Thanks Anh, that example works. A bit too limited for our needs though.
It gets a lot more complicated since we’re trying to do that only for a specific custom post type, not complete WordPress.
We basically created a CPT “Downloads” and each post has a file uploaded to it through the file_upload metabox field. This file needs to be uploaded to
/wp-content/uploads/secure/ and not
/wp-content/uploads/[year]/[month]/ like the rest of time images and files that can be publicly available.
The files uploaded to this
/wp-content/uploads/secure/ directory are being denied through .htaccess so that only PHP can access them, not the browser directly.
<Files *> Deny from all </Files>
In theory.., not that hard. Especially since the file has a correct GUID in the database directly from the start. But after uploading a file and reloading the custom post type page, the above example no longer works without jumping through a whole lot of hoops.
I think we might have found a way by hooking into all the ajax hooks that are being fired for uploading, viewing and deleting a file to this custom post.
I’m not sure if we can show you a complete example of what we ended up with because it’s so many hooks tied together. We’ll let you know.