• For the Web site of a design firm, I want to create a Client Support page that is dynamically built especially for the logged-in client, and that contains all info (text, calendar, deadlines, and especially file downloads) pertaining to that client, and which *only* that client should see. I envision this user scenario:

    1. User goes to a static front-end “Client” page and logs in with a username and password.
    2. The page uses the now-authenticated username to dynamically build on the fly a custom page for that user, listing all information relevant to him/her, including a list of available file-downloads which have been uploaded by the company and associated somehow with that user. And this info is visible only if you’re logged in.

    In WP, can you in fact:

    A) Associate uploaded files with a specific user, maybe by using categories?
    B) Make these files not visible to all users?
    C) Get the username and supply it as a parameter to a function that will return a linked list of files that have that username as a category? Make such a file-list visible only if the user is logged in?

    Something like that? Thanks.

Viewing 6 replies - 16 through 21 (of 21 total)
  • The below program would be a good plugin to use for this but it doesn’t work for WordPress 2.5.X

    https://bluesome.net/post/2006/01/01/121/

    If the content you are posting as downloads has a commercial value then you really should use .htaccess

    I thought there was a way to authenticate WP users with htaccess, so if you have them logged in then .htaccess should be valid for the downloads too.

    Look for a private WP website plugin; I think that’s where I saw the auth by htaccess for login.

    This is Private WP, although this plugin (AskApache Password Protect) looks pretty useful as well.

    Maybe you should combine the plugins

    User Permissions

    https://urbangiraffe.com/plugins/user-permissions/

    and use Drain Hole as download manager

    https://urbangiraffe.com/plugins/drain-hole/

    @hunter4: Drain Hole looks really good. Thanks

    Interesting project…

    I have only just started tinkering with WP code, and just from quickly reading the docs and playing with the source for the last 45 minutes, I would say it’s possible but would require some interesting workarounds.

    1. Files do not appear to be stored in the database but instead in publicly accessible folders, wp-content/uploads to be exact.

    2. WP has quite an extensive API so one should be able to call:

    – is_user_logged_in()
    – wp_get_current_user()
    – auth_redirect()

    Assuming one of the API functions returns the user ID of the currently logged in individual — which I am willing to bet one does.

    This code would be relatively trivial to implement in the template using the above API. The problem is, the files are publicly available/accessible so anyone could access that file.

    I see two ways around that:

    1. Each page/post would have its associated owner and would need to use a template with a list of client IDs allowed to access the content and attached files. Because files need to be publicly accessible (otherwise they would have to log in again with .htaccess) you could maybe use random names which are not easily guessed or copied.

    This is of course not bulletproof because if Apache is configured to show directory listings and the directory doesn’t have an index.html your files are shown anyways.

    2. The better approach but more difficult would be to .htaccess the directory and use a proxy script to actually fetch the files and have the same checks as the template does to verify that the file is allowed to be viewed by allowed members only.

    Here is the problem with the above approach. When you insert the link to the file using the image browser the files are accessed via HTTP so the .htaccess login prompt would be visible. You would need to hack WP to use the proxy script as well and then the checks are unnecessary from the admin backend. But you could probably avoid hacking WP actually by using some mod_rewrite trickery to have requests forwarded to the proxy.

    Then you could check to see if the user logged in is admin in which case checks are ignored…and the file is simply returned.

    Hmmm…yea sorry for babbling…just putting it out there. If anyone has any critique for my approach and its validity I’d love to hear it…as I begin to poke around the WP codebase.

    Cheers

  • The topic ‘How to restrict file downloads to specific users?’ is closed to new replies.
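
The proxy-script approach described in the last reply, sketched as an added example (not code from any poster in this thread or from WordPress itself). The script name `download.php`, the `PROTECTED_DIR` location, the per-user folder layout and the `owner`/`file` query parameters are assumptions; the directory is assumed to be blocked from direct HTTP access.

```php
<?php
// download.php: hypothetical proxy script, assumed to sit in the WordPress root.
// Assumed layout: PROTECTED_DIR/<user_login>/<file>, with PROTECTED_DIR either
// outside the web root or denied to direct requests in its .htaccess.
require_once __DIR__ . '/wp-load.php';                    // bootstrap WordPress
define('PROTECTED_DIR', '/var/www/protected-downloads');  // assumed location

// Returns the real path of the requested file, or null if the request is not allowed.
function resolve_client_file($base, $owner, $name, $login, $is_admin) {
    // Only the owner of the folder, or an administrator, may read from it.
    if (!$is_admin && $owner !== $login) {
        return null;
    }
    // Refuse empty names, path separators and NUL bytes up front.
    foreach (array($owner, $name) as $part) {
        if ($part === '' || strpbrk($part, "/\\\0") !== false) {
            return null;
        }
    }
    // Canonicalise and confirm the result is still inside the owner's folder;
    // this also rejects "." and ".." and symlinks that point elsewhere.
    $root = realpath($base);
    $path = realpath($base . '/' . $owner . '/' . $name);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR . $owner . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (!is_user_logged_in()) {
    auth_redirect();  // redirects to the WordPress login page and exits
}
$user  = wp_get_current_user();
$owner = isset($_GET['owner']) ? (string) wp_unslash($_GET['owner']) : $user->user_login;
$name  = isset($_GET['file']) ? (string) wp_unslash($_GET['file']) : '';
$admin = current_user_can('manage_options');  // admins skip the ownership check

$path = resolve_client_file(PROTECTED_DIR, $owner, $name, $user->user_login, $admin);
if ($path === null) {
    status_header(404);  // same answer for "missing" and "not yours"
    exit;
}
nocache_headers();  // keep shared caches from storing a client's file
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Because the files are served only through this script, the "random file name" workaround and the directory-listing exposure mentioned in the reply no longer matter; a mod_rewrite rule can map the old upload URLs onto the script if existing links must keep working.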