PDA Access Restriction 1.3.0 gives you more control over folder protection by restricting access based on referrer links. In other words, you will be able to deny file access for private folders to specific visitors based on where they come from.
In this article, we will walk you through how this function works in the following sections.
Requirements:
- PDA Access Restriction version 1.3.0 or greater
- Prevent Direct Access Gold version 3.1.4 or greater
What are referrer links?
A referrer URL is the address of the webpage that sends users to your website. For example, you find our PDA Gold on the WordPress plugin repository. By clicking on the anchor text “Check out our Gold version now”, you’ll be redirected to our Features page. The link https://wordpress.org/plugins/prevent-direct-access/ is a referrer link.
When you embed files such as images in a piece of content, that content's URL becomes the referrer link of the embedded files.
Grant individual file access based on referrer links
Step 1: Once you’ve protected your file, click on “Configure file protection” in Media Library List View.
Step 2: Switch to “Referrer Links” and you will see the following options.
(1) Use default setting
Follow the global-level Referrer Links option on the plugin settings page.
(2) Disable referrer links
Disallow file access based on referrer URLs. However, the file is still accessible to those having the right permission or whitelisted IP addresses.
(3) Allow all referrer links
Allow users to access the file as long as it’s embedded into the content.
However, they will be redirected to a “No Access” page if they paste the URL to the browser’s address bar directly.
(4) Allow specific referrer links
Define specific referrer URLs from which users will have access to your protected files.
The asterisk (*) matches any sequence of characters (including the blank sequence). If your whitelisted referrer link is https://preventdirectaccess.com/*, all referrer links from this domain are valid.
Grant multiple file access based on referrer links at once
For all files under specific protected folders
Step 1: Navigate to Prevent Direct Access Gold >> Settings from your admin dashboard and switch to Folder Protection tab.
You will see the option to whitelist referrer links at the bottom of this page.
Firstly, select which folders you want to protect and save your selection.
Once saved, the folder name will display in the dropdown under the “Allow Referrer Links” option. Select the desired folder and apply proper referrer rules.
There are 3 referrer rules, including:
(1) Disable referrer links
This feature is disabled by default. Only whitelisted user roles can access all files in protected folders.
(2) Allow all referrer links
This rule allows users to access your protected files as long as they’ve visited the content in which these files are embedded. Users won’t be able to share the file URLs with others without your permission.
(3) Allow specific referrer links
Define the specific referrer URLs from which users have access to your protected files.
The asterisk (*) matches any sequence of characters (including the blank sequence). If your whitelisted referrer link is https://preventdirectaccess.com/*, all referrer links from this domain are valid.
All protected files under Media Library
To grant access to all protected files under Media Library based on referrer links, all at once, simply add the following code snippet to your (child) theme.

    add_filter( 'pda_after_check_file_exist', function ( $allowed, $post_id ) {
        // Do nothing unless the PDA Access Restriction referrer matcher is available.
        if ( ! method_exists( 'Pda_Ip_Block_Services', 'is_ref_in_custom_values' ) ) {
            return $allowed;
        }

        // No referrer was sent with the request: keep the existing decision.
        $referer = wp_get_raw_referer();
        if ( ! $referer ) {
            return $allowed;
        }

        // The MIME type of the attachment cannot be determined: keep the existing decision.
        $mime_type = get_post_mime_type( $post_id );
        if ( ! $mime_type ) {
            return $allowed;
        }

        $whitelist_mime_types = [ 'image', 'pdf' ]; // Customize the allowed file types here.
        $allowed_mime_types   = array_filter(
            $whitelist_mime_types,
            function ( $whitelist_mime_type ) use ( $mime_type ) {
                return false !== strpos( $mime_type, $whitelist_mime_type );
            }
        );

        // Apply the referrer rule to the whitelisted file types only.
        if ( empty( $allowed_mime_types ) ) {
            return $allowed;
        }

        $referral_urls = [ 'https://preventdirectaccess.com/*' ]; // Customize the referrer URLs here.
        $services      = new Pda_Ip_Block_Services();

        // Grant access when the referrer matches one of the whitelisted URLs.
        if ( $services->is_ref_in_custom_values( $referer, $referral_urls ) ) {
            return true;
        }

        return $allowed;
    }, 50, 2 );
Referrer-Policy
When you block or grant someone access using referrer links, you might come across the Referrer-Policy term. Its value tells browsers which referrer information is included with the page request.
The value referrerpolicy="no-referrer-when-downgrade" is set by default. In other words, referrer links won’t be sent with requests going from HTTPS to HTTP, because that is a downgrade to a less secure protocol. If you allow users to access your private folder from https://preventdirectaccess.com/*, for example, the folder must be hosted on an HTTPS website too.
Limitation: This feature won’t work properly if you use referrerpolicy="origin", because the browser then sends only the origin of the referring page instead of its full URL.
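The wildcard rule under “Allow specific referrer links” and the referrerpolicy="origin" limitation can be seen together in the following added example, which is a model of the rule as this article describes it and not the plugin's own matching code. The function name referer_matches is hypothetical, the whole-string match is an assumption, and the patterns and referrers are constructed samples.

```php
<?php
/**
 * Model of the wildcard rule: "*" stands for any sequence of characters
 * (including none); every other character is matched literally.
 * Assumption: the whole referrer has to match the pattern, not just a part of it.
 */
function referer_matches( string $referer, string $pattern ): bool {
    // Escape each literal piece, then join the pieces with ".*" for every "*".
    $parts = array_map(
        static function ( $part ) {
            return preg_quote( $part, '#' );
        },
        explode( '*', $pattern )
    );

    return 1 === preg_match( '#^' . implode( '.*', $parts ) . '$#sD', $referer );
}

// Constructed sample patterns.
$patterns = [
    'site-wide, with slash' => 'https://preventdirectaccess.com/*',
    'no slash before *'     => 'https://preventdirectaccess.com*',
    'path-scoped'           => 'https://preventdirectaccess.com/members/*',
];

// Constructed sample referrers.
$referers = [
    'https://preventdirectaccess.com/members/handbook/', // full URL sent by the browser
    'https://preventdirectaccess.com/',                  // origin only, as with referrerpolicy="origin"
    'https://preventdirectaccess.com.example.net/page',  // different host that starts with the same text
];

foreach ( $patterns as $label => $pattern ) {
    foreach ( $referers as $referer ) {
        $verdict = referer_matches( $referer, $pattern ) ? 'allow' : 'deny';
        printf( "%-22s %-52s %s\n", $label, $referer, $verdict );
    }
}
```

The path-scoped pattern denies the origin-only referrer, which is why referrerpolicy="origin" breaks any rule narrower than the whole site. The pattern without a slash before the asterisk also accepts the third referrer, so keep the slash after the domain when whitelisting a whole site.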
target="_blank" and rel="noreferrer noopener"
From WordPress version 4.7.4, when users set target="_blank" on a hyperlink, rel="noreferrer noopener" will be added automatically to the link too. This is part of the security issue fixed by TinyMCE on 23rd Nov 2016.
Because noreferrer tells the browser not to send the referrer when the link is followed, this default WordPress feature will prevent you from whitelisting or blocking users via referrer links as well.