From 700355805759ad62b078e7cebc061ecd1b21ea61 Mon Sep 17 00:00:00 2001
From: Chad Horohoe <demon@users.mediawiki.org>
Date: Fri, 3 Jul 2009 20:06:01 +0000
Subject: [PATCH] (bug 18394) img_auth.php now respects userCan

---
 RELEASE-NOTES | 1 +
 img_auth.php  | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 19b6c4e162..6f2073a1f8 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -223,6 +223,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 11242) Check for MySQL storage engines during installation now checks
   whether the engines are actually available
 * (bug 19390) Omit the "printable version" link on the printable version
+* (bug 18394) img_auth.php now respects userCan
 
 == API changes in 1.16 ==
 
diff --git a/img_auth.php b/img_auth.php
index e5d8d8880b..cd8ec43a35 100644
--- a/img_auth.php
+++ b/img_auth.php
@@ -55,6 +55,10 @@ if( !$title instanceof Title ) {
 	wfDebugLog( 'img_auth', "Unable to construct a valid Title from `{$name}`" );
 	wfForbidden();
 }
+if( !$title->userCanRead() ) {
+	wfDebugLog( 'img_auth', "User does not have access to read `{$name}`" );
+	wfForbidden();
+}
 $title = $title->getPrefixedText();
 
 // Check the whitelist if needed
-- 
2.20.1