I assumed (probably incorrectly) that protected uploads would still be available to backend users? Is this the case? If so, what happens when the protected directory is rewritten to index.php? I can't find anything that deals with this and returns a 404. Does it just 404 because it can't find that October path or is there a snippet of code somewhere that instructs this?
I'm using nginx, so I don't have the whitelist in my nginx.conf as the setup instructions for nginx don't mention them. I added in one to test but it didn't seem to help.
I've solved this by adding a custom route to my plugin and doing some auth checks. If the user is not authorised, a 404 is returned; if they are, the file is downloaded.
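One way to implement the approach described in the reply above, as an added example that is not the poster's code or October CMS's own. The plugin name `Acme.Downloads`, the URL prefix `acme/protected`, the `storage/app/uploads/protected` location and the choice of "any signed-in backend user" as the auth check are assumptions.

```php
<?php
// plugins/acme/downloads/routes.php  (Acme.Downloads is a hypothetical plugin name)

use Backend\Facades\BackendAuth;
use Illuminate\Support\Facades\Route;

// Hypothetical URL prefix; {path} may contain slashes (see where() below).
Route::get('acme/protected/{path}', function (string $path) {
    // Visitors without a backend session get the same 404 as a missing
    // file, so the route does not reveal which files exist.
    if (!BackendAuth::check()) {
        abort(404);
    }

    // Assumed location of protected uploads in a default install.
    $base = realpath(storage_path('app/uploads/protected'));
    $file = $base ? realpath($base . DIRECTORY_SEPARATOR . $path) : false;

    // realpath() resolves ".." segments and symlinks. Reject anything that
    // resolves outside the protected directory or is not a regular file.
    if ($file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($file)) {
        abort(404);
    }

    return response()->download($file);
})
    ->where('path', '.*')   // allow nested directories in the parameter
    ->middleware('web');    // loads cookies and session, which BackendAuth reads
```

The web server should keep denying direct requests to the protected directory so that this route is the only way to reach the files.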