I had setup a private MediaWiki for one of my project and that allows only logged-in users to view its content or page. But my colleague came up with an issue, where the images and documents that are uploaded via MediaWiki was still accessible directly without logging-in. For example, assume that you had uploaded an image (say photo.jpg) via MediaWiki and the image has been embedded in one of the post as well. Now, the post that contains the image will be accessible only by the authorized user, but the image that was uploaded via MediaWiki can be accessed directly by typing its URL in the web browser (like, http://yoursite.com/images/7/78/photo.jpg). Well, my colleague has a point – any content (be it a page or image or document) that are stored under MediaWiki should only be accessed by authorized users. So how did I fix the issue?
Before I speak about the solution, I would like to bring to your notice that – MediaWiki is not a CMS or meant to protect any sensitive data. Instead, it was designed to be as open as possible. Moreover, the image uploaded via MediaWiki is served directly by the web server. So in order to fix this issue, we have to rely on Image Authorization extension of MediaWiki.
Warning: Before setting up Image Authorization, click on this link to understand the security issues of authorization extensions.
Check Image Authorization in MediaWiki:
The older versions of MediaWiki didn’t have Image authorization module by default. It means, you need to grab this extension from the internet and copy it into the MediaWiki folder. But I have installed MediaWiki version 1.25.2 which had image authorization module. So the first step is to check if your MediaWiki has this extension as shown below:
1. Login to your MediaWiki server and navigate to its root directory
# cd /var/www/html/wiki
2. Lookout for the file named img_auth.php – the image authorization file.
# ls -ld img_auth.php
If you don’t find img_auth.php file, then you need to grab it from the internet and copy it to the wiki directory.
Setup .htaccess to deny image access
# cd /var/www/html/wiki/images
# vim .htaccess
Create .htaccess file containing the below line:
Deny from All
Now, the web server will throw Forbidden access error when the files stored in images are folder accessed directly.
Setup Image authorization in MediaWiki:
Now, we have to setup image authorization in MediaWiki – so that it checks if the user has logged-in before allowing access to the files stored in images folder.
Open LocalSettings.php and set $wgUploadPath.
$wgUploadPath = "[/path/to]/img_auth.php";
For example, in my case, img_auth.php file is located under /var/www/html/wiki/. So the variable $wgUploadPath goes like this…
$wgUploadPath = "/img_auth.php";
That’s it. All the files located under images folder should be accessed as below:
It means, the wiki pages that contain images should also refer the above path.
Note: the images folder in the above URL is not replaced with img_auth.php file – which is responsible for verifying the authorized access.
I love bugs and I love fixing them!