I just submitted this feature request to Gravity Forms’ roadmap. I post it here as well to open up for discussion.
I’d love to see Gravity Forms’ file protection improved in the following ways.
Block direct access to files in hidden upload folders.
Replace the current file hash-based authorization with token-based authorization so that we can implement user-based permission checks (not just the role-based permission checks we can do today using gform_permission_granted_pre_download).
Make the token-based authorization system’s access tokens expire after a couple of hours.
Thanks for the reply. I’ve already disabled it on our sites. The suggestion is just in case I (or any other Gravity Forms user) accidentally reveals the real path.
In the meanwhile, I wrote a proof-of-concept class for improving the file protection without breaking the current functionality or adding any additional data to the database. The solution doesn’t leave any traces and keeps all generated links working even after removing the class.
The class does the following things.
Blocks direct access to the real uploads folder.
Requires users to login before downloading files through secure download links.
Signs the download links, making them unique for each file and each user.
Revokes the validity of download links after one or two days.
Revokes the validity of download links every time the user logs in.
Feel free to suggest improvements/bug fixes. If you want to use the code snippet, you must replace the some of the code with hardcoded form IDs since the settings panel the class relies upon isn’t part of the class. You must also define a salt called OPAL_SALT in your wp-config.php file.
Please note, this is for developers. This is not intended to be a stand-alone plugin since it’s just a workaround while waiting for an official solution.
