+function wfImageAuthMain() {
+ global $wgImgAuthPublicTest, $wgRequest;
+
+ // See if this is a public Wiki (no protections).
+ if ( $wgImgAuthPublicTest
+ && in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) )
+ {
+ // This is a public wiki, so disable this script (for private wikis only)
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-public' );
+ return;
+ }
+
+ // Get the requested file path (source file or thumbnail)
+ $matches = WebRequest::getPathInfo();
+ if ( !isset( $matches['title'] ) ) {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-nopathinfo' );
+ return;
+ }
+ $path = $matches['title'];
+ if ( $path && $path[0] !== '/' ) {
+ // Make sure $path has a leading /
+ $path = "/" . $path;
+ }
+
+ // Check for bug 28235: QUERY_STRING overriding the correct extension
+ $whitelist = array();
+ $dotPos = strrpos( $path, '.' );
+ if ( $dotPos !== false ) {
+ $whitelist[] = substr( $path, $dotPos + 1 );
+ }
+ if ( !$wgRequest->checkUrlExtension( $whitelist ) ) {
+ return;
+ }
+
+ // Get the local file repository
+ $repo = RepoGroup::singleton()->getRepo( 'local' );
+
+ // Get the full file storage path and extract the source file name.
+ // (e.g. 120px-Foo.png => Foo.png or page2-120px-Foo.png => Foo.png).
+ // This only applies to thumbnails, and all thumbnails should
+ // be under a folder that has the source file name.
+ if ( strpos( $path, '/thumb/' ) === 0 ) {
+ $name = wfBaseName( dirname( $path ) ); // file is a thumbnail
+ $filename = $repo->getZonePath( 'thumb' ) . substr( $path, 6 ); // strip "/thumb"
+ } else {
+ $name = wfBaseName( $path ); // file is a source file
+ $filename = $repo->getZonePath( 'public' ) . $path;
+ }
+
+ // Check to see if the file exists
+ if ( !$repo->fileExists( $filename ) ) {
+ wfForbidden( 'img-auth-accessdenied','img-auth-nofile', $filename );
+ return;
+ }
+
+ $title = Title::makeTitleSafe( NS_FILE, $name );
+ if ( !$title instanceof Title ) { // files have valid titles
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
+ return;
+ }
+
+ // Run hook for extension authorization plugins
+ if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) {
+ wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
+ return;
+ }
+
+ // Check user authorization for this title
+ // Checks Whitelist too
+ if ( !$title->userCan( 'read' ) ) {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
+ return;
+ }
+
+ // Stream the requested file
+ wfDebugLog( 'img_auth', "Streaming `".$filename."`." );
+ $repo->streamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );
+}
+
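Review bot: The permission check and the streamed file are derived separately from the same request path with no normalisation in between: `$name` comes from `wfBaseName()` of the path (or of its parent directory under `/thumb/`), while `$filename` is the raw `$path` appended to the zone path. Unless `fileExists()` and `streamFile()` reject relative segments, which this hunk does not show, `userCan( 'read' )` could be evaluated for a different title than the file that is sent; rejecting any `$path` that contains a `..` segment right after the leading-slash fix-up would close that gap. Separately, `$result` is never assigned before it is passed by reference to `ImgAuthBeforeStream`, so a handler that returns false without filling it leaves `$result[0]` indexing null; add `$result = null;` before the `wfRunHooks()` call and fall back to `'img-auth-accessdenied'` when it is not an array. The existence check also runs before the read check and hands the full storage path `$filename` to `wfForbidden()`, so it is worth confirming that this detail is never shown to a client that has not passed the read check.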