$sqlQuery = "SELECT post_parent FROM {$wpdb->posts} WHERE ID = (SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = '_wp_attached_file' AND meta_value = '" . esc_sql($filename_small) . "' LIMIT 1) LIMIT 1"; $file_post_parent = $wpdb->get_var($sqlQuery); //has access? if ($file_post_parent) { if (!pmpro_has_membership_access($file_post_parent)) { //hook for users without access do_action("pmpro_getfile_before_error", $filename, $file_post_parent); //nope header('HTTP/1.1 503 Service Unavailable', true, 503); echo "HTTP/1.1 503 Service Unavailable"; exit; } } } //get mimetype $mimetype = new pmpro_mimetype(); $file_mimetype = $mimetype->getType($filename); //in case we want to do something else with the file do_action("pmpro_getfile_before_readfile", $filename, $file_mimetype); //if file is not found, die if (!file_exists($filename)) { status_header(404); nocache_headers(); die("File not found."); } //if blacklistsed file type, redirect to it instead $basename = basename($filename); $parts = explode('.', $basename); $ext = strtolower($parts[count($parts) - 1]); //build blacklist and allow for filtering $blacklist = array("inc", "php", "php3", "php4", "php5", "phps", "phtml");
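// Serve a file from the uploads directory, checking membership access first
// when the request comes from outside the admin. $filename and $wpdb are
// expected to be set before this point (not visible in this block).
// NOTE(review): nothing here confines $filename to the uploads directory or
// filters its extension; confirm the code that sets $filename does both
// before readfile() is reached.

// Only check access if the file is pulled from outside the admin.
if (!is_admin()) {
    $upload_dir = wp_upload_dir();

    // Path relative to the uploads base dir: the form stored under
    // '_wp_attached_file'. The array key must be a quoted string; a bare
    // basedir is read as an undefined constant, which is an Error on PHP 8.
    $filename_small = substr($filename, strlen($upload_dir['basedir']) + 1);

    // Look up the post the attachment belongs to. prepare() binds the value
    // as a quoted, escaped string instead of concatenating it into the SQL
    // (the old $wpdb->escape() is deprecated).
    $sqlQuery = $wpdb->prepare(
        "SELECT post_parent FROM $wpdb->posts WHERE ID = (SELECT post_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attached_file' AND meta_value = %s LIMIT 1) LIMIT 1",
        $filename_small
    );
    $file_post_parent = $wpdb->get_var($sqlQuery);

    // NOTE(review): this check fails open. A file with no matching
    // '_wp_attached_file' row (or no parent post) skips the membership test
    // and is served below.
    if ($file_post_parent && !pmpro_has_membership_access($file_post_parent)) {
        // No access: response kept as the original 503 so callers see the same status.
        header('HTTP/1.1 503 Service Unavailable', true, 503);
        echo "HTTP/1.1 503 Service Unavailable";
        exit;
    }
}

// Answer with a 404 instead of sending a Content-type header followed by a
// readfile() warning when the file does not exist.
if (!file_exists($filename)) {
    status_header(404);
    nocache_headers();
    die("File not found.");
}

// Otherwise send the file with its detected MIME type.
$mimetype = new pmpro_mimetype();
header("Content-type: " . $mimetype->getType($filename));
readfile($filename);
exit;
?>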