.htaccess to rewrite rules and block file access for specific folder

Question

I have a mini PHP application in a sub-folder called "members", so domain.com/members

In this mini app I have the following in an .htaccess file to redirect URLs such as domain.com/members/categories/some-category or domain.com/members/login etc.

RewriteEngine On
RewriteBase /

# allow passthru to existing files/dirs
RewriteCond %{REQUEST_URI} !^/members/app  [OR]
RewriteCond %{REQUEST_URI}  ^/members/app/assets
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]

# everything else rewrite
RewriteRule ^(.*) members/index.php

This is allowing my assets folder to load (CSS, JavaScript and images) and also allow any actual file URLs. However, we have a folder of files we now need protected.

So if someone were to go to domain.com/members/files/filename.pdf which would be an actual fileon the server we need this URL to be rewritten into the members/index.php file as we need to check permissions on the file before allowing download.

Whenever I try to remove the following line everything breaks:

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d

Answer 1

You may use this code in your site root .htaccess:

RewriteEngine On

RewriteRule ^members/index\.php$ - [L,NC]

RewriteRule ^members/files/ members/index.php [L,NC]

RewriteCond %{REQUEST_URI} !^/members/app/assets [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ members/index.php [L]