WordPress plugin that protects resume uploads for the Job Manager plugin (http://pento.net/projects/wordpress-job-manager-plugin/)

README

Create this folder:
/wp-content/plugins/job-manager-private-uploads/

Put the two PHP files in there, then activate this plugin via the WordPress admin.

NOTE: your WordPress installation should be configured to allow WP_Rewrite to make modifications to the .htaccess file.

download.php

<?php

require_once "../../../wp-config.php";
require_once "job-manager-private-uploads.php";

if (current_user_can("upload_files")) {
	$filename = $_GET["f"];
	$fullFilename = ABSPATH . $filename;
	$fileExtension = strtolower(substr(strrchr($filename, "."), 1));
	$attachmentFilename = str_replace(JobManagerPrivateUploads::$privacyPrefix, "", $filename);

	switch ($fileExtension) {
		case "pdf": $contentType = "application/pdf"; break;
		case "exe": $contentType = "application/octet-stream"; break;
		case "zip": $contentType = "application/zip"; break;
		case "doc": $contentType = "application/msword"; break;
		case "xls": $contentType = "application/vnd.ms-excel"; break;
		case "ppt": $contentType = "application/vnd.ms-powerpoint"; break;
		case "gif": $contentType = "image/gif"; break;
		case "png": $contentType = "image/png"; break;
		case "jpeg":
		case "jpg": $contentType = "image/jpg"; break;
		default: $contentType = "application/force-download";
	}

	header("Pragma: public");
	header("Expires: 0");
	header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
	header("Cache-Control: private", false);
	header("Content-Type: " . $contentType);
	header("Content-Disposition: attachment; filename=\"" . basename($attachmentFilename) . "\";");
	header("Content-Transfer-Encoding: binary");
	header("Content-Length: " . filesize($fullFilename));

	readfile($fullFilename);
} else {
	header("HTTP/1.1 403 Forbidden");
	echo "<h1>Forbidden</h1>";
}

job-manager-private-uploads.php

<?php
/*
Plugin Name: Job Manager Private Uploads
Plugin URI: https://gist.github.com/matb33/5092416
Description: Prevents direct access to files uploaded using the Job Manager plugin (http://pento.net/projects/wordpress-job-manager-plugin/)
Version: 1.0
Author: Mathieu Bouchard
Author URI: http://www.matb33.me/
License: MIT
*/

class JobManagerPrivateUploads {
	public static $privacyPrefix = "PRIVATE__";

	private static $ruleMatch;
	private static $ruleRedirect;
	private static $deactivated = false;

	public static function init() {
		$uploadDir = wp_upload_dir();
		$siteURL1 = site_url("", "http") . "/";
		$siteURL2 = site_url("", "https") . "/";

		$uploadPath = str_replace($siteURL2, "", str_replace($siteURL1, "", $uploadDir["baseurl"]));
		$downloadPath = str_replace($siteURL2, "", str_replace($siteURL1, "", plugins_url("download.php", __FILE__)));

		self::$ruleMatch = $uploadPath . ".*/" . self::$privacyPrefix . ".+$";
		self::$ruleRedirect = $downloadPath . "?f=$0";
	}

	private static function add_rewrite_rule() {
		global $wp_rewrite;
		$wp_rewrite->non_wp_rules[self::$ruleMatch] = self::$ruleRedirect;
	}

	private static function del_rewrite_rule() {
		global $wp_rewrite;
		if (array_key_exists(self::$ruleMatch, $wp_rewrite->non_wp_rules)) {
			unset($wp_rewrite->non_wp_rules[self::$ruleMatch]);
		}
	}

	public static function activate() {
		global $wp_rewrite;
		self::add_rewrite_rule();
		$wp_rewrite->flush_rules();
	}

	public static function deactivate() {
		global $wp_rewrite;
		self::$deactivated = true;
		self::del_rewrite_rule();
		$wp_rewrite->flush_rules();
	}

	public static function wp_handle_upload_prefilter($file) {
		$options = get_option("jobman_options");
		$fields = $options["fields"];

		if (count($fields) > 0) {
			foreach ($fields as $fid => $field) {
				$key = "jobman-field-" . $fid;
				if (isset($_FILES[$key])) {
					if ($_FILES[$key] === $file) {
						$file["name"] = self::$privacyPrefix . $file["name"];
						return $file;
					}
				}
			}
		}

		return $file;
	}

	public static function generate_rewrite_rules($wp_rewrite) {
		if (!self::$deactivated) {
			self::add_rewrite_rule();
		}
	}
}

JobManagerPrivateUploads::init();

add_filter("wp_handle_upload_prefilter", "JobManagerPrivateUploads::wp_handle_upload_prefilter");
add_filter("generate_rewrite_rules", "JobManagerPrivateUploads::generate_rewrite_rules");

register_activation_hook(__FILE__, "JobManagerPrivateUploads::activate");
register_deactivation_hook(__FILE__, "JobManagerPrivateUploads::deactivate");

@a-irvine, it's definitely related to the .htaccess file. I don't have much for you to go on... this is a WordPress configuration issue. If you can get rewriting to work from WP, then my plugin will be able to add rewrite rules and prevent downloading of files that start with PRIVATE__

Hi Mathieu, can you tell me how to limit the upload file size/upload cv without affect any others upload (only work for job manager). thanks

Rian Barus