resources: Also add jQuery Migrate to foreign-resources.yaml

[lhc/web/wiklou.git] / img_auth.php

diff --git a/img_auth.php b/img_auth.php
index ba4ed74..6e45e4e 100644 (file)
--- a/img_auth.php
+++ b/img_auth.php
@@ -53,9 +53,10 @@ $mediawiki->doPostOutputShutdown( 'fast' );
 
 function wfImageAuthMain() {
        global $wgImgAuthUrlPathMap;
+       $permissionManager = \MediaWiki\MediaWikiServices::getInstance()->getPermissionManager();
 
        $request = RequestContext::getMain()->getRequest();
-       $publicWiki = in_array( 'read', User::getGroupPermissions( [ '*' ] ), true );
+       $publicWiki = in_array( 'read', $permissionManager->getGroupPermissions( [ '*' ] ), true );
 
        // Get the requested file path (source file or thumbnail)
        $matches = WebRequest::getPathInfo();
@@ -79,6 +80,8 @@ function wfImageAuthMain() {
                return;
        }
 
+       $user = RequestContext::getMain()->getUser();
+
        // Various extensions may have their own backends that need access.
        // Check if there is a special backend and storage base path for this file.
        foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) {
@@ -87,7 +90,7 @@ function wfImageAuthMain() {
                        $be = FileBackendGroup::singleton()->backendFromPath( $storageDir );
                        $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix
                        // Check basic user authorization
-                       if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) {
+                       if ( !$user->isAllowed( 'read' ) ) {
                                wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path );
                                return;
                        }
@@ -136,12 +139,13 @@ function wfImageAuthMain() {
 
        $headers = []; // extra HTTP headers to send
 
+       $title = Title::makeTitleSafe( NS_FILE, $name );
+
        if ( !$publicWiki ) {
                // For private wikis, run extra auth checks and set cache control headers
-               $headers[] = 'Cache-Control: private';
-               $headers[] = 'Vary: Cookie';
+               $headers['Cache-Control'] = 'private';
+               $headers['Vary'] = 'Cookie';
 
-               $title = Title::makeTitleSafe( NS_FILE, $name );
                if ( !$title instanceof Title ) { // files have valid titles
                        wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name );
                        return;
@@ -157,25 +161,29 @@ function wfImageAuthMain() {
 
                // Check user authorization for this title
                // Checks Whitelist too
-               if ( !$title->userCan( 'read' ) ) {
+
+               if ( !$permissionManager->userCan( 'read', $user, $title ) ) {
                        wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name );
                        return;
                }
        }
 
-       $options = []; // HTTP header options
        if ( isset( $_SERVER['HTTP_RANGE'] ) ) {
-               $options['range'] = $_SERVER['HTTP_RANGE'];
+               $headers['Range'] = $_SERVER['HTTP_RANGE'];
        }
        if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) {
-               $options['if-modified-since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE'];
+               $headers['If-Modified-Since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE'];
        }
 
        if ( $request->getCheck( 'download' ) ) {
-               $headers[] = 'Content-Disposition: attachment';
+               $headers['Content-Disposition'] = 'attachment';
        }
 
+       // Allow modification of headers before streaming a file
+       Hooks::run( 'ImgAuthModifyHeaders', [ $title->getTitleValue(), &$headers ] );
+
        // Stream the requested file
+       list( $headers, $options ) = HTTPFileStreamer::preprocessHeaders( $headers );
        wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." );
        $repo->streamFileWithStatus( $filename, $headers, $options );
 }