
Limit access to upload directories based on membership

1) Create a new directory through the EE control panel

2) Using your FTP program of choice, upload an .htaccess file containing the following to the root of your new directory:

Order deny,allow
Deny from all

This makes Apache refuse every direct HTTP request for anything in the directory (a browser hitting the file's URL, or following an HTML link to it, gets a 403). It does not stop PHP running on the same server from opening the files on disk, which is exactly what the next step relies on. On Apache 2.4 the equivalent directive is Require all denied.

3) Now, create a new template with PHP enabled. Also, this template must be restricted to your members-only groups in its access settings; that template permission is the only access check in this whole setup, so get it right. In this template you will put a PHP force-download script. I used the following, which I found by poking through Google search results for “PHP force download script”. The version below has its syntax repaired, reduces the requested file name to a bare basename, and takes the directory's filesystem path rather than its URL.

<?php
// EE substitutes {segment_3} with the third URL segment (the file name from
// the link in step 4) before this PHP runs.  basename() strips any directory
// part, so a request such as ../../config.php cannot leave the directory.
$requested = basename("{segment_3}");

// Use the FILESYSTEM path of the protected directory, not its URL: is_file(),
// filesize() and readfile() read from disk, which .htaccess does not restrict,
// whereas an HTTP fetch of the URL would itself be met with the Deny from all.
dl_file("**PATH TO YOUR DIRECTORY**/" . $requested);

function dl_file($file)
{
    // First, see if the file exists
    if (!is_file($file)) {
        header("HTTP/1.0 404 Not Found");
        die("<b>" . htmlspecialchars(basename($file)) . ", 404 File not found!</b>");
    }

    // Gather relevant info about the file
    $len            = filesize($file);
    $filename       = basename($file);
    $file_extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    // Extensions that must never be served this way (sensitive stuff, like PHP files)
    if (in_array($file_extension, array("php", "htm", "html", "txt"), true)) {
        die("<b>Cannot be used for " . htmlspecialchars($file_extension) . " files!</b>");
    }

    // Set the Content-Type to the appropriate value for the file
    switch ($file_extension) {
        case "pdf":  $ctype = "application/pdf"; break;
        case "exe":  $ctype = "application/octet-stream"; break;
        case "zip":  $ctype = "application/zip"; break;
        case "doc":  $ctype = "application/msword"; break;
        case "xls":  $ctype = "application/vnd.ms-excel"; break;
        case "ppt":  $ctype = "application/vnd.ms-powerpoint"; break;
        case "gif":  $ctype = "image/gif"; break;
        case "png":  $ctype = "image/png"; break;
        case "jpeg":
        case "jpg":  $ctype = "image/jpeg"; break;
        case "mp3":  $ctype = "audio/mpeg"; break;
        case "wav":  $ctype = "audio/x-wav"; break;
        case "mpeg":
        case "mpg":
        case "mpe":  $ctype = "video/mpeg"; break;
        case "mov":  $ctype = "video/quicktime"; break;
        case "avi":  $ctype = "video/x-msvideo"; break;
        // Anything else is sent as an opaque binary download
        default:     $ctype = "application/octet-stream";
    }

    // Begin writing headers.  This is members-only content, so mark it
    // private: the visitor's browser may cache it, shared caches must not.
    header("Expires: 0");
    header("Cache-Control: private, must-revalidate");
    header("Content-Description: File Transfer");

    // Use the switch-generated Content-Type
    header("Content-Type: $ctype");

    // Force the download (quoted filename, as the header syntax expects)
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: " . $len);
    readfile($file);
    exit;
}
?>

4) Now, when you want to link to a file in the “Members Only” directory, point the link at the force-download script template (I’ll call it the “Download” template) and append the name of the file you want it to retrieve.  So, your link might look like:

<a href="{path=templates/download}{file_name}">Download!</a>

5) For the force-download script to receive the file name, point it at the last segment of the URL you built in step 4.

So, if your link output:

http://www.mysite.com/templates/download/secret_file.pdf

then templates is {segment_1}, download is {segment_2} and secret_file.pdf is {segment_3}. The dl_file(...) call at the top of the force-download script, in complete form, should read:

dl_file("**PATH TO YOUR DIRECTORY**/" . basename("{segment_3}"))

Use the directory's filesystem path, not its URL: is_file() and readfile() open the file from disk, which is exactly what .htaccess does not restrict (an HTTP fetch of the URL would itself get a 403). basename() drops any directory components from the segment, so a visitor cannot request ../ paths and read files outside the protected directory. If the 404 message ever shows the literal text {segment_3}, EE did not substitute the segment before the PHP ran, and you need to check the template's PHP parsing settings.

6) Now, the link you made in step 4 should invoke the force-download script and prompt you to download the file in question.

So, to summarize:

-The “Members Only” directory is locked to all HTTP requests with .htaccess
-The script in the “Download” template reads the specified file from disk, which .htaccess does not govern, and streams it to the member
-Links to members-only files now point to the “Download” template with the file name as the last URL segment

This method lets EE admins control which member groups can reach a directory, because the only thing that serves its files is the force-download script, which lives in an EE template, which in turn is subject to EE’s member group permissions.  Changing the member group permissions on the “Download” template therefore changes who can read the restricted directory.  Direct requests for the files get a 403 from Apache, and the download URL exposes only the file name, not where the directory sits on your server.  Two caveats follow from this design: the template's access settings are the entire access control, so a “Download” template accidentally left open to guests opens the directory too; and the file name is the only input the script takes from the visitor, so it must be reduced to a bare basename before it is appended to the directory path, or a request such as ../../config.php would walk out of the protected directory.
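The whole setup stands or falls on how the script turns {segment_3} into a path, so it is worth testing that step in isolation. The following is an added example, not the page's script and not part of EE: a stricter resolver for the “Download” template that accepts only a plain, allow-listed file name that really exists inside the protected directory, exercised against a constructed temporary directory with a legitimate request and several hostile ones. The directory layout, the sample file names and the extension allow-list are assumptions made for this demonstration; run it from the command line with php.

```php
<?php
// Added example (not the page's script): a stricter resolver for the
// "Download" template that maps the user-supplied URL segment to a file
// inside the .htaccess-protected directory, or refuses.  The directory
// layout, sample file names and the extension allow-list are constructed
// for this demonstration.

/**
 * Return the real path of $requested inside $dir, or false if the request
 * is anything other than a plain, allowed file name that exists there.
 */
function resolve_protected_file($dir, $requested)
{
    $dir = realpath($dir);
    if ($dir === false) {
        return false;
    }
    $requested = (string) $requested;

    // Reject control characters (including NUL) and both separator styles
    // before touching the filesystem, so traversal cannot even be attempted.
    if ($requested === '' || preg_match('/[\x00-\x1f\\\\\/]/', $requested)) {
        return false;
    }
    // No hidden or dot-relative names (.htaccess, ., ..).
    if ($requested[0] === '.') {
        return false;
    }
    // Extension allow-list: only the types we intend to hand out (assumption).
    $allowed = array('pdf', 'zip', 'doc', 'xls', 'ppt', 'gif', 'png',
                     'jpg', 'jpeg', 'mp3', 'wav', 'mpeg', 'mpg', 'mov', 'avi');
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // realpath() follows symlinks; the resolved file must still live in $dir.
    $path = realpath($dir . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)
        || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// Constructed demo: build a temporary "protected" directory with one real file
// and exercise the resolver with legitimate and hostile segment values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ee_members_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/secret_file.pdf', "%PDF-1.4 demo\n");
file_put_contents($dir . '/.htaccess', "Order deny,allow\nDeny from all\n");

$cases = array(
    'secret_file.pdf'              => true,   // legitimate link from step 4
    '../../../../etc/passwd'       => false,  // classic traversal
    'secret_file.pdf/../.htaccess' => false,  // traversal hidden behind a real name
    '..\\..\\config.php'           => false,  // backslash separators
    '.htaccess'                    => false,  // hidden/config file
    'download.php'                 => false,  // extension not on the allow-list
    "secret_file.pdf\0.php"        => false,  // NUL-byte truncation attempt
    'missing.pdf'                  => false,  // allowed type, but no such file
);

$failures = 0;
foreach ($cases as $requested => $expected) {
    $result = resolve_protected_file($dir, $requested);
    $served = ($result !== false);
    $ok = ($served === $expected);
    $failures += $ok ? 0 : 1;
    printf("%-34s %-8s %s\n", addcslashes($requested, "\0..\37"),
           $served ? 'served' : 'refused', $ok ? 'ok' : 'UNEXPECTED');
}

// Clean up the constructed directory.
unlink($dir . '/secret_file.pdf');
unlink($dir . '/.htaccess');
rmdir($dir);
exit($failures === 0 ? 0 : 1);
```

The resolver refuses before it touches the filesystem wherever it can (separators, control bytes, leading dot, disallowed extension), and then confirms with realpath() that whatever the filesystem resolved is still under the protected directory, which also catches a symlink planted inside it that points elsewhere. In the “Download” template you would call resolve_protected_file() with the directory's filesystem path and the substituted {segment_3}, and hand the result to the download function only when it is not false.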

Hopefully these directions make sense.  I realize it’s a roundabout way of doing something that seems rather simple, but it’s the only solution I’ve been able to come up with.  I feel obligated to point to this forum thread where I learned about Download Lock, which is great for simpler URL protection scenarios and is also what cued me onto the PHP force-download script.

Category:EE1
