Make Uploaded Files Private in MediaWiki (Logged-In Only)


1. Move the images/ folder out of the web root

  • By default, uploaded files are in yourwiki/images/.
  • Move this folder outside the public web root so people can’t access it directly through a URL.
    • Example: instead of /var/www/html/wiki/images/, put it in /var/www/private/images/.



2. Configure $wgUploadDirectory and $wgUploadPath in LocalSettings.php

# Tell MediaWiki where files are stored
$wgUploadDirectory = "/var/www/private/images";

# Use a virtual URL (will be handled by MediaWiki, not the web server)
$wgUploadPath = "$wgScriptPath/img_auth.php";

3. Use img_auth.php for access control

  • MediaWiki has a built-in script called img_auth.php.
  • When you set $wgUploadPath to point to it, all file requests go through MediaWiki.
  • This script checks MediaWiki permissions before serving the file.

For example:

  • If you open an image link, it won’t be served directly.
  • img_auth.php will check whether the current user has permission (membership in the user group means the user is logged in).
  • If not logged in, the user will see a “permission denied” message.



4. Restrict viewing files to logged-in users

In LocalSettings.php, set file access permissions:

# Block file viewing for anonymous users
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = true;

This means:

  • * = anonymous users → cannot read pages/files.
  • user = logged-in users → can read.



Result: Anonymous visitors can’t access uploaded images (even with the direct URL). Logged-in users can view them normally.
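
A check for step 1, as an added example that is not part of the original page or of MediaWiki: it confirms that the upload directory is not inside the web root and that no directory symlink left in the web root still leads to it, which would let the web server serve files without img_auth.php. The function names are hypothetical, and the paths you pass in are your own (the page's example would be /var/www/html and /var/www/private/images).

```shell
#!/bin/sh
# Added example (not MediaWiki code): confirm the upload directory from step 1
# cannot be reached through the web root. Function names are hypothetical.

# Print the physical (symlink-free) path of a directory; fail if it is not one.
resolve_dir() {
    ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# True if resolved path $1 equals or lies inside resolved directory $2.
# The trailing slash keeps /var/www/html-private from matching /var/www/html.
is_within() {
    case "$1/" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# upload_dir_exposed DOCROOT UPLOAD_DIR
# Prints findings; returns 0 if exposed, 1 if not exposed, 2 on a bad path.
upload_dir_exposed() (
    docroot=$(resolve_dir "$1") || exit 2
    upload=$(resolve_dir "$2") || exit 2

    if is_within "$upload" "$docroot"; then
        echo "EXPOSED: $upload is inside web root $docroot"
        exit 0
    fi

    # A leftover directory symlink in the web root (for example the old images
    # path pointing at the private folder) bypasses img_auth.php entirely.
    findings=$(find "$docroot" -type l | while IFS= read -r link; do
        target=$(resolve_dir "$link") || continue   # skip links to files
        if is_within "$target" "$upload" || is_within "$upload" "$target"; then
            echo "EXPOSED: symlink $link -> $target"
        fi
    done)

    [ -n "$findings" ] || exit 1
    echo "$findings"
)

# Stand-alone use: sh check.sh /var/www/html /var/www/private/images
if [ "$#" -eq 2 ]; then
    upload_dir_exposed "$1" "$2"
fi
```

An exit status of 1 means neither problem was found; it does not replace requesting a known file URL while logged out to confirm the “permission denied” response.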