How to protect uploads in multisite if user is not logged in?

Question

I am trying to set up a multisite intranet (using subdomains) where content on each sub-site is only accessible to users logged into their respective site. The problem I am having is trying to restrict access to uploaded files (e.g. http://example.org/wp-content/uploads/2011/12/dummy.pdf) to logged in users only.

Similar to How to Protect Uploads, if User is not Logged In?, how would I enable one of the solutions proposed by hakre or Frank Bueltge for a multisite installation?

I have been scouring the net and Wordress Answers but haven’t managed to find something that I can get to work. Related answers are:

• How to make media upload private?

• Protect Uploads in Multisite

Also, I am new to PHP and still learning how WordPress works under the hood, so detailed information about what I need to do and what goes where would be much appreciated.

Thanks!

Answer 1

Nice Question!

Poking around it a little bit, this seems to be working (further tests and a more qualified look are much welcome:). Tested only in a localhost development install with subdomains. No domain mapping.

Change the following .htaccess rewrite rule:

# uploaded files
# RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteRule ^files/(.+) dl-files.php?file=$1 [L]

Make a copy of /wp-includes/ms-files.php and place it on the root with the name dl-files.php.

Disable SHORTINIT, modify the wp-load.php path and add a current_user_can() check at the very beginning, so it becomes:

<?php
/**
 * Modified Multisite upload handler.
 *
 * @since 3.0.0
 *
 * @package WordPress
 * @subpackage Multisite
 */

//define( 'SHORTINIT', true );
require_once( 'wp-load.php' );

if( !is_multisite() )
    die( 'Multisite support not enabled' );

if( !current_user_can( 'subscriber' ) ) {
    status_header( 403 );
    die( '403 &#8212; Forbidden.' );
}

ms_file_constants();

/* ... rest of the original file ... */

Note that removing the SHORTINIT increases loading time and memory consumption. Read somewhere that it could be a ten fold increase (!?).

Interesting discussions in wp-edu list (haven't found nothing in wp-hackers):

• http://lists.automattic.com/pipermail/wp-edu//2012-May/000545.html
• http://lists.automattic.com/pipermail/wp-edu/2012-June/thread.html#551