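/**
 * Show a private file requested by the visitor.
 *
 * Output buffering through the page object is disabled and the response is
 * marked as uncacheable before the file is streamed from the
 * 'accountreqs' file repo.
 *
 * The key arrives from the visitor and is turned into a filesystem path,
 * so it is checked here for path separators, NUL bytes and parent-directory
 * sequences before any path is built. Whether relPathFromKey() or the repo
 * perform their own validation is not visible from this method, so this
 * check is defence in depth and does not replace them.
 *
 * NOTE(review): this method performs no permission check itself; callers
 * presumably verify the viewer's rights before calling it. Confirm.
 *
 * @param $key string
 */
protected function showFile($key)
{
    global $wgConfirmAccountFSRepos;

    $out = $this->getOutput();
    $request = $this->getRequest();
    $response = $request->response();

    $out->disable();

    # We mustn't allow the output to be Squid cached, otherwise
    # if an admin previews a private image, and it's cached, then
    # a user without appropriate permissions can toddle off and
    # nab the image, and Squid will serve it
    $response->header('Expires: ' . gmdate('D, d M Y H:i:s', 0) . ' GMT');
    $response->header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
    $response->header('Pragma: no-cache');

    # Refuse keys that could steer the resulting path outside the
    # directory derived from the key. The no-cache headers above are
    # already set, so the refusal is not cached either.
    if (
        !is_string($key)
        || $key === ''
        || strpbrk($key, "/\\\0") !== false
        || strpos($key, '..') !== false
    ) {
        $response->header('HTTP/1.1 404 Not Found');
        return;
    }

    $repo = new FSRepo($wgConfirmAccountFSRepos['accountreqs']);
    $path = $repo->getZonePath('public') . '/' . UserAccountRequest::relPathFromKey($key);

    $repo->streamFile($path);
}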