• Resolved rdzman

    (@rdzman)


    I have a WordPress site (currently 6.3.1) that uses the latest Download Monitor (4.8.9) and has been working wonderfully until recently.

    I have two kinds of download links (1) those that point to a file URL (e.g. /matpower/downloads/6.0/matpower6.0.zip) and (2) those that point to a GitHub URL (e.g. https://github.com/MATPOWER/matpower/releases/download/7.0/matpower7.0.zip).

    The first kind have all recently started giving me “Access denied to this file” errors when I click a download link. I suspect an update to the plug-in broke something, but I don’t know exactly which update since these are older, less accessed downloads. I double-checked and a direct link to the file (e.g. https://matpower.org/matpower/downloads/6.0/matpower6.0.zip) works just fine with no permission errors, so it’s not that the web server can’t access the file.

    I tried saving the permalink settings (as suggested in another thread), disabling any caching plug-ins, disabling all other plugins. Still no luck.

    Any suggestions?

    (The second type of download has recently started exhibiting a different issue, but I’ll use a separate thread for that).


Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Support beatrice12

    (@beatrice12)

    Hello @rdzman,

    Thanks for reaching out to us!

    Can you please let us know where your downloads are located? Are they in the wp-content/root folder or in another folder?

    Warmly,

    Beatrice.

    Thread Starter rdzman

    (@rdzman)

    The files are in /matpower/downloads/ which is outside of the /wp-content folder.

    Plugin Author Razvan Aldea

    (@raldea89)

    Hello @rdzman ,

    That seems to be the problem. Please go to Downloads > Settings > Advanced > Miscellaneous > Other downloads path and add that path there ( /matpower/downloads/ ).

    Please let us know if this fixed your issue.

    Warmly,
    Razvan

    Thread Starter rdzman

    (@rdzman)

    Thank you! This does look like it’s probably the issue. Just a quick clarification before I make the change …

    My downloads specify their path relative to the web server root (e.g. /matpower/downloads/6.0/matpower6.0.zip). So the corresponding absolute file system path is something like /home/username/public_html/matpower/downloads/6.0/matpower6.0.zip.

    It appears from the docs that this “Other download path” is looking for a full absolute file system path of the directory that serves as the base for the path specified in the individual downloads (e.g. in my case /home/username/public_html/), not the path relative to the web server root (e.g. /matpower/downloads/). Can someone confirm that is correct before I do it?

    Also, according to the docs, this change was introduced in 4.5.92, so I guess these links have been broken on my site for over a year and I never knew it.

    Thread Starter rdzman

    (@rdzman)

    Unfortunately, I was not able to get it to work. I’m still getting the “Access denied to this file” error. My current settings are:

    • Other downloads path: /home/username/public_html/
    • Path specified in download: /matpower/downloads/6.0/matpower6.0.zip
    • Full file system path: /home/username/public_html/matpower/downloads/6.0/matpower6.0.zip

    I also tried specifying the full file system path in the download, but no change.

    What am I doing wrong?

    Thread Starter rdzman

    (@rdzman)

    In case it’s relevant, /home/username/public_html/matpower is a symbolic link to a directory outside the web root. And I can confirm that the web server is able to serve files in that directory just fine via the symlink.

    Plugin Author Razvan Aldea

    (@raldea89)

    Hello @rdzman ,

    You’ll need to put in the “Other downloads path” setting the full absolute true path. Or, you can create a new Download and add a file from that path. The plugin should automatically see that the file is located outside and should offer the possibility to add the path to the “Other downloads path” setting.

    Please let me know after you’ve put the real path if the download works.

    Warmly,
    Razvan

    Thread Starter rdzman

    (@rdzman)

    Ok, using the true path (as opposed to the one with the symlink) does work. But I’m not too comfortable with it. Let me explain why.

    My setup now looks like this …

    • Web root: /home/username/public_html/
    • Other downloads path: /home/username/outside/
    • Symlink: /home/username/public_html/matpower/ points to /home/username/outside/matpower/
    • All download references were created as absolute paths from web root, so they look like: /matpower/<subdir>/<somefile>.zip

    And all of this worked fine before “Other downloads path” was introduced.

    But now, unless I’m willing to go back and edit every single download (no thank you!), I have a situation where I’m forced to give Download Monitor plugin access to directories it should not touch and ones that the web server does not have access to, namely anything inside /home/username/outside/ but outside /home/username/outside/matpower/.

    If Download Monitor could handle a symlinked path in “Other downloads path”, I could avoid giving it access to directories it should not have access to. Is that something that could be added?

    In any case, thanks for Download Monitor and for the help in getting my downloads back online!

    Plugin Author Razvan Aldea

    (@raldea89)

    Hello @rdzman ,

    That setting along with the security functionality that was introduced in version 4.5.92 was introduced for the exact purpose of what you said: to not allow download access to outside of root/wp-content files. If you permit visitors, with the help of the “Other downloads path”, download access to files from a directory, the plugin will only allow access to that directory and its files and folders, nothing more. What is outside of that directory will be denied.

    So, in your case, if you point to /home/username/outside/matpower/ in the “Other downloads path” Download Monitor will only allow downloads from that directory, everything from the outside that is not included in matpower will be given access denied.

    Hope this clears things up.

    Warmly,
    Razvan

    Thread Starter rdzman

    (@rdzman)

    Ah … thanks! That’s working just fine.

    I had thought of that, but was under the assumption that an absolute path specified in an individual download was now “based” at the “Other downloads path”, not at the web root. Hence my comment about not wanting to go back and edit all of my downloads.

    The piece I was missing is that, for existing downloads, “Other downloads path” does not change anything about the path needed to address a particular file. It only affects whether access to that file is permitted or not.

    Thanks again for your help.
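
The three "Other downloads path" settings tried in this thread can be reproduced with the added example below, which is not part of any post above and is not Download Monitor's code. It assumes the check resolves symlinks in the requested file and then requires the result to lie inside the configured directory, which matches the behaviour reported in the thread; the temp-dir layout, `private/backup.sql` and all function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed model of a "real path must be inside the allowed directory" check.

# is_allowed ALLOWED_DIR FILE
# Succeeds only if FILE exists and, after symlink resolution, lies inside
# ALLOWED_DIR. ALLOWED_DIR is compared as configured (assumption).
is_allowed() {
    local allowed="${1%/}" real
    [ -e "$2" ] || return 1                 # missing file: deny
    real=$(realpath "$2") || return 1       # resolves symlinks and ".." segments
    case "$real" in
        "$allowed"/*) return 0 ;;           # the "/" keeps /x/matpower-old from matching /x/matpower
        *)            return 1 ;;
    esac
}

# build_layout: creates a tree mirroring the thread and prints its root.
build_layout() {
    local root
    root=$(realpath "$(mktemp -d)")
    mkdir -p "$root/public_html" "$root/outside/matpower/6.0" "$root/outside/private"
    : > "$root/outside/matpower/6.0/matpower6.0.zip"
    : > "$root/outside/private/backup.sql"  # file the plugin should never serve
    ln -s "$root/outside/matpower" "$root/public_html/matpower"
    printf '%s\n' "$root"
}

# verdict ALLOWED_DIR FILE: prints "allow" or "deny".
verdict() { if is_allowed "$1" "$2"; then echo allow; else echo deny; fi; }

demo() {
    local root zip secret
    root=$(build_layout)
    zip="$root/public_html/matpower/6.0/matpower6.0.zip"   # path via the symlink
    secret="$root/outside/private/backup.sql"
    echo "allowed=public_html       zip:    $(verdict "$root/public_html" "$zip")"
    echo "allowed=outside           zip:    $(verdict "$root/outside" "$zip")"
    echo "allowed=outside           secret: $(verdict "$root/outside" "$secret")"
    echo "allowed=outside/matpower  zip:    $(verdict "$root/outside/matpower" "$zip")"
    echo "allowed=outside/matpower  secret: $(verdict "$root/outside/matpower" "$secret")"
    rm -rf "$root"
}
demo
```

On a live host, `realpath /home/username/public_html/matpower` prints the true directory to enter in the setting, scoped to the symlink target rather than its parent.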

  • The topic ‘new “Access denied to this file” error’ is closed to new replies.