10

I'm building a site where staff will have their own section of the site: example.com/jones, example.com/smith, etc. jones and smith are template groups with the same templates inside (using Stash and Low Variables to keep it all DRY). Some users will have different needs for privacy. On one end their section will be public. On the other end some users will need to administer who can access their content (using Solspace friends).

However in the middle of that range are some who just want to protect against any random person seeing their content. I don't want to use members/member groups to manage this. I don't want visitors to need to register to see the content. A shared member account is an option, but we ruled that out because of other issues (what if the password is reset, comments being left under the same account, etc.).

What we would like is to password protect the template group. The staff can let people know where to see their page, and let users know what the password is. This is all possible on a server level, but is it possible to allow the user to directly manage the password? Anything we can do to minimize how much we need to have hands on admin of this the better. A custom field and an add on that allows for this kind of security? I didn't see anything on Devot-ee and the methods on the forums don't do this. Bit of a longshot, but figured I'd ask.

Doug
  • FYI...I tried to use the htaccess and htpasswd approach to require a password on certain template groups. However it isn't working. This works for 'real' directories, but since EE does not actually have a folder where the URL indicates it is it does not work. example.com/private is in server_path/system/expressionengine/templates/default_site/private and not server_path/private – Doug Oct 24 '12 at 21:27
  • This absolutely can work. I wonder if the issue is to do with hiding index.php. Have you tried triggering the password on example.com/index.php/private ? – AllInOne Oct 24 '12 at 22:39
  • the htaccess file is placed in the directory to be protected. As far as I know there isn't a way to put it somewhere else and tell it what directories to protect. It is possible to tell it where to allow traffic from, ie allowing some urls or domains to access the contents, but requiring the password from others. – Doug Oct 25 '12 at 16:00
  • Require valid-user http://httpd.apache.org/docs/2.2/mod/core.html#directory – AllInOne Oct 25 '12 at 16:55
  • I have been playing around with this and found http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/ that explains things. I can get my root htaccess file to trigger the password prompt, but I'm getting 500 internal server errors once I enter the password (whether it is right or wrong). More debugging to do, but getting closer. – Doug Oct 25 '12 at 18:05

4 Answers

11

Since you said you didn't want to be tied to actual member accounts and were OK with using a custom field to store an editable password...

I just recently did something similar that protected a group of entries using a custom field. It is similar to the approach outlined in this "Password Protected Content Made Simple" article. But instead of using PHP in the template I used Mo' Variables. And instead of using url_title I used a custom field (called client_password below).

In addition, I used the Session Variables plugin to check if the user was already "logged in" on subsequent page loads, preventing them having to enter the password again and again.

{!-- PASSWORD REQUIRED --}
{if client_password != ""}

    {!-- if passed show content and set session --}
    {if post:password == client_password}

        {!-- protected content here --}
        {!-- set session --}
        {embed='embeds/_set_session' entry_id="{entry_id}"}

    {!-- if session is valid show content --}
    {if:elseif "{exp:session_variables:get name='logged_in'}" == "{entry_id}"}

        {!-- protected content here --}

    {!-- if failed show login --}   
    {if:elseif post:password != "" AND post:password != client_password}

        <div id="protected">
            <p>Incorrect password. Please try again.</p>
            <br>
            <form action="" method="post">
                <strong>Password</strong><br />
                <div>
                    <input type="password" name="password">
                </div>
                <input type="submit" class="submit" value="submit">
            </form>             
        </div>

    {!-- if first attempt show login and prompt --}
    {if:else}

        <div id="protected">
            <p>This page is password protected. Please provide the password.</p>
            <br>
            <form action="" method="post">
                <strong>Password</strong><br />
                <div>
                    <input type="password" name="password">
                </div>
                <input type="submit" class="submit" value="submit">
            </form>             
        </div>

    {/if}

{!-- NO PASSWORD REQUIRED --}
{if:else}

    {!-- protected content here --}

{/if}
Alex Kendrick
  • that looks like it might just be what I need. I'll give it a go and let you know how it works. – Doug Oct 24 '12 at 21:22
  • Great! Happy to provide more specific suggestions or to clarify if it would be helpful. – Alex Kendrick Oct 24 '12 at 21:30
  • Would you be able to show the content of your Mo' Variable? My php is not nearly up to par (I'm making my way from the design side of things). – Doug Oct 24 '12 at 22:35
  • The post Mo' Variable just contains whatever the user submitted in that simple login form, right there in the input named "password." Whatever the user enters there becomes a Mo' Variable when the form is submitted. In this case accessible as {post:password}, which I check against the password stored in the {client_password} custom field. – Alex Kendrick Oct 25 '12 at 02:06
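The branch order of the template in the answer above, as an added example that is not part of the original answer or of any ExpressionEngine add-on. It is a Python model that reuses the names `client_password`, `entry_id` and `logged_in` from the template; storing a salted PBKDF2 hash instead of the plain password, the helper names and the sample entries are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password, salt=None):
    """Return (salt, digest) so the field holds a hash, not the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def password_matches(submitted, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def gate(entry, posted_password, session):
    """Mirror the template's branches: 'content', 'retry' or 'prompt'."""
    stored = entry.get("client_password")
    if not stored:                                   # no password required
        return "content"
    if posted_password and password_matches(posted_password, *stored):
        session["logged_in"] = entry["entry_id"]     # remember this entry only
        return "content"
    if session.get("logged_in") == entry["entry_id"]:
        return "content"                             # already unlocked
    return "retry" if posted_password else "prompt"

# Constructed sample entries (hypothetical ids and passwords).
ENTRY_OPEN = {"entry_id": 7, "client_password": None}
ENTRY_LOCKED = {"entry_id": 12, "client_password": hash_password("s3cret-demo")}
ENTRY_OTHER = {"entry_id": 13, "client_password": hash_password("another-demo")}

def demo():
    session = {}
    return [
        gate(ENTRY_OPEN, None, session),             # unprotected entry
        gate(ENTRY_LOCKED, None, session),           # first visit
        gate(ENTRY_LOCKED, "wrong", session),        # failed attempt
        gate(ENTRY_LOCKED, "s3cret-demo", session),  # correct password
        gate(ENTRY_LOCKED, None, session),           # later page load
        gate(ENTRY_OTHER, None, session),            # a different entry
    ]

if __name__ == "__main__":
    print(demo())
```

Because the session value is compared with the entry's own `entry_id`, unlocking one entry does not unlock another.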
5

I wanted to update this with the code I'm using to get htaccess and htpasswd working to protect by template group. It can be used in the same way as Alex's, but is an all or nothing approach. It has its own advantages, and disadvantages, but wanted to share it as an option.

First, I am using the native template behavior: example.com/group/template/url_title. I want to password protect some template groups, but outside of EE's members and member groups. ie a single user and password.

My htaccess file looks like this (from http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/):

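# Flag the URLs that should be password protected: any request whose path
# starts with /privategroup sets the "private" environment variable
SetEnvIf Request_URI "^/privategroup.*$" private

# Set up the password protection (Basic auth against the .htpasswd file)
AuthName "Password Needed"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /Users/user/Sites/example/.htpasswd
Require valid-user

# Deny host-based access only for flagged URLs. With "Satisfy any" a request
# passes if either host access or Basic auth succeeds, so flagged URLs need a
# valid login and every other URL is served without a prompt.
Order Deny,Allow
Deny from env=private
Satisfy any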

The htpasswd file should be above webroot, but for testing I left it in webroot. The AuthUserFile line tells Apache where to find the file with the usernames and passwords. This must...MUST be an absolute path. I was using relative and got 500 errors. You need to use terminal or some other tool to make this file. http://developer.apple.com/library/Mac/#documentation/Darwin/Reference/ManPages/man1/htpasswd.1.html

The result is that directory requires a username and password. Right now it will accept any valid user in my htpasswd file. However I can change that by specifying a specific user (require user john tim lisa) or groups.

There you have it. Keep people out of specific template groups without using any native EE functionality.

Doug
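A coverage check for the rules in the answer above, as an added example that is not part of the original answer. It is a Python model of the `SetEnvIf` / `Order Deny,Allow` / `Satisfy any` decision rather than Apache itself; the sample URIs and the stricter pattern `TIGHTER` are assumptions made for illustration.

```python
import re

ORIGINAL = r"^/privategroup.*$"                  # pattern from the .htaccess above
TIGHTER = r"^/(index\.php/)?privategroup(/|$)"   # assumption: stricter alternative

def needs_password(request_uri, pattern):
    """Model of the posted rules for one request.

    SetEnvIf sets `private` when the URI matches. With Order Deny,Allow and
    only `Deny from env=private`, host-based access fails exactly for those
    requests. `Satisfy any` admits a request when host access OR Basic auth
    passes, so only flagged requests end up needing valid credentials.
    """
    private = re.search(pattern, request_uri) is not None
    host_access_ok = not private
    return not host_access_ok

# Constructed request paths for the check.
SAMPLE_URIS = [
    "/",                                  # site root
    "/jones/page",                        # a public template group
    "/privategroup",                      # the protected group itself
    "/privategroup/template/url_title",   # an entry inside it
    "/privategroup-archive/index",        # different group, same prefix
    "/index.php/privategroup/template",   # same group with index.php visible
]

def coverage(pattern):
    """Map each sample URI to whether it triggers the password prompt."""
    return {uri: needs_password(uri, pattern) for uri in SAMPLE_URIS}

def differences(a, b):
    """URIs on which two patterns disagree."""
    ca, cb = coverage(a), coverage(b)
    return [uri for uri in SAMPLE_URIS if ca[uri] != cb[uri]]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:36} original={needs_password(uri, ORIGINAL)!s:5} "
              f"tighter={needs_password(uri, TIGHTER)}")
```

The two URIs on which the patterns disagree are the ones to try against the real server after any change to the `SetEnvIf` line.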
0

I will be honest, I'm not sure if this fits your needs or not. It's not clicking that it will though, I've never tried it before and would need to actually give it a go to know for sure that it does or does not fit.

I will post it just the same as it may help you or someone else down the road:

http://koivi.com/ee-entry-auth-dir/

Natetronn
0

Have you looked at using the HTTP Authentication option under Template Access Restrictions? It uses a member password for authentication, but doesn't require the member to actually be logged-in.

You say you "don't want to use members/member groups to manage this", but then that you want to "allow the user to directly manage the password" ... surely using the built-in member system is the easiest way?

Derek Hogue
  • I don't want visitors to need a member account, but would like it if the content owner (who does have a member account) can manage the access to their content. I.e. they set the password. The issue with HTTP Authentication is it is by member group. That means I would either need to require member accounts for all users, or a shared user account for all visitors to use to access the content. In either case any user account in that member group can access any content protected with this method. – Doug Oct 24 '12 at 21:14