How to protect uploads in multisite if user is not logged in?

I am trying to set up a multisite intranet (using subdomains) where content on each sub-site is only accessible to users logged into their respective site. The problem I am having is trying to restrict access to uploaded files (e.g. http://example.org/wp-content/uploads/2011/12/dummy.pdf) to logged in users only.

Similar to "How to Protect Uploads, if User is not Logged In?", how would I enable one of the solutions proposed by hakre or Frank Bueltge for a multisite installation?

I have been scouring the net and WordPress Answers but haven’t managed to find something that I can get to work. Related answers are:

Also, I am new to PHP and still learning how WordPress works under the hood, so detailed information about what I need to do and what goes where would be much appreciated.

Thanks!

1 comment

  1. Nice Question!

    Poking around it a little bit, this seems to be working (further tests and a more qualified look are much welcome:). Tested only in a localhost development install with subdomains. No domain mapping.

    Change the following .htaccess rewrite rule:

    # uploaded files
    # RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    RewriteRule ^files/(.+) dl-files.php?file=$1 [L]
    

    Make a copy of /wp-includes/ms-files.php and place it on the root with the name dl-files.php.

    Disable SHORTINIT, modify the wp-load.php path and add a current_user_can() check at the very beginning, so it becomes:

    <?php
    /**
     * Modified Multisite upload handler.
     *
     * @since 3.0.0
     *
     * @package WordPress
     * @subpackage Multisite
     */
    
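    // SHORTINIT stays disabled: the capability check below needs the full user API.
    //define( 'SHORTINIT', true );
    require_once( dirname( __FILE__ ) . '/wp-load.php' );
    
    if( !is_multisite() )
        die( 'Multisite support not enabled' );
    
    // 'read' is held by every default role, so any member of the current site passes;
    // a role name such as 'subscriber' would turn away editors and other higher roles.
    if( !current_user_can( 'read' ) ) {
        status_header( 403 );
        die( '403 — Forbidden.' );
    }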
    
    ms_file_constants();
    
    /* ... rest of the original file ... */
    

    Note that removing the SHORTINIT increases loading time and memory consumption. I read somewhere that it could be a tenfold increase (!?).

    Interesting discussions in the wp-edu list (haven’t found anything in wp-hackers):
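
A way to check the gate once the change above is in place, as an added example that is not part of the original answer: it requests upload URLs with no cookies and lists any that still download. The local stand-in server and all function names are constructed for the demo; on a real site, pass your own upload URLs to `exposed_uploads()`.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a login redirect as 3xx instead of following it

def anonymous_status(url, timeout=5):
    """Status of a GET sent without cookies, i.e. as a logged-out visitor."""
    # ProxyHandler({}) forces a direct connection, ignoring proxy env variables.
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def exposed_uploads(urls):
    """URLs a logged-out visitor can still download (any 2xx answer)."""
    return [u for u in urls if 200 <= anonymous_status(u) < 300]

class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for the site: /files/ behaves like dl-files.php
    (403 without a login cookie); every other path is served directly."""
    def do_GET(self):
        gated = self.path.startswith("/files/") and "Cookie" not in self.headers
        self.send_response(403 if gated else 200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return [u[len(base):] for u in exposed_uploads([
            base + "/files/2011/12/dummy.pdf",               # rewritten to dl-files.php
            base + "/wp-content/uploads/2011/12/dummy.pdf",  # not matched by ^files/
        ])]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())  # ['/wp-content/uploads/2011/12/dummy.pdf']
```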