I was just randomly testing a link and noticed that I could download the file when I wasn’t logged in.
I test in 4 browsers and used private mode.
This is a huge security flaw as the reason I use this plugin is to prevent unauthorized downloads.
i tested this by putting the following URL in any browser, with my domain name
groups version 1.9.0
Thanks for providing access to your site. I would like you to disable the Caching feature you’re currently using because I believe that this is affecting the functionality of GFA plugin. I wasn’t able to disable it myself through your Dashboard because a deactivation option is not available but once you do, please let me know.
During my tests I’ve uploaded two files and one of them was normally protected when trying to access it via its URL while the other wasn’t and for that reason I’ve also recorded my screen and will share it via email for security reasons.
Furthermore and regarding your site, as I mentioned on my last comment if the site is running live then you are advised to provide a staging clone so that we can both avoid my interference with the site’s normal functionality.
I think we should have a look at your site and if it’s running live at the moment, a staging clone should be preferable.
You may share the details with me including temp admin credentials and the site URL, using my personal email address, george at itthinx dot com.
Furthermore, please make sure to enable WP debugging for the testing site by the following process:
Edit your wp-config.php file and replace this line:
define( ‘WP_DEBUG’, false );
with these lines:
define( ‘WP_DEBUG’, true );
define( ‘WP_DEBUG_LOG’, true );
define( ‘WP_DEBUG_DISPLAY’, false );
All logs will be stored in your site’s root folder under wp-content/debug.log file.
During the testing process we might disable all/selective plugins and switch the active theme on your site.
The issue is not direct access. I tried a direct URL (
https://www.domain.com/wp-content/uploads/groups-file-access/file.ext) and get the Forbidden message, so the .htaccess file is working. It has deny from all in it.
I was already running Groups 2.15 and upgraded to Groups File Access 2.0 and it’s still an issue.
The issue is the Groups link: https://www.domain.com/?gfid=1
I’m running the latest version of WordPress. Site Health comes back clean. I’ve tried deactivating recently installed plugins and no effect.
Welcome to our support forum.
This is obviously not normal and most probably something is wrong on your site. In general all files that are uploaded to wp-content/uploads/groups-file-access directory are only accessible by those users that are granted access to them. As for direct access using the file URL as you described, then the aforementioned directory is protected by a .htaccess file which denies access to everyone.
Based on your description there is a security flaw on your site which in turn is affecting Groups File Access plugin and its protected files. You should definitely have a look at the .htaccess file in the files upload directory and check if it exists or it has the correct syntax. If this file has been modified either manually or by another third-party plugin that is capable of such operations, then you should locate the source of the issue and then re-install the Groups File Access plugin. In this case make sure that none of the options are checked
Last but not least if your Groups plugin version is 1.9.0 then you should definitely update to the latest version available, 2.15.0, while on the other hand if you are using Groups File Access 1.9.0, then you should also update this plugin to the latest version, 2.0.0.