Thanks very much for providing a security update for the plugin. Let’s hope that Ashley Rich will accept your pull requests. Or let you take on maintaining the plugin.
I’d like to submit an Issue on your GitHub page but it’s not available.
If I enable the Folder Protection in the Advanced Settings (and this was happening before installing your update – but only started fairly recently) the files in the folder are inaccessible to anyone and produce a 403 error when trying to download them – they are also listed as inaccessible when editing the Download itself. The problem is solved if I disable the Folder Protection.
Great news!
Thanks for your work in making this plugin safe for use!
If I enable the Folder Protection in the Advanced Settings
It is working correctly for me. My default setting is “enabled” and I inherit the setting on the downloadable files. Open in Browser must be set to “no”, so PDF files in a protected folder cannot be shown in the browser directly but must be downloaded first.
It does not matter whether you upload the file via SFTP or via the DDL uploader. In the DDL folder only downloads are allowed.
I mostly use password protection for accessing the file, because I do not allow WordPress users to sign up.
Accessing the files in the DDL folder via a deep link URL presents a 403 error – which is correct.
With my fork you can also give your users one-day links to download a file without knowing the password.
All methods work with .htaccess denied for the web users. Access is only allowed by the webserver task.
If you want a file to be viewed in the browser directly, upload it via WordPress to the media library (outside the DDL folder) and the public can view the file in the browser.