I am trying to set up a multisite intranet (using subdomains) where content on each sub-site is only accessible to users logged into their respective site. The problem I am having is trying to restrict access to uploaded files (e.g. http://example.org/wp-content/uploads/2011/12/dummy.pdf) to logged in users only.
Similar to How to Protect Uploads, if User is not Logged In?, how would I enable one of the solutions proposed by hakre or Frank Bueltge for a multisite installation?
I have been scouring the net and WordPress Answers but haven’t managed to find something that I can get to work. Related answers are:
Also, I am new to PHP and still learning how WordPress works under the hood, so detailed information about what I need to do and what goes where would be much appreciated.
Thanks!
Nice Question!
Poking around it a little bit, this seems to be working (further tests and a more qualified look are much welcome:). Tested only in a localhost development install with subdomains. No domain mapping.
Change the following `.htaccess` rewrite rule:

```apache
# uploaded files
# RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteRule ^files/(.+) dl-files.php?file=$1 [L]
```
Make a copy of `/wp-includes/ms-files.php` and place it on the root with the name `dl-files.php`.

Disable `SHORTINIT`, modify the `wp-load.php` path and add a `current_user_can()` check at the very beginning, so it becomes:
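```php
<?php
/**
 * Modified Multisite upload handler.
 *
 * @since 3.0.0
 *
 * @package WordPress
 * @subpackage Multisite
 */

// SHORTINIT is disabled so the user/authentication API is loaded.
//define( 'SHORTINIT', true );

// This copy lives in the site root, next to wp-load.php.
require_once( dirname( __FILE__ ) . '/wp-load.php' );

if( !is_multisite() )
	die( 'Multisite support not enabled' );

// 'read' is a capability held by every default role on the current site.
// A role name such as 'subscriber' only matches users with exactly that role,
// so editors, authors and site administrators would be refused.
if( !current_user_can( 'read' ) ) {
	status_header( 403 );
	die( '403 — Forbidden.' );
}

ms_file_constants();

/* ... rest of the original file ... */
```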
Note that removing the `SHORTINIT` increases loading time and memory consumption. Read somewhere that it could be a tenfold increase (!?).
Interesting discussions in wp-edu list (haven’t found anything in wp-hackers):
- http://lists.automattic.com/pipermail/wp-edu//2012-May/000545.html
- http://lists.automattic.com/pipermail/wp-edu/2012-June/thread.html#551
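
A check for the setup described in the answer above, as an added example that is not part of the original post: it requests upload URLs without any cookies and reports whether the file is refused (the 403 from `dl-files.php`) or served. The function names and the example URL are assumptions; pass the `/files/...` URL of each sub-site, plus any other URL under which the same upload can be reached, since the rewrite rule only covers `^files/`.

```shell
#!/bin/sh
# Added example: anonymous-access check for protected multisite uploads.
# Usage: sh check-uploads.sh URL [URL...]
# Example URL (constructed): http://site1.example.org/files/2011/12/dummy.pdf

# Map an anonymous response (status code, redirect target) to a verdict.
gate_verdict() {
    code=$1
    redirect=${2:-}
    case "$code" in
        401|403) echo "blocked" ;;
        30[12378])
            # Assumption: a redirect to the login page counts as refusal.
            case "$redirect" in
                *wp-login.php*) echo "blocked" ;;
                *) echo "inconclusive" ;;
            esac ;;
        2??) echo "EXPOSED" ;;
        *) echo "inconclusive" ;;   # 404, 5xx, 000 (no connection), ...
    esac
}

# Fetch one URL with no cookies or credentials and print "<verdict> <code> <url>".
check_url() {
    # -w prints "<status> <redirect target>"; the response body is discarded.
    result=$(curl -s -o /dev/null --max-time 15 \
        -w '%{http_code} %{redirect_url}' "$1")
    code=${result%% *}
    redirect=${result#* }
    echo "$(gate_verdict "$code" "$redirect") $code $1"
}

# Check every URL given; return non-zero if any file was served anonymously.
check_all() {
    failed=0
    for url in "$@"; do
        line=$(check_url "$url")
        echo "$line"
        case "$line" in EXPOSED*) failed=1 ;; esac
    done
    return "$failed"
}

# Only run when URLs are supplied, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Run it once logged out for every sub-site after changing the rewrite rule; a non-zero exit status means at least one upload was delivered without a session.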