Community Support Forums

Is it possible to block access, using s2member, from folders?

For example, I don't want anyone getting into:
mydomain.com/blue/
mydomain.com/a/

Can this be done in the "URI restrictions" section? Can this be done with s2mebmer at all?

Thanks!
David

I presume you are on a Apache server and not Windows. If you are not sure you should be able to see when you log into your website's control panel or just contact support at your webhost.

If you are on Apache you can put a plain text file named .htaccess in the main folder you want to protect. All the sub folders will inherit the same restriction.
There are many things you can do but it sounds like the following simple line will work for you:

Code: Select all

deny from all

The file name must be named .htaccess
The dot makes the file invisible.

If you use deny from all you will still be able to gain ftp access using your normal password and login.

There may also be a password protection feature in your control panel which sets up an htaccess file.

There are many things you can do with htacess; password protecting folders, files, groups, etc. For more info on .htaccess have a look at: http://www.htpasswdgenerator.com/apache/htaccess.html

Daine

s2Member can protect content through its URI Restrictions ( i.e. word fragments found within URLs on your site ). However, this will ONLY work if those files/directories are loaded by WordPress.

In cases where you need to protect a real directory that is NOT a part of WordPress ( i.e. it's not loaded through WordPress / WordPress rewrite rules ), you will need to implement another form of protection. I agree with Daine, .htaccess is great solution for this.

@Daine - I am on Linux/Apache and I'm remiss in saying thank you for your prompt and spot-on answer; one of the developers I know had told me do do the .htaccess and .htpasswd trick and gave me some links to instructions. So far, fail - as I have received server error messages using this method so far which I suspect is an error on my part; probably the file path incorrectly named, so I'll look into that.

@Jason Caldwell - thanks much for your reply as well; I had tried folder restriction in the URI input field - fail - but it was a good try, eh? do you think there's any chance you might add a folder restriction in addition to the post, URI, and other restriction types? I don't know the feasibility of adding that as another restriction type in s2member, but do you think it's a good idea for an addition? In my specific case, I have a folder of mp3 files on a separate domain (domain2.com) with a separate install of s2member than my actual member site (domain1.com) points to for access to audio which is played by members on domain1.com via wordpress plugin (no direct download accessibility of mp3, just a player so they can listen) - the result I'd like to produce is making sure that if anyone finds the mp3 folder on domain2.com, they can't get access to the mp3 files.

All - is there a perhaps- different or better way to achieve my desired outcome?

Thanks!
David Portney

Actually, presuming you are not hosting this site on your own server, I am surprised that your control panel doesn't have a simple UI for password protecting folders.
Both hosts I use have it, even the one that is really bad, useless and out of date (which I am leaving soon) so I would think that and reasonably modern host would have it.
That said, if your host's support is worth anything, they should also be able to help you by putting the .htaccess file where you need it with the code/functionality you want.

Also, keep in mind that no matter how well an application works, there are vulnerabiltes. .htaccess is a system level setting so is, at least in theory, the most difficult to get around.

Did you try deny from all?
Adding other functionality can get you in trouble with path names and such but that should really work.

Daine

Since they are just media files, wouldn't Amazon S3 work for that?

http://s3.amazon.com

You can adjust the permissions so that the content of the directory isn't listed, but the files are accessible if you know the exact URL to each. There are advanced protection methods that would make links expire and such, too.

@Cristian Lavaque - thanks for your (always prompt and insightful) helpful reply! Actually, in the final analysis, Amazon S3 is "the" correct way to go. The things is that at this point my membership levels are so low that I don't see the need to invest in that option just yet - and I'll also admit that I *could* be looking at this "in the wrong way" as it were. As I recall, S3 charges based on size of files / amount of space used, so I should indeed look into this more closely.

@man-O-media - <smacking my palm to my forehead> I do have cPanel via BlueHost, and it never (but should have) occurred to me that they'd have a way to block a folder in a more WYSIWYG interface than my so-far failed attempts at .htaccess etc. so far. I'm going to log into BlueHost right now and see about that.

All - one more question about this: so, let's say that I do manage to protect the folder with mp3 files on site2.com (my non-membership site) - on site1.com (my membership site) I use a Wordpress Plugin called "Audio player" so that members can play the audio, but not have download access to the files, and of course the file path on site1.com using the plugin is a path to site2.com/folder-with-mp2. So my question is, if I block access to that mp3 folder, does that mean the audio player won't be able to "access" the files either?

Thanks!
David Portney

UPDATE: Okay, so just for fun, I went onto live chat with my BlueHost (my hosting account) and told them the outcome I wanted to produce, the very-helpful tech said either use cPanel to password protect (and gave me the simple steps) or, just upload a blank index.html file into the folder.

The problem with password protecting is that my members would have to have the UN/PW to hear the audio files - with index.html solution, they can still hear, but the file path to my mp3 folder now just shows a blank page instead of links to all the mp3 files as it did before.

So as far as I can tell, problem solved!

Now, don't me wrong, I know that there are tech-savvy folks out there that can get whatever they want, but in this case, it's more like I'm just putting a chain around my bicycle in public; if someone wants that bicycle, sure, they'll get it. But at least it's not just sitting there completely unprotected and easy to take, eh?

What do you all say? Thanks!

David Portney

You are very welcome.

True, some protection is definitely better than none.

About S3, it's super cheap, really, price is not an issue there. And practical, cause bandwidth and space are never lacking.

About the index.html file, true, an index file will prevent the directory listing. You can also achieve that with an .htaccess file in that dir with the following line:

Code: Select all

Options -Indexes

Now, for someone with a bit of experience, it wouldn't take much to find the files. They can look at the source code and see if you provide the URL there in the embedded player. If that is not available, something like Firefox' add-on HttpFox would tell the URL of the file being streamed. Also, if you didn't prevent that directory from being indexed by search engines, someone could search this in Google

site:your-website.com (filetype:mp3 OR inurl:mp3)

This is why file protection by means of s2Member or Amazon S3 is so good, because they allow different ways to protect the files even if they do know the URLs to them.

Hey Cristian - nice, thanks! in order:

1. I'll definitely look into s3, but for now am being hard-headed and want to solve another way. I know I'll have to cave in on that eventually, but not today

2. index.html file vs. .htaccess - good to know both I suppose, they achieve exactly the same result and are completely interchangeable?

3.1: When I view-source of the pages with the embedded audio player, there's no file path at all anywhere in the code showing the path to the other domain and the folder with mp3, so I think I'm safe there.

3.2: shoot, it figures there's a browser plugin that shows the file path of an mp3 being played. All the wind has been taken out of my sails, thanks a lot - but seriously, here I was all smug with my index.html file. I suppose most folks are not savvy enough to know about HttpFox, but that's still a pretty big hole I'm leaving open, hence the lack of wind in my sails.

4. I do have that site that has the mp3's on it search engine blocked (via Wordpress setting) and trying the search operator searches did not turn up any results, so I *think* I'm safe on that one.

5. Ah, the best for last - you seem to indicate that s2Member would allow file protection; what am I missing here? I thought I was being "slick" by putting the mp3's on a completely different domain than my membership site - are you saying that I should put them into a folder on my membership site and that I can protect them with s2Member??? Keep in mind I do NOT want anyone, no matter their member level, to be able to download, only listen to the mp3's....

Thanks!
David

Sorry, but I thought you should know.

About s2Member's download protection, check out these:
WP Admin -> s2Member -> Download Options
http://www.s2member.com/file-download-options-video/

justawizard wrote:Keep in mind I do NOT want anyone, no matter their member level, to be able to download, only listen to the mp3's....

If you don't want ANYONE to access the files, place your files here:
/wp-content/plugins/s2member-files/access-s2member-ccap-never/
This tells s2Member that only Members with the Custom Capability "never", would be allowed to access the files in that directory, and since you'll "never" give anyone that Capability; you're good.

You'll find further details covering advanced topics like this in your Dashboard, under:
s2Member -> API Scripting -> Custom Capability & Member Level Files

Not accessed by anyone directly, but he does want the files to be streamed via the embedded audio player.

Cristián Lávaque wrote:Not accessed by anyone directly, but he does want the files to be streamed via the embedded audio player.

OK. I see now. Thanks Cristián.
May I see a sample of the code that is being used to embed the audio?

May I see a sample of the code that is being used to embed the audio?

Hey Jason - I use a Wordpress Plugin to embed the audio, the plugin called "Audio player" and it uses a shortcode to reference the audio file path location, and embed the player onto the page/post - here's an example:

Code: Select all

[audio:http://www.domain.com/folder/audiofile1.mp3,http://www.domain.com/folder/audiofile2.mp3]

If helpful to you, there are 2 checkbox settings on the advanced tab of the plugin configuration protecting against downloads:

Encoding: Enable this to encode the URLs to your mp3 files. This is the only protection possible against people downloading the mp3 file to their computers. * Encode mp3 URLs

Remove all enclosures from feeds: This will remove all enclosures from your blog feeds. Only do this if you do not want your visitors to download the mp3 files. Do not do this if you do any kind of podcasting via your blog. * Remove all enclosures from feeds

Please let me know if I provided the info you requested, or if you'd like me to reply with the php code from the editor.

Thanks!
David

OK. So just to summarize.
You have MP3 files on "Site A", which are protected from public access.
Members on "Site B", are allowed to hear these protected MP3s; only when logged into "Site B".

Normally, this would be simple. s2Member can protect files for you. All you do is place your protected files inside the /wp-content/plugins/s2member-files/ directory, and s2Member will protect them from public access; allowing Members to download them, when they're logged in.

A download link on your site might look like this:

Code: Select all

http://www.example.com/?s2member_file_download=file.mp3

Actual location of file: /wp-content/plugins/s2member-files/file.mp3
Further detail/instruction available in your Dashboard, under: s2Member -> Download Options.

However, in your case, the protected MP3 files are not in the same domain, they are part of another site all together. That being said, I suspect both of your sites are on the same server, so it is possible for s2Member to acquire them. So here is how you might deal with this.

1. On "Site A", add an .htaccess file to the directory where your MP3 files are located. This will protect them from public access. Inside the .htaccess file, add this line: deny from all. [ reference article ]

2. On "Site B", where s2Member is installed, create this directory and file.
/wp-content/mu-plugins/s2-hacks.php

Code: Select all

<?php
add_filter ("ws_plugin__s2member_files_dir", "my_files_directory");
function my_files_directory ()
    {
        return "/server/path/to/files/on/siteA";
    }
?>

In other words, use something other than the default /s2member-files/ directory.

3. Now change your audio Shortcodes on "Site B", to something like this:

Code: Select all

[audio:http://www.siteb.com/?s2member_file_download=audiofile1.mp3&s2member_file_inline=yes]

Hey Jason - super and excellent info, thank you! I did go back and re-watch the videos about protecting files, making downloads available and such - the one thing that either I didn't make clear enough or got buried in the postings is that I do NOT want anyone to have access to downloading the mp3 files.

I only want my members to be able to listen to the mp3's, so I use the Wordpress Plugin "Audio player" for this purpose.

I suppose I could or should place the mp3's back on site B (my membership site) inside the s2member-files location? - if I did that, no person would be able to access any file there unless logged in, correct? - except that if they see the file path, they can access any and all files in that folder, correct?

Thanks Jason!
David

Thanks for the follow-up.

justawizard wrote:I suppose I could or should place the mp3's back on site B (my membership site) inside the s2member-files location? - if I did that, no person would be able to access any file there unless logged in, correct? - except that if they see the file path, they can access any and all files in that folder, correct?

Yes, you are correct in both cases.

From a technical perspective, if you allow the files to be accessed in any way, there is always a chance that a visitor will find the file path, and then have access to download the file directly.

For that matter, some audio applications will expose this right inside the application and invite the user to download the file. Of course, there are ways to thwart this, but just so you're aware. Under normal circumstances, making audio files available for playback, is the same as allowing them to be downloaded; from a technical standpoint.

Thanks again Jason, I appreciate it!
David

I know that there is at least one way of protecting a file so it can be streamed by a player, but not downloaded and, if I remember correctly, it was a custom solution.

Basically, it looked like it chunked the file into small parts that were served in sequence, each with a key, expiration and other variables. So basically, even if you managed to download something, all you got was that one piece, if you wanted the whole thing you could probably do it downloading every single piece and then stitching them. It wasn't worth the trouble. That was the only time I remember when I couldn't make a backup copy of something I bought and was only available in an embedded player.

So it's not impossible, but I don't know a solution that one can get easily. That said, I haven't looked into this in detail ever, so you should search Google and see what you can find.

Hey Cristian, thanks again for all your terrific input. Yeah, at some point the ROI of time needs to be factored, as you pointed out. I'm defaulting to my "bicycle lock/chain" analogy - because if the majority of my members are non-techies who are just wanting the quality info I'm providing, they're not going to be sitting around trying to figure out how to "pick the lock or cut the chain". So if they ARE a techie, and go after the download... dishonest people are going to do dishonest actions, so at the end of the day it's not worth losing sleep over.

At least I've got a "bike lock" in place to keep honest people honest!

Thanks again,
David

What you say is true.

I personally don't worry about members downloading my content, I don't have an issue with that.

I also don't worry if someone gets my content in an improper way, I know that kind of person wouldn't have paid me for it anyway, and probably won't benefit from it either. That kind is more in the game of getting it than using it, so it's not like I lost a sale because of them.

If you have a "no download" rule, though, I think it'd be best to make it known to customers. I don't see as dishonesty to download something I paid for, unless it was clearly stated that what I get is online playback of the material but not a local copy of it. But that's just my point of view.

I'm always glad to help and please let us know if there's anything else we can assist you with.