Attachments not protected and extra div
-
Restricting access to pages is working great. Restricting access to downloading attachments is not working. I attached some files to a page using the wpc “Manage File Attachments” area, and set all of them to be visible and downloadable by “Members Only”. I then viewed the page, copied the download URL, and pasted the URL in another browser where I was not logged in. The file downloaded although it should not have. I tried several other browsers and computers with the same result, downloading a protected file without logging in.
The download link looked like this:
http://mydomain.com/documents/?wppcp_file_download=yes&wppcp_file_id=56&wppcp_post_id=77
Also, the attachments list opens one div,
<div class='wppcp-attachments-display-panel'>
but closes 2 divs, which causes havoc on my theme.
</div></div>
-
I took a look at the plugin’s WPPCP_Post_Attachments class (class-wppcp-post-attachments.php) and see how you are using the permissions to show or not show the download links, but are not using the permissions to control the download. A few extra lines in file_attachment_download() would prevent unauthorized downloads. See below.
I think users of your plugin are under the impression that managed file attachments are protected, and that someone could not post a link to the files that anyone else could use.
foreach ($post_attachments as $key => $attach_data) {
    if($attach_data['attach_id'] == $wppcp_file_id){
        // echo "<pre>";print_r($attach_data);exit;
        if ($this->verify_download_permission($attach_data)){
            $file_mime_type = isset($attach_data['mime']) ? $attach_data['mime'] : '';
            if($file_mime_type != ''){
                header('Cache-Control: public');
                header('Content-Description: File Transfer');
                header('Content-disposition: attachment;filename='.basename($file_dir));
                header('Content-Type: '. $file_mime_type);
                header('Content-Transfer-Encoding: binary');
                header('Content-Length: '. filesize($file_dir));
                readfile($file_dir);
                exit;
            }
        } else {
            echo 'You need to <a href="'.wp_login_url().'">login</a> before downloading this file.';
            exit();
        }
    }
}

Thanks for the information and suggestions. Will get it fixed in the next version.
I have fixed this issue and hence am marking this as resolved. Please let me know if you still have the same issue.
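
The gap described in this thread is that the plugin's permission setting decided whether the download link was displayed but was not checked when the download URL itself was requested. As an added example (not the plugin's code and not the poster's patch), the sketch below enforces the setting inside the download handler and fails closed. The function names and the 'visibility' field with its values are assumptions; only 'attach_id' and 'mime' appear in the thread.

```php
<?php
// Added example, not the plugin's code. Function names and the 'visibility'
// field (values 'everyone' / 'members') are assumptions; the thread only
// shows the 'attach_id' and 'mime' keys.

// Pure decision function so the rule can be unit-tested without WordPress.
function example_can_download(array $attach_data, bool $logged_in): bool {
    // A missing setting is treated as the most restrictive one.
    $visibility = $attach_data['visibility'] ?? 'members';
    switch ($visibility) {
        case 'everyone':
            return true;
        case 'members':
            return $logged_in;
        default:
            return false; // unrecognised value: fail closed
    }
}

// $attachments and $file_path come from the plugin's own lookup for the
// requested post, which the thread does not show.
function example_serve_attachment(array $attachments, int $file_id, string $file_path): void {
    foreach ($attachments as $attach_data) {
        if ((int) ($attach_data['attach_id'] ?? 0) !== $file_id) {
            continue;
        }
        // Authorise on every request; hiding the link is not access control.
        if (!example_can_download($attach_data, is_user_logged_in())) {
            wp_die(
                'You need to <a href="' . esc_url(wp_login_url()) . '">log in</a> before downloading this file.',
                '',
                array('response' => 403)
            );
        }
        if (!is_file($file_path) || !is_readable($file_path)) {
            break; // fall through to the 404 below
        }
        $name = str_replace(array('"', '\\'), '', basename($file_path));
        // 'private, no-store' keeps shared caches from replaying a member's download.
        header('Cache-Control: private, no-store');
        header('X-Content-Type-Options: nosniff');
        header('Content-Type: ' . (($attach_data['mime'] ?? '') ?: 'application/octet-stream'));
        header('Content-Disposition: attachment; filename="' . $name . '"');
        header('Content-Length: ' . filesize($file_path));
        readfile($file_path);
        exit;
    }
    wp_die('File not found.', '', array('response' => 404));
}
```

The quickest regression check is the one the original poster ran: request the download URL from a browser session that is not logged in and confirm the response is the 403 page rather than the file.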