├── index.php
├── .gitignore
├── readme.txt
├── README.md
└── wc-conditionally-allow-download-access.php


/index.php:
--------------------------------------------------------------------------------
1 | <?php 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | .DS_Store
 2 | .DS_Store?
 3 | ._*
 4 | .Spotlight-V100
 5 | .Trashes
 6 | ehthumbs.db
 7 | Thumbs.db
 8 | _notes
 9 | *.LCK
10 | __assets
11 | 


--------------------------------------------------------------------------------
/readme.txt:
--------------------------------------------------------------------------------
 1 | === WooCommerce Conditionally Allow Downloads Folder Access ===
 2 | Tags: WooCommerce, Products, Download, Access
 3 | Tested up to: 6.9
 4 | Stable tag: 1.0.0
 5 | License: GPLv2 or later
 6 | License URI: http://www.gnu.org/licenses/gpl-2.0.html
 7 | 
 8 | == Description ==
 9 | 		
10 | Allow direct access to WooCommerce downloadable products folder based on user role.
11 | 
12 | == Changelog ==
13 | 
14 | = 1.0.0 =
15 | * 2025-06-26
16 | * Initial Plugin Release


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # wc-conditionally-allow-download-access
 2 | Contiionally allow access to WooCommerce (WC) downloads folder based role of user that is logged in.
 3 | 
 4 | For Downloadable Products in WooCommerce (WC), when "Force Downloads" is selected as the download method, WC protects the downloads folder with a .htaccess file containing "deny from all". This is normally desired.
 5 | 
 6 | An issue arises when downloadable products include standard image files (.jpg, .png, etc.) where WP displays image thumbnails in either the media library or when attempting to select images as part of downloadable product packages. With the downloads folder pretected by .htaccess file instead of seeing the image and image information there is a blank image square.
 7 | 
 8 | This plugin aims to correct this issue by altering the .htaccess file created by WC to allow access to files in the downloads folder if the user has a specific cookie set. This cookie is set based on the logged in user role upon logging into the site.
 9 | 
10 | This plugin should not be used as is. The cookie name and value should be altererd/customized on every site and should not be public knowledge. Using this plugin without altering these values or if these values become public knowledge could result in the downloads folder not being protected from direct access. Edit the main plugin file to set your cookie name and value or to change user roles that you want to permit access to the downloads folder for.
11 | 


--------------------------------------------------------------------------------
/wc-conditionally-allow-download-access.php:
--------------------------------------------------------------------------------
  1 | <?php 
  2 | 
  3 | 	/*
  4 | 		Plugin Name: WooCommerce Conditionally Allow Downloads Folder Access
  5 | 		Plugin URI: https://github.com/Hube2/wc-conditionally-allow-download-access
  6 | 		Description: Allow direct access to WooCommerce downloadable products folder based on user role.
  7 | 		Author: Hube2
  8 | 		Author URI: https://github.com/Hube2/
  9 | 		Version: 1.0.0
 10 | 	*/
 11 | 	
 12 | 	// If this file is called directly, abort.
 13 | 	if (!defined('WPINC')) {die;}
 14 | 	
 15 | 	new wc_condtional_download_access();
 16 | 	
 17 | 	class wc_condtional_download_access {
 18 | 		
 19 | 		// edit these values before using this plugin
 20 | 		// use only letters and underscores in cookie name, all other characters will be removed
 21 | 		// use only letters or numbers in cookie value, all other characters will be removed
 22 | 		// cookie name/vlaue are required to not be empty or nothing will happen
 23 | 		private $cookie_name = '';
 24 | 		private $cookie_value = '';
 25 | 		private $roles = array(
 26 | 			'administrator',
 27 | 			'editor',
 28 | 			'shop_manager'
 29 | 		);
 30 | 		
 31 | 		public function __construct() {
 32 | 			// replace any not letter characters in cookie name/value
 33 | 			$this->cookie_name = preg_replace('/[^_a-z]/i', '', $this->cookie_name);
 34 | 			$this->cookie_value = preg_replace('/[^a-z0-9]/i', '', $this->cookie_value);
 35 | 			if (empty($this->cookie_name) || empty($this->cookie_value)) {
 36 | 				// abort remainder of __construct
 37 | 				// this does not prevent the opbject from being created but prevents the actions from being added
 38 | 				return;
 39 | 			}
 40 | 			// maybe set or unset cookie on login/logout
 41 | 			add_action('wp_login', array($this, 'maybe_set_login_cookie'), 20, 2);
 42 | 			add_action('wp_logout', array($this, 'maybe_clear_login_cookie'), 20, 2);
 43 | 			
 44 | 			// I believe that the following are the only times that WC writes the .htaccess file, but not 100% sure
 45 | 			// to ensure our .htaccess file is in place it will also be checked during login
 46 | 			// this hook fires after WC updates settings and writes its .htaccess file to downloads folder
 47 | 			add_action('woocommerce_settings_saved', array($this, 'maybe_replace_htaccess'), 100);
 48 | 			// this hook is called when WC is installed or updated
 49 | 			add_action('woocommerce_installed', array($this, 'maybe_replace_htaccess'), 100);
 50 | 		} // end public function __construct
 51 | 		
 52 | 		public function maybe_set_login_cookie($login, $user) {
 53 | 			if (!class_exists('WooCommerce')) {
 54 | 				// do nothing if WC is not active
 55 | 				return;
 56 | 			}
 57 | 			// set cookit to allow direct access to WC downloads folder if user has an allowed role
 58 | 			$set_cookie = false;
 59 | 			foreach ($this->roles as $role) {
 60 | 				//echo $role.' '; var_dump(current_user_can($role)); echo '<br />';
 61 | 				if (current_user_can($role)) {
 62 | 					$set_cookie = true;;
 63 | 				}
 64 | 			}
 65 | 			if (!$set_cookie) {
 66 | 				//echo 'no cookie';
 67 | 				return;
 68 | 			}
 69 | 			//echo 'set cookie';
 70 | 			$options = array(
 71 | 				'expires' => 0, // session only
 72 | 				'path' => '/',
 73 | 				'secure' => true,
 74 | 				'httponly' => true
 75 | 			);
 76 | 			setcookie($this->cookie_name, $this->cookie_value, $options);
 77 | 			// htaccess file may have been changed, check it
 78 | 			// rechecking during login because I cannot be sure I have caught all the places
 79 | 			// that WC writes the .htaccess file
 80 | 			$this->maybe_replace_htaccess();
 81 | 		} // end public function maybe_set_login_cookie
 82 | 		
 83 | 		public function maybe_clear_login_cookie($user_id) {
 84 | 			if (!class_exists('WooCommerce')) {
 85 | 				// do nothing if WC is not active
 86 | 				return;
 87 | 			}
 88 | 			// only clear the cookie if it was previously set
 89 | 			// so that we don't send any cookie information at all to the browser
 90 | 			// unsetting a cookie that is not set would still send this information to the browswer
 91 | 			// and potentially reveal our cookie name
 92 | 			if (!isset($_COOKIE[$this->cookie_name])) {
 93 | 				return;
 94 | 			}
 95 | 			$options = array(
 96 | 				'expires' => time()-86400, // time in 1 day ago
 97 | 				'path' => '/',
 98 | 				'secure' => true,
 99 | 				'httponly' => true
100 | 			);
101 | 			setcookie($this->cookie_name, NULL, $options); 
102 | 		} // end public function maybe_clear_login_cookie
103 | 		
104 | 		public function maybe_replace_htaccess() {
105 | 			// maybe overwite the .htaccess file in downloads folder
106 | 			// this is basically pulled directly from WC_Admin_Settings::check_download_folder_protection
107 | 			// and then modified for use
108 | 			$upload_dir = wp_get_upload_dir();
109 | 			$downloads_path = $upload_dir['basedir'].'/woocommerce_uploads';
110 | 			$file_path = $downloads_path . '/.htaccess';
111 | 			$download_method = get_option('woocommerce_file_download_method');
112 | 			
113 | 			if ($download_method == 'redirect') {
114 | 				$file_content = 'Options -Indexes';
115 | 			} elseif ($download_method == 'force') {
116 | 				$file_content = 'RewriteEngine On'.PHP_EOL.'RewriteCond %{HTTP_COOKIE} !^.*'.
117 | 				                 $this->cookie_name.'='.$this->cookie_value.
118 | 				                 '.*$ [NC]'.PHP_EOL.'RewriteRule .* - [L,R=404]';
119 | 			}
120 | 			$create = false;
121 | 			if (wp_mkdir_p($downloads_path ) && !file_exists($file_path)) {
122 | 				$create = true;
123 | 			} else {
124 | 				$current_content = @file_get_contents($file_path);
125 | 				if ($current_content !== $file_content) {
126 | 					unlink($file_path);
127 | 					$create = true;
128 | 				}
129 | 			}
130 | 			if ($create) {
131 | 				$file_handle = @fopen($file_path, 'wb');
132 | 				if ($file_handle) {
133 | 					fwrite($file_handle, $file_content);
134 | 					fclose($file_handle);
135 | 				}
136 | 			}
137 | 		} // end public function maybe_replace_htaccess
138 | 		
139 | 	} // end class wc_condtional_download_access


--------------------------------------------------------------------------------