WP Document Revisions
[resolved] Direct access to the file under Multisite (6 posts)

  1. Bill Dennen
    Member
    Posted 2 years ago #

    Hi,

    I'm wondering if it's possible to block direct access to the files. That is, if a document is set "private" and I use the WP Document Revisions-generated URL, it works fine.

    But, I am still able to download the file directly using the direct URL. Something like:

    http://somesite.com/subsite/files/2012/03/b55d9ace19d0a54e91f1ea56cd077638.pdf

    Anyone can download the file this way.

    In your doc, you note:

    "For additional security, you can move the document upload folder above the web root, (via settings->media->document upload folder)."

    This option is not available via Multisite.

    Do you have any advice?

    Thanks.

    http://wordpress.org/extend/plugins/wp-document-revisions/

  2. Ben Balter
    Member
    Plugin Author

    Posted 2 years ago #

    You may have to network activate the plugin so that it can add the location option to the network settings page. I just tested and it appeared on a multisite install.

    As for the direct file URL, how did you / how would a user get that URL? It should be designed to prevent the true location from ever being displayed, no?

  3. Bill Dennen
    Member
    Posted 2 years ago #

    Thanks. I will try network-activating it; however, I really only want to use it on one or two subsites, not the whole network.

    Yes, the direct access URL is not displayed, and it's not easily guessed. But, I'd rather not rely on security through obscurity like this, if it can be avoided.

  4. Ben Balter
    Member
    Plugin Author

    Posted 2 years ago #

    You should be able to do that. The original idea was to prevent a non-super admin from changing their upload directory on a multisite install (and in theory putting it some strange place on the server that a super admin wouldn't want), but the option should be exposed to super admins on a site-by-site basis as well.

    I opened ticket #4, and will look to get a fix in in the next release.

    In the meantime, I'd have to check the code, but I think you may be able to network activate to get the UI, save the upload directory, and then network deactivate, as strange as it may sound (or set the setting in the options table directly). The functionality's there... it's just a matter of the UI not displaying properly.

    Thanks for the heads up, and hope to have a fix soon...

    - Ben

  5. Ben Balter
    Member
    Plugin Author

    Posted 2 years ago #

    Really tricky to be done in core, because the plugin isn't activated on the network admin.

    Added a stand-alone fix in the code cookbook here:

    https://github.com/benbalter/WP-Document-Revisions-Code-Cookbook/blob/master/wprdr-network-admin.php

    And enhanced support for network admin in the development version here:

    https://github.com/benbalter/WP-Document-Revisions/tree/develop

  6. Bill Dennen
    Member
    Posted 2 years ago #

    Thanks!
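
The thread's advice is to keep the document upload folder above the web root rather than rely on an unguessable file name. As an added example (not code from the plugin or from either poster), this Python check reports whether a configured upload directory still resolves to a location under the web root; the directory names and site labels are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def is_web_reachable(upload_dir, web_root):
    """True if upload_dir, once symlinks and '..' are resolved, lies inside web_root."""
    upload = Path(upload_dir).resolve()
    root = Path(web_root).resolve()
    return upload == root or root in upload.parents


def audit_upload_dirs(web_root, upload_dirs):
    """Map each site name to 'EXPOSED' or 'ok' for its configured upload directory."""
    return {
        site: "EXPOSED" if is_web_reachable(path, web_root) else "ok"
        for site, path in upload_dirs.items()
    }


def build_demo():
    """Constructed sample layout: a web root, a private directory above it, and
    paths that only look private ('..' segments, a symlink back under the root)."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "public_html"
    in_root = web_root / "subsite" / "files"
    private = base / "private-docs"
    in_root.mkdir(parents=True)
    private.mkdir()
    link = base / "docs-link"
    os.symlink(in_root, link, target_is_directory=True)
    configured = {
        "subsite-default": str(in_root),
        "subsite-moved": str(private),
        "subsite-dotdot": str(private / ".." / "public_html" / "subsite" / "files"),
        "subsite-symlink": str(link),
    }
    return web_root, configured


if __name__ == "__main__":
    root, dirs = build_demo()
    for site, status in audit_upload_dirs(root, dirs).items():
        print(f"{status:8} {site}: {dirs[site]}")
```

The check covers filesystem layout only; a server alias or rewrite rule that maps a URL onto a directory outside the web root has to be reviewed in the web server configuration.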

Topic Closed

This topic has been closed to new replies.