Controlling access to blogs.dir

  • frisco

    (@frisco)


    12 years, 7 months ago

    I am working with a plugin that stores certain site-specific files like uploads, user images, etc in /blogs.dir/3/files/some-folder-name, where 3 is the blog ID.

    These folder locations are part of the plugin setup.

    Is there something in WP multisite that insures that a site admin for blog ID only enters that ID #? Or is that something that the plugin author has to control? Or did I mess something up in my multisite config?

    In my tests, a site admin for blog ID 3 could change the folder locations to that of 4 and using the plugin-provided features, change the files for blog ID 4, even though he’s not a user of that site.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    12 years, 7 months ago

    These folder locations are part of the plugin setup.

    Then you need to lock down the plugin better. Or just have it go to the local /files/some-folder-name path, and let WP parse it for you.

    Andrea Rennick

    (@andrea_r)

    12 years, 7 months ago

    The plugin shuld just be grabbing the default folder – in this cause it;d be the same folder, but I can’t see a good reason as to why they’d make it editable in the backend.

    Thread Starter frisco

    (@frisco)

    12 years, 7 months ago

    @ipstenu, if I understand your response correctly, if I am an admin on blog ID 3, and my path is ../files/some-folder-name, WP will put the files in /blogs.dir/3/files/some-folder-name ?

    @andrea, it is grabbing the default folder for code, and you’re probably right that there really isn’t a good reason to edit folder locations for things like uploaded files. I’ll pass that along to the plugin developer.

    Both, thanks for the ultra-speedy responses.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    12 years, 7 months ago

    if I am an admin on blog ID 3, and my path is ../files/some-folder-name, WP will put the files in /blogs.dir/3/files/some-folder-name ?

    That’s how it works in the media folder 🙂 Look at your images on site.com/subsite/ 🙂 You’ll see them linked to /files/2011/08/image.jpg – The .htaccess is what parses them.

    I don’t know if that would work with images NOT in the media tool, mind, but it’s something to test, certainly. I think it should, based on how some BuddyPress plugins worked.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Controlling access to blogs.dir’ is closed to new replies.