Protect direct access to uploaded files (16 posts)

  1. Cerebral ideas
    Member
    Posted 3 years ago #

    I am running a multisite with the latest WP3 and BuddyPress. I have it protected with Private BuddyPress and have disallowed robots to the site. Unfortunately, Google has picked up some of the files in my sub-site's files folder. One can easily download these files with the full url known. I need to be able to prevent people from getting access to these files without being logged in.

    If they are logged in, I don't care if they can download them; I just want to prevent non-members from getting access to the files. There is a great plugin called Private Files (seen here -- http://wordpress.org/extend/plugins/private-files/) that works wonderfully on non-multisite WP installations. Unfortunately, it fails on all multisite sub-sites.

    I believe this is due to the rewrite of the url from '/blogs.dir/2/files' to 'sub-site_name/files.' This is more than I can handle without some expert help. Can someone out there help me out? Thanks in advance for any assistance.

    Justin

  2. Curtiss Grymala
    Member
    Posted 3 years ago #

    I'm not sure how it works with virtual (rewritten) directories, but one classic approach to trying to protect files from being downloaded by people that aren't logged in is to use .htaccess to check for a specific cookie before serving the file.

    The .htaccess code would look something like:

    # mod_rewrite must be switched on for the rules below to apply
    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} !CookieName=
    RewriteRule ^document-directory.*$ /login-page [L,R=301]

    A little more info can be found at http://www.willmaster.com/blog/contentprotection/htaccess-cookie.php.

    In order to signify that the access is forbidden, you might even want to change "R=301" to "R=403", but I've never used that, so I don't know exactly how it works.

    Also, in order for this to work properly, all of the files that you want forbidden will need to reside in a directory separate from the files that you want available to the public. You can't selectively (not easily, at least) specify which files within a directory should be protected and which shouldn't. Good luck.

  3. "One can easily download these files with the full url known. I need to be able to prevent people from getting access to these files without being logged in."

    Funnily enough, we're working on a BuddyPress plugin that does this. No ETA.

  4. Cerebral ideas
    Member
    Posted 3 years ago #

    Hey Curtiss, thank you for the tip; I will try it out in a few hours and let you know how it works out. Thanks again.

    Andrea, I was hoping for a plugin from you guys on this one. I hope you all work it out soon as it would be welcome for this and many projects. Thanks.

    Justin

  5. Cerebral ideas
    Member
    Posted 3 years ago #

    Well, couldn't get it to work. I couldn't get the subsite's files directory to follow the htaccess rules, so I had to utilize the root htaccess file. Here's what I used in case anyone else would like to try:

    # Send any request that lacks a WordPress login cookie to the login page
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_YOURUNIQUESTRING.*$ [NC]
    # ...except the login page itself and the stylesheets it needs
    RewriteCond %{REQUEST_URI} !^/wp-login\.php$
    RewriteCond %{REQUEST_URI} !^/wp-admin/css/.*\.css$
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/YOURTHEME/style\.css$
    RewriteRule .* YOURDOMAIN/wp-login.php [NC,L]

    It basically protects everything, so it's not perfect, but if protecting your assets is important, then it works.

    Justin
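
Added example (not part of the thread, and not the plugin mentioned in it): the rewrite rules above only test that a cookie with the expected name is present, so a stricter gate serves downloads through PHP and lets WordPress validate the login itself. The script name protected-file.php, the wp-content/private-files directory and the file query parameter are assumptions for illustration.

```php
<?php
// protected-file.php (hypothetical name), placed in the WordPress root.
// Assumed layout: downloads live in wp-content/private-files/, which the web
// server is configured to refuse directly, so every request passes through here.
require __DIR__ . '/wp-load.php';   // boots WordPress so its auth functions exist

// Unlike a cookie-name match in .htaccess, this validates the login cookie's
// signature and expiry against the user record.
if ( ! is_user_logged_in() ) {
    auth_redirect();                // redirects to wp-login.php and exits
}

$base = realpath( WP_CONTENT_DIR . '/private-files' );
$name = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';
$path = $base ? realpath( $base . '/' . $name ) : false;

// realpath() resolves "..": reject anything that lands outside the base
// directory, does not exist, or is not a regular file.
if ( ! $path || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 || ! is_file( $path ) ) {
    status_header( 404 );
    exit;
}

// Only serve file types WordPress itself would accept as uploads.
$type = wp_check_filetype( $path );
if ( empty( $type['type'] ) ) {
    status_header( 403 );
    exit;
}

$download = str_replace( '"', '', basename( $path ) );  // keep the header well-formed

nocache_headers();                  // stop shared caches from storing member files
header( 'Content-Type: ' . $type['type'] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Content-Disposition: attachment; filename="' . $download . '"' );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```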

  6. Cerebral ideas
    Member
    Posted 3 years ago #

    Andrea, good luck on your plugin and let me know when it is live. It is very needed. Thanks.

    Justin

  7. HansRuedi
    Member
    Posted 3 years ago #

    Andrea_r, do you have any news re that buddypress protection plugin?!?

  8. Cerebral ideas
    Member
    Posted 3 years ago #

    I too would love to know of any progress with the plugin.

  9. 3.1 is almost ready to drop, and it has changes in the super/network admin we have to account for

    AND

    Buddypress is also undergoing significant changes to some structure & getting ready for 3.1,

    SO

    Just a wee bit longer. :) Then we'll have it out after 3.1 & the next BP as best we can. Right now we're elbow-deep getting everything else we have ready for 3.1.

  10. Cerebral ideas
    Member
    Posted 3 years ago #

    Thanks for the update Andrea. We are all looking forward to your plugin!

    Justin

  11. If it helps, I've been using it at wpebooks. :)

  12. HansRuedi
    Member
    Posted 3 years ago #

    What are you using at wpebooks? wp-content/uploads/... seems to be accessible. Pls help...

  13. I'm using the plugin I mentioned above, the one I am working on that is not yet released.

    Yes, the uploads folder is accessible, but that doesn't mean I'm putting file downloads there. ;)

  14. HansRuedi
    Member
    Posted 3 years ago #

    Thanks a lot, Andrea!

  15. HansRuedi
    Member
    Posted 3 years ago #

    http://dev.commons.gc.cuny.edu/2011/02/05/hardening-buddypress-group-documents/
    EDITED Feb 8, 2011 by Boone Gorges to include the code for creating directories when none exist!
