Password gate
When a download has a password set, every visitor is prompted to enter it before the file streams. Once the visitor submits the correct password, the gate remembers the pass for a configurable window so they are not re-challenged on every download.
Setting a password
Authors with the Set password permission see a password field on the download edit page. Moderators with Set any password can set a password on any download.
The password is stored as a hash. The plaintext is never kept. To clear the protection, save the download with the password field blank.
Password hint
The download edit page includes an optional Password hint field. The hint is shown above the password input on the challenge page. Use it to remind the recipient where they got the password from, without giving the password away.
Pass window
| Setting | Default | What it does |
|---|---|---|
| Password window | 60 minutes | How long a successful password entry is remembered. After this window, the next download from the same visitor prompts again. Set to 0 to prompt on every download. |
The pass is remembered per download per visitor session. Submitting a wrong password during a valid pass window does not invalidate the cached pass.
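The pass-window rules above, modeled as a short added example; this is not the add-on's own code. The class and method names are hypothetical, PBKDF2 stands in for the add-on's unspecified hash, and a wrong submission is assumed to re-render the challenge page while leaving any cached pass in place.

```python
import hashlib, hmac, os

def hash_password(password, salt=None):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the add-on's unspecified hash.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordGate:
    """Hypothetical model: a pass is remembered per download, per visitor session."""

    def __init__(self, window_minutes=60):
        self.window = window_minutes * 60   # seconds; 0 = prompt on every download
        self.hashes = {}                    # download_id -> (salt, hash), never plaintext

    def set_password(self, download_id, password):
        if password == "":
            self.hashes.pop(download_id, None)   # blank field clears the protection
        else:
            self.hashes[download_id] = hash_password(password)

    def request(self, session, download_id, now, submitted=None):
        """Return 'stream' or 'challenge'; `session` maps download_id -> pass time."""
        if download_id not in self.hashes:
            return "stream"
        if submitted is not None:
            salt, stored = self.hashes[download_id]
            _, candidate = hash_password(submitted, salt)
            if hmac.compare_digest(candidate, stored):   # constant-time compare
                session[download_id] = now   # record the successful entry
                return "stream"
            return "challenge"               # error shown; cached pass untouched
        passed_at = session.get(download_id)
        if passed_at is not None and now - passed_at < self.window:
            return "stream"
        return "challenge"
```

Passing `now` in seconds as an argument keeps the model deterministic, so the window expiry and the 0-minute setting can be checked without waiting.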
Bypass
The download's primary author and any co-owner with the matching team flag bypass the password gate on their own download. Moderators with Set any password can also bypass.
What the add-on does when this gate triggers
The download URL renders a password challenge page (HTTP 200) with the password input, the optional hint, and an error message on a wrong submission. The form posts back to the same URL.
Audit log
Setting, changing, or clearing a password is recorded in the audit log as Password set, Password changed, or Password cleared. The hash itself is never recorded. Per-attempt pass and fail outcomes at the gate are not written to the audit log.