[wp-edu] Making media library files private

Jonathan Cox jcox9 at vcu.edu
Fri Mar 23 13:01:06 UTC 2012

I'm trying to accomplish the same thing. Yesterday I had the idea of prepending something like 'protected' to the path in the guid of an uploaded file, and then putting a redirect in the .htaccess file that passes requests for ^protected/file/image.jpg to a script that will deliver the file only under certain conditions.

Some or most of you may have known this, but I just realized yesterday that this is how WordPress handles all uploaded file requests in a network installation. The relevant line in the .htaccess file is

RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

The ms-files script adds some headers and serves the file. Ideally, there would be an action hook like 'pre_serve_file' where you could just add a function to check conditions before serving the file, but it doesn't look like one exists. I'm going to continue trying to make this work in a similar fashion, probably using a redirect to a plugin script, which will include ms-files.php if certain conditions are met.

Also, having noticed the above rewrite rule, I added a second one to the .htaccess file to prevent those 'blogs.dir' URLs from displaying images and other files from the wrong blog:

RewriteRule ^([_0-9a-zA-Z-]+/)?wp-content/blogs.dir/[0-9]+/files/(.+) wp-includes/ms-files.php?file=$2 [L]

Jonathan Cox
VCU Webmaster
Technology Services
(804) 827-0067

On Mar 6, 2012, at 11:13 AM, Grogan, David wrote:

> Thanks Bill. I'll bring back any solutions we find that work.
> David
> -----Original Message-----
> From: wp-edu-bounces at lists.automattic.com [mailto:wp-edu-bounces at lists.automattic.com] On Behalf Of Bill Dennen
> Sent: Monday, March 05, 2012 9:31 AM
> To: wp-edu at lists.automattic.com
> Subject: Re: [wp-edu] Making media library files private
> This might be worth looking into:
> WP Document Revisions
> http://wordpress.org/extend/plugins/wp-document-revisions/
> "Access Control - Each document is given a persistent URL (e.g.,
> yourcompany.com/documents/2011/08/TPS-Report.doc) which can be private
> (securely delivered only to members of your organization), password
> protected (available only to those you select such as clients or
> contractors), or public (published and hosted for the world to see).
> If you catch a typo and upload a new version, that URL will continue
> to point to the latest version, regardless of how many changes you
> make."
> However, given the way WP Multisite media files are served, it may
> take additional apache rules to completely block access.
> Boston University has written some custom code to do this -- I believe
> it writes htaccess files to protect media uploads. You can see their
> documentation (but not their code), here for some ideas:
> http://www.bu.edu/tech/web/departments/wordpress/management/access/content-protection/
> -Bill
> On Mon, Mar 5, 2012 at 9:24 AM, Grogan, David <David.Grogan at tufts.edu> wrote:
>> Hello all,
>> We have a large multi-site instance of WP 3.3.1 and although you can make your WordPress site private to individual named accounts (e.g. try accessing http://sites.tufts.edu/dgtest) it's really only the posts and pages content that is private. Any content uploaded to the site's Media Library (e.g. documents, images, audio etc) is still publicly accessible (e.g. try accessing: http://sites.tufts.edu/dgtest/wp-content/blogs.dir/856/files/2012/03/FCKeditor.png).
>> Has anyone come across a solution that will provide privacy to the media library files?
>> David
>> --------------------------------------------------------------
>> David Grogan
>> Senior Solutions Specialist
>> Educational & Scholarly Technology Services (ESTS)
>> University Information Technology (UIT) Tufts University
>> 108 Bromfield Rd
>> Somerville, MA  02144
>> Phone: 617.627.2859
>> Fax: 617.627.3082
>> http://uit.tufts.edu/at/
>> http://sites.tufts.edu/davidgrogan
>> _______________________________________________
>> wp-edu mailing list
>> wp-edu at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-edu
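The two rewrite rules quoted in the message at the top of this thread can be checked against request paths to see which uploads reach ms-files.php and which Apache would serve straight from disk. This is an added example, not part of the original thread or of WordPress; the helper names and the sample paths are constructed here, and it assumes the .htaccess sits at the document root.

```python
import re

# The two RewriteRule patterns from the message, copied verbatim.
# Python's re syntax agrees with mod_rewrite's PCRE for these patterns.
RULES = [
    ("files", r"^([_0-9a-zA-Z-]+/)?files/(.+)"),
    ("blogs.dir", r"^([_0-9a-zA-Z-]+/)?wp-content/blogs.dir/[0-9]+/files/(.+)"),
]
TARGET = "wp-includes/ms-files.php?file={}"


def route(url_path, rules=RULES):
    """Return (rule_name, rewritten_target), or (None, None) when no rule
    matches and Apache would serve the path directly from disk."""
    # In per-directory (.htaccess) context the leading slash is stripped
    # before matching (assumption: .htaccess is at the document root).
    path = url_path.lstrip("/")
    for name, pattern in rules:
        m = re.search(pattern, path)
        if m:  # both rules carry [L], so the first match wins
            return name, TARGET.format(m.group(2))
    return None, None


def direct_hits(url_paths, rules=RULES):
    """Paths that never reach the PHP script under the given rule set."""
    return [p for p in url_paths if route(p, rules)[0] is None]


# Constructed sample paths, modelled on the URL shapes in the thread.
SAMPLES = [
    "/dgtest/files/2012/03/FCKeditor.png",
    "/dgtest/wp-content/blogs.dir/856/files/2012/03/FCKeditor.png",
    "/wp-content/blogs.dir/856/files/2012/03/FCKeditor.png",
    "/dgtest/wp-content/themes/example/style.css",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", route(p))
    print("served directly with the first rule only:",
          direct_hits(SAMPLES, RULES[:1]))
```

With only the first rule, both blogs.dir paths bypass the script; with both rules, only the theme file is served directly. The rewritten target carries just the part after files/, so the numeric blog directory in the URL is not passed on to ms-files.php.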
