[Membership 2 Pro] Protecting a url in membership 2 pro

I am trying to protect a link to a PDF. This PDF should only be available to members. So my url is like this: https://mywebsite/PDF/something.pdf I tried URL Restriction addon, added the url there, but that does not work. People are still able to see the PDF
I also tried media protection and that did not work. Can you please let me know how I can restrict people (non-members) from seeing the PDF?

  • Adam Czajczyk

    Hello gediweb

    I hope you're well today and thank you for your question!

    I tried to check your site but it seems that media protection Membership 2 Pro add-on is currently disabled on the main site of the network and I'm not sure where to look for an example PDF in questions.

    In general, the way it's supposed to work is that when a given file (that's uploaded to the Media Library) is protected, you can put a link to it (or insert an image in post/page if it's an image file) in the post/page content or anywhere within your site and:

    - if it's an image, it's displayed only if the visitor is a logged in member of the relevant membership
    - if it's a link to a downloadable file (e.g. PDF link) it should only work for logged in members of relevant memberships.

    However, what will not work "out of the box", is that if a user - even not logged in/not member - knows the original URL of the file and tries to access it, they'd still be able to do so. Unless, the direct access to the specific type of file is explicitly protected.

    So, what I'd do to protect the file would be this:

    1. Enable "Media Protection" add-on of Membership 2 Pro
    2. Go into "Details" settings of the add on (the "Details" link in add-on description)
    3. Apart of setting your protection mode of choice, enable both "Advanced Media Protection" and "Protect Individual Media files" options.
    4. Go to the "Membership 2 -> Protection Rules -> Media Library Items", find the PDF file that you wisth to protect and assigned desired membership(s) to it
    5. Go to the "Membership 2 -> Settings -> Advanced Media Protection" and

    - make sure that the "Application Server" that's selected is the one that's powering your site (you should be able to see if it's e.g. Apache on "WPMU DEV -> Support -> System Info -> Server" page in site's back-end)

    - make sure that the .pdf extension is NOT added to the list of "Only allow direct access to the following file extensions." option

    - save that setting

    This should make the file protected and also disallow direct access ("hotlinking") to the PDF files in case someone tried to access them directly by the direct (not masked) URL.

    Give it a try please and if it still doesn't work for you, let me know please which PDF (might be just an example one) should be protected on your site, with what memberships and where on site's front-end (what page/post) can I find it being linked.

    Best regards,
    Adam

  • gediweb

    Hi Adam Czajczyk ,

    Didnt work :slight_frown: what a mess!

    Media protection breaks my site. With it enabled, my main navigation dropdowns dont work and for example if you go to /account/ I see a random image instead of my site...
    I also tried uploading a pdf to a directory in the root of my site. Tried linking from the page to the pdf with url protection and it does NOT work.

    I enabled support access. Feel free to test things out. Do you think you can see if you can make it work? I also left you a message there with specifics on the URL and the page linking from.
    Thank you so much!

  • Adam Czajczyk

    Hello gediweb

    Thank you for your response and for granting access.

    However, before I'll make us of the access to check the site, I'd like to ask you to try one more thing. There's an issue with M2P that might actually be affecting "media protection" add-on that I didn't think of while responding to you (I'm sorry, I should have!) so could you try applying a small patch on the plugin first?

    Please do as follows:

    1. download an attached zip file and extract it to your local drive; you should see a file named "class-ms-rule-media-model.php" there
    2. access your site via FTP or cPanel "File Manger" and go to this folder:

    /wp-content/plugins/membership-pro/app/rule/media

    3. rename the "class-ms-rule-media-model.php" file there to sth like e.g. "class-rule-media-model.php_org"

    4. upload the "class-ms-rule-media-model.php" file from downloaded zip archive to that folder on a server.

    Once that's done, clear all caches on site and check if that changed/improved things and let me know. If it doesn't solve the issue, I'll then access the site and investigate what's happening and how to solve it.

    Kind regards,
    Adam

  • gediweb

    Thanks Adam Czajczyk

    Unfortunately that did not work. The PDF file is still not protected and although on chrome the navigation is not messed up, on Firefox & Edge it is. Also /account/ still comes up with a random image...

    Forgot to mention, if I choose either complete protection or hybrid protection under media files details, my whole site goes down and all it shows is a random image. Just like the accounts page.

    If you access the site, I included details on the page that I have the link on and the PDF trying to protect.

  • Predrag Dubajic

    Hi gediweb,

    It seems that something on your site is changing the path of your file and thus overriding M2 media protection which makes the file accessible.

    Your file path on the download link looks like this:
    domain.com/PDF/filename.pdf
    And when you go to that link the file is indeed accessible and can be downloaded.
    However, the default link should be this:
    domain.com/PDF/2019/01/filename.pdf
    And if you check that link you will see that the file is protected, here's how it looks when I try to access it like that:

    So you can try using that URL for download or see what's changing the URLs on your site and after that the protection should be working fine.

    P.S. That file wasn't protected in Membership 2 Protection Rules so while testing I did protect it but I have reverted the changes once I was done, so the file is unprotected at the moment.
    If you prevent access to it you should see the results I mentioned above.

    Best regards,
    Predrag

  • gediweb

    I'm sorry, I'm just not able to get it to work. I could not protect the file.
    - I checked and my file is protected in the MP2 protection rules
    - I changed the link to go to: https://domain.com/PDF/2019/01/filename.pdf
    - Now I click on the link (logged-in and not logged in) and I see a weird page with a feed of my posts (with minimal styling)
    - Just to confirm, here is the link i'm using: https://snag.gy/gXiCGZ.jpg on the page I specified in the account access.

    - With media protection enabled, weird things are happening. For example, on top of the weird result on top, if you go to /account/ you see just a random image instead of the page...

    One more thing I noticed that may or may not have anything to do with this. This main site is an HTTPS:// site but when I go to media library, it shows image permalinks to be HTTP://

    Please help me figure this out. My client is patient, but their patience is wearing off.

  • gediweb

    Update: With help from chat, I was able to diagnose the http:// vs https:// issue and there was a configuration error. I have it se t properly now and I do in fact see "No access" when not logged in and the file when logged in. Correct! Finally!

    As a side note/question: Is there a way to take them to the protected content page (like the protected pages do) instead of showing them "no access" ?

  • Adam Czajczyk

    Hi gediweb

    I'm happy to hear that you were able to solve that!

    As a side note/question: Is there a way to take them to the protected content page (like the protected pages do) instead of showing them "no access" ?

    The media protection add-on's main purpose is to actually hide an image that from visitors that are not entitled to see it (are not members of a selected membership) while still letting them view the rest of the post/page/content that's not protected for them. It's similar to what you can sometimes see on some forums where there are images included in posts but there's some "no access" image instead until you're logged in - while you can still see the post itself.

    In case of such use as on your site such redirect would make sense but since Media Protection is mostly used to protect images included in posts/pages, such redirect on protected image would actually act exactly the same as protecting the entire post with regular protection rules :slight_smile:

    However, I've passed this question to our developers as your case is specific and such redirect would work here - if possible. It would most likely require some additional custom code but I need some consultation from our devs on this. If it's something that could be achieved with some relatively simple additional code (e.g. in functions.php or as mu-pluing) I'm sure they'll be able to provide us with it. Otherwise, we'll let you know if it would require more development.

    Best regards,
    Adam

  • Panos

    Really sorry for the delay gediweb !

    In order to redirect to protected page instead of showing the no-access image, you can try adding the following snippet in a mu-plugin:

    add_action( 'ms_rule_media_model_output_file_before', function(){
    	wp_safe_redirect( MS_Model_Pages::get_page_url( MS_Model_Pages::MS_PAGE_PROTECTED_CONTENT, false ) );
    	exit;
    } );

    That seemed to do the trick in my test site.

    If you are not familiar with mu-plugins you can read more about them here :
    https://premium.wpmudev.org/manuals/wpmu-manual-2/using-mu-plugins/
    In short, those are php files that work similar to plugins, with the difference that they they are executed without the need to be activated. Those files should be placed in the wp-content/mu-plugins directory. If it doesn't exist you can simply create it.

    Let us know if it works on your side too!

    Kind regards!

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.