Allow access to custom directories outside of the network site uploads directory

On a WordPress multisite that has Access-Controlled Files enabled, a network sites by default only has access to media files that are stored within that network site’s wp-content/uploads directory. This is intentionally designed to prevent a network site from accessing protected files that belong to other network sites.

The vip_files_acl_is_valid_path_for_site filter can be used to override default validation logic for file paths within the wp-content/uploads directory. Arguments added to the vip_files_acl_is_valid_path_for_site filter can allow access to specific custom directories within the uploads path outside of the current network site’s directory while still adhering to other access control rules.

For example, to grant access to a directory named custom-uploads to all network sites within a multisite, implement the following code in a plugin in the /client-mu-plugins directory:

function allow_custom_uploads_path( $is_valid, $file_path ) {
    if ( str_starts_with( $file_path, 'custom-uploads/' ) ) {
        return true;
    }
    return $is_valid;
}
add_filter( 'vip_files_acl_is_valid_path_for_site', 'allow_custom_uploads_path', 10, 2 );

With the above configuration, requests to files in the custom-uploads directory will bypass the default upload path validation checks which prevent sites from loading assets outside their wp-content/uploads/<site-id>/ folder in a multisite setup.

It is also possible to further restrict this folder using additional logic such as using the core WordPress function get_current_blog_id() to restrict access to this folder to certain network sites instead of opening it up to all network sites within the same multisite.