+
+$title = Title::makeTitleSafe( NS_FILE, $name );
+
+// See if could create the title object
+if( !$title instanceof Title )
+ wfForbidden('img-auth-accessdenied','img-auth-badtitle',$name);
+
+// Run hook
+if (!wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) )
+ wfForbidden($result[0],$result[1],array_slice($result,2));
+
+// Check user authorization for this title
+// UserCanRead Checks Whitelist too
+if( !$title->userCanRead() )
+ wfForbidden('img-auth-accessdenied','img-auth-noread',$name);
+
+// Stream the requested file
+wfDebugLog( 'img_auth', "Streaming `".$filename."`." );
+wfStreamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );
+wfLogProfilingData();
+
+/**
+ * Issue a standard HTTP 403 Forbidden header ($msg1-a message index, not a message) and an
+ * error message ($msg2, also a message index), (both required) then end the script
+ * subsequent arguments to $msg2 will be passed as parameters only for replacing in $msg2
+ */
+function wfForbidden($msg1,$msg2) {
+ global $wgImgAuthDetails;
+ $args = func_get_args();
+ array_shift( $args );
+ array_shift( $args );
+ $MsgHdr = htmlspecialchars(wfMsg($msg1));
+ $detailMsg = (htmlspecialchars(wfMsg(($wgImgAuthDetails ? $msg2 : 'badaccess-group0'),$args)));
+ wfDebugLog('img_auth', "wfForbidden Hdr:".wfMsgExt( $msg1, array('language' => 'en'))." Msg: ".
+ wfMsgExt($msg2,array('language' => 'en'),$args));