Hi,
One way would be to tackle it with your .htaccess file – you could do something like this:
RewriteEngine On
# Only act on requests into the protected uploads folder
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/secret-folder/.*
# ...and only when the Referer is not your own site (a missing Referer also matches)
RewriteCond %{HTTP_REFERER} !^http(s)?://domain\.com/ [NC]
# No [R] flag: this is an internal rewrite, so the homepage is served in place of the file
RewriteRule .*$ / [L]
This can be spoofed, but basically it says:
If the URL requested includes the path to your protected uploads area,
and if the person requesting hasn't been referred from your site,
then send them to your homepage
Obviously change the folder path and domain to match your site.
Hey,
First, if you haven't already noticed, WordPress (without customisation) doesn't provide any sort of restrictions on uploaded files.
I've played around with using HTACCESS to redirect to a PHP file to check that users are logged in, then redirect to the requested file. This ensured only logged-in users could access the file. I'll see if I can find it. I didn't end up using it because it turned out that some of my users may not always be authenticated and/or would not want to authenticate.
If you’ve been watching the code for this plugin and Gravity Forms you may have noticed that Gravity Forms have actually introduced a way of obscuring download paths (since about version 2). I started to implement this with this plugin, however it became apparent that it is not complete yet in Gravity Forms – the feature only works when the default upload path is being used.
So yea, +1 for you – this is a very timely feature, something I want to implement ASAP but I can’t until Gravity Forms has completed it from their side.
What I will do is check back through the GF code, see if they have made any progress and try to find my HTACCESS method.
I just found my HTACCESS hack; it was based on the method mentioned here by hakre:
http://wordpress.stackexchange.com/questions/37144/how-to-protect-uploads-if-user-is-not-logged-in
I see I was actually setting it up so that files are uploaded to a folder path that included a hashed user ID – I then checked that the current user matched the same hashed user ID. Meaning, the user could only access their own files.
I take it you want any logged-in user to be able to access any uploaded file? It would be easier to do, with less risk of it not working.
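One way to build the gatekeeper described in the post above (a rewrite into a PHP file that checks the login before serving the file, with the "hashed user ID folder" ownership check as an option) is shown below. This is an added example and not code from this thread, the plugin or Gravity Forms. The file name serve-protected.php, the folder name secret-folder, the root .htaccess rule in the header comment and the per-user folder layout are all assumptions; the upload side that writes files into the per-user folder is not shown. Unlike the Referer rule in the first reply, which can be spoofed, this relies on the WordPress auth cookie.

```php
<?php
/**
 * serve-protected.php (hypothetical name, placed in the WordPress root).
 * Added example, not the plugin's or Gravity Forms' own code.
 *
 * Assumed rewrite rule in the root .htaccess, placed above the WordPress
 * block so it is applied first (paths and names are assumptions):
 *
 *   RewriteEngine On
 *   RewriteRule ^wp-content/uploads/secret-folder/(.+)$ /serve-protected.php?file=$1 [L]
 *
 * Assumed layout: uploads/secret-folder/<hmac-of-user-id>/<file>, where the
 * upload handler (not shown) writes each user's files into their own folder.
 */

// Bootstrapping WordPress gives us cookie-based auth and the user API.
require_once __DIR__ . '/wp-load.php';

const PROTECTED_SUBDIR = 'secret-folder';
// true: a user may only fetch files under their own folder (the "hashed user ID"
// scheme). false: any logged-in user may fetch any file in the protected area.
const PER_USER_FOLDERS = true;

/**
 * Folder name for a user: an HMAC of the numeric ID keyed with the site's auth
 * salt, so the name cannot be derived from a public user ID alone.
 */
function protected_folder_for_user( int $user_id ): string {
    return hash_hmac( 'sha256', (string) $user_id, wp_salt( 'auth' ) );
}

/**
 * Resolve the requested relative path against the protected directory and
 * return [absolute file path, owner folder name], or null if the request
 * escapes the directory, is not a regular file, or cannot be resolved.
 */
function resolve_protected_file( string $requested ): ?array {
    // Refuse NUL bytes and backslashes before the filesystem sees them.
    if ( $requested === '' || strpbrk( $requested, "\0\\" ) !== false ) {
        return null;
    }
    $dir  = wp_upload_dir()['basedir'] . '/' . PROTECTED_SUBDIR;
    $base = realpath( $dir );
    $file = realpath( $dir . '/' . $requested );
    if ( $base === false || $file === false || ! is_file( $file ) ) {
        return null;
    }
    // Path-traversal check: after symlink and ".." resolution the file must
    // still sit strictly below the protected directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( strncmp( $file, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }
    $relative = substr( $file, strlen( $prefix ) );
    $owner    = explode( DIRECTORY_SEPARATOR, $relative )[0];
    return [ $file, $owner ];
}

// 1. Authentication: anonymous callers go to the login page (auth_redirect exits).
if ( ! is_user_logged_in() ) {
    auth_redirect();
}

// 2. Path validation.
$resolved = resolve_protected_file( isset( $_GET['file'] ) ? (string) $_GET['file'] : '' );
if ( $resolved === null ) {
    status_header( 404 );
    exit;
}
list( $path, $owner_folder ) = $resolved;

// 3. Authorisation: the folder must belong to the caller (administrators excepted).
if ( PER_USER_FOLDERS
     && ! hash_equals( protected_folder_for_user( get_current_user_id() ), $owner_folder )
     && ! current_user_can( 'manage_options' ) ) {
    status_header( 403 );
    exit;
}

// 4. Serve as a download, never inline, so an uploaded HTML or SVG file cannot
//    run script in the site's origin; nosniff stops the browser guessing the type.
$type = wp_check_filetype( basename( $path ) )['type'] ?: 'application/octet-stream';
nocache_headers();
header( 'Content-Type: ' . $type );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Content-Disposition: attachment; filename="' . str_replace( '"', '', basename( $path ) ) . '"' );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

Setting PER_USER_FOLDERS to false gives the simpler "any logged-in user can fetch any file" variant mentioned at the end of the post; the login check, the realpath prefix check and the attachment/nosniff headers apply in both modes. Because the rule sends every request for the folder through PHP, the web server itself must not be able to serve those files directly by any other path (for example via an old Options +Indexes listing), or the gate is bypassed.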