I am running MediaWiki 1.10.0 on a shared hosting server with PHP 5.2.1 (cgi). I have restricted read/create/edit access to logged-in users only. '$wgHashedUploadDirectory = true;' was defined in LocalSettings.php. To block access from a non-Wiki user who figures out the path/filename of an uploaded file, I have been following the directions in http://www.mediawiki.org/wiki/Manual:Image_Authorisation.
MediaWiki is installed in a '/MyWiki' subdirectory. Steps completed so far:
* created a .htaccess file in '/MyWiki/images' containing 'Deny from All'
* tested access to an existing file in '/MyWiki/images/f/f2/Fields.png' and received: 'Error 403 - Forbidden: You tried to access a document for which you don't have privileges.'
* downloaded CGI-supporting image authorization script, renamed it as 'cgi-img_auth.php' and installed it in '/MyWiki'
* added '$wgUploadPath = "/MyWiki/cgi_img_auth.php";' to 'LocalSettings.php'
* added the following lines to .htaccess in '/MyWiki':

    RewriteEngine on
    RewriteBase /
    RewriteRule ^cgi_img_auth.php(.*)$ cgi_img_auth.php?path=/$1

The instructions called for adding the following lines:

    RewriteEngine on
    RewriteRule ^/path/to/images(.*)$ /path/to/cgi_img_auth.php/$1 [R]
    RewriteRule ^path/to/cgi_img_auth.php/(.*)$ path/to/cgi_img_auth.php?path=/$1

I suspect that these RewriteRules assumed that the .htaccess file was in the root directory of the server, rather than in the Wiki directory. Since I wanted to limit the scope of the change to the Wiki directory, I removed the Wiki directory path (that appears to be stripped off by Apache). I also had to add the 'RewriteBase /' statement, probably because I am on a shared server.
Question 1: what is the purpose of the first RewriteRule in the instructions? The $wgUploadPath statement should cause MediaWiki to send all image requests to 'cgi_img_auth.php', which the second RewriteRule fixes up to have the right syntax. Any requests outside of the Wiki to the image directory itself should fail due to the 'Deny from All' statement. Are there cases where MediaWiki tries to access an image through the Apache server?
I found that 'cgi_img_auth.php' was not preventing access to images if the user was logged out. In other words, direct access to 'http://.../MyWiki/cgi_img_auth.php/f/f2/Fields.png' worked. I think the problem occurred because I did not have a $wgWhitelistRead array defined, causing the first test to fail and bypassing the login check.

    if ( is_array( $wgWhitelistRead ) && !in_array( $imageName, $wgWhitelistRead ) && !$wgUser->getID() ) {
        wfDebugLog( 'img_auth', "not logged in and requested file not in whitelist: $imageName" );

I changed the test to read:

    if ( !( is_array( $wgWhitelistRead ) && in_array( $imageName, $wgWhitelistRead ) ) && !$wgUser->getID() ) {

Does this make sense? I have not had a chance to verify that the $wgWhitelistRead override works.

Thanks,
Norbert
mediawiki-l@lists.wikimedia.org
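
Added example, not part of the original post or of MediaWiki's own script: the two conditions quoted in the message, modelled as plain PHP functions and evaluated over constructed cases to show which requests each one denies when no whitelist array is defined. The function names, the sample titles and the use of `false` for an undefined $wgWhitelistRead are assumptions made for the illustration.

```php
<?php
// Added illustration. $whitelist, $imageName and $userId stand in for
// $wgWhitelistRead, the requested image title and $wgUser->getID().
// An undefined whitelist is modelled as false (assumption).

// Original test: deny only when a whitelist array exists, the file is not
// on it, and the user is anonymous. Without a whitelist array the first
// operand is false, so the whole test is false and nothing is denied.
function deniedOriginal($whitelist, $imageName, $userId) {
    return is_array($whitelist)
        && !in_array($imageName, $whitelist)
        && !$userId;
}

// Modified test from the post: deny every anonymous request unless the
// file is explicitly on the whitelist.
function deniedModified($whitelist, $imageName, $userId) {
    return !(is_array($whitelist) && in_array($imageName, $whitelist))
        && !$userId;
}

// Constructed cases: label, whitelist, image title, user id (0 = anonymous).
$cases = array(
    array('no whitelist, anonymous',      false, 'Image:Fields.png', 0),
    array('no whitelist, logged in',      false, 'Image:Fields.png', 7),
    array('file not whitelisted, anon',   array('Main Page'), 'Image:Fields.png', 0),
    array('file whitelisted, anon',       array('Image:Fields.png'), 'Image:Fields.png', 0),
    array('file not whitelisted, user',   array('Main Page'), 'Image:Fields.png', 7),
);

foreach ($cases as $case) {
    list($label, $whitelist, $image, $userId) = $case;
    printf("%-30s original=%-5s modified=%s\n",
        $label,
        deniedOriginal($whitelist, $image, $userId) ? 'deny' : 'allow',
        deniedModified($whitelist, $image, $userId) ? 'deny' : 'allow');
}
```

The two tests differ only in the first case: an anonymous request with no whitelist array defined.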