Support » Plugin: Download Monitor » Outside Root for Download Endpoint Location?

  • Resolved Jason

    (@jj9617)


    Is is possible to add the ability to store files outside the root? This plug-in’s solution for providing secure access for logged-in users only is not exactly secure. The PDF files still exist in a folder on the server, which can be accessed by anyone if they know the URL. If I add a .htaccess file to prevent access, the php functionality of the plugin does not work and the files cannot be read by anyone.

    Maybe I am doing something wrong?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor Barry Kooij

    (@barrykooij)

    Hey,

    By default our files are uploaded to a location that contains an .htaccess file. Our plugin should be able to read files in that directory unless you have the “Redirect to file” option selected. When you edit the download, is this option checked?

    Kind Regards,

    Barry Kooij

    Thread Starter Jason

    (@jj9617)

    I had “Members only” checked, which works fine. My issue is that someone does not need to go through WordPress to access the files. All they need is the direct link, which is not secure. I did find some code for my .htaccess file that only allows WP logged-in users to download. That will suffice for now. Ideally, I would like to assign a group of files to a group of users. If a user is not in the assigned group, they cannot access the file.

    Please let me know if this kind of functionality might be available in a “pro” version. Thanks!

    Plugin Contributor Barry Kooij

    (@barrykooij)

    Hey,

    I think we’re misunderstanding each other. By default, files are uploaded to a dlm_uploads which is secured by an .htaccess by default. This security doesn’t work if you move the files to another folder, remove the .htaccess file or use a different webserver than Apache (If you use Nginx we show a message with a rule you can add).

    Are your files in the dlm_uploads folder and does this folder still contain the .htacess file? Also, is your server using Apache (if you’re unsure, you can ask your host)?

    Kind Regards,

    Barry Kooij

    Thread Starter Jason

    (@jj9617)

    My web server is Apache, and the .htaccess file is still in the dlm_uploads directory. I think one of the problems is that if I go to Upload file and choose something already in Media Library, the file stays in the original directory without any protection, which makes sense. Your plugin cannot change the permissions of an existing file in Media Library, apparently.

    Also, I cannot seem to use the permission settings in Ultimate Member (another plugin) with Download Monitor. For instance, when adding a Download and uploading to the dlm_uploads directory, I want to restrict access to members using Ultimate Member options, but those options don’t stick.

    This isn’t a problem with your plug-in, I just wanted to share what I’m trying to do. If I cannot restrict access to files on a group basis, then Document Gallery seems to be doing a better job for my particular needs. Thanks for your time!

    Plugin Contributor Barry Kooij

    (@barrykooij)

    Thanks for clearing this up. We indeed do not move already existing media library files. If you choose to upload a new file in the add/edit download screen, we automatically add it in the protected folder.

    Regarding the Ultimate Member plugin, I’m not sure what kind of access restrictions you are trying to do but you might be interested in our Advanced Access Manager extension: https://www.download-monitor.com/extensions/advanced-access-manager/

    Thread Starter Jason

    (@jj9617)

    Thanks for the tip. I have two groups: Owners and Tenants. Owners need access to all files, while Tenants only need access to some files. It is not clear to me whether the Advanced Access Manager extension can accomplish this, since it does not appear to be possible to assign access privileges per file.

    The other plugin I mentioned, Ultimate Member, does allow me to assign privileges per post. While creating a Download with your plugin, I am directed to what looks like a “post” page, with all options on the page; however, the post options for Ultimate Member do not affect Downloads at all. For example, if I add a Download and then choose to only allow Owners access to that file, I can login as Tenant and still access the file. Looks like Download Monitor is restricted to providing access to all files, or no files. What I need is access to a specific set of files based on User Role.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Outside Root for Download Endpoint Location?’ is closed to new replies.