
Force guest users to login with no backend access at all [solved]


cwsoft

Hi,

As htaccess BasicAuth gets more and more blocked by admins via policy rules, I am searching for an alternative solution to hide a PW site from public, non-authorized users and spam bots. The „guest users“ should only be able to see the PW frontend after login, but not be able to see the PW backend. The „guest users“ should not even be able to change their login credentials. Login credentials for the up to 500 „guest users“ will be created by the admin in advance and distributed manually, e.g. via email or public post.

What would be the best option to realize something like this with PW core or PW modules? Any tip or hint to point me into the right direction would be highly appreciated. 

Cheers cwsoft


Hiding from guests is quite simple, see how I do it in RockMigrations: https://github.com/baumrock/RockMigrations/blob/141143a9108e1cc0eed52ed3bd53ed06a5ff3cb0/RockMigrations.module.php#L2243-L2275

Then you could add something like this into /site/templates/admin.php:

<?php
$user = wire()->user;
if($user->isLoggedin() and !$user->isSuperuser()) {
  $session->redirect("/");
}

I guess you'd improve that to check for login/logout pages, but you get the idea 🙂 


@bernhard Thanks for the link and code snippet. The second part is what I had in mind. Your hide-from-guest method from RockMigrations looks like what I am after, thanks for sharing.

Need to check if my guest users can have a 40-digit uniqueID as username, then I guess I have all the pieces together to realize the idea I have in mind.


  • 4 weeks later...

Have realized my guest login via a custom HTML5 frontend-login form and the PW API $session->login() to log in the user with the provided credentials. Combined this with $session->redirect() to route to the page which requested the authorization via $input->get() param on success or back to the frontend-login page on failure. Finally I used the recipe from @bernhard above in templates/admin.php to send frontend-users identified via $user->hasRole() to the home page when they try to enter the backend.

This allowed me to restrict all or certain pages from non-authorized access via a simple method implemented in the default page class. Pretty slick what can be achieved with the great PW API plus core and the power of Latte templates of course.


  • cwsoft changed the title to Force guest users to login with no backend access at all [solved]
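
The login flow described in the last post, as an added example that is not code from the thread: a front-end login template that calls $session->login() and only redirects to a return target that resolves to an existing local page, so the GET parameter cannot send users to another host. The template file name, the field names login_name and login_pass, and the GET parameter name "return" are assumptions.

```php
<?php namespace ProcessWire;
// Added example, not code from the thread: /site/templates/login.php for a
// hypothetical "login" template. Field names login_name/login_pass and the
// GET parameter "return" are assumptions.

/** Resolve the requested return path to an existing local page (else home). */
function returnPage(string $raw): Page {
    // Keep only page-path characters and force a leading slash, so the value
    // is looked up as a path and never used as a selector or absolute URL
    $path = '/' . ltrim(wire('sanitizer')->pagePathName($raw), '/');
    $target = wire('pages')->get($path);
    return $target->id ? $target : wire('pages')->get('/'); // NullPage has id 0
}

$target = returnPage($input->get->text('return'));
if ($user->isLoggedin()) $session->redirect($target->url, false);

$error = '';
if ($input->requestMethod('POST')) {
    $name = $sanitizer->pageName($input->post('login_name'));
    $pass = (string) $input->post('login_pass');
    try {
        if (!$session->CSRF->hasValidToken()) {
            $error = 'Form expired, please try again.';
        } else if ($name !== '' && $pass !== '' && $session->login($name, $pass)) {
            $session->redirect($target->url, false); // 302 to the requested page
        } else {
            $error = 'Login failed.'; // same text for unknown user and bad password
        }
    } catch (WireException $e) {
        $error = 'Login failed.'; // e.g. raised by login throttling
    }
}
?>
<form method="post" action="./?return=<?= urlencode($target->path) ?>">
  <?= $session->CSRF->renderInput() ?>
  <?php if ($error): ?><p><?= $sanitizer->entities($error) ?></p><?php endif ?>
  <input name="login_name" autocomplete="username" required>
  <input name="login_pass" type="password" autocomplete="current-password" required>
  <button type="submit">Log in</button>
</form>
```

The redirect always uses the URL of the page object that was looked up, never the raw parameter value, and the target page's own access check still applies after login.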
