Rating: 1 star
I spent untold hours trying to solve the seemingly simple task of restricting access to certain media uploads to logged in users. All I needed was a way to check a box that would keep people from using a direct url to view private documents, and this finally gave me that function. However, my celebration was short-lived because I realized it was blocking the media url for everyone – including logged in users. So close…
Rating: 1 star
This plugin no longer works, but it WOULD do everything I need it to do.
Broken things:
Doesn’t protect PDFs
Doesn’t protect media files by default
Can still access files through a direct link
Rating: 5 stars
Use it to secure some of my contents on a mid sized Page.
Did some additional stuff to it:
If requested I’ll assist on similar topics.
If anybody is interested in the rewritten file serving php thing:
The following code is a part of the “mv-file-handler.php” file – there were no actions to overrule so I had to modify the original source:
function mgjp_mv_get_file($rel_file, $action = ''){
// $rel_file = path to the file to view/download,
// relative to the WP uploads folder
// (eg:'/media-vault/2013/10/media-vault-150x150.jpg')
$upload_dir = wp_upload_dir();
// only files in the WP uploads directory are allowed to be accessed:
$file = rtrim($upload_dir['basedir'], '/').str_replace('..', '', isset($rel_file)?$rel_file:'');
//---Basic Checks----------------------------------------------------//
if(!$upload_dir['basedir'] || !is_file($file)){
status_header(404);
wp_die('404. File not found.');
}
$mime = wp_check_filetype($file); // Check filetype against allowed filetypes
if(isset($mime['type']) && $mime['type']){
$mimetype = $mime['type'];
}else{
status_header(403);
wp_die(__('403. Forbidden.<br/>You cannot directly access files of this type in this directory on this server. Please contact the website administrator.'));
}
//---Permission Checks-----------------------------------------------//
$file_info = pathinfo($rel_file);
// check if file is protected by checking
// if it is in the protected folder before
// doing any permission checks
if(0 === stripos($file_info['dirname'].'/', mgjp_mv_upload_dir('/', true))){
// disable caching of this page by caching plugins ------//
if(!defined('DONOTCACHEPAGE'))
define('DONOTCACHEPAGE', 1);
if(!defined('DONOTCACHEOBJECT'))
define('DONOTCACHEOBJECT', 1);
if(!defined('DONOTMINIFY'))
define('DONOTMINIFY', 1);
//-------------------------------------------------------//
// try and get attachment id from url -------------------//
global $wpdb;
$attachments = $wpdb->get_results(
$wpdb->prepare(
"
SELECT post_id, meta_value
FROM $wpdb->postmeta
WHERE meta_key = %s
AND meta_value LIKE %s
",
'_wp_attachment_metadata',
'%'.$wpdb->esc_like($file_info['basename']).'%' // escape LIKE wildcards (% and _) in the file name
), ARRAY_A
);
$attachment_id = false;
foreach($attachments as $attachment){
$meta_value = unserialize($attachment['meta_value']);
if(ltrim(dirname($meta_value['file']), '/') == ltrim($file_info['dirname'], '/')){
$attachment_id = $attachment['post_id'];
break;
}
}
// ------------------------------------------------------//
if(!$permission = mgjp_mv_get_the_permission($attachment_id))
$permission = get_option('mgjp_mv_default_permission', 'logged-in');
$permissions = mgjp_mv_get_the_permissions();
// permission set up error detection
$standard_error_txt = ' '.esc_html__('Therefore for safety and privacy reasons this file is unavailable. Please contact the website administrator.', 'media-vault').'<p><a href="'.home_url().'">←'.esc_html__('Return to homepage', 'media-vault').'</a></p>';
if(!isset($permissions[$permission]))
wp_die(__('The permissions set for this file are not recognized.', 'media-vault').$standard_error_txt);
if(!isset($permissions[$permission]['logged_in']))
$errors[] = 'logged_in';
if(!isset($permissions[$permission]['cb']))
$errors[] = 'cb';
if(isset($errors)){
$error_txt = __('The permissions set for this file have left the following important parameters undefined:', 'media-vault')
.'<ul><li>\''.implode('\'</li><li>\'', $errors).'\'</li></ul>'
.'<p>'.$standard_error_txt.'</p>';
wp_die($error_txt);
}
if($permissions[$permission]['logged_in'])
is_user_logged_in() || auth_redirect(); // using is_user_logged_in is lighter than using just auth_redirect
if(false !== $permissions[$permission]['cb']){
if(!is_callable($permissions[$permission]['cb']))
wp_die(__('The permission checking function set in this file\'s permissions is not callable.', 'media-vault').$standard_error_txt);
$permission_check = call_user_func_array($permissions[$permission]['cb'], array($attachment_id, $rel_file, $file));
if(is_wp_error($permission_check))
wp_die($permission_check->get_error_message().$standard_error_txt);
if(true !== $permission_check)
wp_die(__('You do not have sufficient permissions to view this file.', 'media-vault').$standard_error_txt);
}
if(function_exists('attachment_get_remote_url') && $remote_url = attachment_get_remote_url($attachment_id)){
header("Location: ".$remote_url,TRUE,307);
exit; // stop here so the local file is not streamed after the redirect
}
} // end of permission checks
//-------------------------------------------------------------------//
$filesize = filesize($file);
header('Content-Type: '.$mimetype); // always send this
if(false === strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS'))
header('Content-Length: '.$filesize);
if('safeforce' !== $action){
//--OPEN FILE IN BROWSER functions-------------//
$last_modified = gmdate('D, d M Y H:i:s', filemtime($file));
$etag = '"'.md5($last_modified).'"';
header("Last-Modified: $last_modified GMT");
header('ETag: '.$etag);
header('Cache-Control: no-store, no-cache, must-revalidate'); // HTTP 1.1.
header('Pragma: no-cache'); // HTTP 1.0.
header('Expires: Thu, 01 Dec 1994 16:00:00 GMT'); // Proxies
// Support for Conditional GET
$client_etag = isset($_SERVER['HTTP_IF_NONE_MATCH'])?stripslashes($_SERVER['HTTP_IF_NONE_MATCH']):false;
if(!isset($_SERVER['HTTP_IF_MODIFIED_SINCE']))
$_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
$client_last_modified = trim($_SERVER['HTTP_IF_MODIFIED_SINCE']);
// If string is empty, return 0. If not, attempt to parse into a timestamp
$client_modified_timestamp = $client_last_modified?strtotime($client_last_modified):0;
// Make a timestamp for our most recent modification...
$modified_timestamp = strtotime($last_modified);
if(($client_last_modified && $client_etag)
?(($client_modified_timestamp >= $modified_timestamp) && ($client_etag == $etag))
:(($client_modified_timestamp >= $modified_timestamp) || ($client_etag == $etag))
){
status_header(304);
exit;
}
}else{
//--FORCE DOWNLOAD Functions-----------------------//
// required for IE, otherwise Content-disposition is ignored
if(ini_get('zlib.output_compression'))
ini_set('zlib.output_compression', 'Off');
header('Pragma: public'); // required
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: private', false); // required for certain browsers
header('Content-Disposition: attachment; filename="'.$file_info['basename'].'";');
header('Content-Transfer-Encoding: binary');
}
// If we made it this far, just serve the file
if(ob_get_length())
ob_clean();
$filesize = filesize($file);
// Handle partial requests
header('Accept-Ranges: bytes'); // this header takes a range unit, not a byte span
$buffer_size = 1024 * 1024; //1MB #bigger = more ram usage but less cpu
if(isset($_SERVER['HTTP_RANGE'])){
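// a header this pattern does not match is treated as a request from offset 0
$matches = array();
preg_match('/bytes=(\d+)-(\d+)?/', $_SERVER['HTTP_RANGE'], $matches);
$offset = isset($matches[1])?intval($matches[1]):0;
if($offset >= $filesize){ status_header(416); header('Content-Range: bytes */'.$filesize); exit; }
// the end position in a Range header is inclusive, hence the +1
$length = (isset($matches[2]) && '' !== $matches[2])?intval($matches[2]) - $offset + 1:$filesize - $offset;
if($length < 1 || $length > $filesize - $offset) $length = $filesize - $offset;
if($length > $buffer_size*10) $length = $buffer_size*10;//limit max partial *will trigger a ERR_CONTENT_LENGTH_MISMATCH on client but will perform better...
header('HTTP/1.1 206 Partial Content');
header('Content-Range: bytes '.$offset.'-'.($offset + $length - 1).'/'.$filesize);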
$file = fopen($file, 'r');
// seek to the requested offset, this is 0 if it's not a partial content request
fseek($file, $offset);
//split the file so we could stream just the range we need
while($length > 0 && !feof($file)){
if($length > $buffer_size)
$bytes_to_read = $buffer_size;
else
$bytes_to_read = $length;
$length -= $bytes_to_read;
echo fread($file, $bytes_to_read);
flush();
}
fclose($file);
exit;
}
flush();
readfile($file);
exit;
}
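An added example, not part of the review above or of Media Vault's own code: one way to resolve a single `Range: bytes=` header into inclusive start and end offsets, with the headers that match, covering open-ended, suffix, oversized and unsatisfiable ranges. The function names `example_resolve_range` and `example_range_headers` are hypothetical, and the sample headers are constructed.

```php
<?php
// Added example; function names are hypothetical, sample headers are constructed.
// Resolves one "Range: bytes=..." header against a file size.
// Returns array(status, start, end) with inclusive byte offsets.
function example_resolve_range($header, $filesize){
    $full = array(200, 0, $filesize - 1);
    // Missing, multi-range or malformed headers are ignored: serve the whole file.
    if(!is_string($header) || !preg_match('/^bytes=(\d*)-(\d*)$/', trim($header), $m))
        return $full;
    list(, $first, $last) = $m;
    if('' === $first && '' === $last)
        return $full;
    if('' === $first){
        // Suffix form "bytes=-N": the last N bytes of the file.
        $n = (int) $last;
        if(0 === $n || 0 === $filesize)
            return array(416, 0, 0);
        return array(206, max(0, $filesize - $n), $filesize - 1);
    }
    $start = (int) $first;
    if($start >= $filesize)
        return array(416, 0, 0); // first byte lies past the end of the file
    // Open-ended "bytes=N-" and oversized end positions are clamped to the last byte.
    $end = ('' === $last) ? $filesize - 1 : min((int) $last, $filesize - 1);
    if($end < $start)
        return $full; // last < first is an invalid range spec and is ignored
    return array(206, $start, $end);
}

// Headers for the resolved range; Content-Length covers only the bytes actually sent.
function example_range_headers($status, $start, $end, $filesize){
    if(416 === $status)
        return array('Content-Range: bytes */'.$filesize);
    $headers = array('Accept-Ranges: bytes', 'Content-Length: '.($end - $start + 1));
    if(206 === $status)
        $headers[] = 'Content-Range: bytes '.$start.'-'.$end.'/'.$filesize;
    return $headers;
}

// Constructed sample requests against a 1000-byte file.
$samples = array('bytes=0-499', 'bytes=500-', 'bytes=-200', 'bytes=900-5000', 'bytes=1000-', 'bytes=5-2', 'pages=1-2');
foreach($samples as $h){
    list($status, $start, $end) = example_resolve_range($h, 1000);
    echo str_pad($h, 16).$status.' '.implode(' | ', example_range_headers($status, $start, $end, 1000)).PHP_EOL;
}
```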
Rating: 5 stars
Found it while looking for restriction view access – it’s just what I needed, thanks a lot!
Rating: 5 stars
Recently installed and started using this plugin and it works wonderfully. But, seeing how long it has been since last being updated, I do worry if it will break in some future WP update. For now, all good. Let’s hope someone keeps this plugin active as I didn’t see any other plugin trying to solve this problem (which, itself, was a huge surprise).
Rating: 4 stars
Good plugin for securing / hiding media files (PDF’s and images) that are only to be seen in the member area by logged-in users. Member management plugins like Ultimate Member don’t offer this option. Result is that files which are imported into a member page are still publicly visible and accessible. Not good, because the member area and all its components should be visible by logged on members only. A big flaw in WordPress, as far as I’m concerned. But this plugin solves the problem easily and in an intuitive way.
Why not a 5 star rating? Because I think it’s a pity that this plugin hasn’t been updated for a long time. Really hope the developer will restart his project. I would wanna pay for this plugin.
Rating: 5 stars
I installed this plug-in 2 minutes ago, it was absolutely straightforward and does exactly what I expected. This plug-in deserves more attention from the WordPress community since it solves a major security problem of WordPress. Hopefully the developer continues his work. And yes: We would pay for this plug-in as well!
Rating: 1 star
I would gladly pay for a working version of this plugin. If someone resurrects it, please let me know. In the meantime, it’s totally unreliable. Works for some files, not others. Works for a little while, then you notice the next week that it has stopped working. Its problems are probably mostly related to being 2 years and many updates behind the development of WP core. In any case, don’t waste your time unless you have a lot of time to waste.
Rating: 4 stars
Initially I had problems with it not protecting any of the files I marked for protection. After some sleuthing on the support pages I realized my installation did not seem to proceed as normal as that part that instructs me to edit the .htaccess file didn’t appear. And so I deactivated and activated the plugin again and that fixed the installation.
I don’t know but maybe the fact that I’m using Bulletproof Security might have had something to do with it.
Anyway once I got the installation working it worked like a charm. Thanks!
Rating: 5 stars
Everyone has this problem, you want to actually truly hide images or pdfs or other binary files and frankly, wordpress is terrible at this.
Not anymore, Media Vault nails it.
It takes a little bit to get in the groove of how it works but once you experiment with it for 10m you will be happily protecting all of your content!
I use the custom role type hooks to do special checking before I provide access which has been fantastic since we do a ton of custom theme and wordpress application development.
Well worth it.
Rating: 5 stars
Does exactly what it says and does exactly what I need. Thanks
Rating: 5 stars
very easy and customizable easy like 1,2,3
Rating: 5 stars
I’m glad that I tried this plugin! It’s nice to know that you can click a button and all uploaded files to wp-content/uploads will be secured as they upload. It’s also nice to have a selection option for files already in the library. My Zip files and mp4 files can be protected using another plugin and I can restrict these types of files from being viewed by different membership levels for each page I protect but before I found this plug in… uploading to the library was not secure! All anyone has to do is just access your wordpress library and there is the photo or video! So thanks so much for that and well… I am giving you an excellent review!
(There is always a but)
In my case, I have different levels of members and each level can view different photos. It sure would be nice to be able to integrate those levels into the protection scheme. As it stands now, all you have to be is a “logged on member” and doing so… level 1 members can view the files available for levels 2, 3, 4, etc. That is the only downside I have seen. Other than that… great plug in and so nice to be able to trust it… it seems like everything else wordpress related often has an issue and waking up the next morning and turning on my computer to see what exploded overnight is always an experience. Thanks ~Kelly
Rating: 5 stars
This plug-in provides what I really want to do.
I can create secure closed community site.
Rating: 5 stars
Very simple to use.
Rating: 5 stars
Works simply out of the box. Great plugin, and great support.
Highly recommended.
Rating: 5 stars
Was able to create my own custom rule for my client profile pages documents, using my own log in rules. Now search engines don’t index these files, and redirects to a 404 when not logged in.
Rating: 5 stars
I want my files only accessible to myself (admin), not for other admins, does this plugin allow me to do so?
Sometimes, I have to hire a developer to do some work for me, I don’t prefer they can access my files.
Please update me…
Thanks a lot!
Rating: 5 stars
This is a rare plugin that simply and genuinely protects files of your choice such as .doc .pdf .jpg to allow access to specific users.
If you are looking to securely control access to private files, then this is the plugin for you! Thanks so much to the developer for this gem of a little plug-in!
Although I had a little technicality to overcome (I think mainly due to my WP install being in a sub-directory folder) I am so pleased to have this plugin working now! Hope this plugin keeps getting updated too, I will support!
Rating: 5 stars
Using a lot of custom coding, and restricting access to files. This enhances what we needed, and it works flawlessly.
Rating: 4 stars
I’m using Members plugin to keep certain posts private, but I also want the media files of these posts to be private. Members does not offer this. Media Vault does! Thanks! Only added feature I would like to see is that it can be activated per site on a WordPress network. Currently it can only be activated network wide or for individual WP sites.
Rating: 5 stars
Just what was missing from several of my WordPress sites where users want to share documents with each other.
Rating: 5 stars
The plugin works great and the response time from the support team was terrific. Very helpful!
Thanks again Max.
Rating: 5 stars
Strange enough that there is no option to protect uploaded files on a private wordpress site included, Media Vault gives strong protection without making things complicated. Thank you Max!
Rating: 5 stars
For people who are not familiar with php and code writing this is a solution for protecting your media files.
A nice plugin to protect your media files. Much easier than the option that is offered by s2Member or other plugin providers.
Rating: 5 stars
Should be WP Standard
Rating: 5 stars
I was looking for a plugin that could give me control over the media folder.
This plugin does the work in a couple of clicks! Fast support from the developer. Great!