45 $permissionManager = $services->getPermissionManager();
48 $publicWiki = $services->getGroupPermissionsLookup()->groupHasPermission(
'*',
'read' );
51 $baseUrl = $services->getRepoGroup()->getLocalRepo()->getZoneUrl(
'public' );
52 if ( $baseUrl[0] ===
'/' ) {
55 $basePath = parse_url( $baseUrl, PHP_URL_PATH );
59 if (
$path ===
false ) {
66 if (
$path ===
false ) {
67 $this->forbidden(
'img-auth-accessdenied',
'img-auth-notindir' );
81 foreach ( $pathMap as $prefix => $storageDir ) {
82 $prefix = rtrim( $prefix,
'/' ) .
'/';
83 if ( strpos(
$path, $prefix ) === 0 ) {
84 $be = $services->getFileBackendGroup()->backendFromPath( $storageDir );
85 $filename = $storageDir . substr(
$path, strlen( $prefix ) );
87 $isAllowedUser = $permissionManager->userHasRight( $user,
'read' );
88 if ( !$isAllowedUser ) {
89 $this->forbidden(
'img-auth-accessdenied',
'img-auth-noread',
$path );
92 if ( $be && $be->fileExists( [
'src' => $filename ] ) ) {
93 wfDebugLog(
'img_auth',
"Streaming `" . $filename .
"`." );
96 'headers' => [
'Cache-Control: private',
'Vary: Cookie' ]
99 $this->forbidden(
'img-auth-accessdenied',
'img-auth-nofile',
$path );
107 $repo = $services->getRepoGroup()->getLocalRepo();
108 $zone = strstr( ltrim(
$path,
'/' ),
'/',
true );
114 if ( $zone ===
'thumb' || $zone ===
'transcoded' ) {
116 $filename = $repo->getZonePath( $zone ) . substr(
$path, strlen(
"/" . $zone ) );
118 if ( !$repo->fileExists( $filename ) ) {
119 $this->forbidden(
'img-auth-accessdenied',
'img-auth-nofile', $filename );
124 $filename = $repo->getZonePath(
'public' ) .
$path;
126 $bits = explode(
'!', $name, 2 );
127 if ( str_starts_with(
$path,
'/archive/' ) && count( $bits ) == 2 ) {
128 $file = $repo->newFromArchiveName( $bits[1], $name );
130 $file = $repo->newFile( $name );
132 if ( !$file || !$file->exists() || $file->isDeleted( File::DELETED_FILE ) ) {
133 $this->forbidden(
'img-auth-accessdenied',
'img-auth-nofile', $filename );
140 $title = Title::makeTitleSafe(
NS_FILE, $name );
142 $hookRunner =
new HookRunner( $services->getHookContainer() );
143 if ( !$publicWiki ) {
145 $headers[
'Cache-Control'] =
'private';
146 $headers[
'Vary'] =
'Cookie';
148 if ( !$title instanceof
Title ) {
149 $this->forbidden(
'img-auth-accessdenied',
'img-auth-badtitle', $name );
155 if ( !$hookRunner->onImgAuthBeforeStream( $title,
$path, $name, $authResult ) ) {
156 $this->forbidden( $authResult[0], $authResult[1], array_slice( $authResult, 2 ) );
163 if ( !$permissionManager->userCan(
'read', $user, $title ) ) {
164 $this->forbidden(
'img-auth-accessdenied',
'img-auth-noread', $name );
169 $range = $this->environment->getServerInfo(
'HTTP_RANGE' );
170 $ims = $this->environment->getServerInfo(
'HTTP_IF_MODIFIED_SINCE' );
172 if ( $range !==
null ) {
173 $headers[
'Range'] = $range;
175 if ( $ims !==
null ) {
176 $headers[
'If-Modified-Since'] = $ims;
179 if ( $request->getCheck(
'download' ) ) {
180 $headers[
'Content-Disposition'] =
'attachment';
184 $hookRunner->onImgAuthModifyHeaders( $title->getTitleValue(), $headers );
190 wfDebugLog(
'img_auth',
"Streaming `" . $filename .
"`." );
191 $repo->streamFileWithStatus( $filename, $headers, $options );