The new Download Protect version 1.7.0 has some significant updates, upgrades, and changes designed to give the plugin more flexibility, more features, and better all-around security.
First, it fixes some of the folder permissions checking issues that existed in previous versions. For several versions, the plugin has set the protected folder permissions to “750”. With Apache systems, this isn’t necessary because we use an .htaccess file to restrict it, but on nginx, this is needed to protect the folder. The problem has not been with the folder permissions themselves, but rather the way the plugin checked them and delivered an error message. Due to a logic flaw, it would give an error message even if the correct permissions were set. This has been addressed and resolved in 1.7.0.
Some other minor changes are:
- Only loads the plugin now if WP-Members is installed (gives an error message otherwise).
- Added a progress bar to the CLI bulk move function.
- Fixed an issue with the file dropdown selector in the stats page if the file had no title (now uses the filename in these instances).
- Updated the plugin updates API.
Restricted/unrestricted files and membership support
A significant change in the new version is the ability to have files be restricted or unrestricted, as well as adding direct support for WP-Members membership products.
In some instances, users of the plugin had need to include files in the Download Protect folder system that were not restricted. Usually, these were using the [wpmem_dp_list] shortcode to display a table of files, but not all required registration and did not need to be protected. In other instances, they were generating lists of files, and all files needed the same kind of URL (like the DP plugin generates), but not all needed to be protected. So this was accommodated by allowing files to be specified as restricted or unrestricted.
Also, the plugin originally pre-dates the membership products feature in WP-Members core. Up until now, we could filter the results if a file needed to be limited to a specific membership. Now you can specify a membership to restrict the file to. This is optional, and only if memberships are used. Otherwise, the file is restricted as normal – just based on login.
HTML5 Video Player support (experimental)
Another big change is the inclusion of HTML5 video support. The plugin includes a streaming library for video files as well as a complete shortcode for specifying attributes of the HTML5 <video> tag.
Note that for the time-being, this is considered experimental. I’m quite certain that as people begin to use this feature, they will use it in ways I did not foresee and we’ll need to make changes to accommodate that.
Also, please note that this does not prevent a user from actually downloading a video. The fact is that most (all?) streaming systems can be circumvented in some way. I’m not going to explain how, but it is possible to get past the various popular systems that “restrict” playback by IP address so that video can only be streamed through your own site and not downloaded.
That being said, the integrated playback streams the video and does restrict it to playback based on the same criteria available as any other file in Download Protect.
There are some new API functions and filter hooks, with new documentation to follow:
- wpmem_db_get_file_info() – returns information on a file.
- wpmem_dp_user_can_access() – checks whether the current user or specific user ($user_id) has access to a file.
- wpmem_dp_download_header_args – filter to allow to customize the file delivery headers. Allows for customizing file disposition, type, etc.