[WORDPRESS] [PHP] Allow download of files in a protected uploads sub-folder only to administrators and to the WordPress user who owns the attachment (its author)
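# Protect all files within the uploads sub-folder "cv_uploads": every request
# for an existing file there is routed through singledl-file.php, which decides
# whether the visitor may have it. This block MUST come before the
# "# BEGIN WordPress" block, whose "-f / -d -> pass through" rule would
# otherwise serve the file directly and the gate would never run.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only rewrite requests that name an existing file; anything else falls
# through to WordPress as usual.
RewriteCond %{REQUEST_FILENAME} -f
# Path of the protected folder, relative to this .htaccess. Example: a folder
# named cv_uploads inside wp-content/uploads. Change both this pattern and the
# folder name in singledl-file.php together.
# [NC]: the pattern is case-sensitive by default; on a case-insensitive
#       filesystem "WP-Content/Uploads/CV_Uploads/x" passes the -f test above
#       but would not match, bypassing the gate.
# No [QSA]: with QSA the client's own query string is appended after file=$1,
#       and PHP keeps the LAST duplicate key, so "?file=other" would override
#       the name taken from the path.
RewriteRule "^wp-content/uploads/cv_uploads/(.*)$" singledl-file.php?file=$1 [NC,L]
</IfModule>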
# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
# Existing files and directories are served as-is. This is why the upload
# protection block has to be placed BEFORE this section: once this rule
# matches, the download gate is never reached.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
# END WordPress
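<?php
declare(strict_types=1);

/*
 * Download gate for files under wp-content/uploads/cv_uploads/.
 *
 * The .htaccess rule above rewrites  wp-content/uploads/cv_uploads/<name>
 * to  singledl-file.php?file=<name>  (this file, which must live in the site
 * root next to wp-load.php). The file is sent only to the WordPress user who
 * owns the attachment record, or to an administrator. Every failure path
 * denies: unknown file -> 404, no attachment / no owner -> owned by nobody,
 * anonymous -> login redirect, other logged-in user -> 403.
 *
 * Fixes against the original version:
 *  - `$file_link = full_file_path;` was an undefined constant, so the owner
 *    lookup always failed and `post_author` came back as 0. Logged-out
 *    visitors also have user id 0, so `0 == 0` let ANYONE download every file.
 *  - `str_replace('..', '', $name)` was the only traversal guard; the path is
 *    now canonicalised with realpath() and must stay inside the folder.
 *  - `$_REQUEST` (also accepts POST/cookie values) replaced with `$_GET`, the
 *    only source the RewriteRule uses.
 *  - 301 login redirect replaced with 302 (browsers cache a 301, so the link
 *    kept bouncing to the login page after signing in); logged-in non-owners
 *    now get 403 instead of a redirect loop to login.
 *  - `ob_end_flush()` after `ob_end_clean()` had no buffer left and only
 *    raised a notice; removed. `Content-Transfer-Encoding` is a MIME header,
 *    not an HTTP one; dropped.
 */

// Bootstrap WordPress; the output buffer swallows anything the bootstrap
// might print so it cannot corrupt the download body.
ob_start();
require_once __DIR__ . '/wp-load.php';
require_once ABSPATH . WPINC . '/formatting.php';
require_once ABSPATH . WPINC . '/capabilities.php';
require_once ABSPATH . WPINC . '/user.php';
require_once ABSPATH . WPINC . '/meta.php';
require_once ABSPATH . WPINC . '/post.php';
require_once ABSPATH . WPINC . '/pluggable.php';
wp_cookie_constants();
ob_end_clean();

// Folder under the uploads directory that this gate protects. Must match the
// folder named in the RewriteRule ("cv_uploads" in the example above).
$protectedDir = 'cv_uploads';

// The RewriteRule sets ?file=<path below cv_uploads>. Only a plain string is
// acceptable; "?file[]=x" would arrive as an array.
$requested = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';

// Empty names and NUL bytes are malformed requests, not lookup candidates
// (PHP's file functions reject NUL with an error anyway).
if ($requested === '' || strpos($requested, "\0") !== false) {
    status_header(400);
    exit;
}

$uploads = wp_upload_dir();
$baseDir = rtrim($uploads['basedir'], '/') . '/' . $protectedDir;
$baseUrl = rtrim($uploads['baseurl'], '/') . '/' . $protectedDir;

// Canonicalise and contain: the resolved path must be a regular file strictly
// below the resolved protected folder. realpath() collapses "..", symlinks and
// encoding tricks that a literal ".." blocklist does not see. The trailing
// separator stops "cv_uploads_other/" from passing as a prefix of "cv_uploads".
$realBase = realpath($baseDir);
$realFile = realpath($baseDir . '/' . $requested);
if ($realBase === false
    || $realFile === false
    || !is_file($realFile)
    || strpos($realFile, $realBase . DIRECTORY_SEPARATOR) !== 0
) {
    status_header(404);
    exit;
}

// Owner lookup via the attachment record for this file's public URL.
// attachment_url_to_postid() returns 0 when there is no attachment; an
// attachment whose author is 0 is likewise treated as owned by nobody, so
// only a positive, matching id counts as ownership. Fail closed.
$relative     = str_replace(DIRECTORY_SEPARATOR, '/', substr($realFile, strlen($realBase) + 1));
$attachmentId = attachment_url_to_postid($baseUrl . '/' . $relative);
$ownerId      = $attachmentId > 0 ? (int) get_post_field('post_author', $attachmentId) : 0;
$currentId    = get_current_user_id();

$isOwner = $currentId > 0 && $ownerId > 0 && $currentId === $ownerId;
// 'manage_options' is the administrator capability; WordPress advises against
// passing a role name ('administrator') to current_user_can().
$isAdmin = current_user_can('manage_options');

if (!$isOwner && !$isAdmin) {
    if (!is_user_logged_in()) {
        // 302, not 301: browsers cache a 301, so the file URL would keep
        // redirecting to the login page even after the user signs in.
        // NOTE(review): home_url('login') assumes a /login page exists on
        // this site, as in the original; wp_login_url() is the generic choice.
        wp_safe_redirect(home_url('login'), 302);
        exit;
    }
    // Logged in but neither owner nor admin: sending them to the login page
    // again would only loop, so refuse outright.
    status_header(403);
    exit;
}

// Serve as an opaque attachment. octet-stream + attachment + nosniff stop the
// browser from rendering an uploaded HTML/SVG document in the site's origin;
// no-cache headers keep intermediaries from storing a per-user document.
nocache_headers();
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($realFile));
header('Content-Disposition: attachment; filename="' . sanitize_file_name(basename($realFile)) . '"');
readfile($realFile);
exit;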
/**
 * Deployment notes
 *
 * - The rewrite block below must be placed at the START of the .htaccess file,
 *   before the "# BEGIN WordPress" section; WordPress's own "existing file ->
 *   serve as-is" rule would otherwise hand the file out before this script runs.
 * - This PHP file must sit in the same directory as that .htaccess (the site
 *   root), next to wp-load.php.
 * - The example below is the multisite variant (one protected folder per site,
 *   script named multidl-file.php). It passes an extra `folder` parameter that
 *   the single-site script above does not read, so the script must be adapted
 *   if this rule is used. The rule at the top of this gist
 *   (cv_uploads -> singledl-file.php?file=$1) is the one matching this script.
 * - Consider dropping [QSA] here as well: with it, a client-supplied "?file="
 *   is appended after file=$3 and PHP keeps the last duplicate key.
 *
 * # Protect all files within the uploads folder
 * <IfModule mod_rewrite.c>
 * RewriteEngine On
 * RewriteCond %{REQUEST_FILENAME} -f
 * RewriteRule "^wp-content/uploads/sites/([0-9]+)/(user_uploads|answers)/(.*)$" multidl-file.php?file=$3&folder=$2 [QSA,L]
 * </IfModule>
 *
 */