Using Meta Box Field to Restrict Content to Logged-in Users

👋 Hi there,

I am trying to use Meta Box to restrict specific media (images, PDFs, etc.) to logged-in users. I created a custom field, which I have named privacy. It can have one of two values: member or public. I linked the Meta Box custom field to Attachements, so it is selectable on anything in my Media library.

When a media item, like a JPG, has a privacy value of member, the content should not be viewable anywhere on the internet, unless a user is logged-in to WordPress. When the privacy value is public, nothing needs to happen.

To accomplish this, I have some .htaccess code that refers file requests to a .php file where I check for two things: 1) that the visitor is logged-in to WordPress, and 2) whether the Meta Box privacy field has a value of member. When bot hare true, the visitor should be permitted to view member files. When the user is not logged-in, they should be restricted from viewing member files.

Unfortunately, despite several rewrite attempts, I'm unable to apply these restrictions. Nothing happens. I'm unsure if Meta Box can support this, or if I'm calling the field value wrong. Any suggestions will be greatly appreciated.

This is my .htaccess script, added to the root directory of WordPress:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} -s
    RewriteRule ^wp-content/uploads/(.+)$ check-login-status.php?file=$1 [QSA,L]
</IfModule>

This is my check-login-status.php file, added to the root directory of WordPress:

<?php
// Make sure a file is specified
if(isset($_GET['file'])) {
    $file_path = realpath(ABSPATH . '/wp-content/uploads/' . $_GET['file']);
    
    // Check if the file exists
    if(file_exists($file_path)) {
        
        // Check if the user is logged in and the media file has a privacy value of "member"
        if(is_user_logged_in() && rwmb_meta('privacy') === 'member') {
            // Set appropriate headers
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="' . basename($file_path) . '"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($file_path));
            readfile($file_path);
            exit;
        } else {
            // User is not authorized to access the file
            wp_die(__('You are not authorized to access this file.'));
        }
    } else {
        // File does not exist
        wp_die(__('File not found.'));
    }
} else {
    // No file specified
    wp_die(__('No file specified.'));
}

Thank you!