Media not protected
-
Hi,
I enabled the restriction for ‘a media’ for ‘logged in users’.
Despithe this, when you have the exact url of the media, it will not be protected and you are allowed to view the uploaded picture for example. This seems to be a bugg in the plugin?Thank you in advance for the answer.
Filip
- This topic was modified 4 years, 11 months ago by floepkah.
-
Pages work.
Also have the problem that media can not be protected. Tried withA selected media
(selected the media from the select box)
OR
A media with ID
(took the id from wp-admin/post.php?post=8389&action=edit&lang=en, when selecting to “Edit more details” from the Media page.
OR
A post with ID
(took the id from wp-admin/post.php?post=8389&action=edit&lang=en, when selecting to “Edit more details” from the Media page.
OR
Is a mediaNo errors in debug.log
Same here.
The permalink is protected, but the file URL is not.Example:
https://<domain>/<filename> <— this is protected
https://<domain>/wp-content/uploads/<filename> <— this is still accessibleI am disabling this plugin and searching for another. I’ll check back to see if this is fixed, because this plugin would replace two others (if it worked), and I’d like to minimize the number of plugins I’m using.
@floepkah, @rolfhuiber – Not a bug, you are not choosing to block access to an actual image/media file in our options, you are choosing to block access to the WordPress media post type template pages that some sites generate. Honestly it’s a byproduct of us getting a list of all post types from WordPress core and letting you target based on each.
You can see we simply loop over post types: https://github.com/JunglePlugins/Content-Control/blob/master/classes/Conditions.php#L216-L289
Further we protect content one of 2 documented ways, content filtering & redirection. Both check if the current item has a post type of media when you use those conditions, that is all they do.
In the case of protecting actual .jpg style media files, that can only be reliably done at the server level from my knowledge. Most hosts don’t even hit WordPress in those cases. The most common hosting setup on modern WP hosts uses Nginx & Apache. Nginx loads the static files directly from the server without ever contacting PHP or WP.
So to do what your after generally requires writing to htaccess or nginx rule sets, something which may be possible, but not reliably across all sites & hosts. Nginx rules generally do not sit in a folder that a plugin in WordPress would be able to modify. That is it sits outside the application folder usually.
I will do some research, but that was never the intended use case for this plugin.
I can see how it might be useful, but at this stage if you need to lock down media from direct access specifically you will need to look at something else currently.
For confirmation of the info provided above, here is a link to another plugin which “locks down media files”: https://www.ads-software.com/plugins/prevent-direct-access/#why%20nothing%20happens%20after%20i%20activate%20the%20plugin%3F. Specifically it says:
Prevent Direct Access supports websites hosted on Apache servers out of the box.
In case you’re using WP Engine or other NGINX server, please check out this instruction on how to update the server configuration so that our plugin (both Free & Gold version) will work correctly as expected.
It links to https://preventdirectaccess.com/docs/nginx-support/
I checked just now from the top 10 results on google use Nginx with reverse proxy to Apache (because its the best/fastest stack available currently at scale). Because of that, this would honestly be a vanity feature from the perspective of we could add the options, but you would still have to manually do the work. If you have to manually do the work already, what do you need a plugin for?
Side note, I read through their Nginx code, they seem to simply be making a new /private/ folder and adding a rewrite rule to protect only that directory.
This is not ideal either, it means to protect a file you move it (which is fine), but any call to a file in that folder now gets redirected to PHP and loads up a complete call to WP. This is infinitely less performant than the direct file access provided by nginx.
May be useful for small batches of protected content, but if you load a page with 20 images all protected like that, you just made 21 page requests to your server effectively.
I don’t see how we can offer this in a useful & user friendly way currently.
@hrsms I’m with you on reducing plugins, and I’ve added this to our list for potential future options, but again it’s not really within the current bounds of what this plugin was intended to do, so it will take some deep considerations/deliberations to see a way forward for including something similar.
That said if your using nginx or apache, its simple enough to add the rules you need manually, since that is ultimately what you would be doing even if we offered this.
Thanks for your answer, which I completely understand.
>you are choosing to block access to the WordPress media post type template pages that some sites generate.
Please document/explain this in the features of the plugin.What I thought the plugin would/should do is, that it spots the media during rendering and change the URI, so that it goes through your WP code to check the authorization, either serve the file or redirect to the login page.
The created URI should be obfuscated (e.g. using postId), it should not use the media filename (as a part or complete) within the uploads folder, as that one is directly accessible and not protected.
> Please document/explain this in the features of the plugin.
Agreed.
What I thought the plugin would/should do is, that it spots the media during rendering and change the URI, so that it goes through your WP code to check the authorization, either serve the file or redirect to the login page.
The created URI should be obfuscated (e.g. using postId), it should not use the media filename (as a part or complete) within the uploads folder, as that one is directly accessible and not protected.
Documented this as a request, that type of concept we could possibly work out. This concept also prevents the direct file path from leaking in the first place bypassing the need for custom server rules.
I like it.
…you would still have to manually do the work. If you have to manually do the work already, what do you need a plugin for?
Because your plugin serves up a useful message to the user, and also provides control of pages and posts, either directly or by category.
In the meantime, I have reactivated this plugin, for which I am grateful. I did not find anything other than “Prevent Direct Access”, which requires a pro subscription for this level of protection. It is beyond my budget (non-commercial site).
I added a setting in htaccess to prevent browsing, so the urls cannot be found that way. I also put the private files under a folder with a password-like name, so the path could not be guessed at based on the context of the files. Now it is up to me to ensure the direct url does not appear anywhere on my site. For instance, I am using a plugin to display pdf files. It requires the url (does not work with the permalink). So I’m using your plugin to prevent access to the pages where this plugin is used (based on category). Only users with the required roles will be able to see the full paths, and I’ll have to trust them not to pass them on. Fortunately, I am not dealing with anything that sensitive, so that level of trust is enough.
I’ll have to take your word on the performance issue related to “Prevent Direct Access”.
I also like Rolf’s obfuscation suggestion, to prevent the path from ever being seen.
- The topic ‘Media not protected’ is closed to new replies.