-/**
- * Issue a standard HTTP 403 Forbidden header and a basic
- * error message, then end the script
- */
-function wfForbidden() {
- header( 'HTTP/1.0 403 Forbidden' );
- header( 'Vary: Cookie' );
- header( 'Content-Type: text/html; charset=utf-8' );
- echo <<<ENDS
-<html>
-<body>
-<h1>Access Denied</h1>
-<p>You need to log in to access files on this server.</p>
-</body>
-</html>
-ENDS;
- wfLogProfilingData();
- exit();
+ // Check to see if the file exists
+ if ( !$repo->fileExists( $filename ) ) {
+ wfForbidden( 'img-auth-accessdenied','img-auth-nofile', $filename );
+ return;
+ }
+
+ $title = Title::makeTitleSafe( NS_FILE, $name );
+ if ( !$title instanceof Title ) { // files have valid titles
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
+ return;
+ }
+
+ // Run hook for extension authorization plugins
+ if ( !wfRunHooks( 'ImgAuthBeforeStream', array( &$title, &$path, &$name, &$result ) ) ) {
+ wfForbidden( $result[0], $result[1], array_slice( $result, 2 ) );
+ return;
+ }
+
+ // Check user authorization for this title
+ // Checks Whitelist too
+ if ( !$title->userCan( 'read' ) ) {
+ wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
+ return;
+ }
+
+ // Stream the requested file
+ wfDebugLog( 'img_auth', "Streaming `".$filename."`." );
+ $repo->streamFile( $filename, array( 'Cache-Control: private', 'Vary: Cookie' ) );