Support » Plugin: Ajax Upload for Gravity Forms » Restrict Direct Access of Files

  • Hi, is there anything to restrict direct access to the files uploaded with this plugin via URL entry?
    Basically, I have uploaded my files to a specific folder. My site is permitting uploads to only logged-in users; also, every piece of content on the site is managed by the Member plugin.
    Only a specific user role can see a specific page/form/post.

    But I noticed that a user can see any document/file uploaded by the Ajax Upload plugin by typing the URL of that file.

    Is there any idea how to secure this?

    https://wordpress.org/plugins/ajax-upload-for-gravity-forms/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi,

    One way would be to tackle it with your .htaccess file – you could do something like this:

    # Rules for the protected uploads folder (change the folder path and domain to match your site)
    RewriteEngine On
    # Only apply to requests under the protected uploads folder
    RewriteCond %{REQUEST_URI} ^/wp-content/uploads/secret-folder/.*
    # ...that did not arrive from a page on this site (the Referer header is easily spoofed)
    RewriteCond %{HTTP_REFERER} !^http(s)?://domain\.com/ [NC]
    # Rewrite any such request to the homepage instead of serving the file
    RewriteRule .*$ / [L]

    This can be spoofed, but basically it says:

    If the URL requested includes the path to your protected uploads area,
    and if the person requesting hasn't been referred from your site,
    then send them to your homepage

    Obviously change the folder path and domain to match your site.

    Plugin Author ovann86

    (@ovann86)

    Hey,

    First, if you haven't already noticed, WordPress (without customisation) doesn't provide any sort of restrictions on uploaded files.

    I've played around with using HTACCESS to redirect to a PHP file to check that users are logged in, then redirect to the requested file. This ensured only logged-in users could access the file. I'll see if I can find it. I didn't end up using it because it turned out that some of my users may not always be authenticated and/or would not want to authenticate.

    If you’ve been watching the code for this plugin and Gravity Forms you may have noticed that Gravity Forms have actually introduced a way of obscuring download paths (since about version 2). I started to implement this with this plugin, however it became apparent that it is not complete yet in Gravity Forms – the feature only works when the default upload path is being used.

    So yea, +1 for you – this is a very timely feature, something I want to implement ASAP but I can’t until Gravity Forms has completed it from their side.

    What I will do is check back through the GF code, see if they have made any progress and try to find my HTACCESS method.

    Plugin Author ovann86

    (@ovann86)

    I just found my HTACCESS hack; it was based on the method mentioned here by hakre:
    http://wordpress.stackexchange.com/questions/37144/how-to-protect-uploads-if-user-is-not-logged-in

    I see I was actually setting it up so that files were uploaded to a folder path that included a hashed user id – I then checked that the current user matched the same hashed user id. Meaning, the user could only access their own files.

    I take it you want any logged-in user to access any uploaded file? It would be easier to do, with less risk of not working.
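    A gatekeeper script in the spirit of the .htaccess-to-PHP method ovann86 describes above, added here as an illustration; it is not code from the plugin or from the linked Stack Exchange answer. The file name protected-file.php, the folder name secret-folder, the PER_USER_ONLY switch and the HMAC used for the hashed user id are all assumptions.

```php
<?php
// protected-file.php (assumed name), saved in the WordPress root.
// Assumed .htaccess rule, placed ABOVE the standard WordPress block so it runs first
// (folder name is a placeholder):
//   RewriteEngine On
//   RewriteRule ^wp-content/uploads/secret-folder/(.+)$ protected-file.php?file=$1 [QSA,L]

require_once __DIR__ . '/wp-load.php'; // bootstrap WordPress so auth functions are available

// true  = only the owning user may read files under secret-folder/<hashed user id>/...
// false = any logged-in user may read any file (the asker's stated requirement)
const PER_USER_ONLY = false; // assumption, not a WordPress or plugin constant

// 1. Anyone not logged in is sent to the login screen instead of the file.
if ( ! is_user_logged_in() ) {
    auth_redirect();
    exit;
}

// 2. Resolve the request and refuse anything that escapes the protected folder
//    (path traversal such as ../, symlinks pointing elsewhere, directories).
$base      = realpath( WP_CONTENT_DIR . '/uploads/secret-folder' );
$requested = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';
$path      = ( false !== $base ) ? realpath( $base . '/' . $requested ) : false;
if ( false === $base || false === $path
    || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
    status_header( 404 );
    exit;
}

// 3. Optional per-user check: the first directory under secret-folder must equal an
//    HMAC of the current user's id (hash choice is an assumption; AUTH_SALT is the
//    secret from wp-config.php). No hint is given to the user about why it failed.
if ( PER_USER_ONLY ) {
    $owner_dir = strtok( $requested, '/' );
    $expected  = hash_hmac( 'sha256', (string) get_current_user_id(), AUTH_SALT );
    if ( ! hash_equals( $expected, (string) $owner_dir ) ) {
        status_header( 403 );
        exit;
    }
}

// 4. Stream the file with a type derived from the extension, never from the request,
//    and tell the browser not to sniff it into something executable.
$type = wp_check_filetype( basename( $path ) );
header( 'Content-Type: ' . ( $type['type'] ?: 'application/octet-stream' ) );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

    Because Apache no longer serves the folder directly, the Referer-based rule in the first reply is not needed alongside this; the login check replaces it.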
