BuddyBoss Platform

Media Permissions

In this tutorial, we look into restricting access to media (e.g. photos, videos, and documents) to protect your privacy and maintain the security of your private files with our update of the BuddyBoss platform. The tutorial shows you how to do so for the Apache, Nginx, and Openlitespeed web servers.

Apache Web Server

In the BuddyBoss platform version 1.7.0, anyone who tries to access the original media URL directly will see a Forbidden error message.

Error message Apache web server

This is because we have added a .htaccess file in the bb_videos, bb_medias, and bb_documents folders. The file communicates with the Apache webserver to show that the media is restricted.

For Apache web server users, you simply have to update the BuddyBoss platform.

The .htaccess files will be automatically added to the mentioned folders and restrict media permission. (This means that no one would be able to directly access the media thus protecting your privacy. It would be visible to people only if it is on a website or somewhere public where it is uploaded for people to see.)

Note: If you remove the .htaccess file from the folders, the media will again be accessible to anyone who has the media URL. This is not recommended, as having your media files directly accessible can cause privacy and security issues.

Nginx

Nginx users have the control to configure access to media, video, and documents. Therefore they would need to insert the restriction code themselves once they update the BuddyBoss platform to the latest version. 

Once you install and update the BuddyBoss platform, you should see an index.html file in the bb_videos, bb_medias, and bb_documents folders. 

Follow the steps below to configure your media restriction for the Nginx web server.

  1. Open the Nginx Configuration File or ask your hosting provider to do so.

If you have access to your Nginx web server, open the configuration file. 

  • Open terminal and run the following command to open the NGINX configuration file.
$ sudo nano /etc/nginx/nginx.conf
  • Or, if you have separate virtual hosts for your site (e.g. www.example.com), such as /etc/nginx/sites-enabled/example.conf, then open its configuration file with the following command.
$ sudo nano /etc/nginx/sites-enabled/example.conf
  • Or, if your hosting provider has access to the Nginx configuration file, simply ask them to insert the code given in Step 2 below.
  2. Copy/Paste the following codes in the configuration file.

Add the following codes for each of the folders in the Nginx configuration file.

  • Restricting access to bb_medias, bb_videos and bb_documents folder.

location ~* /wp-content/uploads/bb_medias/ {
	if ( $upstream_http_x_accel_redirect = "" ) {
		return 403;
	}
	internal;
}
location ~* /wp-content/uploads/bb_videos/ {
	if ( $upstream_http_x_accel_redirect = "" ) {
		return 403;
	}
	internal;
}
location ~* /wp-content/uploads/bb_documents/ {
	if ( $upstream_http_x_accel_redirect = "" ) {
		return 403;
	}
	internal;
}
location ~* /wp-content/uploads/bb_medias/ {
	autoindex off;
}
location ~* /wp-content/uploads/bb_videos/ {
	autoindex off;
}
location ~* /wp-content/uploads/bb_documents/ {
	autoindex off;
}

The code in the configuration file for your Nginx web server should look like the code above.

Note: 

  • If you remove any of these codes for the folders from the configuration file then the files can be accessed directly again.
  • You would also need the same settings to be done on your server configuration file when you move the LIVE release to the production site.

Disclaimer

If you update to this version of the BuddyBoss Platform and then decide to go back to the previous version, the photos that you uploaded after the update will be gone and they would break.

To solve this issue in the Apache webserver you would need to simply delete the .htaccess file from the “wp-content/uploads/bb_medias” folder. (This would make your photos look how they used to be before the update. The document and video restrictions would still be functional. You do not need to make any changes to the bb_videos and bb_documents folder.)

To solve this issue in the Nginx web server, remove the codes for bb_medias in the configuration file. You can keep the document and video restrictions code as they will still work even if you go back to the previous version of the BuddyBoss platform. The new code in the configuration file should look like this:

location ~* /wp-content/uploads/bb_videos/ {
	if ( $upstream_http_x_accel_redirect = "" ) {
		return 403;
	}
	internal;
}
location ~* /wp-content/uploads/bb_documents/ {
	if ( $upstream_http_x_accel_redirect = "" ) {
		return 403;
	}
	internal;
}
location ~* /wp-content/uploads/bb_medias/ {
	autoindex off;
}
location ~* /wp-content/uploads/bb_videos/ {
	autoindex off;
}
location ~* /wp-content/uploads/bb_documents/ {
	autoindex off;
}

If your hosting provider has the access to the Nginx web server, simply ask them to remove the previous configuration code and add this one.
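
The Notes in the Nginx steps say that removing any of these location blocks makes the files directly accessible again, and that the same settings must be repeated on the production server. As an added example (not BuddyBoss code), the shell function below reports which of the three upload folders have no location block containing internal; in a given configuration file. The function name and the sample file are assumptions for illustration; the sample is the rollback configuration shown above, so bb_medias is reported.

```shell
#!/bin/sh
# Added example, not BuddyBoss code. bb_unprotected_folders is a hypothetical name.
# Prints the upload folders that have no location block containing `internal;`
# in the given Nginx configuration file; returns 1 if any folder is listed.
bb_unprotected_folders() {
    conf="$1"
    missing=""
    for folder in bb_medias bb_videos bb_documents; do
        awk -v path="/wp-content/uploads/$folder/" '
            { sub(/#.*/, "") }    # a commented-out directive does not count
            $1 == "location" && index($0, path) { inblock = 1; depth = 0 }
            inblock {
                if ($0 ~ /(^|[ \t;{])internal[ \t]*;/) found = 1
                closes = gsub(/[}]/, "}")
                depth += gsub(/[{]/, "{") - closes
                if (closes && depth <= 0) inblock = 0   # end of this location block
            }
            END { exit !found }
        ' "$conf" || missing="$missing $folder"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: the rollback configuration from the Disclaimer section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
location ~* /wp-content/uploads/bb_videos/ {
	if ( $upstream_http_x_accel_redirect = "" ) {
		return 403;
	}
	internal;
}
location ~* /wp-content/uploads/bb_documents/ {
	if ( $upstream_http_x_accel_redirect = "" ) {
		return 403;
	}
	internal;
}
location ~* /wp-content/uploads/bb_medias/ {
	autoindex off;
}
EOF
unprotected=$(bb_unprotected_folders "$sample") || echo "no internal; block for: $unprotected"
rm -f "$sample"
```

Run it against the staging and production configuration files after each change; an empty result means all three folders still have their restriction block.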

Openlitespeed

Openlitespeed users also have the control to configure access to media, video, and documents. Therefore, Openlitespeed users would need to restrict files under upload folders on the server themselves once they update the BuddyBoss platform.

Follow the steps below to configure your media restriction for the Openlitespeed server.

1. Set Auto Load from .htaccess to “Yes” under Openlitespeed configuration.

2. Restart Openlitespeed service.

  • Open terminal and run the following command to restart the server.
sudo /usr/local/lsws/bin/lswsctrl restart
  • Or, you can restart it from the panel.

3. Delete the previous .htaccess files from the server.

/wp-content/uploads/bb_medias/.htaccess
/wp-content/uploads/bb_documents/.htaccess
/wp-content/uploads/bb_videos/.htaccess

4. Refresh the WordPress admin and check that the .htaccess files have been created again.

5. Restart Openlitespeed service like you did in step 2.

Note: To comply with the restrictions on the media uploaded, the photos, videos, and documents uploaded from the frontend of the BuddyBoss platform will not show in the media library on the WordPress dashboard. The reason for that is the WP media URL or the media in the library can be used in other places that need to be always public which means it does not follow the core concept of the BuddyBoss Platform restricting media access to Only Me, Connections, and Members. Therefore, any BuddyBoss Platform media uploaded from the frontend will not show in the WordPress dashboard media library section if you are on the latest version 1.7.0 or above.
