Proccesswire admin url protected by prompt password

[Ilyas]

Hello everyone. I need to protect the link to the admin panel with an additional password. So when the user enters a direct link to www.sitename.com/processwire/, he will first enter the prompt password, after which he has access to the entrance to the processwire.

I tried using .htpasswd but that did not help.

Maybe someone knows how to put a password to the route /processwire/.

Thanks.

[netcarver]

Hi @Ilyas

I'm kind of curious as to your use case for this request. Could you explain a bit more about the reason for wanting to password-protect the login page. Is this something that could be achieved another way - for example by moving the admin login to a less well known location?

[Ilyas]

Hi @netcarver

I have several user roles. Some types of users have ability to change the content of some pages on the front-end side. But the processwire is built so that these users can edit the data from the admin panel too. I would like to limit this possibility.

I also need this in terms of system security. Is there a way to make .htpasswd work for specific route?

[gebeer]

12 hours ago, Ilyas said:

I have several user roles. Some types of users have ability to change the content of some pages on the front-end side. But the processwire is built so that these users can edit the data from the admin panel too. I would like to limit this possibility.

You can use a hook to ProcessPageEdit::execute to redirect users with those roles to the frontend page. Make a new file /site/ready.php and put this code inside:

wire()->addHookBefore('ProcessPageEdit::execute', function (Hookevent $event) {
    $restrictedRoles = array('admin', 'frontendeditor'); // list your roles here
    foreach ($this->user->roles as $role) {
        if ($role->name !== 'guest' && in_array($role->name, $restrictedRoles)) {
            $this->session->redirect($this->config->urls->root);
        }
    }
});

This will redirect users with given roles to the homepage of your site.
Note that this will restrict them only from accessing page edit screen in the admin panel.
If you like to restrict access to the whole admin area for those roles, you would need to hook into Page::render or Page::viewable and than check if the Page has template admin.

 

[Lutz]

Not tested, but if you use Apache 2.4 it should work something like this:

# Define Directives:
# AuthName
# AuthType
# AuthUserFile
# AuthGroupFile

# If Request_URI == your_admin_url: set environment variable authb
SetEnvIf Request_URI your_admin_url authb

<RequireAny>
  Require not env authb
  Require valid-user
</RequireAny>

 

[horst]

You can mimic a basic authentication in the file "site/templates/admin.php"

Therefor you have to handle a set of valid usernames and passwords in that file too, like in the following example:

<?php namespace ProcessWire;

$validUsers = [
    'user1' => 'pass1',
    'user2' => 'pass2',
    'user3' => 'pass3'
];
$validAdminUser = false;
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
    if(isset($validUsers[$_SERVER['PHP_AUTH_USER']])) {
        if($validUsers[$_SERVER['PHP_AUTH_USER']] == $_SERVER['PHP_AUTH_PW']) {
            $validAdminUser = true;
        }
    }
}
if(!$validAdminUser) {
    header('WWW-Authenticate: Basic realm="Adminsection"');
    header('HTTP/1.0 401 Unauthorized');
    echo '401 Unauthorized! Accessing this page needs a valid useraccount!';
    exit();
}

require($config->paths->adminTemplates . 'controller.php');

 

[bernhard]

What @gebeer said. It could even be as simple as that in /site/ready.php

if($page->template == "admin") {
  if(!$user->hasRole('your-role')) $session->redirect($pages->get(1)->url);
}

 

[Ilyas]

@bernhard Thank you!