summaryrefslogtreecommitdiff
path: root/thumb.php
diff options
context:
space:
mode:
authorPierre Schmitz <pierre@archlinux.de>2010-03-09 07:22:49 +0100
committerPierre Schmitz <pierre@archlinux.de>2010-03-09 07:22:49 +0100
commit6f5403ca6e8561c3dcd19284f86b4c3c8dd715ff (patch)
treee65ab3d9e3099ae8a7341f9146107966e5816686 /thumb.php
parente6475b0b814e9cb5d1b65dd76eee371875fffa9a (diff)
update to MediaWiki 1.15.2
Diffstat (limited to 'thumb.php')
-rw-r--r--thumb.php21
1 files changed, 19 insertions, 2 deletions
diff --git a/thumb.php b/thumb.php
index b973cc65..6e04f4aa 100644
--- a/thumb.php
+++ b/thumb.php
@@ -20,6 +20,9 @@ wfLogProfilingData();
function wfThumbMain() {
wfProfileIn( __METHOD__ );
+
+ $headers = array();
+
// Get input parameters
if ( get_magic_quotes_gpc() ) {
$params = array_map( 'stripslashes', $_REQUEST );
@@ -65,6 +68,17 @@ function wfThumbMain() {
$img = wfLocalFile( $fileName );
}
+ // Check permissions if there are read restrictions
+ if ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ) {
+ if ( !$img->getTitle()->userCanRead() ) {
+ wfThumbError( 403, 'Access denied. You do not have permission to access ' .
+ 'the source file.' );
+ return;
+ }
+ $headers[] = 'Cache-Control: private';
+ $headers[] = 'Vary: Cookie';
+ }
+
if ( !$img ) {
wfThumbError( 404, wfMsg( 'badtitletext' ) );
return;
@@ -101,7 +115,7 @@ function wfThumbMain() {
$thumbPath = $img->getThumbPath( $thumbName );
if ( is_file( $thumbPath ) ) {
- wfStreamFile( $thumbPath );
+ wfStreamFile( $thumbPath, $headers );
return;
}
}
@@ -128,7 +142,7 @@ function wfThumbMain() {
$errorMsg = wfMsgHtml( 'thumbnail_error', 'Image was not scaled, ' .
'is the requested width bigger than the source?' );
} else {
- wfStreamFile( $thumb->getPath() );
+ wfStreamFile( $thumb->getPath(), $headers );
}
if ( $errorMsg !== false ) {
wfThumbError( 500, $errorMsg );
@@ -143,6 +157,9 @@ function wfThumbError( $status, $msg ) {
header( 'Content-Type: text/html; charset=utf-8' );
if ( $status == 404 ) {
header( 'HTTP/1.1 404 Not found' );
+ } elseif ( $status == 403 ) {
+ header( 'HTTP/1.1 403 Forbidden' );
+ header( 'Vary: Cookie' );
} else {
header( 'HTTP/1.1 500 Internal server error' );
}