How to protect uploads in multisite if user is not logged in?

Nice Question!

Poking around it a little bit, this seems to be working (further tests and a more qualified look are much welcome:). Tested only in a localhost development install with subdomains. No domain mapping.

Change the following .htaccess rewrite rule:

# uploaded files
# RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteRule ^files/(.+) dl-files.php?file=$1 [L]

Make a copy of /wp-includes/ms-files.php and place it on the root with the name dl-files.php.

Disable SHORTINIT, modify the wp-load.php path and add a current_user_can() check at the very beginning, so it becomes:

<?php
/**
 * Modified Multisite upload handler.
 *
 * @since 3.0.0
 *
 * @package WordPress
 * @subpackage Multisite
 */

//define( 'SHORTINIT', true );
require_once( 'wp-load.php' );

if( !is_multisite() )
    die( 'Multisite support not enabled' );

if( !current_user_can( 'subscriber' ) ) {
    status_header( 403 );
    die( '403 &#8212; Forbidden.' );
}

ms_file_constants();

/* ... rest of the original file ... */

Note that removing the SHORTINIT increases loading time and memory consumption. Read somewhere that it could be a ten fold increase (!?).

Interesting discussions in wp-edu list (haven’t found nothing in wp-hackers):

Related Posts:

  1. Protecting direct access to PDF and ZIP unless user logged in (without plugin)
  2. Password protect some uploaded files, so only logged-in users can view them
  3. How to Protect Uploads, if User is not Logged In?
  4. Extend Media Library
  5. WordPress 3.5: Setting custom “full URL path to files” in the Media Library?
  6. How to show all available images in WP’s media library when using the Polylang plugin?
  7. Which filters or actions to use after a media upload and delete?
  8. How to wp_upload_bits() to a sub-folder?
  9. “Add Media” only shows “Full Size” under Attachment Display Settings
  10. Where do the favicons for Media Files come from
  11. Is it possible to trigger some JavaScript when Media Popup is opened?
  12. How to call WP3.5 Media Library manager?
  13. Append button to WordPress Image Details modal
  14. WP3.5 Media Uploader – how to make it accept multiple images?
  15. How to disable WordPress Media resize different size version?
  16. Media library storing files in uploads not folders within in uploads
  17. Add select field to media uploader that adds a class to the image
  18. How to host different file formats/types for a media attachment without creating multiple attachments?
  19. Site icons with alpha channel for self-hosted WordPress blog network
  20. How do I get allowed Media Library upload file extension list?
  21. Cannot upload .mp3 file to wordpress media
  22. Switch between tabs on “Insert Media” dialog
  23. Restrict WordPress Media Library for a specific user role (users can only see/select own media)
  24. Display attachments by the ID of the post being edited in the wp.media frame (frontend)
  25. move_uploaded_file() not working on wordpress front end
  26. WordPress Issue : The uploaded file could not be moved to wp-content/uploads/
  27. Convert (-) and (escape) signs to (_) when uploading files on wordpress media library automatically
  28. Using wp_enqueue_media() with switch_to_blog() issue
  29. making media URL secured
  30. How to get the return value of wp.media({ frame: ‘post’ }) in all cases?
  31. Media library only shows for admin. Doesn’t show editor or below [closed]
  32. Is it safe to allow non-admin users access to media uploader
  33. upload_max_filesize is set to 64 MB already but WordPress is still showing 2 MB
  34. PHP error when trying to upload .mp3 files via Media Library [closed]
  35. A link (not in the post) to download a specific PDF file
  36. Migrating media files (documents only) to a fresh install and maintaining the same directory structure
  37. How does wordpress handle media files?
  38. WordPress media upload issue could not insert attachment into the database
  39. Thumbnail images missing in WP media library
  40. Open Media Uploader Link in single post or page
  41. Remove Media File Items From Server That Do Not Exist in Media Library
  42. Add SWF file to wordpress through custom template
  43. What if I have a large file on the server that I want the wp library to have?
  44. Uploaded images result in a file url with full path on disk appended
  45. Using WP-CLI “wp media import” to sync files to the media library
  46. Efficient way to move media folder to another folder
  47. Make inline uploader (plupload) on options page upload to a specific folder
  48. Images not displaying on site or media library
  49. Replicate Media Galley Edit view in Add Media View
  50. How to Protect Uploads, if User is not Logged In?
  51. Front-End Upload media with category
  52. How to manually set an attachment in a post?
  53. Media Library: Remove replace images of selected author
  54. Adding attachment custom field metadata to TinyMCE tag
  55. How to upload multiple images using WP rest API to media?
  56. Media not displaying other users uploads – WordPress 4.9.2
  57. Organizing the Media Library for Cleanup
  58. Issues with WordPress 3.9.6 media libraries on XAMPP
  59. Insert media while posting is not working with new wordpress update
  60. controlling whether upload is attached to post or not
  61. How to split my uploaded media into directories?
  62. wordpress 3.6 media manager cropping timestamp
  63. Image in binary in the data to WordPress media library
  64. what happens to existing media files when I switch to year/month directory structure format?
  65. How can I batch delete all unattached images with WP-CLI or other automated process?
  66. Image upload callback in new 3.5 media
  67. Differentiate Featured Image from Post Images upon Upload
  68. What might cause a POST to wp-admin/async-upload.php to return JSON >and< HTML?
  69. Media items hogging pretty permalinks
  70. Select image sizes you want to be uploaded
  71. Plugin to Import Dropbox Files into Media Folder from the Cloud [closed]
  72. Extend the list of MIME-types supported by the builtin uploader in 3.3
  73. Setting higher upload limit
  74. WordPress won’t generate image sizes for certain images
  75. Uploading dwg files to wordpress
  76. Images not being generated at correct size
  77. Custom “Insert into Post” button
  78. Prevent a folder from being shown within the media library
  79. Duplicates and other problems in Media Library
  80. How to allow logged out users to upload media?
  81. Choosing images size when uploading
  82. upload_max_filesize in .user.ini Not Reflected in Media Upload
  83. Is it possible to import all files from a uploads DIR into WP media, retaining paths to the files
  84. How does WordPress decides how many sizes of an image to create?
  85. Big file upload give HTTP error
  86. Organizing uploaded Media in permalink-based folder structure?
  87. Image upload to media library fails. Folder won’t create, database insert fail, XAMPP Windows
  88. How to change archieve frequency of the media file in uploads folder for wordpress blog
  89. Import media (.xml) does not attribute featured images to posts
  90. Blog suddenly can’t display .jpg
  91. Modify Maximum upload file size text in WordPress Media
  92. Handle image file and save it to media
  93. Sanitizing existing media library paths and page links from foreign characters
  94. How could you allow users to upload a video in within their profile and display it on a wordpress site?
  95. How to share media between independent blogs?
  96. WP Capabilities to Add Media, Use Media, But Not Edit Them
  97. Limit attachment caption characters
  98. What is the best way to upload a temporary & sensitive file and then delete it when done
  99. Media Gallery doesn’t show (using WP-Read Only)
  100. Problem uploading files, after changing domain name

Leave a Comment