Optionally stop direct web access to document files to force access only via WordPress #317
Description
This arose from the WP Support request User Level Security
The security model of the plugin normally requires users to access the file via the front-end. If a user can determine the MD5 format of the file name, it is possible that someone can create a URL that points to the file directly. They can then access the file.
This can be blocked by an .htaccess rewrite rule that blocks direct access to these files.
As such, it needs to be based on a file name pattern (i.e. not a document check) and it needs to be defined prior to the rewrite rule that allows direct access.
This can be done in a two stage process:
a) Add an external rule to trigger the process using action generate_rewrite_rules to enter a placeholder value
b) Modify this placeholder using the filter mod_rewrite_rules to become

```apache
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule xxxx/(\d{4}/\d{2}/)?[a-f0-9]{32}(\.\w{1,7})?/?$ /- [R=403,L]
```
where xxxx is any element needed to help specify the URL path.
It could happen that the document library contains files that are meant to be downloaded directly and whose names are in this format. In that case this capability should not be implemented.
To implement it, use a filter document_stop_file_access_pattern, which should be set to the trailing part of the URL pattern.
If set to '/' then any URL ending with the pattern /(\d{4}/\d{2}/)?[a-f0-9]{32}(\.\w{1,7})?/?$ will not be directly accessible.
If set to 'wp-uploads' then any URL ending with the pattern wp-uploads/(\d{4}/\d{2}/)?[a-f0-9]{32}(\.\w{1,7})?/?$ will not be directly accessible.
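The two-stage process described above, written out as an added example (this is not the plugin's own code). The filter name document_stop_file_access_pattern comes from this issue; the placeholder token, the constant and the doc_stop_* function names are assumptions made for the example. It relies on the fact that WordPress writes external (non-WP) rules into .htaccess before its own `RewriteCond %{REQUEST_FILENAME} -f` passthrough, so a placeholder registered there lands in the right position and can then be swapped for the blocking rules.

```php
<?php
/**
 * Added example: block direct web access to MD5-named document files.
 *
 * Stage 1 (generate_rewrite_rules): register a placeholder external rule.
 *   WordPress emits external rules ahead of its -f/-d passthrough rules.
 * Stage 2 (mod_rewrite_rules): replace the placeholder line with the
 *   RewriteCond/RewriteRule pair that answers 403 for matching files.
 *
 * Assumed names: DOC_STOP_PLACEHOLDER and the doc_stop_* functions.
 */

// Placeholder path; chosen so that no real request ever matches it.
define( 'DOC_STOP_PLACEHOLDER', 'document-stop-file-access-placeholder' );

/**
 * Trailing part of the URL path to protect, e.g. '/' or 'wp-uploads'.
 * An empty string (the default) leaves direct access untouched, which is
 * the right choice when the library legitimately serves MD5-named files.
 */
function doc_stop_file_access_pattern() {
	return (string) apply_filters( 'document_stop_file_access_pattern', '' );
}

/**
 * Stage 1: add the placeholder as an external rule. WordPress prefixes the
 * match with '^' and writes it as "RewriteRule ^<match> /index.php [QSA,L]".
 */
function doc_stop_add_placeholder_rule( $wp_rewrite ) {
	if ( '' === doc_stop_file_access_pattern() ) {
		return;
	}
	$wp_rewrite->add_external_rule( DOC_STOP_PLACEHOLDER . '$', 'index.php' );
}
add_action( 'generate_rewrite_rules', 'doc_stop_add_placeholder_rule' );

/**
 * Build the blocking rules. The filter value is treated as a regex fragment
 * (the "xxxx" of the issue); a trailing slash is stripped so that '/' yields
 * "/(\d{4}/\d{2}/)?..." and 'wp-uploads' yields "wp-uploads/(\d{4}/\d{2}/)?...".
 * '-' is Apache's "no substitution"; with a non-3xx R= status the
 * substitution is dropped anyway, so '-' and '/-' behave the same here.
 */
function doc_stop_build_rules( $trailing ) {
	$trailing = rtrim( $trailing, '/' );
	return "RewriteCond %{REQUEST_FILENAME} -f\n"
		. 'RewriteRule ' . $trailing . '/(\d{4}/\d{2}/)?[a-f0-9]{32}(\.\w{1,7})?/?$ - [R=403,L]' . "\n";
}

/**
 * Stage 2: swap the placeholder line for the real rules. A callback is used
 * so that backslashes and '$' in the rules are inserted literally.
 */
function doc_stop_replace_placeholder( $rules ) {
	$trailing = doc_stop_file_access_pattern();
	if ( '' === $trailing ) {
		return $rules;
	}
	$line_regex = '/^RewriteRule \^' . preg_quote( DOC_STOP_PLACEHOLDER, '/' ) . '\$.*$/m';
	return preg_replace_callback(
		$line_regex,
		function ( $m ) use ( $trailing ) {
			return rtrim( doc_stop_build_rules( $trailing ) );
		},
		$rules
	);
}
add_filter( 'mod_rewrite_rules', 'doc_stop_replace_placeholder' );

// Example site-level configuration (assumed): protect everything under wp-uploads.
add_filter( 'document_stop_file_access_pattern', function () {
	return 'wp-uploads';
} );
```

Two practical points: the .htaccess file is only rewritten when the rules are flushed (saving Settings > Permalinks or calling flush_rewrite_rules()), so changing the filter value has no effect until then; and because these are mod_rewrite directives written to .htaccess, the block applies only on Apache-style servers that honour .htaccess, so an nginx or IIS host needs an equivalent rule in its own configuration.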