Last active
April 5, 2017 18:50
-
-
Save nathanp/50e76eb23a3f084cce4205657ee71acc to your computer and use it in GitHub Desktop.
File that helps restrict access to uploads in a specific folder. Use in conjunction with .htaccess file - https://gist.github.com/nathanp/02a615fbc7e8bac6ca139c6c3bea38e7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
/* | |
* dl-file.php | |
* | |
* Protect uploaded files with login. | |
* | |
* @link http://wordpress.stackexchange.com/questions/37144/protect-wordpress-uploads-if-user-is-not-logged-in | |
* @link https://gist.github.com/hakre/1552239 | |
* | |
* @author Nathan Parikh <https://ndzynes.com/> | |
* @license GPL-3.0+ | |
* | |
*/ | |
ob_start(); | |
require_once('wp-load.php'); | |
require_once ABSPATH . WPINC . '/formatting.php'; | |
require_once ABSPATH . WPINC . '/capabilities.php'; | |
require_once ABSPATH . WPINC . '/user.php'; | |
require_once ABSPATH . WPINC . '/meta.php'; | |
require_once ABSPATH . WPINC . '/post.php'; | |
require_once ABSPATH . WPINC . '/pluggable.php'; | |
wp_cookie_constants(); | |
$discard = ob_get_clean(); | |
is_user_logged_in() || auth_redirect(); | |
list($basedir) = array_values(array_intersect_key(wp_upload_dir(), array('basedir' => 1)))+array(NULL); | |
$file = rtrim($basedir, '/') . '/' . (isset($_GET['file']) ? $_GET['file'] : ''); | |
$file = realpath($file); | |
if ($file === FALSE || !$basedir || !is_file($file)) { | |
status_header(404); | |
die('404 — File not found.'); | |
} | |
if (strpos($file, $basedir) !== 0) { | |
status_header(403); | |
die('403 — Access denied.'); | |
} | |
$mime = wp_check_filetype($file); | |
if( false === $mime[ 'type' ] && function_exists( 'mime_content_type' ) ) | |
$mime[ 'type' ] = mime_content_type( $file ); | |
if( $mime[ 'type' ] ) | |
$mimetype = $mime[ 'type' ]; | |
else | |
$mimetype = 'image/' . substr( $file, strrpos( $file, '.' ) + 1 ); | |
header( 'Content-Type: ' . $mimetype ); // always send this | |
if ( false === strpos( $_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS' ) ) | |
header( 'Content-Length: ' . filesize( $file ) ); | |
$last_modified = gmdate( 'D, d M Y H:i:s', filemtime( $file ) ); | |
$etag = '"' . md5( $last_modified ) . '"'; | |
header( "Last-Modified: $last_modified GMT" ); | |
header( 'ETag: ' . $etag ); | |
header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', time() + 100000000 ) . ' GMT' ); | |
// Support for Conditional GET | |
$client_etag = isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) ? stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) : false; | |
if( ! isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) | |
$_SERVER['HTTP_IF_MODIFIED_SINCE'] = false; | |
$client_last_modified = trim( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ); | |
// If string is empty, return 0. If not, attempt to parse into a timestamp | |
$client_modified_timestamp = $client_last_modified ? strtotime( $client_last_modified ) : 0; | |
// Make a timestamp for our most recent modification... | |
$modified_timestamp = strtotime($last_modified); | |
if ( ( $client_last_modified && $client_etag ) | |
? ( ( $client_modified_timestamp >= $modified_timestamp) && ( $client_etag == $etag ) ) | |
: ( ( $client_modified_timestamp >= $modified_timestamp) || ( $client_etag == $etag ) ) | |
) { | |
status_header( 304 ); | |
exit; | |
} | |
// If we made it this far, just serve the file | |
readfile( $file ); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment