Thread:Project:Support desk/File Access Security Gap/reply (3)

> Do you copy?

Yes. My first thought would be that the access check should not be based on MediaWiki, because what people would request is the file directly and this is by default delivered without any interaction of MediaWiki. But as you noted, it is not very convenient, if the user basically has to login twice.

So maybe it would be better to run the request through MediaWiki: MediaWiki has an API, which tells you, if the user is currently logged in. So: Redirect the request to files to MediaWiki, let MediaWiki check, if the user is logged in and if he is, return the file. Otherwise only show the login screen. Maybe there already is an extension for that?

I am sure you are not the first one who wants to apply access restrictions of a CMS to uploaded userfiles in the filesystem.