X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Flibs%2Ffilebackend%2FSwiftFileBackend.php;h=997974e7f2c74c8889dcc6d93493842259fdac0b;hb=339adab63a1e6016446743f2003d42fbfc1fbace;hp=27ce212bad025dd160018a5ba8ec8c250896205f;hpb=2917f7b6cd3b16068309c5ee369f946c17bfe0bb;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/libs/filebackend/SwiftFileBackend.php b/includes/libs/filebackend/SwiftFileBackend.php
index 27ce212bad..997974e7f2 100644
--- a/includes/libs/filebackend/SwiftFileBackend.php
+++ b/includes/libs/filebackend/SwiftFileBackend.php
@@ -50,10 +50,14 @@ class SwiftFileBackend extends FileBackendStore {
 protected $rgwS3AccessKey;
 /** @var string S3 authentication key (RADOS Gateway) */
 protected $rgwS3SecretKey;
- /** @var array Additional users (account:user) to open read permissions for */
+ /** @var array Additional users (account:user) with read permissions on public containers */
 protected $readUsers;
- /** @var array Additional users (account:user) to open write permissions for */
+ /** @var array Additional users (account:user) with write permissions on public containers */
 protected $writeUsers;
+ /** @var array Additional users (account:user) with read permissions on private containers */
+ protected $secureReadUsers;
+ /** @var array Additional users (account:user) with write permissions on private containers */
+ protected $secureWriteUsers;
 /** @var BagOStuff */
 protected $srvCache;
 
@@ -87,7 +91,7 @@ class SwiftFileBackend extends FileBackendStore {
 * - levels : the number of hash levels (and digits)
 * - repeat : hash subdirectories are prefixed with all the
 * parent hash directory names (e.g. "a/ab/abc")
- * - cacheAuthInfo : Whether to cache authentication tokens in APC, XCache, ect.
+ * - cacheAuthInfo : Whether to cache authentication tokens in APC, etc.
 * If those are not available, then the main cache will be used.
 * This is probably insecure in shared hosting environments.
 * - rgwS3AccessKey : Rados Gateway S3 "access key" value on the account.
@@ -100,8 +104,10 @@ class SwiftFileBackend extends FileBackendStore {
 * This is used for generating expiring pre-authenticated URLs.
 * Only use this when using rgw and to work around
 * http://tracker.newdream.net/issues/3454.
- * - readUsers : Swift users that should have read access (account:username)
- * - writeUsers : Swift users that should have write access (account:username)
+ * - readUsers : Swift users with read access to public containers (account:username)
+ * - writeUsers : Swift users with write access to public containers (account:username)
+ * - secureReadUsers : Swift users with read access to private containers (account:username)
+ * - secureWriteUsers : Swift users with write access to private containers (account:username)
 */
 public function __construct( array $config ) {
 parent::__construct( $config );
@@ -148,6 +154,12 @@ class SwiftFileBackend extends FileBackendStore {
 $this->writeUsers = isset( $config['writeUsers'] )
 ? $config['writeUsers']
 : [];
+ $this->secureReadUsers = isset( $config['secureReadUsers'] )
+ ? $config['secureReadUsers']
+ : [];
+ $this->secureWriteUsers = isset( $config['secureWriteUsers'] )
+ ? $config['secureWriteUsers']
+ : [];
 }
 
 public function getFeatures() {
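Review bot: The `[]` defaults for `secureReadUsers` and `secureWriteUsers` in the constructor hunk (@@ -148) silently narrow existing deployments: a configuration that only sets `readUsers`/`writeUsers` used to grant those accounts access to private containers as well, and after this change they get nothing beyond `$this->swiftUser` there. That is the least-privilege default and worth keeping, but the option docblock in the @@ -100 hunk should state it, e.g. after the `secureWriteUsers` entry: ` *   readUsers/writeUsers no longer apply to private containers; repeat such accounts under secureReadUsers/secureWriteUsers if they still need access.` The constructor also stores the four lists without checking that they are arrays, and they are later passed straight to `array_merge()` in createContainer()/doSecureInternal(), so a scalar value (a single 'account:user' string) would surface as a failure at container-ACL time rather than at construction; an `(array)` cast on each assignment, or an early `InvalidArgumentException`, would make the misconfiguration visible up front. I cannot see the rest of the constructor from this hunk, so hedge this against whatever validation it already does.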
@@ -335,9 +347,9 @@ class SwiftFileBackend extends FileBackendStore {
 return $status;
 }
 
- MediaWiki\suppressWarnings();
+ Wikimedia\suppressWarnings();
 $sha1Hash = sha1_file( $params['src'] );
- MediaWiki\restoreWarnings();
+ Wikimedia\restoreWarnings();
 if ( $sha1Hash === false ) { // source doesn't exist?
 $status->fatal( 'backend-fail-store', $params['src'], $params['dst'] );
 
@@ -625,8 +637,8 @@ class SwiftFileBackend extends FileBackendStore {
 
 $stat = $this->getContainerStat( $fullCont );
 if ( is_array( $stat ) ) {
- $readUsers = array_merge( $this->readUsers, [ $this->swiftUser ] );
- $writeUsers = array_merge( $this->writeUsers, [ $this->swiftUser ] );
+ $readUsers = array_merge( $this->secureReadUsers, [ $this->swiftUser ] );
+ $writeUsers = array_merge( $this->secureWriteUsers, [ $this->swiftUser ] );
 // Make container private to end-users...
 $status->merge( $this->setContainerAccess(
 $fullCont,
@@ -1463,13 +1475,15 @@ class SwiftFileBackend extends FileBackendStore {
 
 // @see SwiftFileBackend::setContainerAccess()
 if ( empty( $params['noAccess'] ) ) {
- $readUsers = array_merge( $this->readUsers, [ '.r:*', $this->swiftUser ] ); // public
+ // public
+ $readUsers = array_merge( $this->readUsers, [ '.r:*', $this->swiftUser ] );
+ $writeUsers = array_merge( $this->writeUsers, [ $this->swiftUser ] );
 } else {
- $readUsers = array_merge( $this->readUsers, [ $this->swiftUser ] ); // private
+ // private
+ $readUsers = array_merge( $this->secureReadUsers, [ $this->swiftUser ] );
+ $writeUsers = array_merge( $this->secureWriteUsers, [ $this->swiftUser ] );
 }
- $writeUsers = array_merge( $this->writeUsers, [ $this->swiftUser ] ); // sanity
-
 
 list( $rcode, $rdesc, $rhdrs, $rbody, $rerr ) = $this->http->run( [
 'method' => 'PUT',
 'url' => $this->storageUrl( $auth, $container ),
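Review bot: The private-container ACL is now assembled by hand in two places, the doSecureInternal hunk (@@ -625) and the createContainer hunk (@@ -1463), and the removed lines of @@ -625 show exactly how such copies drift: the old code granted the public `readUsers` list on a container that was being made private. A small private helper that takes the privacy flag and returns the `[ $readUsers, $writeUsers ]` pair, called from both sites, keeps the `.r:*` referrer grant and the secure lists in one spot so the next change cannot fix one site and miss the other. Both enclosing methods start and end outside their hunks, and I assume an inverse publish path exists outside this diff that still uses `readUsers`/`writeUsers`; it would go through the same helper. A sketch follows; it adds `$this->swiftUser` exactly as the hunks do.
```php
	/**
	 * Build the Swift container ACL user lists used by createContainer() and doSecureInternal().
	 *
	 * @param bool $private True for a private container (no ".r:*" grant, "secure*" user lists)
	 * @return array [ read users, write users ]; the backend's own user is always included
	 */
	private function getContainerAclUsers( $private ) {
		if ( $private ) {
			$readUsers = array_merge( $this->secureReadUsers, [ $this->swiftUser ] );
			$writeUsers = array_merge( $this->secureWriteUsers, [ $this->swiftUser ] );
		} else {
			$readUsers = array_merge( $this->readUsers, [ '.r:*', $this->swiftUser ] );
			$writeUsers = array_merge( $this->writeUsers, [ $this->swiftUser ] );
		}

		return [ $readUsers, $writeUsers ];
	}

	// … in doSecureInternal(), replacing the two array_merge() lines …
	list( $readUsers, $writeUsers ) = $this->getContainerAclUsers( true );

	// … in createContainer(), replacing the if/else block …
	list( $readUsers, $writeUsers ) = $this->getContainerAclUsers( !empty( $params['noAccess'] ) );
```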
@@ -1797,7 +1811,7 @@ class SwiftFileBackend extends FileBackendStore {
 if ( $code == 401 ) { // possibly a stale token
 $this->srvCache->delete( $this->getCredsCacheKey( $this->swiftUser ) );
 }
- $msg = "HTTP {code} ({desc}) in '{func}' (given '{params}')";
+ $msg = "HTTP {code} ({desc}) in '{func}' (given '{req_params}')";
 $msgParams = [
 'code' => $code,
 'desc' => $desc,
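Review bot: The renamed placeholder `{req_params}` in the format string only resolves if `$msgParams` carries a `'req_params'` key, and that entry lies past the end of the hunk (the `$msgParams` literal continues outside it), so confirm the key was renamed from `'params'` in the same commit; otherwise the log line used for HTTP error triage would carry the literal text `{req_params}` and the request details would drop out of it. Whether it was renamed or not, nothing in the hunk says why `req_params` was chosen over `params`; a one-line comment above the `$msg` assignment giving that reason would save the next reader the same question.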