I’m developing a simple “members only” section within a website, with the sole intention of allowing the client to post files for their members. I’ve come to realize quickly that the posts’ attachments themselves are not protected in any way within WordPress. For example, if a user was not logged in and if they knew the direct URL to the file, they could access it/share it with others. This is a big problem as the documents are rather sensitive to the client’s business.
The member’s area is being built using all the tools you’d expect – a custom page template paired with current_user_can conditionals, wp_redirects, custom roles using the Members plugin, and a custom post type for the “file” posts. Each file post within the custom post type has metaboxes that the client can use to attach files/documents (.jpg, .gif, .pdf to name a few). I’m using WPAlchemy and its Media Access class to satisfy the metabox requirements.
The member’s area will be running on 1 particular site within a multisite installation, which comprises 3 sites in total (all related to the same company).
I’d be very grateful if someone could steer me in the right direction. I’d prefer not to have to use an array of plugins, as I like to keep things simple and like to know what the code is actually doing. I also realize that this may not necessarily be a WordPress question, and more of a .htaccess question (as I’ve seen from the questions I’ve come across and their answers), but I can’t help thinking that my question is different in that it relates to multisite, and the possible need for a separate upload folder.
Here are my thoughts so far on protecting the attachments:
1. I could somehow create a separate media upload directory that the metaboxes upload the files to from each post within the custom post type. Because these files are separated from the rest of the sites’ media uploads (only the member’s attachments need to be protected), it would make it easier to protect just that folder using .htaccess.
   1.1. Is some sort of .htaccess modification definitely the way to go here?
   1.2. How could I actually create the separate media upload directory, and have WPAlchemy’s metaboxes upload the files here? I’ve seen an uploads_dir filter hook but not sure on how to use it.
2. Rather than creating a separate media upload directory as outlined above, maybe the better solution would be to only protect the attachments belonging to my custom post type? But then I have no idea how that ties in with the .htaccess solution. It seems like having a separate folder would be easier…
I’ve seen the following questions that are very similar to my own:
- How to Protect Uploads, if user is not Logged In?
  Looks like it deals with a non-multisite installation of WP, and also the whole site is a member area vs a section of my site. Remember, I don’t want all uploads to be protected, just the ones attached to the custom post type. I do like the idea of passing requests through a PHP script? Perhaps I could use this script and modify it to use a separate upload directory on the 1 site within my multisite installation?
-
and..
Update:
Found this thread but no solution to it. Seems like the better way to go if I can get it working. I’ll work out how to upload the files to a new uploads directory after I’ve managed to protect all of the site’s files.
Andrew,
In the case where your custom post type exists on only one sub-site of your Multisite installation, you can, in the template file which controls the display and output of your custom post type, work with simple conditional functions such as;
…and in fact it might well be as simple as;
Hopefully this is along the lines of what you are looking for. If it’s not as simple as that for a solution, let me know and we’ll dig deeper.
PS. Replace wp_get_attachment_url() with whatever suits your purpose;
@Codex… HERE
NOTE
Or… in the case of using WPAlchemy you would replace the above wp_get_attachment… etc with your custom metabox code instead.
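The approach raised in the question (a separate upload folder, with requests passed through a PHP script that checks the user), as an added example that is not code from either post. It uses WordPress's upload_dir filter; the post type slug, folder name, capability and member_file query parameter are hypothetical, and it assumes the uploader sends the parent post's ID as post_id and that the web server blocks direct requests to the folder.

```php
<?php
// Hypothetical names (assumptions, not from the thread):
const MEMBER_CPT = 'member_file';        // custom post type slug
const MEMBER_DIR = '/members-only';      // protected sub-folder of uploads
const MEMBER_CAP = 'read_member_files';  // capability granted to the member role

// The web server must refuse direct requests to MEMBER_DIR, e.g. an .htaccess
// file inside it containing "Require all denied" (Apache 2.4).

// 1. Uploads started from a "file" post go to the protected sub-folder.
//    wp_upload_dir() is per-site on multisite, so only this site is affected.
add_filter( 'upload_dir', function ( $dirs ) {
	// Assumption: the uploader sends the parent post ID as "post_id".
	$post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;
	if ( $post_id && MEMBER_CPT === get_post_type( $post_id ) ) {
		$dirs['subdir'] = MEMBER_DIR;
		$dirs['path']   = $dirs['basedir'] . MEMBER_DIR;
		$dirs['url']    = $dirs['baseurl'] . MEMBER_DIR;
	}
	return $dirs;
} );

// 2. /?member_file=<name> streams a file only to authorised members.
add_action( 'init', function () {
	if ( empty( $_GET['member_file'] ) || ! is_string( $_GET['member_file'] ) ) {
		return;
	}
	auth_redirect(); // not logged in: redirect to the login form and exit
	if ( ! current_user_can( MEMBER_CAP ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	$uploads = wp_upload_dir();
	$base    = realpath( $uploads['basedir'] . MEMBER_DIR );
	// basename() drops any directory part; realpath() resolves symlinks.
	$name = basename( wp_unslash( $_GET['member_file'] ) );
	$file = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
	if ( ! $file || ! is_file( $file ) || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
		wp_die( 'Not found', '', array( 'response' => 404 ) );
	}
	$type = wp_check_filetype( $file );
	nocache_headers();
	header( 'Content-Type: ' . ( $type['type'] ? $type['type'] : 'application/octet-stream' ) );
	header( 'Content-Disposition: attachment; filename="' . str_replace( '"', '', $name ) . '"' );
	header( 'Content-Length: ' . filesize( $file ) );
	readfile( $file );
	exit;
} );
```

Links in the member template would then point at /?member_file=<name> rather than at the direct upload URL, so a leaked link is useless to anyone who is not logged in with the capability.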