When uploading files to the media tab, I’d like to be able to limit who can download the file based on their user role. I have wasted around 6 hours so far trying to make this possible. I’ve read countless Reddit posts, tried multiple plugins, and updated numerous .htaccess files, and I still haven’t accomplished this.
I’ve tried many of the commonly recommended plugins. The only one I’ve seen which prevents files from being downloaded from their direct links is **Prevent Direct Access**. The free version of this plugin falls short when authorizing who can access these files. They only allow the author or admins to access them.
I’ve found a possible solution using the .htaccess file. The arguments I’ve found to use are:

```apache
# File Access Restricter
RewriteEngine On
# 1) If NOT the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
# 2) Deny access to these types
RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]
```

This seems to prevent downloading files by using the direct link, but I feel like this might be exploitable still. If I include the download link in a post on my website, the user can then use it to download the file. If this method isn’t exploitable, then I have found multiple plugins to easily restrict page access based on roles, which works perfectly for me, but again, I think this can be exploited.
I appreciate any suggestions. I’ve researched this for literal hours, but just keep hitting a brick wall. Do I just need to spend $30/month on a plugin just to get this functionality?
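
An added example, not part of the original post: a Python model of the quoted rewrite rule, run over constructed requests, showing that its decision depends only on the Host and Referer headers and never on the user's role. The host name, file path and role values are made-up sample data, and `decide` is a hypothetical helper name.

```python
import re

# The two patterns from the .htaccess rule quoted in the post.
COND = re.compile(r"^([^@]*)@@https?://\1/.*")
RULE = re.compile(r"\.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$")


def decide(host, path, referer="", role=None):
    """Return the status the rule would produce: 403 (forbidden) or 200 (served).

    `role` is accepted only to show that it never enters the decision:
    Apache evaluates this rule before WordPress runs, so it cannot see it.
    """
    if not RULE.search(path):
        return 200  # extension not covered by the rule
    test_string = f"{host}@@{referer}"
    if COND.match(test_string) is None:
        return 403  # RewriteCond is negated: no same-host Referer -> [F]
    return 200


# Constructed sample requests (host, path and roles are made up).
HOST = "example.test"
FILE = "/wp-content/uploads/2024/01/report.pdf"
SAMPLES = [
    ("direct link, no Referer, admin", "", "administrator"),
    ("direct link, no Referer, logged out", "", None),
    ("link clicked on own site, subscriber", f"https://{HOST}/members/", "subscriber"),
    ("link clicked on own site, logged out", f"https://{HOST}/members/", None),
    ("link clicked on another site", "https://other.test/page", "administrator"),
]


def run_samples():
    """Evaluate every constructed request and return {label: status}."""
    return {label: decide(HOST, FILE, ref, role) for label, ref, role in SAMPLES}


if __name__ == "__main__":
    for label, status in run_samples().items():
        print(f"{status}  {label}")
```

The rule behaves as hotlink protection: an administrator pasting the direct URL is refused, while any visitor following a link from a page on the same site is served, whatever their role.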