=== CosmautDL === Contributors: cosmaut Donate link: https://cosmaut.com/cosmautdl/sponsor/ Tags: download, download-manager, file-download, cloud-drive, wechat-unlock Requires at least: 6.2 Tested up to: 6.9 Requires PHP: 7.4 Stable tag: 1.0.9 License: GPLv3 License URI: https://www.gnu.org/licenses/gpl-3.0.html Multi-cloud download manager: unified download cards, dedicated download pages, a file-tree index, and click statistics. == Description == CosmautDL is a multi-cloud download manager plugin for WordPress. It turns scattered cloud-drive links into a clean "download card" experience, and provides dedicated download pages, a site-wide file-tree index, and click statistics for site owners. Key features: * Unified download card UI for posts/pages * Dedicated download page route per post * Redirect route to keep outbound links tidy * File-tree page to browse all shared resources * Click statistics stored in your own database * Optional WeChat QR unlock workflow * Assets loaded only when needed == Upgrade Notice == = 1.0.9 = Maintenance update: i18n and release metadata alignment for WordPress.org stable language-pack flow. = 1.0.8 = Maintenance update: Tested up to WordPress 6.9, minor code improvements and compatibility enhancements. = 1.0.7 = Maintenance update: Bundle on-site QR code generation library and tighten admin capability checks. == Supported providers == Baidu Pan, 123Pan, Aliyun Drive, Tianyi Cloud, Quark, PikPak, Lanzou, Xunlei, Weiyun, OneDrive, Google Drive, Dropbox, MEGA, MediaFire, Box, and Other. Routes (pretty permalinks recommended): * Download page: /downloads/{post_id}.html (or ?cosmdl_download=1&post_id={id}) * File tree: /downloads/tree.html (or ?cosmdl_tree=1) * Stats entry: /downloads/stats.html (or ?cosmdl_stats=1; admin-only) * Redirect: /{prefix}/{post_id}/{type}.html (or ?cosmdl_redirect=1&post_id={id}&type={type}) Data and privacy overview: * Stores download click logs in a custom table: {wp_prefix}cosmdl_clicks (post_id, type, attach_id, user_id, ip, ua, referer, success, created_at). * Core features do not require external services. == Privacy/External Services == - Data Collection: The plugin records the IP, UA, Referer, and time of download clicks only for backend statistics and troubleshooting; data is stored in your database and never sent outside. - External Services (Optional): When "IP Geolocation Display" is enabled, the admin backend queries ipapi/ip-api/ipinfo for geolocation; results are cached and displayed in wp-admin. No external requests occur when disabled. - WeChat QR Unlock (Optional): Redirects the visitor browser to WeChat authorization (open.weixin.qq.com) and the server calls api.weixin.qq.com endpoints to exchange code for openid and check subscription. The plugin does not persist openid; it uses a short-lived unlock flag (~10 minutes) and caches the official account access_token (up to ~2 hours). - User Control: You can disable these optional features at any time in plugin settings; uninstalling the plugin cleans up plugin-created data and caches. - Compliance Note: In some jurisdictions, IP addresses are personal data; obtain consent or meet legal requirements before enabling IP geolocation. == External services == This plugin can connect to external services only when you enable related options. === 1) WeChat OAuth and subscription check === * Service: WeChat / Tencent * Purpose: Used for WeChat unlock mode authentication * Endpoints: * https://open.weixin.qq.com/connect/oauth2/authorize (OAuth authorize, visitor browser redirect) * https://api.weixin.qq.com/sns/oauth2/access_token (exchange OAuth code for openid) * https://api.weixin.qq.com/cgi-bin/token (fetch official account access_token) * https://api.weixin.qq.com/cgi-bin/user/info (check subscription status) * When: Only if you enable WeChat unlock in CosmautDL settings and visitors open the unlock URL in WeChat after scanning the QR code. * Data sent: * Visitor browser to open.weixin.qq.com: appid, redirect_uri, response_type, scope, state, and standard HTTP request metadata handled by WeChat (for example IP address and user agent). * Your server to api.weixin.qq.com: appid, appsecret, OAuth code, grant_type; later access_token, openid, lang. * Data stored (local): Does not store openid permanently; stores a short-lived unlock flag transient (10 minutes) and caches the official account access_token transient (up to ~2 hours, based on API expires_in). * User control: You can disable this feature at any time in plugin settings. * Data deletion: Transients expire automatically. * Terms of Service: https://www.wechat.com/en/service_terms.html * Privacy Policy: https://www.wechat.com/en/privacy_policy.html === 2) IP geolocation lookup === * Services (selectable in settings): * https://ipapi.co/ * https://ip-api.com/ * https://ipinfo.io/ * Purpose: To display IP location in admin download statistics * When: Only if you enable Show IP location in stats and open stats details in wp-admin. * Data sent: IP address from your click logs, from your server to the chosen provider (requests are cached). * Caching: Results are cached for 168 hours (7 days) by default to reduce API calls. * User control: You can disable this feature at any time in plugin settings. * Data Flow: Your server to IP Geolocation API and back to your server (IP addresses are sent for location lookup) * Privacy Impact: IP addresses are considered personal data in some jurisdictions; cached results help minimize exposure * Data Deletion: Cached geolocation data automatically expires after 7 days; IP addresses in click logs can be deleted from admin stats page * Terms of Service: * ipapi: https://ipapi.co/terms/ * ip-api: https://ip-api.com/docs/legal * ipinfo: https://ipinfo.io/terms-of-service * Privacy Policies: * ipapi: https://ipapi.co/privacy/ * ip-api: https://ip-api.com/docs/legal * ipinfo: https://ipinfo.io/privacy-policy == Third-party libraries == === phpqrcode === * Library: phpqrcode (LGPL-3.0) * Purpose: On-site QR code generation for WeChat unlock functionality * License: GNU Lesser General Public License v3.0 * License URI: https://www.gnu.org/licenses/lgpl-3.0.html * Usage: Used for generating unlock QR codes without external dependencies * Compatibility: LGPL-3.0 is compatible with GPLv3 == Installation == 1. Upload the `cosmautdl` folder to `/wp-content/plugins/`. 2. Activate the plugin in Plugins. 3. Go to CosmautDL in wp-admin and configure: * Cloud Drive Management (enable/rename/reorder) * Route prefix * Download page modules and optional unlock settings 4. Edit a post/page, fill in cloud-drive links in the CosmautDL meta box, and publish. == Frequently Asked Questions == = How do I add a download card to a post? = Edit a post/page, find the CosmautDL meta box, paste cloud-drive links (and extraction codes if any), then update/publish. The plugin renders the card automatically on the frontend. = I see 404 on /downloads/{id}.html. What should I do? = Go to Settings > Permalinks and click Save Changes once to refresh rewrite rules. Also ensure your site supports pretty permalinks. = What data does CosmautDL store for statistics? = It stores click logs in your own database table, including post_id, drive type, IP, user agent, referer, timestamp, and related fields. This is used only for download statistics and can be deleted from the stats page. = Does the plugin make external requests by default? = No. External requests happen only if you enable: * WeChat unlock * IP geolocation in stats = Can I customize the redirect prefix and drive list? = Yes. You can change the redirect prefix in settings, and enable/rename/reorder providers in Drive management. There is also an Other type for custom links. = Does this plugin depend on a specific theme? = No. CosmautDL uses WordPress routing and template hooks and aims to be compatible with most themes. If your theme or cache plugin is aggressive, clear caches after changes. = Is multisite supported? = CosmautDL is primarily tested on single-site installations. For multisite, please test in a staging site first. == Screenshots == 1. Download card UI 2. Post editor meta box 3. File tree page 4. Download statistics == Changelog == = 1.0.9 = * 2026-03-18 Maintenance: Align plugin version/readme stable tag, keep Text Domain consistency, and prepare stable release metadata for WordPress.org translation package generation. = 1.0.8 = * 2026-02-14 Maintenance: Tested up to WordPress 6.9, minor code improvements and compatibility enhancements. = 1.0.7 = * 2026-01-25 Maintenance: Bundle on-site QR code generation library for unlock QR rendering and tighten admin capability checks. = 1.0.6 = * 2026-01-15 Security: Comprehensive security hardening including SQL injection fix, AJAX URL hardcoding removal, nonce verification for download redirects, and full AJAX handler nonce checks. = 1.0.5 = * 2026-01-10 Security: Add nonce verification for admin AJAX actions. = 1.0.4 = * 2026-01-06 Fix download stats details expansion and ensure click logs capture IP/UA. = 1.0.3 = * 2026-01-03 Smart recognition of cloud drive links in the editor meta box. = 1.0.2 = * 2026-01-02 Initial release with download page, file tree, and click statistics.