
Allow access to Access-Controlled Files for specific requests

When an Access-Controlled Files mode is active on a WordPress site, access to files and media uploaded to the Media Library is restricted. The vip_files_acl_file_visibility filter can be used to selectively grant mobile applications or plugins access to those files by validating whether a request for an Access-Controlled file is legitimate.

To determine what level of access to a file can be granted for a request, the vip_files_acl_file_visibility filter accepts the parameters $file_visibility and $file_path and returns one of the filter value constants:

  • Automattic\VIP\Files\Acl\FILE_IS_PUBLIC
  • Automattic\VIP\Files\Acl\FILE_IS_PRIVATE_AND_ALLOWED
  • or Automattic\VIP\Files\Acl\FILE_IS_PRIVATE_AND_DENIED

Requests for Access-Controlled Files can be sent with the HTTP Authorization header X-Original-Authorization and the User Agent header X-Original-User-Agent. One or both of these headers can be checked in a vip_files_acl_file_visibility filter for additional validation of a request.

The HTTP Authorization header can be sent with credentials for authenticating a request. If the token value assigned to the Authorization header in a request can be matched and validated by the environment receiving the request, the request is identified as legitimate. A matching value on the receiving environment can be stored as an environment variable.

Usage example

In this code example, requests from a mobile application are granted access to Access-Controlled Files if the token passed by X-Original-Authorization matches the environment variable APP_FILE_ACCESS_TOKEN, and the filter value constant returned is FILE_IS_PRIVATE_AND_ALLOWED:

/client-mu-plugins/example-plugin.php
/**
 * Allow mobile app requests to have access to Access-Controlled Files
 * @param string|boolean $file_visibility Return one of Automattic\VIP\Files\Acl\(FILE_IS_PUBLIC | FILE_IS_PRIVATE_AND_ALLOWED | FILE_IS_PRIVATE_AND_DENIED) to set visibility.
 * @param string $file_path The requested file path (note: This does not include `/wp-content/uploads/`. And, on multisite subdirectory installs, this does not include the subdirectory).
 * @return string|boolean The visibility to apply to the requested file.
 */
function vip_check_file_visibility_for_mobile_request( $file_visibility, $file_path ) {
    /**
     * Allow mobile requests with a token
     */
    // Read the token sent with the request; a missing header becomes an empty string.
    $token_header = isset( $_SERVER['HTTP_X_ORIGINAL_AUTHORIZATION'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_ORIGINAL_AUTHORIZATION'] ) ) : '';

    // Get token from environment variable.
    $token = (string) vip_get_env_var( 'APP_FILE_ACCESS_TOKEN', '' );

    // Never match when the environment variable is unset or the header is empty
    // (otherwise '' === '' would grant access), and compare in constant time.
    if ( '' !== $token && '' !== $token_header && hash_equals( $token, $token_header ) ) {
        return Automattic\VIP\Files\Acl\FILE_IS_PRIVATE_AND_ALLOWED;
    }

    return $file_visibility;
}
add_filter( 'vip_files_acl_file_visibility', 'vip_check_file_visibility_for_mobile_request', 11, 2 );
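The following is an added example, not code from the original page or from WordPress VIP. It shows a narrower variant of the filter that uses both headers and `$file_path`, so the token only unlocks files under one uploads subdirectory. The namespace, function names, the `mobile-app/` path prefix, the `ExampleApp/` User-Agent prefix and the priority `12` are hypothetical.

```php
<?php
// Added example: namespace, function names, prefixes and priority are hypothetical.
namespace Example\FileAcl;

const APP_PATH_PREFIX = 'mobile-app/'; // assumed uploads subdirectory the app may read
const APP_UA_PREFIX   = 'ExampleApp/'; // assumed User-Agent prefix sent by the app

// Return a sanitized request header value, or '' when the header is absent.
function header_value( $key ) {
    return isset( $_SERVER[ $key ] ) ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) ) : '';
}

function allow_scoped_app_request( $file_visibility, $file_path ) {
    // $file_path is relative to /wp-content/uploads/. Only the app's own
    // directory is in scope, and paths with traversal segments are ignored.
    $path = ltrim( (string) $file_path, '/' );
    if ( 0 !== strpos( $path, APP_PATH_PREFIX ) || false !== strpos( $path, '..' ) ) {
        return $file_visibility;
    }

    // The User-Agent is client-controlled: it narrows which requests are
    // considered, but it never authenticates them on its own.
    if ( 0 !== strpos( header_value( 'HTTP_X_ORIGINAL_USER_AGENT' ), APP_UA_PREFIX ) ) {
        return $file_visibility;
    }

    $expected = (string) vip_get_env_var( 'APP_FILE_ACCESS_TOKEN', '' );
    $supplied = header_value( 'HTTP_X_ORIGINAL_AUTHORIZATION' );

    // Fail closed: an unset environment variable or an empty header never matches.
    if ( '' === $expected || '' === $supplied ) {
        return $file_visibility;
    }

    // Constant-time comparison of the configured and supplied tokens.
    if ( hash_equals( $expected, $supplied ) ) {
        return \Automattic\VIP\Files\Acl\FILE_IS_PRIVATE_AND_ALLOWED;
    }

    return $file_visibility;
}
add_filter( 'vip_files_acl_file_visibility', __NAMESPACE__ . '\\allow_scoped_app_request', 12, 2 );
```

Requests that fail any check fall through with the incoming `$file_visibility`, so the site's existing access rules still decide the outcome.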

Last updated: December 31, 2025

Relevant to

  • WordPress