Is it possible to allow direct media access (link) only to certain user roles?

Resolved info2
(@agnoletti)

3 years ago

Dear Staff, my aim is to allow direct media access based on user role.
I mean, also if having the direct link to a media (i.e. a PDF file), only a specific user role can actually download it – if that user is anonimous or, if logged-in, does not belong to a specific role, he should not be able to download that media.

Is that achievable with this plugin?

My media have different categories and I’m looking for allowing only specific user roles to be able to use a direct link to them (based on media category).

I unsuccesfully tried various combinations and that looked the best:

GENERAL – Who can see this content? Logged In users – And I’ve selected the only user-category that I want to be able to direct-link the category media

PROTECTION – Redirect – Login & Back

CONTENT – IS Media Categories: Selected – And I’ve selected the media category that only the above selected user-category should be able to direct link

But it does not work. The direct link keeps accessible to anyone. Thank you for any suggestion!

The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)

kagsundaram
(@kagsundaram)

2 years, 11 months ago

I was about to start a new thread…

…good thing I looked first.

I have exactly the same problem.

I have a commerce site, software for $$, registered subscribers get a discount, and a few items are free for registered Subscribers. (Email lists are good business)

This plugin works great for restricting access to the discount price pages, however, once a person knows the URL of a free zip file in Media, it is downloadable without login, even though it is “protected” exactly as @agnoletti describes above.
Plugin Author Daniel Iser
(@danieliser)

2 years, 10 months ago
@agnoletti, @kagsundaram – Sorry for the delay, that said this has been asked and answered many times before. The “Media” conditions are for the WordPress Media content type, which is a post type like wrapper that stores the file meta info. Often these used to have their own pages under a post such as /post-abc/image-slug/ would load image-slug.jpg that was attached to the post-abc.

That /image-slug/ page would be an actual page with title, meta, menus etc, and the_content is the image itself.

To protect the media itself is can’t be done at the PHP level in an efficient way, which means it needs to be done at the server level (Apache or Nginx).

This generally means writing a huge list of media urls that must be protected along with token based redirects that cause it to go through WP for auth before serving the file: https://carlofontanos.com/restrict-access-to-wp-contentuploads-when-user-is-not-logged-in/

There is one plugin that offers this but its complex and doesn’t work with all hosts.

It is also a very taxing method on servers as every media item instead of being loaded and served directly from disk is now loading a PHP process, the entirity of WordPress, making calls to the database to then authenticate the user.

IE every page request suddenly hits your server with potentially dozens of additional requests, easily crashing servers if put under real user loads.

You will find every solution on google follows this pattern.

Its a complex problem with no simple solution, which is why we likely won’t be tackling it with this plugin which was only meant to do the simple task of restricting content from view, not preventing file access.

Best we could do in the future is mask the url with a fake one for public use that only works for authenticated users, but even that suffers from the same server load issues. But even that doesn’t really fit within what this plugin was intended for, so it would be very low priority.

Hope that clears it up.
- This reply was modified 2 years, 10 months ago by Daniel Iser.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Is it possible to allow direct media access (link) only to certain user roles?’ is closed to new replies.