Nice Question!
Poking around it a little bit, this seems to be working (further tests and a more qualified look are much welcome:). Tested only in a localhost development install with subdomains. No domain mapping.
Change the following .htaccess rewrite rule:
# uploaded files
# RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteRule ^files/(.+) dl-files.php?file=$1 [L]
Make a copy of /wp-includes/ms-files.php and place it on the root with the name dl-files.php.
Disable SHORTINIT, modify the wp-load.php path and add a current_user_can() check at the very beginning, so it becomes:
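<?php
/**
 * Modified Multisite upload handler.
 *
 * @since 3.0.0
 *
 * @package WordPress
 * @subpackage Multisite
 */
// SHORTINIT is disabled so that the full WordPress environment is loaded.
//define( 'SHORTINIT', true );
// Path adjusted: this copy lives in the site root, next to wp-load.php.
require_once( 'wp-load.php' );
if( !is_multisite() )
    die( 'Multisite support not enabled' );
// Refuse to serve the file unless the current user passes the check.
if( !current_user_can( 'subscriber' ) ) {
    status_header( 403 );
    die( '403 — Forbidden.' );
}
ms_file_constants();
/* ... rest of the original file ... */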
Note that removing the SHORTINIT increases loading time and memory consumption. Read somewhere that it could be a tenfold increase (!?).
Interesting discussions in wp-edu list (haven’t found anything in wp-hackers):
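A small audit of the two edits described in this answer, added here as an example and not part of the original post: it reports which script the first active files/ rewrite rule targets (with [L], an old rule left uncommented above the new one would still win) and whether the copied handler has SHORTINIT disabled and its current_user_can() check placed before ms_file_constants(). The function names and the sample inputs are constructed for illustration.

```python
import re

# Active (uncommented) RewriteRule line: captures pattern and target.
RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.IGNORECASE)

def files_rule_target(htaccess_text):
    """Script behind the first active files/ rule; with [L] that rule wins."""
    for line in htaccess_text.splitlines():
        m = RULE.match(line)
        if m and 'files/' in m.group(1):
            return m.group(2).split('?', 1)[0]
    return None

def audit_handler(php_text):
    """Return a list of problems found in the dl-files.php source."""
    # Crude comment stripping: drop lines that are entirely a comment.
    code = '\n'.join(l for l in php_text.splitlines()
                     if not l.strip().startswith(('//', '#', '/*', '*')))
    problems = []
    if re.search(r"define\s*\(\s*['\"]SHORTINIT['\"]", code):
        problems.append('SHORTINIT still defined')
    check = code.find('current_user_can(')
    serve = code.find('ms_file_constants(')
    if check == -1:
        problems.append('no current_user_can() check')
    elif serve != -1 and serve < check:
        problems.append('check runs after ms_file_constants()')
    return problems

# Constructed sample inputs (not taken from a real site).
GOOD_HTACCESS = """\
# RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteRule ^files/(.+) dl-files.php?file=$1 [L]
"""
STALE_HTACCESS = """\
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteRule ^files/(.+) dl-files.php?file=$1 [L]
"""
GOOD_PHP = """\
<?php
//define( 'SHORTINIT', true );
require_once( 'wp-load.php' );
if( !current_user_can( 'subscriber' ) ) { status_header( 403 ); die(); }
ms_file_constants();
"""
BAD_PHP = "<?php\ndefine( 'SHORTINIT', true );\nms_file_constants();\n"

if __name__ == '__main__':
    print(files_rule_target(STALE_HTACCESS), audit_handler(BAD_PHP))
```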