5

We are trying to protect a couple of different resources in our ModX installation. The current .htaccess code is as follows (not including all of the ModX stuff)

AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /var/www/vhosts/mywebsite.co.uk/.htpasswd

<FilesMatch ^index.php\?q=71$>
    require valid-user
</FilesMatch>

The object of the exercise is to protect the following resources:

I have tried various combinations of LocationMatch, Location, Files and FilesMatch and can't get it to work.

Thank you in advance

  • I'd say: Start reading the manual for those directives, which at least will give you the insight why what you tried so far *does not work*: http://httpd.apache.org/docs/current/mod/core.html#filesmatch – hakre May 01 '12 at 15:23
  • Read every word and tried every option that I can explore. What this needs is someone probably with some experience in achieving this issue which must be pretty common. – user1346416 May 01 '12 at 15:38
  • Why are you using .htaccess and not modx's built in resource/security management? – Sean Kimball May 01 '12 at 15:39
  • @user1346416: Hint: The filename is on disk (not within the URL, so would be `index.php` and that's all requests), you're more looking for location probably: http://httpd.apache.org/docs/current/mod/core.html#location - Note that this directive is not available in .htaccess files. – hakre May 01 '12 at 15:43
  • @hakre Thanks for the direction, though I have tried Location and LocationMatch with no luck - will keep going – user1346416 May 01 '12 at 15:45
  • @SeanKimball Modx is overkill for this and exposes potential access to a lot of people who don't require it – user1346416 May 01 '12 at 15:46
  • You can put your files/directories outside of the webroot & use modx to control access to the resources, though it looks like you are trying to control access to a modx resource by your url example; these resources do not exist as files, only in the database [and cache]. Following hakre's posts, it appears that you do want to use the location, but can't within an .htaccess.... you would have to add a directive to the apache config [most control panels give you this ability]. I did take a peek through the modx forums & this isn't a new problem; unfortunately it is a problem without solutions yet. – Sean Kimball May 01 '12 at 18:37

3 Answers

0

You probably don't need htaccess. You can send HTTP authentication headers (http://php.net/manual/en/features.http-auth.php) from the correct system event.

dafyk
0

This is what the total solution was:

If anyone else needs to know, I created a snippet called passwordprotect and put at the top of the page: [[passwordprotect]]. I then put in the following code (an adaptation of the above response):

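<?php
// Basic-auth check for a MODX snippet; 'user' and 'password' are placeholder credentials.
// hash_equals() compares in constant time, so response timing does not leak a partial match.
if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    && hash_equals('user', $_SERVER['PHP_AUTH_USER'])
    && hash_equals('password', $_SERVER['PHP_AUTH_PW']))
{
    echo 'You are successfully logged in.';
} else {
    // Missing or wrong credentials: ask the browser to prompt, then stop rendering.
    header('WWW-Authenticate: Basic realm="Protected area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}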

EDIT: If you are finding that this sometimes does work and sometimes doesn't work, this is probably because using [[passwordprotect]], modx will cache the snippet. I got better success with: [[!passwordprotect]] on Revolution. I think the code is [!passwordprotect!] on Evolution. The exclamation marks just denote not to cache the snippet. Hope that helps someone!

  • If you are finding that this sometimes does work and sometimes doesn't work, this is probably because using [[passwordprotect]], modx will cache the snippet. – user1346416 May 06 '12 at 23:07
  • Also, the cached snippet may have the PREVIOUS user authenticated and not the new one. Read below for correct implementation. – W. Shawn Wilkerson Feb 28 '15 at 22:07
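
A hardened take on the snippet above, as an added example that is not part of the original answer or of MODX: it verifies the password against a `password_hash()` value instead of a plaintext literal, and it also reads the raw `Authorization` header that CGI/FastCGI setups may expose in place of `PHP_AUTH_USER`. The function names, the `$users` array and the `editor` account are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names). Call it uncached, e.g. [[!passwordprotect]],
// and serve the page over HTTPS: Basic auth sends the password with every request.

/** Return [user, password] from the request, or null if no Basic credentials were sent. */
function basicCredentials(array $server): ?array
{
    // mod_php fills these two keys in directly.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // Under CGI/FastCGI only the raw header may be present, and only if the
    // web server is configured to pass it through to PHP.
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // split once: the password may contain ':'
}

/** True only if the user exists and the password matches the stored hash. */
function isAuthorized(?array $creds, array $users): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $password] = $creds;
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Constructed account for the demo. In practice store only the hash string
// produced once by password_hash(), never the plaintext password.
$users = ['editor' => password_hash('correct horse', PASSWORD_DEFAULT)];

if (!isAuthorized(basicCredentials($_SERVER), $users)) {
    header('WWW-Authenticate: Basic realm="Protected area"');
    http_response_code(401);
    exit('Authentication required.');
}
return ''; // authorised: the snippet outputs nothing and the page renders as usual
```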
0

There is absolutely no reason to do this, and it voids the entire purpose of the MODX Revolution ACLs. The correct answer is to:

  1. Establish a user group with a minimum role which can access the resources.
  2. Create a test resource within the resource group.
  3. Add the site admin to the resource group.
  4. Create a test user in the resource group.
  5. Refresh the site cache.
  6. Log out all users - including yourself.
  7. Test the ACLs - with the site administrator both in the manager and on the front end.
  8. Log out or use a completely different browser and test with the test user.
  9. Once it is working move the protected documents to the resource group.
  10. Add users to the group who you want to have access.
  11. Remove the snippet.

If you need more help get a copy of my book or visit my site.