Jump to content
Ilyas

Proccesswire admin url protected by prompt password

Recommended Posts

Hello everyone. I need to protect the link to the admin panel with an additional password. So when the user enters a direct link to www.sitename.com/processwire/, he will first enter the prompt password, after which he has access to the entrance to the processwire.

image.png.bf0d7328b11c6dc721575eda7a856ba5.png

I tried using .htpasswd but that did not help.

Maybe someone knows how to put a password to the route /processwire/.

Thanks.

Share this post


Link to post
Share on other sites

Hi @Ilyas

I'm kind of curious as to your use case for this request. Could you explain a bit more about the reason for wanting to password-protect the login page. Is this something that could be achieved another way - for example by moving the admin login to a less well known location?

Share this post


Link to post
Share on other sites

Hi @netcarver

I have several user roles. Some types of users have ability to change the content of some pages on the front-end side. But the processwire is built so that these users can edit the data from the admin panel too. I would like to limit this possibility.

I also need this in terms of system security. Is there a way to make .htpasswd work for specific route?

Share this post


Link to post
Share on other sites
12 hours ago, Ilyas said:

I have several user roles. Some types of users have ability to change the content of some pages on the front-end side. But the processwire is built so that these users can edit the data from the admin panel too. I would like to limit this possibility.

You can use a hook to ProcessPageEdit::execute to redirect users with those roles to the frontend page. Make a new file /site/ready.php and put this code inside:

wire()->addHookBefore('ProcessPageEdit::execute', function (Hookevent $event) {
    $restrictedRoles = array('admin', 'frontendeditor'); // list your roles here
    foreach ($this->user->roles as $role) {
        if ($role->name !== 'guest' && in_array($role->name, $restrictedRoles)) {
            $this->session->redirect($this->config->urls->root);
        }
    }
});

This will redirect users with given roles to the homepage of your site.
Note that this will restrict them only from accessing page edit screen in the admin panel.
If you like to restrict access to the whole admin area for those roles, you would need to hook into Page::render or Page::viewable and than check if the Page has template admin.

 

  • Like 6

Share this post


Link to post
Share on other sites

Not tested, but if you use Apache 2.4 it should work something like this:

# Define Directives:
# AuthName
# AuthType
# AuthUserFile
# AuthGroupFile

# If Request_URI == your_admin_url: set environment variable authb
SetEnvIf Request_URI your_admin_url authb

<RequireAny>
  Require not env authb
  Require valid-user
</RequireAny>

 

Share this post


Link to post
Share on other sites

You can mimic a basic authentication in the file "site/templates/admin.php"

Therefor you have to handle a set of valid usernames and passwords in that file too, like in the following example:

<?php namespace ProcessWire;

$validUsers = [
    'user1' => 'pass1',
    'user2' => 'pass2',
    'user3' => 'pass3'
];
$validAdminUser = false;
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
    if(isset($validUsers[$_SERVER['PHP_AUTH_USER']])) {
        if($validUsers[$_SERVER['PHP_AUTH_USER']] == $_SERVER['PHP_AUTH_PW']) {
            $validAdminUser = true;
        }
    }
}
if(!$validAdminUser) {
    header('WWW-Authenticate: Basic realm="Adminsection"');
    header('HTTP/1.0 401 Unauthorized');
    echo '401 Unauthorized! Accessing this page needs a valid useraccount!';
    exit();
}

require($config->paths->adminTemplates . 'controller.php');

 

  • Like 8

Share this post


Link to post
Share on other sites

What @gebeer said. It could even be as simple as that in /site/ready.php

if($page->template == "admin") {
  if(!$user->hasRole('your-role')) $session->redirect($pages->get(1)->url);
}

 

  • Like 6

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...