*/
function wfStreamThumb( array $params ) {
global $wgVaryOnXFP;
+ $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$headers = []; // HTTP headers to send
// Check permissions if there are read restrictions
$varyHeader = [];
- if ( !in_array( 'read', User::getGroupPermissions( [ '*' ] ), true ) ) {
- if ( !$img->getTitle() || !$img->getTitle()->userCan( 'read' ) ) {
+ if ( !in_array( 'read', $permissionManager->getGroupPermissions( [ '*' ] ), true ) ) {
+ $user = RequestContext::getMain()->getUser();
+ $imgTitle = $img->getTitle();
+
+ if ( !$imgTitle || !$permissionManager->userCan( 'read', $user, $imgTitle ) ) {
wfThumbError( 403, 'Access denied. You do not have permission to access ' .
'the source file.' );
return;
// For 404 handled thumbnails, we only use the base name of the URI
// for the thumb params and the parent directory for the source file name.
- // Check that the zone relative path matches up so squid caches won't pick
+ // Check that the zone relative path matches up so CDN caches won't pick
// up thumbs that would not be purged on source file deletion (T36231).
if ( $rel404 !== null ) { // thumbnail was handled via 404
if ( rawurldecode( $rel404 ) === $img->getThumbRel( $thumbName ) ) {
// Send request to proxied service
$status = $req->execute();
+ MediaWiki\HeaderCallback::warnIfHeadersSent();
+
// Simply serve the response from the proxied service as-is
header( 'HTTP/1.1 ' . $req->getStatus() );
function wfThumbError( $status, $msgHtml, $msgText = null, $context = [] ) {
global $wgShowHostnames;
+ MediaWiki\HeaderCallback::warnIfHeadersSent();
+
header( 'Cache-Control: no-cache' );
header( 'Content-Type: text/html; charset=utf-8' );
if ( $status == 400 || $status == 404 || $status == 429 ) {