Make a loop to keep them really deleted.

[lhc/web/wiklou.git] / thumb.php

diff --git a/thumb.php b/thumb.php
index 6af0698..64f24c1 100644 (file)
--- a/thumb.php
+++ b/thumb.php
@@ -20,6 +20,9 @@ wfLogProfilingData();
 
 function wfThumbMain() {
        wfProfileIn( __METHOD__ );
+
+       $headers = array();
+
        // Get input parameters
        if ( get_magic_quotes_gpc() ) {
                $params = array_map( 'stripslashes', $_REQUEST );
@@ -55,7 +58,7 @@ function wfThumbMain() {
                        wfThumbError( 404, wfMsg( 'badtitletext' ) );
                        return;
                }
-               $title = Title::makeTitleSafe( NS_IMAGE, $bits[1] );
+               $title = Title::makeTitleSafe( NS_FILE, $bits[1] );
                if( is_null($title) ) {
                        wfThumbError( 404, wfMsg( 'badtitletext' ) );
                        return;
@@ -65,6 +68,17 @@ function wfThumbMain() {
                $img = wfLocalFile( $fileName );
        }
 
+       // Check permissions if there are read restrictions
+       if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
+               if ( !$img->getTitle()->userCanRead() ) {
+                       wfThumbError( 403, 'Access denied. You do not have permission to access ' . 
+                               'the source file.' );
+                       return;
+               }
+               $headers[] = 'Cache-Control: private';
+               $headers[] = 'Vary: Cookie';
+       }
+
        if ( !$img ) {
                wfThumbError( 404, wfMsg( 'badtitletext' ) );
                return;
@@ -73,7 +87,7 @@ function wfThumbMain() {
                wfThumbError( 404, 'The source file for the specified thumbnail does not exist.' );
                return;
        }
-       $sourcePath = $isOld ? $img->getArchivePath() : $img->getPath();
+       $sourcePath = $img->getPath();
        if ( $sourcePath === false ) {
                wfThumbError( 500, 'The source file is not locally accessible.' );
                return;
@@ -87,8 +101,8 @@ function wfThumbMain() {
                // Calculate time
                wfSuppressWarnings();
                $imsUnix = strtotime( $imsString );
+               $stat = stat( $sourcePath );
                wfRestoreWarnings();
-               $stat = @stat( $sourcePath );
                if ( $stat['mtime'] <= $imsUnix ) {
                        header( 'HTTP/1.1 304 Not Modified' );
                        return;
@@ -101,7 +115,7 @@ function wfThumbMain() {
                        $thumbPath = $img->getThumbPath( $thumbName );
 
                        if ( is_file( $thumbPath ) ) {
-                               wfStreamFile( $thumbPath );
+                               wfStreamFile( $thumbPath, $headers );
                                return;
                        }
                }
@@ -128,7 +142,7 @@ function wfThumbMain() {
                $errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' .
                        'is the requested width bigger than the source?' );
        } else {
-               wfStreamFile( $thumb->getPath() );
+               wfStreamFile( $thumb->getPath(), $headers );
        }
        if ( $errorMsg !== false ) {
                wfThumbError( 500, $errorMsg );
@@ -143,11 +157,14 @@ function wfThumbError( $status, $msg ) {
        header( 'Content-Type: text/html; charset=utf-8' );
        if ( $status == 404 ) {
                header( 'HTTP/1.1 404 Not found' );
+       } elseif ( $status == 403 ) {
+               header( 'HTTP/1.1 403 Forbidden' );
+               header( 'Vary: Cookie' );
        } else {
                header( 'HTTP/1.1 500 Internal server error' );
        }
        if( $wgShowHostnames ) {
-               $url = htmlspecialchars( @$_SERVER['REQUEST_URI'] );
+               $url = htmlspecialchars( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '' );
                $hostname = htmlspecialchars( wfHostname() );
                $debug = "<!-- $url -->\n<!-- $hostname -->\n";
        } else {