User:Robchurch/CGI-supporting image authorisation

When MediaWiki is in a restricted read configuration ($wgGroupPermissions['*']['read'] = false; etc.), the img_auth.php script is used to protect access to non-whitelisted images. This is fine, provided the wiki is installed in a configuration which supports proper PATH_INFO values; CGI-based configurations do not.

The workaround involves a configuration variable set in LocalSettings.php, a rewrite rule, and a modified version of img_auth.php. Most of this is simple; the hardest part for a lot of people will be setting up the correct rewrite rule.

The instructions below assume an Apache web server environment with mod_rewrite available.

Make images inaccessible

Add a .htaccess file in the images directory containing the following line:

Deny from all

This will forbid clients from accessing images directly.

Customised img_auth.php script

/img_auth.php patch

Use the patch above to alter the img_auth.php script, which can be found in the MediaWiki directory. The modifications cause the script to depend on a named request variable, rather than consulting the PATH_INFO information from the server.

Rewrite rule

You need to add a rewrite rule that rewrites requests for ^img_auth.php/(.*)$ to img_auth.php?path=/$1. The additional slash prior to the $1 is required.

The example here assumes that MediaWiki is installed in the wiki directory:

RewriteEngine On
RewriteRule    ^wiki/img_auth.php/(.*)$    wiki/img_auth.php?path=/$1

MediaWiki configuration

The final step is to set $wgUploadPath in the LocalSettings.php file to point to the img_auth.php script, e.g.:

$wgUploadPath = "/wiki/img_auth.php";

This will cause MediaWiki to attempt to access image files via the rewrite, which will trigger the authorisation script to check that the user is logged in and is allowed to view the image before streaming it to the client.
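
With this setup the image path reaches the script as the path request variable, which a client can also supply directly, so the value should be resolved and confined to the upload directory before anything is streamed. A sketch of that check follows, added here as an example and not taken from the patch or from MediaWiki; the function name resolveRequestedImage() and the sample directory tree are hypothetical.

```php
<?php
// Added example: not the page's patch and not MediaWiki code.
// resolveRequestedImage() and the demo paths are hypothetical.

/**
 * Map the client-supplied "path" value to a file inside $uploadDir.
 * Returns the resolved filename, or null when the request must be refused.
 * The login and permission check is separate and still has to pass.
 */
function resolveRequestedImage( string $uploadDir, ?string $path ): ?string {
	// The rewrite rule always emits a leading slash; NUL bytes are never valid.
	if ( $path === null || $path === '' || $path[0] !== '/'
		|| strpos( $path, "\0" ) !== false ) {
		return null;
	}
	// realpath() collapses "." and ".." segments, follows symlinks, and
	// returns false when the target does not exist.
	$base = realpath( $uploadDir );
	$file = realpath( $uploadDir . $path );
	if ( $base === false || $file === false ) {
		return null;
	}
	// Compare against the base plus a separator so that a sibling such as
	// "images-old" does not pass as being inside "images".
	$prefix = $base . DIRECTORY_SEPARATOR;
	if ( strncmp( $file, $prefix, strlen( $prefix ) ) !== 0 || !is_file( $file ) ) {
		return null;
	}
	return $file;
}

// Constructed sample tree: one image inside the upload directory and one
// file next to it that must never be served.
$root = sys_get_temp_dir() . '/img_auth_demo_' . getmypid();
mkdir( "$root/images/a/ab", 0700, true );
file_put_contents( "$root/images/a/ab/Example.png", 'constructed' );
file_put_contents( "$root/LocalSettings.php", 'constructed' );

$samples = [ '/a/ab/Example.png', '/../LocalSettings.php', 'a/ab/Example.png', '/a/ab', null ];
foreach ( $samples as $path ) {
	$file = resolveRequestedImage( "$root/images", $path );
	printf( "%-24s => %s\n", var_export( $path, true ),
		$file === null ? 'refuse' : 'serve ' . basename( $file ) );
}
```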