X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=img_auth.php;h=1434125af991df0cdff797465ca37c894796b923;hb=d7451a03e98568652ba8b0a1c31034c04d5a7992;hp=fa1609f96398c83a68034e1e04d8fb21a238fde3;hpb=2d98fe5e2c582ea45256c3e0afa69cb6b51b852b;p=lhc%2Fweb%2Fwiklou.git diff --git a/img_auth.php b/img_auth.php index fa1609f963..1434125af9 100644 --- a/img_auth.php +++ b/img_auth.php @@ -17,7 +17,8 @@ * just that it was. If you want to change this, you can set $wgImgAuthDetails to 'true' * in localsettings.php and it will give the user the reason why access was denied. * - * Your server needs to support PATH_INFO; CGI-based configurations usually don't. + * Your server needs to support REQUEST_URI or PATH_INFO; CGI-based + * configurations sometimes don't. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -68,7 +69,7 @@ function wfImageAuthMain() { $path = "/" . $path; } - // Check for bug 28235: QUERY_STRING overriding the correct extension + // Check for T30235: QUERY_STRING overriding the correct extension $whitelist = []; $extension = FileBackend::extensionFromPath( $path, 'rawcase' ); if ( $extension != '' ) { @@ -78,6 +79,8 @@ function wfImageAuthMain() { return; } + $user = RequestContext::getMain()->getUser(); + // Various extensions may have their own backends that need access. // Check if there is a special backend and storage base path for this file. foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) { @@ -86,7 +89,7 @@ function wfImageAuthMain() { $be = FileBackendGroup::singleton()->backendFromPath( $storageDir ); $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix // Check basic user authorization - if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) { + if ( !$user->isAllowed( 'read' ) ) { wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path ); return; } @@ -147,7 +150,7 @@ function wfImageAuthMain() { } // Run hook for extension authorization plugins - /** @var $result array */ + /** @var array $result */ $result = null; if ( !Hooks::run( 'ImgAuthBeforeStream', [ &$title, &$path, &$name, &$result ] ) ) { wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) ); @@ -156,7 +159,9 @@ function wfImageAuthMain() { // Check user authorization for this title // Checks Whitelist too - if ( !$title->userCan( 'read' ) ) { + $permissionManager = \MediaWiki\MediaWikiServices::getInstance()->getPermissionManager(); + + if ( !$permissionManager->userCan( 'read', $user, $title ) ) { wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name ); return; } @@ -176,7 +181,7 @@ function wfImageAuthMain() { // Stream the requested file wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); - $repo->streamFile( $filename, $headers, $options ); + $repo->streamFileWithStatus( $filename, $headers, $options ); } /** @@ -185,13 +190,12 @@ function wfImageAuthMain() { * subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2 * @param string $msg1 * @param string $msg2 + * @param mixed ...$args To pass as params to wfMessage() with $msg2. Either variadic, or a single + * array argument. */ -function wfForbidden( $msg1, $msg2 ) { +function wfForbidden( $msg1, $msg2, ...$args ) { global $wgImgAuthDetails; - $args = func_get_args(); - array_shift( $args ); - array_shift( $args ); $args = ( isset( $args[0] ) && is_array( $args[0] ) ) ? $args[0] : $args; $msgHdr = wfMessage( $msg1 )->escaped();