Protect direct access to uploaded files

I’m not sure how it works with virtual (rewritten) directories, but one classic approach to trying to protect files from being downloaded by people that aren’t logged in is to use .htaccess to check for a specific cookie before serving the file.

The .htaccess code would look something like:

RewriteCond %{HTTP_COOKIE} !CookieName=
RewriteRule ^document-directory.*$ /login-page [L,R=301]

A little more info can be found at https://www.willmaster.com/blog/contentprotection/htaccess-cookie.php.

In order to signify that the access is forbidden, you might even want to change “R=301” to “R=403”, but I’ve never used that, so I don’t know exactly how it works.

Also, in order for this to work properly, all of the files that you want forbidden will need to reside in a directory separate from the files that you want available to the public. You can’t selectively (not easily, at least) specify which files within a directory should be protected and which shouldn’t. Good luck.

One can easily download these files with the full url known. I need to be able to prevent people from getting access to these files without being logged in.

Funnily enough, we’re working on a buddypress plugins that does this. No ETA.

Hey Curtis, thank you for the tip; I will try it out in a few hours and let you know how it works out. Thanks again.

Andrea, I was hoping for a plugin from you guys on this one. I hope you all work it out soon as it would be a welcome for this and many projects. Thanks.

Justin

Well, couldn’t get it to work. I couldn’t get the subsite’s files directory to follow the htaccess rules, so I had to utilize the root htaccess file. Here’s what I used in case anyone else would like to try:

RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_YOURUNIQUESTRING.*$ [NC]
RewriteCond %{REQUEST_URI} !^/wp-login.php$
RewriteCond %{REQUEST_URI} !^/wp-admin/css/*.css*$
RewriteCond %{REQUEST_URI} !^/wp-content/themes/YOURTHEME/style.css$
RewriteRule .* YOURDOMAIN/wp-login.php [NC,L]

It basically protects everything, so it’s not perfect, but if protecting your assets is important, then it works.

Justin

Andrea, good luck on your plugin and let me know when it is live. It is very needed. Thanks.

Justin

Andrea_r, do you have any news re that buddypress protection plugin?!?

I too would love to know of any progress with the plugin.

3.1 is almost ready to drop, and it has changes in the super/network admin we have to account for

AND

Buddypress is also undergoing significant changes to some structure & getting ready for 3.1,

SO

Just a wee bit longer. ?? Then we’ll have it out after 3.1 & the next BP as best we can. Right now we’re elbow-deep getting everything else we have ready for 3.1.

Thanks for the update Andrea. We are all looking forward to your plugin!

Justin

If it helps, i’ve been using it at wpebooks. ??

What are you using at wpebooks? wp-content/uploads/… seems to be accessible. Pls help…

I’m using the plugin I mentioned above, the one I am working on and is not yet released.

yes, the uploads folder is accessible, but that doesn’t mean I’m putting file downloads there. ??

https://dev.commons.gc.cuny.edu/2011/02/05/hardening-buddypress-group-documents/

Thanks a lot, Andrea!

https://dev.commons.gc.cuny.edu/2011/02/05/hardening-buddypress-group-documents/
EDITED Feb 8, 2011 by Boone Gorges to include the code for creating directories when none exist!