I’m looking to hopefully write a function that protects WordPress media files (or more specifically pdf files).
I would like this function to run when a user attempts to access a specific file.
What I would like to happen is:
User attempts to access url of specified file/files
Function/Action runs the following checks
Check to see if user is logged in
Checks to see if user is either subscribed to a specific WooCommerce product, or has purchased a specific product.
If user meets the requirements, access is granted to files
If user does not meet the requirements they are directed to 404.
I realise WooCommerce already has a system for connecting files to products however having a function like this would be easier, as I plan to tie it in to ACF. I have a variation of this code working on the front-end however this does not protect the media files. Any help would be greatly appreciated.
<?php if (is_user_logged_in()) {
if (wc_memberships_is_user_active_member($user_id, 'gold-membership') || ( wc_customer_bought_product( '', get_current_user_id(), 999 ) ) ) {
} } ?>
Better upload pdf to outside uploads folder of the Wordpress.
In the wp-content/uploads the files will stay public access.
Only read and offer files via script, this mode you can control the access of files.
Related
My application uses the google realtime API to define a custom document type, and includes a feature that allows you to create a copy of a document, using the API's document.saveAs. One purpose of this is to allow users to make and edit personal copies of document templates that have been shared with them as read-only files. I create a new document then use saveAs to copy the realtime document into it, something like this:
gapi.client.drive.files.create({
resource: {
mimeType: 'application/vnd.google-apps.drive-sdk',
name: NEWNAME
}).then((response) => {
MYDOCUMENT.saveAs(response.result.id);
});
This works perfectly with read-write files, but if the original file is read only it does not appear to save the realtime document into the new file. No error is reported but the resulting new file is empty.
Is this is a bug or known limitation, or am I doing something wrong?
You may want to check Collaborators and sharing wherein it was stated that the Realtime API uses Google Drive to manage permissions and sharing.
Reading further,
Access to files & folders is determined by an access control list (ACL). An ACL is a list of permissions that determine whether or not users can perform actions on a file such as read or write. See the permissions guide for additional details about permissions and roles.
The role gives these users the ability to do something to the file, like read it. As far as I've read, here are the permitted operations for read-only:
Read the metadata (e.g. name, description) of the file or folder
Read the content of the file
Read the list of items in the folder
I have Yii2 application where users can upload and share files of different types. Once a file is uploaded, it could be downloaded only by certain other users and there are a whole bunch of checks that go behind this process.
My problem is that the files are stored on the server and if someone has the link directly to the file then they can easily be downloaded without going through any kind of authorization or security checks. How can I prevent this?
P.S. It could be any kind of solution, not one related to Yii2.
The following approach comes to my mind.
Store the files at a location in file system that is not made publicly accessible by a web server.
Make them available by reading them from file system and sending them to browser when the user retrieves the URL that also does the security checks. A redirect to another URL that does not do security checks has to be avoided.
If you give more details about a more specific problem or question people can give you more specific information.
My app uses the Drive rest API and the Drive Realtime API in combination. We set the file's permissions so that the public has view access, and then emailed a link to it to a few thousand customers.
The file's permissions are set so that the public has view access, but:
When a user tries to open the realtime document, we get Drive Realtime API Error: not_found: File not found.
When a user tries to copy the non-realtime file, we get The authenticated user has not granted the app 689742286244 write access to the file 0B-NHh5QARZiUUFctN0Zjc3RKdWs (of course we are not asking to write
You can see the effects for yourself at https://peardeck.com/editor/0B-NHh5QARZiUUFctN0Zjc3RKdWs , and our embarrassing attempts to cover for the errors.
Interesting notes:
Sharing the file directly with a particular google account seems to lift the curse, and then that google account can find the file like normal. No extra permissions, just an explicit reference to a google account.
Setting the file so that the public has full write access seems to have no effect
Other files with the exact same settings in the exact same Drive folder can be opened successfully (but presumably have not been opened by so many people in the past). This makes me think there is some broken state within Google.
How can I avoid this? What's going on?(!?!?) Thanks for any help!
The realtime API does not support anonymous access. All users must have a Google account and be explicitly authorized to view or write to the file.
Using PHP, does anyone know how to make it so that when someone registers on a website (and therefore enters data into a database), a folder with a default php file is created on the web root/server???
This is not a good design. Rather, you should have your PHP files look at the session to find the logged in user's id, and query the necessary data about that user id. You don't need a file for each user. You can make your table auto-increment a user id.
I have a static file that I don't want to be publicly available. Is there a way to limit access with app.yaml so that it can only be loaded by its own domain?
web2py based solutions are also welcomed as I'm using it on top of GAE.
Thanks!
You can limit access to it with 'login: required' to require login with a Google account, or 'login: admin' to restrict it to admins only. If you're only concerned about abuse, you probably want to look into the DOS API instead.
I assume you want to use web2py authentication for this. You have to follow a few simple rules. 1) files in app/static are public files. 2) files that you want to subject to authentication go in app/private. Then create you own web2py action to server the content of private/
#auth.requires()
def private():
import os
file = os.path.join(request.folder, 'private', request.args(0))
return response.stream(open(file,'rb'))
If you want to use the role based access control you need to store the filename in a database table and auth.add_permission to the group to the record.
You get faster responses and more competent responses if you ask questions to the web2py mailing list.