60 $services = \MediaWiki\MediaWikiServices::getInstance();
61 $permissionManager = $services->getPermissionManager();
63 $request = RequestContext::getMain()->getRequest();
64 $publicWiki = $services->getGroupPermissionsLookup()->groupHasPermission(
'*',
'read' );
67 $baseUrl = $services->getRepoGroup()->getLocalRepo()->getZoneUrl(
'public' );
68 if ( $baseUrl[0] ===
'/' ) {
71 $basePath = parse_url( $baseUrl, PHP_URL_PATH );
73 $path = WebRequest::getRequestPathSuffix( $basePath );
75 if (
$path ===
false ) {
78 $path = WebRequest::getRequestPathSuffix( $basePath );
81 if (
$path ===
false ) {
82 wfForbidden(
'img-auth-accessdenied',
'img-auth-notindir' );
91 $user = RequestContext::getMain()->getUser();
96 $prefix = rtrim( $prefix,
'/' ) .
'/';
97 if ( strpos(
$path, $prefix ) === 0 ) {
98 $be = $services->getFileBackendGroup()->backendFromPath( $storageDir );
99 $filename = $storageDir . substr(
$path, strlen( $prefix ) );
101 $isAllowedUser = $permissionManager->userHasRight( $user,
'read' );
102 if ( !$isAllowedUser ) {
106 if ( $be->fileExists( [
'src' => $filename ] ) ) {
107 wfDebugLog(
'img_auth',
"Streaming `" . $filename .
"`." );
110 'headers' => [
'Cache-Control: private',
'Vary: Cookie' ]
120 $repo = $services->getRepoGroup()->getRepo(
'local' );
121 $zone = strstr( ltrim(
$path,
'/' ),
'/',
true );
127 if ( $zone ===
'thumb' || $zone ===
'transcoded' ) {
129 $filename = $repo->getZonePath( $zone ) . substr(
$path, strlen(
"/" . $zone ) );
131 if ( !$repo->fileExists( $filename ) ) {
132 wfForbidden(
'img-auth-accessdenied',
'img-auth-nofile', $filename );
137 $filename = $repo->getZonePath(
'public' ) .
$path;
139 $bits = explode(
'!', $name, 2 );
140 if ( str_starts_with(
$path,
'/archive/' ) && count( $bits ) == 2 ) {
141 $file = $repo->newFromArchiveName( $bits[1], $name );
143 $file = $repo->newFile( $name );
145 if ( !$file->exists() || $file->isDeleted( File::DELETED_FILE ) ) {
146 wfForbidden(
'img-auth-accessdenied',
'img-auth-nofile', $filename );
153 $title = Title::makeTitleSafe(
NS_FILE, $name );
155 $hookRunner =
new HookRunner( $services->getHookContainer() );
156 if ( !$publicWiki ) {
158 $headers[
'Cache-Control'] =
'private';
159 $headers[
'Vary'] =
'Cookie';
161 if ( !$title instanceof
Title ) {
162 wfForbidden(
'img-auth-accessdenied',
'img-auth-badtitle', $name );
169 if ( !$hookRunner->onImgAuthBeforeStream( $title,
$path, $name, $result ) ) {
170 wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
177 if ( !$permissionManager->userCan(
'read', $user, $title ) ) {
178 wfForbidden(
'img-auth-accessdenied',
'img-auth-noread', $name );
183 if ( isset( $_SERVER[
'HTTP_RANGE'] ) ) {
184 $headers[
'Range'] = $_SERVER[
'HTTP_RANGE'];
186 if ( isset( $_SERVER[
'HTTP_IF_MODIFIED_SINCE'] ) ) {
187 $headers[
'If-Modified-Since'] = $_SERVER[
'HTTP_IF_MODIFIED_SINCE'];
190 if ( $request->getCheck(
'download' ) ) {
191 $headers[
'Content-Disposition'] =
'attachment';
195 $hookRunner->onImgAuthModifyHeaders( $title->getTitleValue(), $headers );
198 [ $headers, $options ] = HTTPFileStreamer::preprocessHeaders( $headers );
199 wfDebugLog(
'img_auth',
"Streaming `" . $filename .
"`." );
200 $repo->streamFileWithStatus( $filename, $headers, $options );
215 $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args;
219 $detailMsg =
wfMessage( $detailMsgKey, $args )->text();
222 "wfForbidden Hdr: " .
wfMessage( $msg1 )->inLanguage(
'en' )->text() .
" Msg: " .
223 wfMessage( $msg2, $args )->inLanguage(
'en' )->text()
226 HttpStatus::header( 403 );
227 header(
'Cache-Control: no-cache' );
228 header(
'Content-Type: text/html; charset=utf-8' );
232 'detailMsg' => $detailMsg,
wfDebugLog( $logGroup, $text, $dest='all', array $context=[])
Send a line to a supplementary debug log file, if configured, or main debug log if not.
wfForbidden( $msg1, $msg2,... $args)
Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an error messag...