Extension:NSFileRepo

MediaWiki extensions manual
NSFileRepo
Release status: stable
Implementation User rights
Description Implements per-namespace group permissions for image and file rights protection
Author(s) Jack D. Pond, Robert Vogel
Maintainer(s) Robert Vogel (Hallo Welt! GmbH)
Latest version 1.35.0
MediaWiki 1.27, 1.35
License GNU General Public License 2.0 or later
Download
  • $wgNamespaceBlacklist
  • $wgNamespaceThreshold
  • $wgForceDownload
  • $wgSkipTalk
Quarterly downloads 5 (Ranked 127th)
Translate the NSFileRepo extension if it is available at translatewiki.net
Issues Open tasks · Report a bug

The NSFileRepo extension restricts access to upload and read files and images to a given set of user groups associated with protected namespaces. Using this extension (within the security limitations noted above), you can protect not only pages and areas of your wiki, but also any uploaded images or files within those namespaces.

Namespaces are mechanism for grouping/separating wiki pages.

  • See Help:Namespaces for more user help documentation on what they are and how they are used.
  • See Manual:Namespace for system administration details on MediaWiki's namespace feature
  • See Project:Namespaces for an explanation of how namespaces are used on mediawiki.org

Usage

Generically, you use the same syntax as a normal file reference link, adding the namespace between the file specifier ("File", "Image" or "Media") and the file name:

[[{FILE_NS}:{Namespace}:{Filename}]]

Example (where Private is the protected namespace and Filename.jpg is the file to which you wish to limit access):

[[File:Private:Filename.jpg]]

The standard for accessing files is generally:

[[File:Filename.jpg]]
[[Image:Filename.jpg]]
[[Media:Filename.jpg]]

This extension allows you to protect access to files by adding the namespace text identifier after the file namespace identifier, for example (where Private is the protected namespace and Filename.jpg is the file to which you wish to limit access):

[[File:Private:Filename.jpg]]
[[Image:Private:Filename.jpg]]
[[Media:Private:Filename.jpg]]

It may be helpful to understand the default security model used by MediaWiki using the instructions below:

Limitations of security are the same as for Extension:Lockdown. To review these limitations, see here.

To use the full capabilities of this extension (for example, specific namespace protections) you will need to install and use the namespace protections provided through Extension:Lockdown.

This extension was made possible by the introduction of Repository Classes by Tim Starling - an elegant and brilliant implementation. It uses a new Local Repository class mechanism. Technical details on how this extension works can be found here.

Installation

This extension requires the Lockdown extension to be installed first.


  • Download and move the extracted NSFileRepo folder to your extensions/ directory.
    Developers and code contributors should install the extension from Git instead, using:cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/NSFileRepo
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'NSFileRepo' );
    
  • Activate the Image authorization according to instructions found in Image authorization
  • Configure at your convenience
  •   Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

When working with REL1_27 and later, you will need to create a symlink of nsfr_img_auth.php within your mediawiki installation directory

On Linux use

ln -s extensions/NSFileRepo/nsfr_img_auth.php

On Windows use

mklink nsfr_img_auth.php extensions\NSFileRepo\nsfr_img_auth.php

Also make sure to set a proper value for $wgUploadPath. E.G.:

$wgUploadPath = "$wgScriptPath/nsfr_img_auth.php";

Configuration

The user rights and configuration requiremements are are the same as described in Extension Lockdown.

You will need to read and understand two other required enhancements to MediaWiki:

Troubleshooting IIS / UTF-8 encoding

In some unspecified constellations you will have problems by opening files with special characters using nsfr_img_auth.php. The problem was seen by using Windows Server 2012 R2 with IIS 8.5 and PHP 7.2.14. It seems to be a problem with UTF-8 encoding.

You can use this hook as workaround to solve this:

$wgHooks['ImgAuthBeforeCheckFileExists'][] = function( &$path, &$name, &$filename ) {
	$path = utf8_encode( $path );
	$name = utf8_encode( $name );
	$filename = utf8_encode( $filename );
	return true;
};

Just put it in the LocalSettings.php and the problem should be solved.

Release notes

Release Changes
1.27.0 This major update includes changes for compatibility to MediaWiki REL1_27
  • Build upon FileBackend architecture by Aaron Schulz
1.7 This major update includes a refactoring of the code and is the base for further development, such as a Special:Upload integration.
1.6 This major version updated the I18n to json-files.
1.5 This is a major update to incorporate several evolved changes to the core FileRepo modules into the extension and to bring the extension up to current coding and core standards. Specifically:
  • Bug Fix for 47364 - Fixed Move/Relocate issue and cleared result array for Title
  • Synchronized with changes made to the core FileRepo classes and methods. It now reflects fixes and upgrades as of 2013-2-27
  • Updated for Documentation (doxygen)
  • Cleared result array for userCan hook (NSFileRepolockdownUserCan) since Title now takes anything in that array to be an affirmative (user can)

Should be backward compatible, but only tested with HEAD, 1.19 and 1.20

Release 1.5 is available through gerrit and is tagged as NSFileRepoREL1_05

1.4
  • Bug Fixes - Thumbnails did not display properly in History (and even in uploads of past files). The problem is fixed with 1.16 (and the current trunk version of NSFileRepo), but in versions of MW before 1.16, archived thumbnails still break because LocalFile.php uses hard-coded class of OldLocalFile instead of $repo->oldFileFactory which would instantiate the correct NSLocalFile class.
  • Works with all namespaces > 1000 (used to only work with NS >=11 and <1000)
  • Use NS_IMAGE instead of NS_FILE for backward compatibility
  • Upgrades - Now works completely with >1.16. Changes were made for 100% backward compatibility. Even though it can be used all the way back to 1.13, the thumbnails probably will not display correctly because of issues with FileRepo before 1.16. This is a cosmetic versus a functional issue - if it bothers you, just disable thumbnails. If you're not using automatically generated thumbnails, you wouldn't notice the difference.
1.3 Allow files with namespace protection (e.g. File:ns:yourfile.txt) to be whitelisted using standard $wgWhitelistRead in localsettings.
1.2
  • Fixed bug with reuploads and versioning
  • Added protection to archived files and thumbs
  • Known bug - deleted files are removed from protected Namespace and can be accessed - working on fix, but for now, recommend do not delete files.
1.1
  • First fully tested version, works with MW 1.13.1, 1.14.1, 1.15.1 with patches
  • Works with 1.16.0 (trunk) without patches.