Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#30159 closed enhancement (duplicate)

Have option for php file-handling for added security

Reported by: t.schwarz Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: administration Cc:

Description

Currently, it is possible to access the files attached to private posts if the file's URL is known. That's expected behaviour. I suggest an option to allow php file handling (similar to the previous file handling in multisite) to be able to check whether a direct file request is made by a logged-in user. I understand that ms-files.php was removed in 3.5 for performance reasons, but I suggest it would be useful to have a php-file-serving option for added security.

This thread summarizes my findings in this respect.

http://wordpress.stackexchange.com/questions/165293/how-to-protect-specific-uploaded-files-from-being-accessed-by-non-logged-in-user

Change History (1)

#1 @jeremyfelt
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version 4.0 deleted

Hi t.schwarz, thanks for taking the time to open a ticket.

We've covered this before in #20527 and #28748. This is entirely possible to do at a plugin level and likely makes sense to fit the numerous edge cases involved with authentication and files.
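
An added example, not part of the ticket or of WordPress core, of the plugin-level approach discussed above: uploads are served through PHP only to logged-in users. The plugin name, the `pu_` function prefix, the `protected_file` query variable and the rewrite rule are assumptions made for illustration; the check is the login-only one the ticket asks for, not a per-post privacy check.

```php
<?php
/**
 * Plugin Name: Protected Uploads (added example, hypothetical)
 *
 * Assumes the web server rewrites every request under the uploads directory
 * to index.php?protected_file=<relative path>, e.g. in Apache's .htaccess,
 * placed before the WordPress rules:
 *   RewriteRule ^wp-content/uploads/(.+)$ index.php?protected_file=$1 [QSA,L]
 */

add_action( 'init', 'pu_serve_protected_file' );

function pu_serve_protected_file() {
	if ( ! isset( $_GET['protected_file'] ) ) {
		return; // Not an upload request; let WordPress continue.
	}

	// Gate: anonymous visitors are sent to the login screen.
	if ( ! is_user_logged_in() ) {
		auth_redirect();
	}

	$uploads = wp_upload_dir();
	$base    = realpath( $uploads['basedir'] );
	$file    = realpath( $base . '/' . wp_unslash( $_GET['protected_file'] ) );

	// realpath() resolves ../ and symlinks; reject anything outside uploads.
	if ( false === $base || false === $file
		|| 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR )
		|| ! is_file( $file ) ) {
		status_header( 404 );
		exit;
	}

	// Only serve types WordPress allows for upload; never emit .php source.
	$type = wp_check_filetype( $file );
	if ( empty( $type['type'] ) ) {
		status_header( 403 );
		exit;
	}

	nocache_headers(); // Keep shared caches from storing the private file.
	header( 'Content-Type: ' . $type['type'] );
	header( 'Content-Length: ' . filesize( $file ) );
	header( 'X-Content-Type-Options: nosniff' );
	readfile( $file );
	exit;
}
```

Every upload request now boots WordPress, which is the performance cost the description mentions for ms-files.php.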
