jpowell490
Member
Posted 2 years ago
Hello All,
Fantastic plugin, Gary! I have one question. When I am emailed that a new application has been submitted, I receive information in the email along with a link like this:
Upload your Resume / CV: http://www.yourwebsite.com/wp-content/uploads/2010/08/Joe_Blow_resume_09-10.doc
Now if I click on that, I can view the full resume and not even be logged in as admin. There could be a way to turn that off, but as you can imagine, that is a severe security breach for my company if someone were to use a link grabber and figure out where these are stored.
How can I make this only viewable by a contributor, admin, etc.?
Thanks!
Well, this is a fun problem - I thought WordPress protected these files, but evidently not.
I'll have to think about this some more, as it uses WordPress' Media manager, which doesn't seem to have a 'private' option for files.
jpowell490
Member
Posted 2 years ago
Ouch, that is a big problem there. Hmmm, in the meantime, is there any way to remove that link from the email that it sends out so that I can create an "image" that it is secure?
On another note, do you know of a plugin that could make that directory secure or how should I go about not allowing access to that unless someone is logged in as admin?
Thanks,
Here's a solution that someone found:
http://wordpress.org/support/topic/how-to-protect-media-library-uploads-folder-within-a-membership-site?replies=9#post-1287619
Note that this will block *all* direct links to items in your uploads directory, and may break Save As in IE.
With regards to removing the link from the email, you can do so by opening frontend-application.php, and removing line 941:
$msg .= $field['label'] . ': ' . wp_get_attachment_url( $appdata["data$id"] ) . PHP_EOL;
jpowell490
Member
Posted 2 years ago
Gary,
I like both of those options actually. Thank You very much for following up on this for me. I will be making a donation for the add on this week. Thanks for putting out such a useful and quality add on.
Glad I could help, and great to hear that you're liking it! :)
jpowell490
Member
Posted 2 years ago
Gary,
I removed the link from the email that it sends out. I also followed the .htaccess method above, but that method locks out the normal person's ability to see any pictures on the site. I took out the .jpg, .gif, etc. from the .htaccess and it still blocked them.
I was wondering if another idea might work. Would there be a way to redirect where the applications are uploaded? For instance, you could create a folder in another directory and add the .htaccess file to that directory where the apps are going to?
This is how I originally had it working prior to 0.6 - the problem was that it required users to make another writeable directory. This caused significant problems, so I switched over to using the built-in Media system.
Currently, WordPress works by automatically allowing requests for files that exist. I think the best option would be to change this so it checks for permission before doing that. This will require extra database hits and a modification of .htaccess, so I think I'll have to make it optional.
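The approach Gary outlines here (route requests for uploaded files through a permission check before serving them, at the cost of a WordPress bootstrap per request and an .htaccess change) and the .htaccess pointer earlier in the thread, as one added example. This is not the plugin's own code and not the linked forum solution. It assumes Apache with mod_rewrite, WordPress installed at the site root, a gate script named protected-upload.php placed beside wp-load.php, and the 'edit_posts' capability as the viewing policy (contributors and above, matching the original question). Only document extensions are rewritten, so site images keep loading for anonymous visitors, which is the breakage jpowell490 hit with the blanket deny.

```php
<?php
/**
 * protected-upload.php (hypothetical name) - serves a file from
 * wp-content/uploads only to logged-in users with a chosen capability.
 *
 * Assumed .htaccess placed in wp-content/uploads/ (documents only, so
 * images on the public site are unaffected):
 *
 *   RewriteEngine On
 *   RewriteCond %{REQUEST_FILENAME} -f
 *   RewriteCond %{REQUEST_URI} \.(doc|docx|pdf|rtf|odt)$ [NC]
 *   RewriteRule ^(.*)$ /protected-upload.php?file=$1 [QSA,L]
 */

// Bootstrapping WordPress is the "extra database hits" cost: it loads the
// user session and roles so capabilities can be checked.
require_once __DIR__ . '/wp-load.php';

$requested = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';

// 1. Authorisation: 'edit_posts' is held by contributors and above (assumed policy).
if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
    status_header( 403 );
    nocache_headers();
    exit( 'Forbidden' );
}

// 2. Confinement: resolve the real path and require it to sit inside the
//    uploads directory, which defeats ../ sequences and symlink escapes.
$uploads = wp_upload_dir();
$base    = realpath( $uploads['basedir'] );
$path    = realpath( $base . '/' . ltrim( $requested, '/' ) );

$inside = ( false !== $base && false !== $path )
    && 0 === strpos( $path, $base . DIRECTORY_SEPARATOR );

if ( ! $inside || ! is_file( $path ) ) {
    status_header( 404 );
    nocache_headers();
    exit( 'Not found' );
}

// 3. Delivery: known MIME type or a generic binary type, forced as a download
//    so the browser never renders an uploaded document inline.
$filetype = wp_check_filetype( $path );
$mime     = $filetype['type'] ? $filetype['type'] : 'application/octet-stream';

nocache_headers();
header( 'Content-Type: ' . $mime );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

The first RewriteCond keeps the rule from firing for missing files, so WordPress' normal 404 handling is untouched; the capability name is the one knob to change if only administrators should see applications.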
joelmoney
Member
Posted 1 year ago
Any way to configure the plugin to store resumes elsewhere?
Putting them in the media library for a busy site (10-20 per day) doesn't make sense, and I would much rather offload these to a CDN or Amazon.
Any solutions for that?