User:Robchurch/CGI-supporting image authorisation

When MediaWiki is in a restricted read configuration or similar, the img_auth.php script is used to protect access to non-whitelisted images. This works provided the wiki is installed in a configuration which supports proper PATH_INFO values; CGI-based configurations do not.

The workaround involves a configuration variable set in LocalSettings.php, a rewrite rule, and a modified version of img_auth.php. Most of this is simple; the hardest part for a lot of people will be setting up the correct rewrite rule.

The instructions below assume an Apache web server environment with mod_rewrite available.

Make images inaccessible
Add a .htaccess file in the images directory containing the following line:



This will forbid clients from accessing images directly.

Customised img_auth.php script

 * /img_auth.php patch

Use the patch above to alter the img_auth.php script, which can be found in the MediaWiki directory. The modifications cause the script to depend on a named request variable, rather than consulting the PATH_INFO information from the server.

Rewrite rule
You need to add a rewrite rule that rewrites requests for ^img_auth.php/(.*)$ to img_auth.php?path=/$1. The additional slash prior to the $1 is required.

The example here assumes that MediaWiki is installed in the wiki directory:

RewriteEngine On
RewriteRule   ^wiki/img_auth.php/(.*)$    wiki/img_auth.php?path=/$1

MediaWiki configuration
The final step is to set $wgUploadPath in the LocalSettings.php file to point to the img_auth.php script, e.g.:



This will cause MediaWiki to attempt to access image files via the rewrite, which will trigger the authorisation script to check that the user is logged in and is allowed to view the image before streaming it to the client.
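
Because the modified script takes the file name from the path request variable, which a client can also set by requesting img_auth.php?path=... directly, the value has to be confined to the upload directory before anything is streamed. The following is an added example of such a check, not the code from the patch above; resolveImagePath(), $uploadDir and the temporary demo files are assumptions made for illustration.

```php
<?php
// Added example; resolveImagePath() and $uploadDir are hypothetical names,
// not identifiers from the img_auth.php patch.

// Map the client-supplied "path" value to a file inside $uploadDir.
// Returns the absolute file name, or null when the request must be refused.
function resolveImagePath(string $uploadDir, $requested): ?string
{
    // ?path[]=x makes the value an array; the rewrite always yields "/...".
    if (!is_string($requested) || $requested === '' || $requested[0] !== '/') {
        return null;
    }
    // NUL bytes and backslashes have no place in an upload path.
    if (strpos($requested, "\0") !== false || strpos($requested, '\\') !== false) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false for a file that does not exist.
    $file = realpath($base . $requested);
    if ($file === false || !is_file($file)) {
        return null;
    }
    // The resolved name must still sit below the upload directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed demonstration data: a throwaway upload directory with one
// image, and one file next to it that must never be served.
$tmp = sys_get_temp_dir() . '/img_auth_demo_' . getmypid();
mkdir($tmp . '/images/a/ab', 0700, true);
file_put_contents($tmp . '/images/a/ab/Example.png', 'demo');
file_put_contents($tmp . '/LocalSettings.php', 'demo');

$tests = ['/a/ab/Example.png', '/../LocalSettings.php', 'a/ab/Example.png', ['x']];
foreach ($tests as $value) {
    $result = resolveImagePath($tmp . '/images', $value);
    echo json_encode($value, JSON_UNESCAPED_SLASHES), ' => ',
        $result === null ? 'refused' : 'served', "\n";
}

// Remove the demonstration files again.
array_map('unlink', [$tmp . '/images/a/ab/Example.png', $tmp . '/LocalSettings.php']);
foreach (['/images/a/ab', '/images/a', '/images', ''] as $d) { rmdir($tmp . $d); }
```

Only the first value is served; the other three are refused before any file is opened.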