authorLester Caine <lester@lsces.co.uk>2026-06-19 10:34:20 +0100
committerLester Caine <lester@lsces.co.uk>2026-06-19 10:34:20 +0100
commit3947c9f0b30c7464529c699f42d50d38b21eda6c (patch)
tree4d28b8b2fad6d3642ae8b272b31916a2ac66a12c /config/kernel/auth_check.php
parentd6febfdb6ea7dd65cfeb14793d84cfa2a2288074 (diff)
Add config/kernel/auth_check.php; fix .gitignore path anchoringHEADmaster
auth_check.php is generic (includes site-specific auth_config.php) and belongs in the config package so server-pull-all.sh deploys it. .gitignore package entries were missing leading / so kernel/ matched config/kernel/ as well as the root kernel/ package directory. Fixed all package and externals entries to use root-anchored /name/ form. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'config/kernel/auth_check.php')
-rwxr-xr-xconfig/kernel/auth_check.php32
1 files changed, 32 insertions, 0 deletions
diff --git a/config/kernel/auth_check.php b/config/kernel/auth_check.php
new file mode 100755
index 0000000..15b7ebc
--- /dev/null
+++ b/config/kernel/auth_check.php
@@ -0,0 +1,32 @@
+<?php
+// Minimal session check - no framework bootstrap
+include 'auth_config.php';
+
+preg_match( '|/attachments/\d+/(\d+)/|', $_SERVER['REQUEST_URI'], $matches );
+
+if( !empty( $matches[1] ) ) {
+ $contentId = (int)$matches[1];
+ try {
+ $pdo = new PDO( $gBitDbHost, $gBitDbUser, $gBitDbPassword );
+
+ // get the role restriction for this content, if any
+ $stmt = $pdo->prepare( "SELECT ROLE_ID FROM LIBERTY_CONTENT_ROLE_MAP WHERE CONTENT_ID = ?" );
+ $stmt->execute( [$contentId] );
+ $requiredRoleId = $stmt->fetchColumn();
+
+ if( $requiredRoleId === false ) {
+ // no restriction - public content
+ http_response_code( 200 );
+ } elseif( in_array( (int)$requiredRoleId, $_SESSION['user_role'] ?? [] ) ) {
+ http_response_code( 200 );
+ } else {
+ http_response_code( 403 );
+ }
+ } catch( PDOException $e ) {
+ http_response_code( 403 );
+ }
+ exit;
+}
+
+// no content_id in URI - nothing to restrict
+http_response_code( 200 );
\ No newline at end of file
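Review bot: The script fails open: any request whose raw `$_SERVER['REQUEST_URI']` does not match `|/attachments/\d+/(\d+)/|` falls through to the final `http_response_code( 200 )`, and REQUEST_URI is normally the undecoded, un-normalised request target, so the server that actually serves the file may resolve a path to an attachment that this pattern never recognised. Match against the decoded path instead, e.g. `$path = rawurldecode( (string)parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );`, and if this script is only wired to the attachments location (not visible here), make the fall-through `http_response_code( 403 );` so URIs that do not parse are denied. Separately, nothing in the hunk calls `session_start()`, so unless auth_config.php does, `$_SESSION['user_role'] ?? []` is always empty and every role-restricted item returns 403. `fetchColumn()` also reads only the first ROLE_ID row, so content mapped to several roles is checked against just one of them; iterating over `$stmt->fetchAll( PDO::FETCH_COLUMN )` would cover every mapping.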