X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=img_auth.php;h=914014d85f8d44996567f3eceee4f9915d1bbfeb;hb=b5f384f943fc67c6601d4959dcfb9774766e1156;hp=ba4ed748348235de108f382d4cee24dc906d2d10;hpb=34d2b3aa238754621462cfaa10aa45c7751bf9a8;p=lhc%2Fweb%2Fwiklou.git

diff --git a/img_auth.php b/img_auth.php
index ba4ed74834..914014d85f 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -79,6 +79,8 @@ function wfImageAuthMain() {
 		return;
 	}
 
+	$user = RequestContext::getMain()->getUser();
+
 	// Various extensions may have their own backends that need access.
 	// Check if there is a special backend and storage base path for this file.
 	foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) {
@@ -87,7 +89,7 @@ function wfImageAuthMain() {
 			$be = FileBackendGroup::singleton()->backendFromPath( $storageDir );
 			$filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix
 			// Check basic user authorization
-			if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) {
+			if ( !$user->isAllowed( 'read' ) ) {
 				wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path );
 				return;
 			}
@@ -136,12 +138,13 @@ function wfImageAuthMain() {
 
 	$headers = []; // extra HTTP headers to send
 
+	$title = Title::makeTitleSafe( NS_FILE, $name );
+
 	if ( !$publicWiki ) {
 		// For private wikis, run extra auth checks and set cache control headers
-		$headers[] = 'Cache-Control: private';
-		$headers[] = 'Vary: Cookie';
+		$headers['Cache-Control'] = 'private';
+		$headers['Vary'] = 'Cookie';
 
-		$title = Title::makeTitleSafe( NS_FILE, $name );
 		if ( !$title instanceof Title ) { // files have valid titles
 			wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
 			return;
@@ -157,25 +160,30 @@ function wfImageAuthMain() {
 
 		// Check user authorization for this title
 		// Checks Whitelist too
-		if ( !$title->userCan( 'read' ) ) {
+		$permissionManager = \MediaWiki\MediaWikiServices::getInstance()->getPermissionManager();
+
+		if ( !$permissionManager->userCan( 'read', $user, $title ) ) {
 			wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
 			return;
 		}
 	}
 
-	$options = []; // HTTP header options
 	if ( isset( $_SERVER['HTTP_RANGE'] ) ) {
-		$options['range'] = $_SERVER['HTTP_RANGE'];
+		$headers['Range'] = $_SERVER['HTTP_RANGE'];
 	}
 	if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
-		$options['if-modified-since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE'];
+		$headers['If-Modified-Since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE'];
 	}
 
 	if ( $request->getCheck( 'download' ) ) {
-		$headers[] = 'Content-Disposition: attachment';
+		$headers['Content-Disposition'] = 'attachment';
 	}
 
+	// Allow modification of headers before streaming a file
+	Hooks::run( 'ImgAuthModifyHeaders', [ $title->getTitleValue(), &$headers ] );
+
 	// Stream the requested file
+	list( $headers, $options ) = HTTPFileStreamer::preprocessHeaders( $headers );
 	wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
 	$repo->streamFileWithStatus( $filename, $headers, $options );
 }