How to restrict attachment download to a specific user?

What needs to happen is that you need to proxy download requests for the file types you want through WordPress. Let’s assume you’re going to restrict access to “.doc” files.

1. Define a query variable that indicates the requested file

function add_get_file_query_var( $vars ) {
    $vars[] = 'get_file';
    return $vars;
}
add_filter( 'query_vars', 'add_get_file_query_var' );

2. Update .htaccess to forward requests for restricted files to WordPress

This will capture requests to the files you want to restrict and send them back to WordPress using the custom query variable above. Insert the following rule before the RewriteCond lines.

RewriteRule ^wp-content/uploads/(.*\.docx)$ /index.php?get_file=$1

3. Capture the requested file name in custom query variable; and verify access to the file:

function intercept_file_request( $wp ) {
    if( !isset( $wp->query_vars['get_file'] ) )
        return;

    global $wpdb, $current_user;

    // Find attachment entry for this file in the database:
    $query = $wpdb->prepare("SELECT ID FROM {$wpdb->posts} WHERE guid='%s'", $_SERVER['REQUEST_URI'] );
    $attachment_id = $wpdb->get_var( $query );

    // No attachment found. 404 error.  
    if( !$attachment_id ) {
        $wp->query_vars['error'] = '404';
        return;
    }

    // Get post from database 
    $file_post = get_post( $attachment_id );
    $file_path = get_attached_file( $attachment_id );

    if( !$file_post || !$file_path || !file_exists( $file_path ) ) {
        $wp->query_vars['error'] = '404';
        return;
    }

    // Logic for validating current user's access to this file...
    // Option A: check for user capability
    if( !current_user_can( 'required_capability' ) ) {
        $wp->query_vars['error'] = '404';
        return;
    }

    // Option B: check against current user
    if( $current_user->user_login == "authorized_user" ) {
        $wp->query_vars['error'] = '404';
        return;
    }

    // Everything checks out, user can see this file. Simulate headers and go:
    header( 'Content-Type: ' . $file_post->post_mime_type );
    header( 'Content-Dispositon: attachment; filename="'. basename( $file_path ) .'"' );
    header( 'Content-Length: ' . filesize( $file_path ) );

    echo file_get_contents( $file_path );
    die(0);
}
add_action( 'wp', 'intercept_file_request' );

NB This solution works for single-site installs only! This is because WordPress MU already forwards uploaded file requests in sub-sites through wp-includes/ms-files.php. There is a solution for WordPress MU as well, but it’s a bit more involved.

Related Posts:

  1. How to restrict logged user to view only certain pages?
  2. Limit post display to post authors and create an exception for specific pages
  3. How to give members access to their own protected page?
  4. Using JWT to authenticate a user with an external system?
  5. Allow anonymous user to access Themes Customizer
  6. How to restrict a page [without plugin]
  7. Is there an existing capability to allow editing of only pre-existing pages? If not, a good way to implement this?
  8. Restrict the user access in multi site for non-assigned blogs
  9. How to make user inactive by default while registering?
  10. Restrict certain posts from being sent to the feed subscribers
  11. How to set privilege to wordpress subscriber for private page
  12. Restrict access to specific users
  13. authenticate user without password from email activation link [duplicate]
  14. User Access Manager plugin
  15. Hide everything on site for visitors except specific page IDs
  16. How can we Restrict to access a certain wordpress page to all ip address except some which we allow
  17. Restrict post to user_id
  18. add_option_page capability behaving strange
  19. Access denied on Published Pages but not on WordPress /wp-admin/
  20. Allow non logged users to visit only login page and password reset page
  21. How can I allow users to make groupings of posts
  22. Is user listing on wordpress private?
  23. How to “Global Ignore” / “Hell Ban” someone, restrict post visibility to the author only?
  24. Conditional menu for registerd users/guests (Genesis framework)
  25. How can I create an upload page for (and only visible to) specific users?
  26. User restricted only show posts assigned to current user
  27. remove wp admin menu by customer user role
  28. One Site as a part of Multisite to be hidden (Un-published) from Public?
  29. Custom Roles for access to specific term(s)
  30. Restrict access to trash, only admin
  31. ‘post’ only for editor and administrator
  32. Why: sticky front page code, shows latest non-sticky on logged-in front page
  33. Access denied error when logged in as admin
  34. Disable all admin UI access to authors (except to custom post type add, edit and modify)
  35. Hide all pages except landing page
  36. Hide front-end from every logged out user and redirect them to the default login page
  37. Restrict the list of parent pages to only those which are created by current user
  38. How to restrict access to a page?
  39. How to restrict an admin page, if the user is not superadmin?
  40. How to restrict access to a single for users I’ve authorized? [closed]
  41. How can I change access permissions across many pages?
  42. How do I get the access type in WordPress?
  43. How can I restrict a custom WordPress role access to only a specific plugin?
  44. Profiles site with access levels
  45. User access control in sidebar archive and categorires
  46. Plugins that restrict access based on user group/roles
  47. Is there a way to create folders restricted to specific users to open?
  48. Restrict access for wp-admin panel
  49. Specify the level of access to different pages at the time of user creation
  50. When add analytics script, wordpress user login not working
  51. Hide WordPress “wp-admin” dashboard to User IDS
  52. How to show private pages based on a user’s role?
  53. I cannot access but but wp-admin works normally
  54. about visibility in wordpress regarding of roles
  55. How to use url formatter with integer
  56. Can access main URL and Dashboard but not any posts or pages [closed]
  57. Restrict access to custom post type and filter from every query
  58. How to List only the users created by a particular user
  59. How to enable to the user send content and save as draft entry?
  60. Hide page link in main menu from anonymous users
  61. Use WordPress engine for user registration and management
  62. How to make future posts visible to selected visitors without login
  63. Add existing user as administrator
  64. Split post edit screen into sub-edit screens for users, is this good or bad, and is it possible?
  65. Suggestions for allowing basic users to view their own posts?
  66. How to restrict posts only from a certain category
  67. Multisite Login Access Restrictions
  68. Two users attempt to modify a page
  69. Allowing users to edit only their page and nobody else’s
  70. User redirect to destination URL after login
  71. How to assign specific users the capability to edit specific pages / posts / custom post types
  72. Website Visible only to Registered users
  73. Theoretical Multi-Server WordPress Setup with Shared Users
  74. Show custom post type endpoint in REST API just if user has capability
  75. The ‘user_has_cap’ hook seems to take two page loads to trigger
  76. how to make author to write comment on only his own posts?
  77. How to automatically apply a password to all posts within a custom post type
  78. setting a specific home page for logged in users
  79. How to add another user to this remove_menu function?
  80. Restricting access to content
  81. Only allow administrators and editors to access wp-admin
  82. Redirecting or displaying a message on first login
  83. show text If special user is logged
  84. Allow user access to Dashboard only!
  85. How to restrict access to image folder depending on whether product is purchased or not?
  86. Restrict certain character combinations in username during registration
  87. Users can only view their content from the front end
  88. access control for assets in a website powered by wordpress
  89. Redirect admin 403 “Cheatin uh?” admin pages
  90. Is it possible to restrict files from your wordpress uploads (not logged-in users or guest)?
  91. Usage of var keyword in the core
  92. How to create a front facing user sign up, log in and profile pages like FoodGawker.Com [closed]
  93. Is WordPress secure enough for a multi-user article directory?
  94. User generated content and security
  95. define two login page url
  96. Admin Page access
  97. How to generate expiring URL of the page?
  98. Wordress admin page is fetching error You do not have sufficient permissions to access this page.
  99. throttle/limit a logged in user’s http requests to specific page on a per day basis
  100. Restrict access to specific content

Leave a Comment