
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Image protection – why not possible to upload


This topic contains 11 replies, has 3 voices. Last updated by  Candy Me 4 years, 7 months ago.

Posted: Tuesday Apr 24th, 2012 at 9:06 pm #11789
Candy Me
Username: candy

Hi

I haven’t noticed till now that S2member does NOT protect the images together with the content.
I was shocked to tell you the truth, as with all my respect, content MEANS EVERYTHING on the protected page and NOT just the text!

How come you did not consider that when starting with s2?

Do you really expect a normal user to upload images via ftp then use I don’t know which complicated scripting just to be sure that ALL of his content is protected?

As I could figure it so far, there is also no real solution for the issue so far, how come?

And WHY on Earth is not possible to at least re-configure the WP-upload path to upload the images directly to the s2-protected folder?
I get an error – as the directory is not writable by the server? bet it is, there must be some other issue somewhere which prevents this from working !?!?!

I really need a proper, logical, easy solution to protect all the content on a page, images INCLUDED!
Is there a solution for it already ? Thanks!

Posted: Wednesday Apr 25th, 2012 at 9:43 am #11830
Eduan
Username: Eduan
Moderator

Hello there,
s2Member does allow you to achieve what you want, not so straightforward, but it is possible.

First you protect the files, uploading them to the s2member-files folder, under wp-content\plugins\s2member-files. I believe you can’t access these files correct? This is a server configuration issue I believe.

Then put the links to those images, and protect them with s2Member conditionals, although this isn’t necessary, since they are already protected, you might want special text for each image. ;) You can find the conditionals under Dashboard -› s2Member® -› API / Scripting -› Simple/Shortcode Conditionals.

This is the solution I know, hope this helps. :)

Posted: Friday Apr 27th, 2012 at 10:10 pm #12109

Hi, I have been testing s2 for a couple hours, considering to use it.

But sadly I also figured it does not protect uploaded images when uploading and embedding images using WordPress Add New Post’s interface for that.

I don’t think uploading my images using FTP to the s2member-files folder and then manually posting the embed codes (both embedding a manually compressed low resolution linking to the full sized image), that just sounds like far too much work.

Is it possible to use WordPress’s built-in image upload to get WordPress to do its thing and then post the images in that s2member-files folder for them to be protected? I’d like the option to use WordPress to move them between protected and non protected mode if I later change my mind or of course when I post images that are not meant to be protected.

Posted: Saturday Apr 28th, 2012 at 10:18 am #12150
Eduan
Username: Eduan
Moderator

Hello Nicolas,
you might be interested in this KBA (Knowledge Base Article) for that case:
Knowledge Base » Secure File Uploader Plugin for s2Member

Hope this helps. :)

Posted: Saturday Apr 28th, 2012 at 12:03 pm #12156

Thanks Eduan! This is nearly what I need.

The only thing is that this plugin does not upload pictures the same way WordPress image uploader does it, meaning it does not offer to embed a smaller down-scaled version of the image linking to the full sized image, it does not offer to write in the image tags right there before inserting. It only uploads the file to s2member-files and then links to it with the filename of the uploaded file.

It adds something like this to the HTML/Visual viewer:

<a href="http://mydomain.com/?s2member_file_download=MyPhoto.jpg">MyPhoto.jpg</a>

When I would like it to add something like this:

<a href="http://mydomain.com/?s2member_file_download=MyPhoto.jpg&amp;s2member_skip_confirmation"><img src="http://mydomain.com/?s2member_file_download=MyPhoto-200.jpg" title="Sowill" width="200" height="149" /></a>

it using the WordPress image rescaling engine to generate that smaller resolution thumbnail that links to the full image.

For now, if I choose to use s2member, which I probably will, I tried memberwing-x which didn’t look right for me and I only looked at http://www.tipsandtricks-hq.com/wordpress-emember-easy-to-use-wordpress-membership-plugin-1706 as a potential other choice, but I guess s2member looks to be great for now.

I think I’ll look for a macro one-click plugin so that I can add all my usual code in a one click process, then have my FTP client open and drag and drop the full size image and generate the thumbnail using http://www.rw-designer.com/picture-resize then just edit the titles in the standard embed code.

I think my standard embed code is going to look something like this every time at the bottom of my partially restricted posts:

[s2If !is_user_logged_in()]
<table>
  <tbody>
    <tr>
      <td><a href="http://mydomain.com/wp-login.php">Logged-in</a> Members ($XX/year) <a href="http://mydomain.com/become-a-member/">Join now!</a> can see a picture here. <a href="http://mydomain.com/become-a-member/">why become a Member</a></td>
    </tr>
  </tbody>
</table>
[/s2If]
[s2If is_user_logged_in()]
<a href="http://mydomain.com/?s2member_file_download=MyPhoto.JPG&amp;s2member_skip_confirmation"><img src="http://mydomain.com/?s2member_file_download=MyPhoto-200.jpg" title="For Members only, click for full size" width="200" height="149" /></a>
[/s2If]
Posted: Saturday Apr 28th, 2012 at 1:07 pm #12160
Eduan
Username: Eduan
Moderator

Hello Nicolas,
at this point then you would have to code it yourself, or pay the developer of that plugin a little more so that he adds your needed functionalities, he does mention he didn’t do much because his client didn’t pay for a lot of work.

Hope this helps. :)

Posted: Monday May 7th, 2012 at 5:34 pm #12840
Candy Me
Username: candy

Hi Eduan,

Thank you for your answers!

But I am not talking about files, just images, pictures only!
I created some sort of portfolio by using custom post-types & taxonomies and the images get uploaded to the standard WP-upload path!

I can’t start playing around with FTP and embedded links etc. It all has to work over the interface, and that is not set to mess around with linked or embedded pictures in all possible ways and forms and I don’t know which conditionals. As a matter of fact, the issue has not that much to do with accessing the file itself – because that one gets protected by s2, the problem is with the images themselves which CAN be accessed directly – no login needed – if the person knows the URL. THAT is the big issue … and I really see it as a security breach

I have tried to modify the WP-upload path in WP/ADMIN/Settings/Media but when I later tried to upload images to the newly defined path, it told me “you don’t have enough permission to do that”.

It definitely ISN’T a server issue, the server is set to process both ftp and direct server requests and it works on everything else other than this! So it must be a s2member limitation, which I would like to have solved …

The images are not supposed to be downloaded or accessed outside those posts, and they are just embedded there like normal images with

<img src="pic" /> 

you know…

I really, really need a way to have this solved, because it ruins all the so-called security which suddenly isn’t any security anymore :-(

Thank you!!

  • This reply was modified 4 years, 8 months ago by  Candy Me.
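A way to find the references described in the reply above, as an added example that is not part of the original posts or of s2Member: it scans post content, including `[s2If]` sections, for image and file URLs that do not go through the `?s2member_file_download=` handler and so stay reachable by URL. The sample post, the `wp-content/uploads` paths, and the names `audit`, `is_direct_media` and `MEDIA_EXT` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

S2IF_BLOCK = re.compile(r"\[s2If\s+([^\]]+)\](.*?)\[/s2If\]", re.S | re.I)
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip", ".mp4")

class MediaLinks(HTMLParser):
    """Collect <img src> and <a href> values (entities are decoded)."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"img": "src", "a": "href"}.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def is_direct_media(url):
    """True for a media file URL that is not routed through the handler."""
    parsed = urlparse(url)
    if "s2member_file_download" in parse_qs(parsed.query, keep_blank_values=True):
        return False
    return parsed.path.lower().endswith(MEDIA_EXT)

def audit(post_content):
    """Return (scope, url) pairs; scope is an s2If condition or 'post body'."""
    sections = [(c.strip(), b) for c, b in S2IF_BLOCK.findall(post_content)]
    sections.append(("post body", S2IF_BLOCK.sub("", post_content)))
    findings = []
    for scope, html in sections:
        parser = MediaLinks()
        parser.feed(html)
        findings += [(scope, u) for u in parser.urls if is_direct_media(u)]
    return findings

# Constructed sample: a member-only post mixing both kinds of reference.
SAMPLE_POST = """
<img src="http://mydomain.com/wp-content/uploads/2012/05/portfolio-1.jpg" />
[s2If is_user_logged_in()]
<a href="http://mydomain.com/?s2member_file_download=MyPhoto.JPG&amp;s2member_skip_confirmation"><img src="http://mydomain.com/?s2member_file_download=MyPhoto-200.jpg" /></a>
<img src="http://mydomain.com/wp-content/uploads/2012/05/portfolio-2.png" />
[/s2If]
[s2If !is_user_logged_in()]
<a href="http://mydomain.com/become-a-member/">Join now!</a>
[/s2If]
"""

if __name__ == "__main__":
    print(audit(SAMPLE_POST))
```
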
Posted: Monday May 7th, 2012 at 5:49 pm #12844
Eduan
Username: Eduan
Moderator

Hello there Candy,
this is a problem that’s probably caused by your .htaccess file under the s2member-files directory.

Apache shouldn’t be allowing anyone to access that, without permission, I suggest you make sure there is an .htaccess file there, and if there is, please post the contents with the code tags.

If there isn’t any file there, then I suggest you re-install s2Member, but first activate the deactivation safeguards just to be safe. :) You can find the deactivation safeguards under Dashboard -› s2Member® -› General Options -› Deactivation Safeguards.

Hope this helps. :)

Posted: Monday May 7th, 2012 at 7:28 pm #12852
Candy Me
Username: candy

Hi Eduan,

I did find a file under plugins/s2member-files

here the contents:

Options +FollowSymLinks -MultiViews -Indexes

<IfModule mod_env.c>
# No GZIP for script-based file downloads.
	SetEnv no-gzip 1
</IfModule>

<IfModule mod_rewrite.c>
# Enable rewrite and configure base.
	RewriteEngine On
	RewriteBase /

# Initialize all environment variables we're using below.
	RewriteCond %{ENV:s2member_file_download_setup} !^complete$
	RewriteRule ^(.*)$ - [E=s2member_file_download_wp_vdir:0,E=s2member_file_download:$1,E=s2member_file_stream:0,E=s2member_file_inline:0,E=s2member_file_storage:0,E=s2member_file_remote:0,E=s2member_file_ssl:0,E=s2member_file_download_key:0,E=s2member_skip_confirmation:0,E=s2member_file_download_setup:complete]

# Handle virtual directories, common on multisite networks.
	RewriteCond %{ENV:s2member_file_download_wp_vdir_check} !^complete$
	RewriteCond %{THE_REQUEST} ^(?:GET|HEAD)(?:[\ ]+)(?:/)([_0-9a-zA-Z\-]+/)(?:wp-content/)
	RewriteRule ^(.*)$ - [E=s2member_file_download_wp_vdir:,E=s2member_file_download_wp_vdir:%1,E=s2member_file_download_wp_vdir_check:complete]

# Handle streaming download requests via the rewrite engine.
	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-stream/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%2,E=s2member_file_stream:,E=s2member_file_stream:&s2member_file_stream=yes]

	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-stream-(.+?)/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%3,E=s2member_file_stream:,E=s2member_file_stream:&s2member_file_stream=%2]

# Handle inline file requests via the rewrite engine.
	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-inline/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%2,E=s2member_file_inline:,E=s2member_file_inline:&s2member_file_inline=yes]

	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-inline-(.+?)/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%3,E=s2member_file_inline:,E=s2member_file_inline:&s2member_file_inline=%2]

# Handle storage specifications via the rewrite engine.
	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-storage-(.+?)/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%3,E=s2member_file_storage:,E=s2member_file_storage:&s2member_file_storage=%2]

# Handle remote authorization requests via the rewrite engine.
	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-remote/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%2,E=s2member_file_remote:,E=s2member_file_remote:&s2member_file_remote=yes]

	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-remote-(.+?)/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%3,E=s2member_file_remote:,E=s2member_file_remote:&s2member_file_remote=%2]

# Handle SSL file requests via the rewrite engine.
	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-ssl/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%2,E=s2member_file_ssl:,E=s2member_file_ssl:&s2member_file_ssl=yes]

	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-ssl-(.+?)/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%3,E=s2member_file_ssl:,E=s2member_file_ssl:&s2member_file_ssl=%2]

# Handle file download keys via the rewrite engine.
	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-file-download-key-(.+?)/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%3,E=s2member_file_download_key:,E=s2member_file_download_key:&s2member_file_download_key=%2]

# Handle confirmations having been skipped via the rewrite engine.
	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-skip-confirmation/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%2,E=s2member_skip_confirmation:,E=s2member_skip_confirmation:&s2member_skip_confirmation=yes]

	RewriteCond %{ENV:s2member_file_download} ^(.*?)(?:s2member-skip-confirmation-(.+?)/)(.+)$
	RewriteRule ^(.*)$ - [N,E=s2member_file_download:,E=s2member_file_download:%1%3,E=s2member_skip_confirmation:,E=s2member_skip_confirmation:&s2member_skip_confirmation=%2]

# Cleanup variables not used in this request. Looking for `0` values.
	RewriteCond %{ENV:s2member_file_download_wp_vdir} ^0$
	RewriteRule ^(.*)$ - [E=s2member_file_download_wp_vdir:]

	RewriteCond %{ENV:s2member_file_stream} ^0$
	RewriteRule ^(.*)$ - [E=s2member_file_stream:]

	RewriteCond %{ENV:s2member_file_inline} ^0$
	RewriteRule ^(.*)$ - [E=s2member_file_inline:]

	RewriteCond %{ENV:s2member_file_storage} ^0$
	RewriteRule ^(.*)$ - [E=s2member_file_storage:]

	RewriteCond %{ENV:s2member_file_remote} ^0$
	RewriteRule ^(.*)$ - [E=s2member_file_remote:]

	RewriteCond %{ENV:s2member_file_ssl} ^0$
	RewriteRule ^(.*)$ - [E=s2member_file_ssl:]

	RewriteCond %{ENV:s2member_file_download_key} ^0$
	RewriteRule ^(.*)$ - [E=s2member_file_download_key:]

	RewriteCond %{ENV:s2member_skip_confirmation} ^0$
	RewriteRule ^(.*)$ - [E=s2member_skip_confirmation:]

# Put everything together now and process the internal rewrite.
	RewriteRule ^(.*)$ %{ENV:s2member_file_download_wp_vdir}?s2member_file_download=%{ENV:s2member_file_download}%{ENV:s2member_file_stream}%{ENV:s2member_file_inline}%{ENV:s2member_file_storage}%{ENV:s2member_file_remote}%{ENV:s2member_file_ssl}%{ENV:s2member_file_download_key}%{ENV:s2member_skip_confirmation} [QSA,L]
</IfModule>

<IfModule !mod_rewrite.c>
	deny from all
</IfModule>

What can I do with it now? :)

Thanks!
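A simplified Python model of what the rule set posted above does to a path requested below `s2member-files/` (an added example, not part of the original post or of s2Member's code; the function name `rewrite`, the sample paths and the key value `abc123` are constructed). It shows that the rules never serve a file from that directory directly: every path is turned into an internal `?s2member_file_download=` request, with the modifier path segments converted to query parameters.

```python
import re

# (path-segment name, query parameter, whether a bare "name/" form exists).
# Order follows the rule groups in the posted .htaccess.
MODIFIERS = [
    ("s2member-file-stream", "s2member_file_stream", True),
    ("s2member-file-inline", "s2member_file_inline", True),
    ("s2member-file-storage", "s2member_file_storage", False),
    ("s2member-file-remote", "s2member_file_remote", True),
    ("s2member-file-ssl", "s2member_file_ssl", True),
    ("s2member-file-download-key", "s2member_file_download_key", False),
    ("s2member-skip-confirmation", "s2member_skip_confirmation", True),
]


def rewrite(relative_path, vdir=""):
    """Return the internal URL for a path requested below s2member-files/."""
    download = relative_path          # E=s2member_file_download:$1
    params = {}                       # the other variables start as "0" (unset)
    changed = True
    while changed:                    # the [N] flag restarts the rule set
        changed = False
        for segment, param, has_bare in MODIFIERS:
            seg = re.escape(segment)
            bare = re.match(rf"^(.*?)(?:{seg}/)(.+)$", download) if has_bare else None
            valued = re.match(rf"^(.*?)(?:{seg}-(.+?)/)(.+)$", download)
            if bare:
                download, params[param] = bare.group(1) + bare.group(2), "yes"
            elif valued:
                download, params[param] = valued.group(1) + valued.group(3), valued.group(2)
            else:
                continue
            changed = True
            break
    # Final rule: only the variables that were set add to the query string.
    query = "".join(f"&{p}={params[p]}" for _, p, _ in MODIFIERS if p in params)
    return f"/{vdir}?s2member_file_download={download}{query}"


if __name__ == "__main__":
    for path in ("MyPhoto.jpg", "s2member-file-inline/MyPhoto.jpg",
                 "s2member-skip-confirmation/s2member-file-download-key-abc123/gallery/MyPhoto.jpg"):
        print(path, "->", rewrite(path))
```

The model leaves out `[QSA]` (an existing query string is appended) and the `<IfModule !mod_rewrite.c>` fallback, which denies all requests when the rewrite module is not loaded.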

Posted: Thursday May 17th, 2012 at 4:28 pm #13797
Candy Me
Username: candy

seems like there is NO solution for this crucial issue either !??!

So what on Earth does s2 member protect !?!? Just text ?!?!

Posted: Friday May 18th, 2012 at 3:09 pm #13894
Eduan
Username: Eduan
Moderator

Hello Candy,
sorry for the delay.

I believe most of the contents of the .htaccess file are not inserted by s2Member, even though they should.

If you could please make sure to enable deactivation safeguards under Dashboard -› s2Member® -› General Options -› Deactivation Safeguards.

And then re-install s2Member, in other words, uninstall it, and then install it again.

That should make sure the contents of the .htaccess file are set like they should. Please, backup anything that you think you should make a backup of, just so that you don’t lose it when you uninstall s2Member.

Hope this helps. :)

Posted: Friday May 18th, 2012 at 7:18 pm #13925
Candy Me
Username: candy

sorry Eduan, re-installing on a live site is unfortunately not an option :-(

It’s easy to say, but after millions of hacks and changes I had to make, it’s just impossible :-(

Would it be possible that you point me out to the contents I should find in the .htaccess?
Some standard file or so !?

Thanks again!


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
