         $result = null;

         if ( !Hooks::runner()->onImgAuthBeforeStream( $title, $path, $name, $result ) ) {

             wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );

             return;

         }


         // Check user authorization for this title

         // Checks Whitelist too


         if ( !$permissionManager->userCan( 'read', $user, $title ) ) {

             wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );

             return;

         }

     }


     if ( isset( $_SERVER['HTTP_RANGE'] ) ) {

         $headers['Range'] = $_SERVER['HTTP_RANGE'];

     }

     if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {

         $headers['If-Modified-Since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE'];

     }


     if ( $request->getCheck( 'download' ) ) {

         $headers['Content-Disposition'] = 'attachment';

     }


     // Allow modification of headers before streaming a file

     Hooks::runner()->onImgAuthModifyHeaders( $title->getTitleValue(), $headers );


     // Stream the requested file

     list( $headers, $options ) = HTTPFileStreamer::preprocessHeaders( $headers );

     wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );

     $repo->streamFileWithStatus( $filename, $headers, $options );

 }


 function wfForbidden( $msg1, $msg2, ...$args ) {

     global $wgImgAuthDetails;


     $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args;


     $msgHdr = wfMessage( $msg1 )->text();

     $detailMsgKey = $wgImgAuthDetails ? $msg2 : 'badaccess-group0';

     $detailMsg = wfMessage( $detailMsgKey, $args )->text();


     wfDebugLog( 'img_auth',

         "wfForbidden Hdr: " . wfMessage( $msg1 )->inLanguage( 'en' )->text() . " Msg: " .

             wfMessage( $msg2, $args )->inLanguage( 'en' )->text()

     );


     HttpStatus::header( 403 );

     header( 'Cache-Control: no-cache' );

     header( 'Content-Type: text/html; charset=utf-8' );

     $templateParser = new TemplateParser();

     echo $templateParser->processTemplate( 'ImageAuthForbidden', [

         'msgHdr' => $msgHdr,

         'detailMsg' => $detailMsg,

     ] );

 }

NS_FILE
const NS_FILE
Definition: Defines.php:70

wfBaseName
wfBaseName( $path, $suffix='')
Return the final portion of a pathname.
Definition: GlobalFunctions.php:1852

wfDebugLog
wfDebugLog( $logGroup, $text, $dest='all', array $context=[])
Send a line to a supplementary debug log file, if configured, or main debug log if not.
Definition: GlobalFunctions.php:723

wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition: GlobalFunctions.php:937

$path
$path
Definition: NoLocalSettings.php:25

$templateParser
$templateParser
Definition: NoLocalSettings.php:47

File\DELETED_FILE
const DELETED_FILE
Definition: File.php:72

HTTPFileStreamer\preprocessHeaders
static preprocessHeaders( $headers)
Takes HTTP headers in a name => value format and converts them to the weird format expected by stream...
Definition: HTTPFileStreamer.php:51

Hooks\runner
static runner()
Get a HookRunner instance for calling hooks using the new interfaces.
Definition: Hooks.php:173

HttpStatus\header
static header( $code)
Output an HTTP status code header.
Definition: HttpStatus.php:96

MediaWiki
The MediaWiki class is the helper class for the index.php entry point.
Definition: MediaWiki.php:38

RequestContext\getMain
static getMain()
Get the RequestContext object associated with the main request.
Definition: RequestContext.php:556

TemplateParser
Definition: TemplateParser.php:28

Title
Represents a title within MediaWiki.
Definition: Title.php:49

Title\makeTitleSafe
static makeTitleSafe( $ns, $title, $fragment='', $interwiki='')
Create a new Title from a namespace index and a DB key.
Definition: Title.php:664

WebRequest\getRequestPathSuffix
static getRequestPathSuffix( $basePath)
If the request URL matches a given base path, extract the path part of the request URL after that bas...
Definition: WebRequest.php:238

$wgImgAuthPath
$wgImgAuthPath
Config variable stub for the ImgAuthPath setting, for use by phpdoc and IDEs.
Definition: config-vars.php:139

$wgImgAuthDetails
$wgImgAuthDetails
Config variable stub for the ImgAuthDetails setting, for use by phpdoc and IDEs.
Definition: config-vars.php:269

$wgImgAuthUrlPathMap
$wgImgAuthUrlPathMap
Config variable stub for the ImgAuthUrlPathMap setting, for use by phpdoc and IDEs.
Definition: config-vars.php:275

$wgScriptPath
$wgScriptPath
Config variable stub for the ScriptPath setting, for use by phpdoc and IDEs.
Definition: config-vars.php:61

wfForbidden
wfForbidden( $msg1, $msg2,... $args)
Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an error messag...
Definition: img_auth.php:205

wfImageAuthMain
wfImageAuthMain()
Definition: img_auth.php:51

$mediawiki
$mediawiki
Definition: img_auth.php:48

$args
if( $line===false) $args
Definition: mcc.php:124

$file
if(PHP_SAPI !='cli-server') if(!isset( $_SERVER['SCRIPT_FILENAME'])) $file
Item class for a filearchive table row.
Definition: router.php:42

$title
$title
Definition: testCompression.php:38