コード例 #1
 * Render function for Media Vault custom column in WP Media Library list table.
 * @since 0.4
 * @uses mgjp_mv_get_the_permissions()
 * @param $column_name string name-id of current column
 * @param $post_id int ID of post being evaluated
function mgjp_mv_render_media_library_custom_column($column_name, $post_id)
    if ('mgjp_mv_info' != $column_name) {
    if (!($permission = mgjp_mv_get_the_permission($post_id))) {
    $permissions = mgjp_mv_get_the_permissions();
    $permission = isset($permissions[$permission]) ? $permissions[$permission] : '';
    $description = isset($permission['description']) && !empty($permission['description']) ? esc_html($permission['description']) : '<span class="mgjp-mv-error">' . esc_html__('Undetermined! Permissions have been misconfigured for this attachment!', 'media-vault') . '</span>';

    esc_html_e('Protected Media', 'media-vault');


    esc_html_e('Files accessible to:', 'media-vault');

    echo $description;


コード例 #2
 * Check if the current user is permitted to access an attachment of a
 * specified ID
 * @since 0.7
 * @uses mgjp_mv_get_the_permission()
 * @uses mgjp_mv_get_the_permissions()
 * @param $attachment_id int The id of the attachment to check against
 * @return bool True if current user access permitted
 * @return bool False if current user access denied
function mgjp_mv_check_user_permitted($attachment_id)
    // check if attachment has protection and permissions set on it
    if (!($permission = mgjp_mv_get_the_permission($attachment_id))) {
        return true;
    $permissions = mgjp_mv_get_the_permissions();
    // check if permission set on attachment is valid
    if (!isset($permissions[$permission])) {
        return false;
    // it is better to fail safely than to reveal something we should not
    // check if permission check is set to need not run in admin
    if (is_admin() && isset($permissions[$permission]['run_in_admin']) && !$permissions[$permission]['run_in_admin']) {
        return true;
    // check if permission check is set to need the user to be logged in. if it is check if he is logged in
    if (!isset($permissions[$permission]['logged_in']) || $permissions[$permission]['logged_in'] && !is_user_logged_in()) {
        return false;
    // check if permission callback is set to false
    if (isset($permissions[$permission]['cb']) && false === $permissions[$permission]['cb']) {
        return true;
    // if not false (above), check if permission callback is valid, fail safely if it is not
    if (!is_callable($permissions[$permission]['cb'])) {
        return false;
    // perform the defined permission check callback on the user for this attachment
    // function MUST return true if the user is allowed access
    $permission_check = call_user_func($permissions[$permission]['cb'], $attachment_id);
    // if there are no errors permit access
    if (true === $permission_check) {
        return true;
    return false;
コード例 #3
 * Check if file with path $rel_file from WP uploads folder is in a Media Vault protected folder.
 * If it is, verify the user requesting it has permission to access it. After they pass the check,
 * If the 'safeforce' flag has been set for $action, send HTTP Headers forcing file download,
 * otherwise send normal headers and serve the file.
 * @since 0.1
 * @uses mgjp_mv_upload_dir()
 * @uses mgjp_mv_get_the_permissions()
 * @param string $rel_file Filesystem path or filename, must be relative to the WP uploads folder
 * @param string $action Force Download Flag, only acceptable value is 'safeforce'
function mgjp_mv_get_file($rel_file, $action = '')
    // $rel_file = path to the file to view/download,
    // relative to the WP uploads folder
    // (eg:'/media-vault/2013/10/media-vault-150x150.jpg')
    $upload_dir = wp_upload_dir();
    // only files in the WP uploads directory are allowed to be accessed:
    $file = rtrim($upload_dir['basedir'], '/') . str_replace('..', '', isset($rel_file) ? $rel_file : '');
    //---Basic Checks----------------------------------------------------//
    if (!$upload_dir['basedir'] || !is_file($file)) {
        wp_die('404. File not found.');
    $mime = wp_check_filetype($file);
    // Check filetype against allowed filetypes
    if (isset($mime['type']) && $mime['type']) {
        $mimetype = $mime['type'];
    } else {
        wp_die(__('403. Forbidden.<br/>You cannot directly access files of this type in this directory on this server. Please contact the website administrator.'));
    //---Permission Checks-----------------------------------------------//
    $file_info = pathinfo($rel_file);
    // check if file is protected by checking
    // if it is in the protected folder before
    // doing any permission checks
    if (0 === stripos($file_info['dirname'] . '/', mgjp_mv_upload_dir('/', true))) {
        // disable caching of this page by caching plugins ------//
        if (!defined('DONOTCACHEPAGE')) {
            define('DONOTCACHEPAGE', 1);
        if (!defined('DONOTCACHEOBJECT')) {
            define('DONOTCACHEOBJECT', 1);
        if (!defined('DONOTMINIFY')) {
            define('DONOTMINIFY', 1);
        // try and get attachment id from url -------------------//
        global $wpdb;
        $attachments = $wpdb->get_results($wpdb->prepare("\n        SELECT      post_id, meta_value\n        FROM        {$wpdb->postmeta}\n        WHERE       meta_key = %s\n                    AND meta_value LIKE %s\n        ", '_wp_attachment_metadata', '%' . $file_info['basename'] . '%'), ARRAY_A);
        $attachment_id = false;
        foreach ($attachments as $attachment) {
            $meta_value = unserialize($attachment['meta_value']);
            if (ltrim(dirname($meta_value['file']), '/') == ltrim($file_info['dirname'], '/')) {
                $attachment_id = $attachment['post_id'];
        // ------------------------------------------------------//
        if (!($permission = mgjp_mv_get_the_permission($attachment_id))) {
            $permission = get_option('mgjp_mv_default_permission', 'logged-in');
        $permissions = mgjp_mv_get_the_permissions();
        // permission set up error detection
        $standard_error_txt = ' ' . esc_html__('Therefore for safety and privacy reasons this file is unavailable. Please contact the website administrator.', 'media-vault') . '<p><a href="' . home_url() . '">&larr;' . esc_html__('Return to homepage', 'media-vault') . '</a></p>';
        if (!isset($permissions[$permission])) {
            wp_die(__('The permissions set for this file are not recognized.', 'media-vault') . $standard_error_txt);
        if (!isset($permissions[$permission]['logged_in'])) {
            $errors[] = 'logged_in';
        if (!isset($permissions[$permission]['cb'])) {
            $errors[] = 'cb';
        if (isset($errors)) {
            $error_txt = __('The permissions set for this file have left the following important parameters undefined:', 'media-vault') . '<ul><li>\'' . implode('\'</li><li>\'', $errors) . '\'</li></ul>' . '<p>' . $standard_error_txt . '</p>';
        if ($permissions[$permission]['logged_in']) {
            is_user_logged_in() || auth_redirect();
        // using is_user_logged_in is lighter than using just auth_redirect
        if (false !== $permissions[$permission]['cb']) {
            if (!is_callable($permissions[$permission]['cb'])) {
                wp_die(__('The permission checking function set in this file\'s permissions is not callable.', 'media-vault') . $standard_error_txt);
            $permission_check = call_user_func_array($permissions[$permission]['cb'], array($attachment_id, $rel_file, $file));
            if (is_wp_error($permission_check)) {
                wp_die($permission_check->get_error_message() . $standard_error_txt);
            if (true !== $permission_check) {
                wp_die(__('You do not have sufficient permissions to view this file.', 'media-vault') . $standard_error_txt);
    // end of permission checks
    header('Content-Type: ' . $mimetype);
    // always send this
    if (false === strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS')) {
        header('Content-Length: ' . filesize($file));
    if ('safeforce' !== $action) {
        //--OPEN FILE IN BROWSER functions-------------//
        $last_modified = gmdate('D, d M Y H:i:s', filemtime($file));
        $etag = '"' . md5($last_modified) . '"';
        header("Last-Modified: {$last_modified} GMT");
        header('ETag: ' . $etag);
        header('Cache-Control: no-store, no-cache, must-revalidate');
        // HTTP 1.1.
        header('Pragma: no-cache');
        // HTTP 1.0.
        header('Expires: Thu, 01 Dec 1994 16:00:00 GMT');
        // Proxies
        // Support for Conditional GET
        $client_etag = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : false;
        if (!isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
            $_SERVER['HTTP_IF_MODIFIED_SINCE'] = false;
        $client_last_modified = trim($_SERVER['HTTP_IF_MODIFIED_SINCE']);
        // If string is empty, return 0. If not, attempt to parse into a timestamp
        $client_modified_timestamp = $client_last_modified ? strtotime($client_last_modified) : 0;
        // Make a timestamp for our most recent modification...
        $modified_timestamp = strtotime($last_modified);
        if ($client_last_modified && $client_etag ? $client_modified_timestamp >= $modified_timestamp && $client_etag == $etag : $client_modified_timestamp >= $modified_timestamp || $client_etag == $etag) {
    } else {
        //--FORCE DOWNLOAD Functions-----------------------//
        // required for IE, otherwise Content-disposition is ignored
        if (ini_get('zlib.output_compression')) {
            ini_set('zlib.output_compression', 'Off');
        header('Pragma: public');
        // required
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Cache-Control: private', false);
        // required for certain browsers
        header('Content-Disposition: attachment; filename="' . $file_info['basename'] . '";');
        header('Content-Transfer-Encoding: binary');
    // If we made it this far, just serve the file
    if (ob_get_length()) {