ToolDocs

ToolDocs is a document management plugin for WordPress that lets you upload, organize, and share documents with your visitors through direct permalinks.

Key Features:

• Upload and manage PDF, Word, Excel, ZIP, and other file types
• Add external URLs as managed documents
• Organize documents into categories
• Generate direct permalink URLs for each document
• Embed document download links using shortcodes
• Track download counts and view per-document download history
• Export download statistics to CSV (summary, by day, by week, by month)
• File version history with configurable retention (0-4 versions)
• File usage detection across your site
• Customize shortcode icon color
• Font Awesome icon support with customizable file type icons
• Modern Vue.js admin dashboard
• REST API for programmatic access
• Developer-friendly with filters for customization

Shortcodes:

• [tooldocs_file id="X"] – Display a single document download link with file type icon
• [tooldocs_category_files category_id="Y"] – Display all documents in a category, with optional modal popup

How It Works:

1. Upload documents through the ToolDocs admin panel or add external URLs
2. Organize them into categories
3. Use shortcodes or direct URLs to share documents on your site
4. Track downloads and export reports

Development

The admin interface is built with Vue.js. Source code is included in the admin/src/ directory.
Frontend JavaScript source is in front/.

To build the admin interface:
1. Navigate to the admin/ directory
2. Run npm install
3. Run npm run build

To build the frontend JavaScript:
1. Navigate to the front/ directory
2. Run npm install
3. Run npm run build

Review Responses

Nonces and User Permissions (document-download.php)

The document download template is a public-facing page with no authentication or access restrictions – all documents are freely downloadable. The h parameter is simply a unique file identifier (like a post slug), and src is a tracking parameter similar to UTM parameters. These URLs are distributed in emails, press releases, and external sites, so they cannot be bound to a WordPress nonce (which would expire and require an active session to generate). Both $_GET parameters are sanitized with sanitize_text_field(wp_unslash()) and the hash is validated against the database before any file operation.

Variables and options must be escaped when echo’d (fread)

The echo fread() on this line streams raw binary file data (PDFs, ZIPs, documents, etc.) to the browser. Escaping binary data would corrupt the file. The Content-Type header is set from the WordPress media library MIME type, and the file path is resolved from a validated database record. This is the standard pattern for file streaming in PHP and cannot be escaped.

Changing global behaviour (DONOTCACHEPAGE)

The DONOTCACHEPAGE constant is only defined on the specific ToolDocs download page, not globally. It is set inside a conditional that checks get_queried_object_id() against the stored download page ID. This is a standard WordPress cache-busting constant recognised by all major caching plugins, and it is necessary to ensure download tracking fires on every visit to the download page.