Support » Plugin: Content Control - User Access Restriction Plugin » Extra steps needed to protect files-but more control options than other plugins

  • The guidelines say to report issues in the support forum instead. I’ve done this, but this issue is the basis for my review. It is a very important security issue of which potential users of this plugin should be aware. These reviews are where potential users are most likely to find the abilities and shortcomings. So I am repeating the issue here….

    The permalink is protected, but the file URL is not. Because of this I must give it only 2 stars. Since other aspects work well, I’m giving it more than one.

    Example:

    {domain}/{filename} — this is protected
    {domain}/wp-content/uploads/{filename} — this is still accessible

    I am disabling this plugin and searching for another. I’ll check back to see if this is fixed, because this plugin would replace two others (if it worked), and I’d like to minimize the number of plugins I’m using.

    • This topic was modified 1 year, 1 month ago by hrsms.
    • This topic was modified 1 year ago by hrsms.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Daniel Iser

    (@danieliser)

    @hrsms – Very much appreciate the feedback, but as we have followed up on this in great detail, we never mention protecting files in our feature description, and the plugin’s name heavily implies we offer protection for content, not assets, I would greatly appreciate if you reconsider this review.

    What you’re asking for is a complex beast with no simple way for you or us to set it up or maintain it. We don’t build plugins for complexity, but to solve issues in simple/elegant ways. If you want to block access to those files on your server, your host would be able to help provide you a much simpler solution than we could in that they can modify the access permissions on the server directly, something we could only guide you to do, and in all likelihood would have to guide you to do each time you wanted to protect a new asset unless you blocked them all.

    That is to say, we can’t build a more elegant way of doing it than manually doing it yourself, so why bother.

    It would be unreasonable for us to expect all of our users to be able to handle manual server file modifications for a plugin meant to simplify things around protecting content. And I believe content can and should clearly be delineated from assets in this case.

    Either way hope you found the solution you needed.

    Thread Starter hrsms

    (@hrsms)

    The distinction between “Content” and “Asset” is probably clearer to a developer than a user. When your description says “Restrict access to media…to logged in/out users or specific user roles”, it implies to me that the files are protected – without any distinction. I know I’m not the only one that has taken this interpretation.

    However, I have since learned this is more of a WordPress limitation. Some other CMS systems provide better “asset” protection. I moved my website from one such system to WordPress to get better overall functionality and, more importantly, to make it easier for someone else to take over, when that time comes. There are so many more WordPress users…

    So I’ll have to deal with the limitation. I’ve only found one other plugin that provides this level of protection, and only via a rather expensive pro option. I’ve also learned how to prevent the url from being found by browsing. So I can use your plugin to at least prevent access to pages that include the file urls. That will have to be good enough. If someone passes a url around (unlikely, in my case), at least I have nothing truly “top-secret”. And since there is no plugin offering this for free, I’m happy to bump it up to 4-stars.

    One star is deducted for what I’ll call “ease of use”. I prefer the way the “Members” plugin and Code Atlantic’s own “User Menus” plugin allow the roles to be set directly on the page/menu. It is easier (my opinion, of course) to set them when creating the page/menu/category/etc rather than later going to the plug-in settings. It is also easier to confirm at any later time, by going directly to the page/menu/category/etc to view the allowed roles, rather than to the plug-in settings.

    As your plugin provides access by page and/or category, and “Members” only to specific pages, I’m using yours and have deactivated “Members” – despite my view on “ease of use”. Thank you for the added functionality.

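The gap discussed in this thread (attachment permalink restricted, direct `wp-content/uploads` URL still served) can be checked on your own site with a short audit. This is an added example, not part of the thread or the plugin's code; the function names and `example.com` URLs are hypothetical, and treating a redirect to `wp-login.php` as "protected" is an assumption about how the site denies access.

```python
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a bounce to the login page stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url, timeout=10):
    """HEAD request with no cookies or credentials; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location") or ""
    except urllib.error.HTTPError as err:  # 3xx (not followed), 4xx and 5xx land here
        return err.code, err.headers.get("Location") or ""


def classify(status, location):
    """Map an anonymous response to a verdict for the audit report."""
    if 200 <= status < 300:
        return "exposed"          # file or page served to a logged-out visitor
    if 300 <= status < 400:
        # Assumption: denied visitors are sent to the WordPress login page.
        return "protected" if "wp-login.php" in location else "check-redirect"
    if status in (401, 403, 404):
        return "protected"        # refused, or hidden behind a 404
    return "unknown"


def audit(urls, fetch=fetch_anonymous):
    """Return {url: verdict} for each URL, requested without a session."""
    return {url: classify(*fetch(url)) for url in urls}


# Constructed sample responses mirroring the two URLs in the review above.
SAMPLE = {
    "https://example.com/report-2023/": (302, "https://example.com/wp-login.php"),
    "https://example.com/wp-content/uploads/report-2023.pdf": (200, ""),
}


def sample_fetch(url):
    return SAMPLE[url]


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE, fetch=sample_fetch).items():
        print(f"{verdict:14} {url}")
```

Call `audit([...])` without the `fetch` argument to test real URLs on a site you administer; any "exposed" verdict under `wp-content/uploads` means the file needs a server-level restriction.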