404 redirects do not work when jDownloads is set as homepage

[ibrahim]

Hello,

I found a few issues related to jDownloads that may be useful to review for a future release.

Wrong URLs show the homepage instead of 404

When jDownloads is set as the homepage, invalid URLs like:

/test-wrong-url-123456

show the jDownloads homepage instead of a 404 page.

Because of this, redirecting missing URLs to a custom 404 page also does not work correctly.

I fixed this in:

components/com_jdownloads/src/Helper/LegacyRouter.php

by adding this inside the switch:

default:
    return;

This leaves unknown URLs unparsed, so Joomla returns the normal 404 page.

Expired downloads could still be downloaded

My paid downloads should expire after 180 days. In some cases, expired items were still downloadable.

To protect against this, I created a custom Joomla system plugin:

System - Jdaupguard

Folder:

plugins/system/jdaupguard/

The plugin checks the download before the file is delivered. If the purchase is older than 180 days, it blocks the download and shows a message asking the user to purchase the item again.

I also adjusted my jDownloads download-history template so users can see the expiry date and whether the item is expired.

Download history could contain items without a matching payment record

I found download-history rows in:

#__jdownloads_logs

where the user appeared to have an active downloaded item, but there was no matching AlphaUserPoints payment record.

This could allow access without a valid payment.

I created an SQL audit to find these rows and removed only the invalid jDownloads history entries. No AlphaUserPoints transactions were deleted.

It would be useful if jDownloads could validate that a paid download has a matching payment or entitlement record before allowing access.

Low wallet balance should block the download before file delivery

In some cases, a user could try to download a paid item without enough wallet balance.

My System - Jdaupguard plugin now blocks this before the file is delivered and shows a recharge message with a link to my purchase plans page.

Could you please review these points and include the relevant fixes or hooks in a future release? This would prevent my custom changes from being overwritten during updates.

Best regards,

[Arno]

Hi Ibrahim,
thanks for the detailed report and for sharing your findings.

We reviewed your points and have now implemented concrete hardening in the download flow and routing behavior.

1. 404 behavior on invalid URLs (when jDownloads is homepage) 
This routing issue has been fixed so unknown route segments remain unparsed and Joomla can return normal 404 handling.

2. Download authorization and expiry enforcement in file delivery 
We have strengthened core behavior in the send path:
- delivery now consistently respects publication timeframe checks (publish_up / publish_down), not only published=1
- a stable pre-delivery authorization hook is now available so custom entitlement plugins can deny access before side effects (points, counters, logs, delivery)

This keeps business-specific purchase and renewal logic in plugins, while making core enforcement safer and more consistent.

These improvements are already implemented and will be included in the upcoming jDownloads 4.1.5.