Manual talk:Image authorization

For Apache Step 3.2. Edit .htaccess
Should this be the .htaccess file in the root of your public hosted folder? eg, public_html? or should it be the .htaccess in your /images/ folder? Just trying to get this working on a hosted server. Blckdmnd99 19:56, 13 June 2007 (UTC)

Re: For Apache Step 3.2. Edit .htaccess --jdpond 20:04, 13 June 2007 (UTC)

 * I can't test this, but I believe the answer is the images directory as stated in:
 * Apache Step 2. Protect Images Directory from Internet Access
 * If not, could you fix for us?


 * If I can get it working on my setup I'll be happy to tweak anything that's not quite right. So far, no luck though. I'm on a shared hosting acct through lunarpages so I believe I need to use the CGI version of the script... Blckdmnd99 13:21, 14 June 2007 (UTC)


 * I got it to work by editing the .htaccess in my public_html folder. FWIW, I also had to set my $wgUploadPath = "cgi_img_auth.php"; (instead of "/wiki/cgi_img_auth.php";) -- 29 January 2008

how does img_auth.php work?
Is there a page discussing it in more detail? An extra paragraph of detail about what it does and how to tweak it would help clarify the first half of this article; especially wrt user groups. Sj 14:28, 14 July 2007 (UTC)

re: how does img_auth.php work? --jdpond 19:13, 4 September 2007 (UTC)
Added info - too confusing?

PHP ISAPI versus CGI --jdpond 19:13, 4 September 2007 (UTC)
Or how to resolve the "CGI Error: The specified CGI application misbehaved by not returning a complete set of HTTP headers".

I spent an entire weekend on this problem so I thought I would try and save the rest of us some time.

There is a great amount of opinion surrounding using the CGI versus the ISAPI technique for IIS, and I strongly suspect that many factors are influential (including an issue with math), but the bottom line I found is that you can't get the img_auth to work with CGI consistently, including playing with all the php.ini parameters (see concise article for one of the dozens I've tried). If anyone else is better than I, please correct and elaborate.

So if you're going to switch to ISAPI, how is it done?

You're going to need 3 areas:


 * 1) Environment Variables
 * 2) IIS Application Configuration
 * 3) IIS Web Services Extensions

I strongly recommend you back up your system before attempting this. Of course, the actual steps you take will vary slightly depending on which version of Windows you are using, but hopefully you'll be able to figure it out. These instructions were done on Windows 2003 Server.

Step 1, Environment Variables
You'll need to add or modify the PHPRC and the PATH system variables.

Right click on My Computer, or go to Start->Control Panel->System->Advanced(tab)->Environment Variables(button), select New (or Edit if exists)(button) in System Variables and add the PHPRC environment equal to the location of your PHP directory, in this case C:\Program Files\PHP\.

Also add the search path (if it doesn't already exist) to your PATH variable by using the Edit(button), and add your path to the PHP directory AND the extensions directory (I did it to the front). In this case, it was C:\Program Files\PHP\;C:\Program Files\PHP\ext\;

Step 2, IIS Application Configuration
Either to each virtual web you have set up, or to the top level web, you'll need to add the .php application handler by going into the IIS Manager (Start->Administrative Tools->Internet Information Services (IIS) Manager)->Web Sites(right click)->Permissions->Home Directory(tab)->Configuration(button), then scroll down to where .php is (or should be). This has to be changed to the ISAPI handler (in this case C:\Program Files\PHP\php5isapi.dll ).

Step 3, IIS Web Services Extensions
You now have to change the web services extension, which probably means add a new one, then remove the old one. I know this is slightly different between the versions of Windows, but here's how it's done on Windows 2003 Server. While you are still in IIS Manager from above, instead of right clicking on "Web Sites", right click on "Web Services Extensions", select the existing PHP extension and click on Properties button. Add the file location and name (in this case C:\Program Files\PHP\php5isapi.dll ), then remove the old file (in this case C:\Program Files\PHP\php-cgi.exe ).

Step 4, Restart the Web Services
Stop and restart the web services. Because you've changed the system environment variables, you may also need to restart your server, but this is dependent on the version of Windows you are running.

Limitations
Despite the promises made in the article, I don't see anything in the img_auth.php script that checks for user or user group permissions. The only check made is whether the user is logged on, or whether the file is in a whitelist. Barrylb 20:57, 20 June 2008 (UTC)

re:Limitations --jdpond 10:19, 21 June 2008 (UTC)
Barry, you are correct. In order to use access restrictions you will need to use an authorization extension. If you do so, please note: there are security issues.

I wrote one for 1.10.0, but was waiting for Tim Starling's updates to the file repo system before finalizing a new one.


 * Looks like the only thing missing is a userCan 'read' hook called from the img_auth.php script. That would be consistent with how it is handled in other parts of the system. Barrylb 06:39, 22 June 2008 (UTC)

What I was really interested in was the idea of namespace restrictions. Though, if I read this correctly, it's based on physical path? And no matter where you actually display pictures/files/etc., they all ultimately belong to the Images: namespace, right? So to me it seems that if you want access to openly available image files, but want others restricted due to being linked/uploaded to a protected namespace, you would somehow have to have multiple Image:-style namespaces, then you could write whatever code necessary to check for namespace ownership and authentication, blah blah blah. Or is there another way to do this? I'm using Lockdown but don't see any way to make some uploaded images protected and some not, even if (cgi_)img_auth.php supported restriction by namespace. --Charlener 14:23, 21 August 2008 (UTC)
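
The gap discussed in the Limitations thread above, as an added example that is not part of the original discussion and is not the code of img_auth.php: a simplified PHP model comparing the login-or-whitelist decision with one that also runs a per-file read check. All function names, users, files and groups are constructed for illustration.

```php
<?php
// Added illustration, not the code of img_auth.php. All names are hypothetical.

// Behaviour described in the thread: a file is served when it is
// whitelisted or when the requester is logged in. Groups are never consulted.
function decideLoginOnly(array $user, string $file, array $whitelist): bool {
    return in_array($file, $whitelist, true) || $user['loggedIn'];
}

// Same decision plus a per-file read check, the role a userCan 'read' hook
// would play. $canRead stands in for an authorization extension (assumption).
function decideWithReadCheck(array $user, string $file, array $whitelist, callable $canRead): bool {
    if (in_array($file, $whitelist, true)) {
        return true;                       // public file, no login needed
    }
    if (!$user['loggedIn']) {
        return false;                      // anonymous users get nothing else
    }
    return (bool) $canRead($user, $file);  // logged in: still has to be allowed
}

// Constructed sample data.
$whitelist  = ['Wiki-logo.png'];
$restricted = ['Payroll-2008.pdf' => 'hr'];   // file => group required to read
$canRead = function (array $user, string $file) use ($restricted): bool {
    return !isset($restricted[$file])
        || in_array($restricted[$file], $user['groups'], true);
};
$users = [
    'anonymous' => ['loggedIn' => false, 'groups' => []],
    'editor'    => ['loggedIn' => true,  'groups' => ['user']],
    'hr-staff'  => ['loggedIn' => true,  'groups' => ['user', 'hr']],
];

foreach ($users as $name => $user) {
    foreach (['Wiki-logo.png', 'Payroll-2008.pdf'] as $file) {
        printf(
            "%-10s %-17s login-only=%-5s with-read-check=%s\n",
            $name,
            $file,
            var_export(decideLoginOnly($user, $file, $whitelist), true),
            var_export(decideWithReadCheck($user, $file, $whitelist, $canRead), true)
        );
    }
}
```

The editor row for the restricted file is the case the thread is about: the login-only decision serves it, while the version with the read check refuses it.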