[wp-edu] Making media library files private

Jonathan Cox jcox9 at apps.vcu.edu
Fri Jun 1 19:19:32 UTC 2012


I belatedly realized I had basically repeated what Mark had already written when he wrote:

"This is correct - our ACL plugin generates .htaccess files for ACL'd media.  However I should point out that this works in our case because we also bypass ms-files.php for serving uploads, and let Apache serve files directly.  If your uploads are coming from ms-files.php (typical behavior), I don't think this approach would work without a new hook in ms-files.php to test access to the file being requested."

There's no hope for there ever being a hook into ms-files.php -- because SHORTINIT gets defined as true, it does a very basic initialization without defining any actions that can be hooked into. So I made a copy of the file that does do a full initialization and put it in my plugin folder. Then I added a field to the Edit Media and Upload Media forms that lets a user pick a predefined rule to use to restrict access to it. '/protected' is then inserted into the guid value for the file between the blog and file paths (not ideal, but I couldn't find a better way). I added

RewriteRule ^([_0-9a-zA-Z-]+/)?protected/(.+) wp-content/plugins/vcu_access_control/protected.php?file=$2 [L]

to the .htaccess file, and added a check to the modified ms-files.php copy (protected.php) for the relevant rule: if the test passes, the file gets delivered; if not, it returns a 401 (could be a 404). You can remove a rule from the uploaded file, and the '/protected' is removed, so it's handled like a normal file. There's a little more to it than that, but that's the gist.

I should add that the impetus for this on our end comes from a number of requests to create access restrictions by LDAP group, university department or affiliation, etc., without requiring that every member of such a group be added as a user to a specific site at any role level. When a file is restricted, a visitor is forced to log in through CAS, and I'm using phpCAS to check these attributes. I had initially set up a version that involved mod_auth_cas, mod_authnz_ldap and location matches, but this way, I don't have to touch the Apache conf files every time someone wants a restricted site -- the site administrator creates the rules, and access should be in sync with a user's latest university attributes. I kind of put the cart before the horse, as I'm just now getting back to the rule creation component of the plugin, but it's working so far with requiring a valid sign-in or any user on a list. 

Jonathan Cox
VCU Webmaster
Technology Services
(804) 827-0067

On Jun 1, 2012, at 11:16 AM, Shawn Miller wrote:

> Not sure if this is helpful - but we've been recommending that people use Sakai for files that need to be truly private (as a stopgap measure for now anyway). At Duke, we use a homegrown group management tool called Toolkits to add course rosters to WordPress sites, so the users in a Sakai course are the same users in a WordPress site. They just end up having to log in via Shib when they want to access the Sakai-restricted content.
> 
> ***********************
> Shawn J. Miller
> Academic Technology Consultant
> Center for Instructional Technology
> 
> http://cit.duke.edu/about/staff/miller/
> shawn.miller at duke.edu
> http://twitter.com/shawnj55 or @shawnj55
> 
> 
> _______________________________________________
> wp-edu mailing list
> wp-edu at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-edu
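
Added example, not part of the original message and not the VCU plugin's code: the RewriteRule above hands a visitor-controlled value to protected.php as file=$2, so the script has to confine that value to the uploads directory and deny by default before delivering anything. The function names, the $isAllowed callback (standing in for the CAS/rule check) and the temporary uploads directory are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the VCU plugin.

// Map the ?file= value to a real path inside $uploadsDir; null if it
// escapes that directory or is not a regular file.
function resolve_protected_file(string $uploadsDir, string $requested): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so the prefix test
    // below is made on the path that would actually be opened.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// $isAllowed stands in for the per-file rule check (CAS attributes, user
// list). Anything other than a strict true, including an exception, denies.
function protected_status(string $uploadsDir, string $requested, callable $isAllowed): int
{
    $path = resolve_protected_file($uploadsDir, $requested);
    if ($path === null) {
        return 404;
    }
    try {
        return $isAllowed($path) === true ? 200 : 401;
    } catch (Throwable $e) {
        return 401;
    }
}

// Constructed demo: a temporary uploads tree holding one file.
$uploads = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
@mkdir($uploads . '/2012/06', 0700, true);
file_put_contents($uploads . '/2012/06/roster.pdf', 'constructed sample');
$allow = fn(string $p): bool => true;
$deny  = fn(string $p): bool => false;

// Cases: permitted visitor, visitor failing the rule, path leaving uploads.
var_dump(protected_status($uploads, '2012/06/roster.pdf', $allow));
var_dump(protected_status($uploads, '2012/06/roster.pdf', $deny));
var_dump(protected_status($uploads, '../../../etc/passwd', $allow));
```

A gate like this only restricts a file if the same file is not also served through its ordinary upload URL without the /protected segment.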
