Extension:NSFileRepo

The NSFileRepo restricts access to upload and read files and images to a given set of user groups associated with protected namespaces. Using this extension (within the security limitations noted above), you can protect not only pages and areas of your wiki, but also any uploaded images or files within those namespaces.

Namespaces are mechanism for grouping/separating wiki pages.


 * See Help:Namespaces for more user help documentation on what they are and how they are used.
 * See Manual:Namespace for system administration details on Mediawiki's namespace feature
 * See Project:Namespaces for an explanation of how namespaces are used on mediawiki.org

Usage
Generically, you use the same syntax as a normal file/image reference link, adding the namespace between the file specifier ("File","Image", or "Media"), and the file name:

{FILE_NS}:{Namespace}:{Filename}

Example(Where "Project" is the protected namespace and "ProjectFile.pdf" is the file to which you wish to limit access):

The standard for accessing files/images is generally: [[Media:Filename.pdf]]

This extension allows you to protect access to files/images, by adding the namespace text identifier after the file namespace identifier, for example(Where "Project" is the protected namespace and "ProjectFile.xxx" is the file to which you wish to limit access): [[Media:Project:Filename.pdf]]

It may be helpful to understand the default security model used by MediaWiki using the instructions below:


 * Manual:User rights
 * Manual:$wgGroupPermissions

Limitations of security are the same as for Extension Lockdown. To review these limitations, please reference here.

To use the full capabilities of this extension (e.g., specific namespace protections), you will need to install and use the namespace protections provided through Extension:Lockdown.

This extension was made possible by the introduction of Repository Classes by Tim Starling - an elegant and brilliant implementation. It uses a new Local Repository class mechanism. Technical details on how this extension works can be found here.

Announcements

 * Starting with version 1.16.0, this extension will require no patching. Updates were made to make more efficient and easier to use.
 * The first version of this (Rel 0.0) was released 2009-07-11. The following activities were completed to make this extension easier to install and use, including:
 * 1.16.0 - img_auth.php was rewritten which has the required hook and global messages for image authorization failures and this extension.
 * 1.16.0+ - has global variable $wgIllegalFileChars.  By default this extension modifies it to allow ":" for namespaces.

NSFileRepo 1.4

 * Bug Fixes - Thumbnails did not display properly in History (and even in uploads of past files). The problem is fixed with 1.16 (and the current trunk version of NSFileRepo), but in versions of MW before 1.16, archived thumbnails still break because LocalFile.php uses hard-coded class of OldLocalFile instead of $repo->oldFileFactory which would instantiate the correct NSLocalFile class.


 * Works with all namespaces > 1000 (used to only work with NS >=11 and <1000)


 * Use NS_IMAGE instead of NS_FILE for backward compatibility


 * Upgrades - Now works completely with >1.16. Changes were made for 100% backward compatibility.  Even though it can be used all the way back to 1.13, the thumbnails probably will not display correctly because of issues with FileRepo before 1.16.  This is a cosmetic versus a functional issue - if it bothers you, just disable thumbnails.  If you're not using automatically generated thumbnails, you wouldn't notice the difference.

NSFileRepo 1.3

 * Allow files with namespace protection (e.g. File:ns:yourfile.txt) to be whitelisted using standard $wgWhitelistRead in localsettings.

NSFileRepo 1.2

 * Fixed bug with reuploads and versioning
 * Added protection to archived files and thumbs
 * Known bug - deleted files are removed from protected Namespace and can be accessed - working on fix, but for now, recommend do not delete files.

NSFileRepo 1.1

 * First fully tested version, works with MW 1.13.1, 1.14.1, 1.15.1 with patches
 * Works with 1.16.0 (trunk) without patches.

Tagged Releases
There were issues with image thumbnails that require modification to both NSFileRepo and the standard FileRepo. These revisions have been tested for MW Rev 1.15.0 and should also work with 1.14.0. It is doubtful they will work before 1.14.0. If someone could test the 1.14.0 patches, I would be glad to assist in any issues you may have. --jdpond 15:02, 13 May 2010 (UTC)

Tagged Release 1.14.0 Phase 3
This tagged branch has not been tested. It corrects the Thumbnail issues but requires:


 * Replacement/patching of LocalFile.php
 * Replacement/patching of GlobalFunctions.php
 * Alternate branched versions of the core NSFileRepo code.

If you do not mind messed up thumbnails with problems in the following areas, you can stay with the HEAD version:


 * Visual - displays broken impage link for thumbnails, especially in upload history
 * Security - without this patch, it loads thumbnails into 'public' area which could (theoretically) be viewed regardless of NS protection

SVN available here

Tagged Release 1.15.0 Phase 3
This tagged branch has been tested. It corrects the thumbnail issues but requires:


 * Replacement/patching of LocalFile.php
 * Replacement/patching of GlobalFunctions.php
 * Alternate branched versions of the core NSFileRepo code.

If you do not mind messed up thumbnails with problems in the following areas, you can stay with the HEAD version:


 * Visual - displays broken impage link for thumbnails, especially in upload history
 * Security - without this patch, it loads thumbnails into 'public' area which could (theoretically) be viewed regardless of NS protection

SVN available here

Download instructions
Copy all files and directories into directory:

$IP/extensions/NSFileRepo

Installation
You will need to read and understand two other required enhancements to MediaWiki:


 * Image Authorization.
 * Extension Lockdown

Please read and understand before executing the following instructions


 * 1) Download and install  Extension Lockdown.  If you have not installed
 * 2) Download and copy the NSFileRepo extension into directory $IP/extensions/NSFileRepo
 * 3) Activate the Image Authorization according to instructions found in  Image Authorization

Installation on versions 1.13.0 through 1.15.1
Up until 1.16.0, MediaWiki required a small patch to includes/GlobalFunctions.php. After that time, no patches are required, so you can skip to Activating NSFileRepo if you are using MW version 1.16.0 and higher. NO PATCHES ARE NEEDED FOR MW Version 1.16.0 and higher.


 * 1) Copy the img_auth.php the distribution in directory {release}/phase3/ to your wiki code base directory ($IP).  This will overwrite the existing img_auth.php file.  Alternately you could copy img_auth.php to another name in the same directory, then use that file name instead of img_auth.php (but still must be in the $IP directory).
 * 2) $IP/include/GlobalFunctions.php Must be patched.  This is a very minor patch to remove the disabling of colons (':').  You can do this one of three ways (whichever you're most comfortable with):
 * 3) Edit the file according to instructions  below
 * 4) If you have not otherwise patched the file, you may want to copy it from the distribution, which will be in a directory corresponding to the release you are using under {release}/phase3/includes/GlobalFunctions.php
 * 5) Apply the patch which will be in a directory corresponding to the release you are using under {release}/phase3/includes/GlobalFunctions.patch

Activating NSFileRepo

 * 1) To activate this extension, add the following to LocalSettings.php:

Configuration parameters
The user rights and configuration requiremements are are the same as described in Extension Lockdown.

Patch GlobalFunctions.php (only MW versions between 1.13.0 and 1.16)
In version 1_13_0, a new function wfStripIllegalFilenameChars was added to includes/GlobalFunctions.php. This prevents the extension from determining the namespace associated with the file/image. For this extension to work in versions 1_13_0 through 1_15_1, you will need to make a minor patch to includes/GlobalFunctions.php as follows:

You need to remove the "or :" clause from the REGEX expression by deleting the characters "|:"