The BuddyPress Group Documents plugin gives users a handy way to share documents with fellow members of a BP group. It’s crucial to the work that is done on the CUNY Academic Commons. But, by default, the plugin stores documents in a subdirectory of your WP uploads folder (usually /wp-content/blogs.dir/ on multisite). That means that documents are available directly to anyone who has the URL, regardless of the public/private/hidden status of groups. This isn’t a problem from within BuddyPress, since URLs for the documents only appear inside of the protected group interface. But if the URL is shared, then the document becomes publicly available. Worse, if someone posts the URL of a document in a public place, search engine bots will find it, and the contents of the document could end up in Google.
I wrote a few helper functions to change this behavior. The strategy is this: Move the files so that they are not accessible via URL, i.e. into a directory above the web root. (In my case, it’s a directory called bp-group-documents, just above my web root.) Then, catch requests of a certain type (I’ve chosen to go with a URL parameter get_group_doc=), and check them to see whether the current user has adequate permission to access the document in question. Finally, make sure that all of the URLs and paths that BPGD uses to upload and display documents are filtered to the updated versions. I’ve provided my code below – use and modify at your pleasure. You should be able to place it in your plugins/bp-custom.php file, and then move your existing docs from their current location (probably something like wp-content/blogs.dir/1/files/group-documents) to the new directory.
I also added a line to my .htaccess file to ensure that requests to the old URLs are redirected to the new, hardened URL. That line is this:
RewriteRule ^wp\-content/blogs\.dir/1/files/group\-documents/(.*) /?get_group_doc=$1 [R,L]
Obviously, you may have to modify it for different file paths.
EDITED Feb 8, 2011 to include the code for creating directories when none exist
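The request-handling step of the strategy above (catch get_group_doc=, check group access, serve the file from outside the web root), as an added example that is not the author's code. It assumes documents are stored as <group_id>/<file name> inside a bp-group-documents directory just above the WordPress root; the constant and the example_ function names are hypothetical.

```php
<?php
// Added example, not the post author's code. Assumptions: documents live at
// <private dir>/<group_id>/<file name>; the constant and function names are hypothetical.
define( 'EXAMPLE_GROUP_DOCS_DIR', dirname( ABSPATH ) . '/bp-group-documents' );

function example_deny( $message, $status ) {
	wp_die( esc_html( $message ), '', array( 'response' => $status ) );
}

function example_serve_group_doc() {
	if ( ! isset( $_GET['get_group_doc'] ) ) {
		return; // Not a document request.
	}
	// Accept only "<numeric group id>/<file name>"; no extra slashes or backslashes.
	$request = wp_unslash( $_GET['get_group_doc'] );
	if ( ! is_string( $request ) || ! preg_match( '#^(\d+)/([^/\\\\]+)\z#', $request, $m ) ) {
		example_deny( 'Invalid document request.', 400 );
	}
	$group_id = (int) $m[1];

	// Authorize before touching the filesystem so file names cannot be probed.
	$group = groups_get_group( array( 'group_id' => $group_id ) );
	if ( empty( $group->id ) ) {
		example_deny( 'Document not found.', 404 );
	}
	if ( 'public' !== $group->status ) {
		if ( ! is_user_logged_in() ) {
			auth_redirect(); // Sends the visitor to the login screen and exits.
		}
		if ( ! groups_is_user_member( get_current_user_id(), $group_id ) && ! is_super_admin() ) {
			example_deny( 'Document not found.', 404 ); // Same answer as a missing file.
		}
	}

	// Resolve symlinks and ".." and confirm the result is still inside the private directory.
	$base = realpath( EXAMPLE_GROUP_DOCS_DIR );
	$path = realpath( EXAMPLE_GROUP_DOCS_DIR . '/' . $group_id . '/' . $m[2] );
	if ( ! $base || ! $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
		example_deny( 'Document not found.', 404 );
	}

	nocache_headers(); // Keep private documents out of shared caches.
	header( 'Content-Type: application/octet-stream' );
	header( 'X-Content-Type-Options: nosniff' );
	header( 'Content-Disposition: attachment; filename="' . str_replace( '"', '', basename( $path ) ) . '"' );
	header( 'Content-Length: ' . filesize( $path ) );
	readfile( $path );
	exit;
}
add_action( 'bp_init', 'example_serve_group_doc' );
```

Non-members get the same 404 as a missing file, so the response does not confirm which documents exist in a private or hidden group.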
12 thoughts on “Hardening BuddyPress Group Documents”
This is a great piece of code.
Document protection and privacy is important but not easy to implement.
Have just started using BP Group Documents and would love to use your hardening code to make files more protected. Unfortunately I don’t know quite how to modify it to suit. I’ve added the code above to plugins/bp-customs.php, but I’m having trouble with the path:
The “site-folder” is my site root and I’ve placed the bp-group-documents folder above it, at:
But I don’t know how to change your code so that it looks for the bp-group-documents folder one step above the site root folder? Any hints would be much appreciated!
Your code example was just what I was looking for. It allows the bp-group-documents folder that is used to store group files to be placed outside your DocumentRoot to prevent direct linking and search engine crawlers that do not comply with denial in robots.txt. And it adds an extra security layer that filters each file download request through BP to check if the visitor is logged in and has access to the group. Great!
Hi, does anyone have the original (latest) plugin file to download? It is no longer available to download over by BuddyPress.
Hi, this looks like a great piece of code, thanks for sharing. I’m hoping for a little advice… I’m not actually using the BP Group Documents plugin, but I’m using a couple of others that allow general media uploads within the group. I’d like to harden the path to any media uploads to private groups. Could this code be adjusted to do this? Thanks so much.
Haylc – Theoretically, yes. The key thing is that you’ll have to be able to filter (a) the location where the plugins store the files, and (b) the URL that is output when rendering the page. Beyond that, you should mostly be able to use my code as is.
Thank you! Thank you! Thank you! This code helped me a lot!
Plugin not found?