Saturday, January 29, 2011

(updated) Subfolder needs whitelist and standard redirect for all others

How can I allow access to the foo.html files in the .com/song/private/ subfolder for:

  • a logged-in Wordpress user; or
  • any referral domains (including subfolders) I add; or
  • any URL on our own domain from the com/song/private folder;

For all others, the user should be redirected to the corresponding public version of the Post, which is the same html filename and structured .com/song/foo.html. (The private versions use a different template with different custom fields for each Post.)


Update: Here's what I have so far:

<Limit GET POST>
 order deny,allow
 deny from all
 allow from domain.com/song/private
 allow from otherdomain.com
</Limit>

RewriteRule ^(.*)$ ../$ [NC,L]

More:

  1. Will that last rewrite rule take people back to the public version, from com/song/private/foo.html to com/song/foo.html?

  2. I found the following rule for detecting Wordpress logged-in status, but what do I put afterward with a RewriteRule, and will it work anyway? (If not, is there an alternative?)

    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$

    N.B.

    • I have added code to my root .htaccess allowing me to insert additional .htaccess files in other subfolders as needed.

    • Copied from Stack Overflow, where they suggested I ask here.

  • If I understood you correctly, what you ask is probably impossible to do at the HTTP server level, and needs to be (at least partially) done in PHP.

    The allow from that you wrote are probably wrong, they work on the client ip address / hostname, not on the referral of the URL, as you can read in Apache's documentation.

    Also, you shouldn't trust anything sent by the client to determine logged-in status, that could be easily forged - you should always compare the session data sent by the client with the session info stored server side (and apache alone won't do that). This also means that the first person who finds out that you're allowing access from certain referrals (2nd and 3rd point in your list) will just have to fake them to obtain access to your 'protected' resource.

    From Luke404
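As an added illustration of the answer's point (this is example code, not part of the original question or answer, and not WordPress project code): the logged-in check is moved into a small PHP gateway that bootstraps WordPress and lets is_user_logged_in() validate the auth cookie against the server-side user record, instead of matching the cookie name in .htaccess. The file layout, the gate.php name, the pages/ directory and the wp-load.php path are all assumptions; a rewrite rule in the private folder's .htaccess (shown in the header comment) sends each foo.html request through the gateway, and the private templates themselves must be denied direct access.

```php
<?php
// Added example, not from the original post or from WordPress itself.
// Assumed (hypothetical) layout:
//   /song/private/.htaccess        RewriteEngine On
//                                  RewriteRule ^([^/]+)\.html$ gate.php?page=$1 [L]
//   /song/private/gate.php         this file
//   /song/private/pages/foo.html   the private templates; give that directory
//                                  its own .htaccess with "deny from all" so
//                                  they are only reachable through this script
//   /song/foo.html                 the public version to redirect to
//
// Bootstrapping WordPress makes is_user_logged_in() check the signed auth
// cookie against the stored user data, which plain Apache cannot do.
// The path to wp-load.php assumes WordPress lives in the document root.
require_once dirname(dirname(__DIR__)) . '/wp-load.php';

// Accept only a bare page name (letters, digits, dash, underscore) so the
// query parameter cannot contain "../" or a slash and reach other files.
$page = isset($_GET['page']) ? (string) $_GET['page'] : '';
if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $page)) {
    status_header(404);
    exit;
}

$public_url   = home_url('/song/' . $page . '.html');
$private_file = __DIR__ . '/pages/' . $page . '.html';

// Anyone who is not authenticated goes to the public version of the post.
// wp_safe_redirect() refuses to redirect to a host other than the site's own.
if (!is_user_logged_in()) {
    wp_safe_redirect($public_url, 302);
    exit;
}

// No private template for this name: send the user to the public copy rather
// than exposing a directory listing or a raw error page.
if (!is_file($private_file)) {
    wp_safe_redirect($public_url, 302);
    exit;
}

// Serve the private copy to the authenticated user and keep shared caches
// (proxies, CDNs) from storing it.
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: private, no-store');
readfile($private_file);
```

The referral-domain whitelist from the original list is left out on purpose: as the answer notes, the Referer header is supplied by the client, so a check on it only keeps out visitors who do not know the rule, and the logged-in check above is the one condition the server can actually verify.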
