How to Password Protect Files Embedded in Content

By default, PPWP Pro helps you protect the content but not embedded images or uploaded files. Therefore, your files are still accessible to anyone with the links. You need Prevent Direct Access (PDA) Gold to block their direct file URL access.

In addition, using PDA Gold along with PPWP Pro plugin allows your users can access the protected files without having to log into your site. All they need to do is to enter the right password.

Requirements:

How to password protect embedded files

1. Protect files with PDA Gold

There are many ways to protect your private files with PDA Gold plugin. One of them is to simply tick the “Protect this file” checkbox while adding the media file into content.

2. Insert files into content and password protect it

You can password protect a page or post while editing by enabling the “Password protected” option.

How PPWP Pro integrates with PDA Gold

When users are whitelisted or enter the correct password, they will be able to view both protected page’s content and embedded files:

  • If the user logged in and has the right file access permission, our plugin will display the files using their protected links as usual.
  • Otherwise, our plugin will generate a private link for users to reach the protected file, which will expire after the page is loaded. In other words, a new private link will be created on every page load for each file. This stops users from sharing your protected files.

Since Password Protect WordPress Pro version 1.1.6 and Prevent Direct Access Gold version 3.1.3, we change the way protected files are served to users who have entered the right passwords. Instead of generating expiring links, which might cause protected videos & audios (MP3, MP4) not to work smoothly, we simply generate “temporary access” to these files.

Once users enter the right password, our plugin will store a cookie into their browser. The temporary access to protected files and content will be associated with this cookie. That means users will see the content and protected files as long as the cookie exists. And they won’t be able to share your protected links with others nor access them in different browsers.

Logic & Limitations

  • Our plugins haven’t supported “scaled” image, scrset, and PDA Gold Raw URLs yet (WIP)
  • Currently, we can only unlock protected files embedded in content protected by PPWP Pro plugin. That means the function doesn’t work when content is protected by category protection or PPWP Access Level extension.
  • You can use quick access links (QALs) to allow users to access the content and files directly without having to enter passwords.

Unlock protected files & content with PPWP Groups extension

If you protect the content using PPWP Groups extension, users can access the content but not protected files after entering password by default. To allow them to access the files, simply add the following code snippet to your (child) theme’s functions.php file.

add_filter('ppwp_before_handle_search_replace', function ($result, $post_id) {
	if ( true === $result ) {
		return $result;
	}

	$service = new PPWP_Group_Password_Service();

	// Get group ID and its parent.
	$group_id_from_post = $service->get_group_ids_by_post( $post_id );

	if ( empty( $group_id_from_post ) ) {
		// Do nothing if the post is not protected by any group.
		return $result;
	}

	$protection_data['is_post_protected'] = true;

	// Get group ID from cookie.
	$group_ids_from_cookie = $service->get_group_ids_from_cookie( $_COOKIE );

	$same_vals = array_intersect( $group_id_from_post, $group_ids_from_cookie );

	// Do nothing if the group ID and its parents doesn't have in cookie.
	if ( empty( $same_vals ) ) {
		// User has never entered the password.
		return $result;
	}

	/**
	 * Check password is valid.
	 * By looping the group ID and parents set in cookie to compare passwords with cookie.
	 */
	$password_service = new PPW_Password_Services();

	foreach ( $same_vals as $val ) {
		$passwords = $service->get_passwords_from_group_id( $val );
		if ( $password_service->is_valid_cookie( intval( $val ), $passwords, PPWP_Group_Password_Service::COOKIE_GROUP ) ) {
			error_log( 'S&R Result: ' . print_r( true, true ) );

			return true;
		}
	}
	return $result;

}, 12, 2);

add_filter('pda_after_check_file_exist', function ($valid, $attachment_id) {
	if ( ! isset( $_GET[ PPW_Pro_Constants::PDA_ORIGIN_LINK_TOKEN ] ) ) {
		return false;
	}

	$token_service = new PPW_Pro_Token_Services();
	$post_id = $token_service->process_protected_file_token( $_GET[ PPW_Pro_Constants::PDA_ORIGIN_LINK_TOKEN ], $attachment_id ); //phpcs:ignore

	if ( false === $post_id ) {
		return false;
	}

	$service = new PPWP_Group_Password_Service();

	// Get group ID and its parent.
	$group_id_from_post = $service->get_group_ids_by_post( $post_id );

	if ( empty( $group_id_from_post ) ) {
		// Do nothing if the post is not protected by any group.
		return false;
	}

	$group_ids_from_cookie = $service->get_group_ids_from_cookie( $_COOKIE );

	$same_vals = array_intersect( $group_id_from_post, $group_ids_from_cookie );
	$password_service = new PPW_Password_Services();

	$result = false;
	foreach ( $same_vals as $val ) {
		$passwords = $service->get_passwords_from_group_id( $val );
		if ( $password_service->is_valid_cookie( intval( $val ), $passwords, PPWP_Group_Password_Service::COOKIE_GROUP ) ) {
			error_log( 'S&R Result: ' . print_r( true, true ) );

			$result = true;
		}
	}
	return apply_filters( PPW_Pro_Constants::HOOK_UNLOCK_PDA_FILE, $result, $post_id, $attachment_id );

}, 12, 2);
Lasted updated on April 29, 2021