Private pages with login

[houseofdeadleg]

I've done a quick search through the forums and found a couple of similar threads to this, but none of them seemed to work in quite the way I'm looking for (or maybe they did and they just went over my head) so I thought I'd start a new thread for it.

What I would like to be able to do is create new pages (projects) on my site but with the ability to mark them as private so that only someone with a password (set in the back end) can view that particular page. I'm not sure if this is best approached with templates, roles or some combination of both. It may be that there is only ever one private project, or it may run into maybe 10-12, each with their own individual password set when the project is created.

What I have so far is a project template file that I use for all the artwork pages and a modified version with the addition of a password field. Any help is much appreciated.

[cstevensjr]

There are many ways you can achieve what you're looking for (that's a strength of ProcessWire).

What I normally do is use templates and roles.  Say we have Group A, Group B and Group C.  I create the roles and give permissions, as required.  I assign users to the Groups, as needed.

I create individual templates for each group (i.e. "Access-For-Group-A", "Access-For-Group-B", "Access for Group C").  Each template has Access Security enabled where access is only given to a particular group. I will then create a page and in the Settings tab, assign the template for Group A.  I then will create individual pages for the other 2 groups.  When doing this I always disable Guest access on the templates.

These pages serve as the access point for the private data for each group.  I then create sub-pages below the main group page.  Those pages take their access from the parent page above it.

When someone logs in, they will only see the pages that they have access to.  You can even have an individual assigned to two or more roles with this scheme.

There are probably better ways of doing this, however this works for me.

Edited May 30, 2014 by cstevensjr

[houseofdeadleg]

It was late and I was tired when I wrote the first post so maybe I didn't describe it properly. It made sense at the time

This is an idea I have for my personal site. I'm the only administrator, under no circumstances do I want anyone else to have access, or even know the url, of the backend. Everything has to be done from the front end.

So, say I create a project/article/whatever on self-sufficiency and I send the url and a password to view it to Tom and Barbara. When they visit the page first thing they see is a login box. They use the password I sent and BAM, they can see it. Say I then want to show it to Jerry and Margot, I send them the same url and password (as the password was set for that page (in a field in the template) when it was created).

Hopefully that makes sense outside my head.

[onjegolders]

Sounds like you want to create a login.inc template where you include a login form (modal or the like) and on pages where you want to password protect, include this form and do a check to see if the user is logged in.

If they are, then form doesn't show and content does, otherwise vice versa.

If you really don't want them to have a username you could just do a check between your predefined password and what they enter in the password field. If it passes, then let them see the content (and set a $session variable so they remain able to see that page)

[cstevensjr]

The above does exactly that, however you are using ProcessWire's existing access mechanisms.  When you give access to the templates, you only enable view access only.  Then the groups/users defined with that password can only see that page.  You can additionally make the page hidden, so that it doesn't show up in the sitemap, if you have one. 

As I said, there are many ways to do this, this just uses what's already readily available in ProcessWIre.

[DaveP]

I think I understand what you want. Something like this very pseudo-code should point you in the right direction...

<?php
if($input->post->passkey == $page->passkey){

// Show for-your-eyes-only content
// and perhaps set a cookie to allow viewing of content unhindered in future

} else {

// Show form asking for passkey (using method=post to avoid inadvertent sharing of passkey in url (with Miss Mountshaft?) if we used get) action=<?php echo $page->url; ?>

};
?>

You will obviously need to wrap some proper php and html around this and perhaps separate bits out in the cause of DRYness.

[SiNNuT]

In it's simplest form it could be something like this, where $page->page_password is a textfield you can set for every page that needs the login.

<?php

if ($_POST['awesome_password'] != $page->page_password) {

echo <<<EOT
<h1>Login</h1>
    <form name='form' method='post' action='$page->url'>
    <input type='password' title='Enter your password' name='awesome_password' />
    <br />
    <input type='submit' name='Submit' value='Login' />
</form>
EOT;
} else {
echo "<p>This is the protected page. Content goes here.</p>";
}

?> 

[adrian]

So, say I create a project/article/whatever on self-sufficiency and I send the url and a password to view it to Tom and Barbara. When they visit the page first thing they see is a login box. They use the password I sent and BAM, they can see it. Say I then want to show it to Jerry and Margot, I send them the same url and password (as the password was set for that page (in a field in the template) when it was created).

But the Goods don't even have a TV, let alone a computer and Ryan was probably still in diapers at the time, so no PW

[houseofdeadleg]

Thanks for all the responses guys, I copied in the code SiNNuT posted and it (almost) works perfectly. It's throwing up this error - Notice: Undefined index: awesome_password, if anyone can shed any light on what this means I'd appreciate it.

On a related note, is the content on a private page going to be crawlable by Google et al's bots?

[kongondo]

Thanks for all the responses guys, I copied in the code SiNNuT posted and it (almost) works perfectly. It's throwing up this error - Notice: Undefined index: awesome_password, if anyone can shed any light on what this means I'd appreciate it.....

Edit: Deleted...

I think some of my explanation above is wrong; it's late, am tired! ...

Edited June 3, 2014 by kongondo

[kongondo]

Of course, there's always the simple typo maybe? 

Edit:

   Duh to self!!! You have to use isset() to first check if a variable has been sent

$pass = $input->post->awesome_password;
if (isset($pass) && $pass != $page->page_password || !$pass)//....show form etc...

Edited June 4, 2014 by kongondo

[kongondo]

Oops, you also need to show the form if nothing has been sent ...so do an || as well...or similar...Ideally, you need to show some error and the form if a wrong password was sent versus when no password was input at all..

Edited June 4, 2014 by kongondo

[horst]

$pass = $input->post->awesome_password; 
if( (isset($pass) && $pass != $page->page_password) || !$pass) //....show form etc... 

or better / shorter

$pass = $input->post->awesome_password; 
if ( !$pass || $pass != $page->page_password ) //....show form etc... 

[SiNNuT]

Thanks for all the responses guys, I copied in the code SiNNuT posted and it (almost) works perfectly. It's throwing up this error - Notice: Undefined index: awesome_password, if anyone can shed any light on what this means I'd appreciate it.

On a related note, is the content on a private page going to be crawlable by Google et al's bots?

Didn't think you would run with this code, but with the additions by kongondo(/horst) and if it's suits your needs, it's fine to use this.

With regards to crawling: using the method above would do nothing special to hide the content, but if Google were to reach the page they would only be able to see the login page. If you want to also avoid that adding <meta name="robots" content="noindex, nofollow"> to the head of your html usually helps.

Come to think of it, if pages can go from private to public and vice versa, by setting/unsetting the password field in the backend you probably want to add some extra logic to your template(s) that support the page_password field.

[bwakad]

I use for example this inside a function which get used on my main template, checking the current viewed page->id and at the end of the function I include $layout file that make up the code I want to display according to that page id.

//    see which page id is current one and create part of $selector
    switch ($page->id) {    
        case '1171': // members
            
            // declare our variables first because they are used in all cases, then use SUB switch
            // we don't want to change variable $pages, just it's value. Change $layout
               $pages  = $users;
               $layout = "./myinclude/members.inc";

                  // SUB switch to find user role. for now we let all roles see all roles
                  switch (true) {
                    // superuser
                    case ($user->hasRole('38'))  :    $selector = "roles=38|1160|1170|1177";     break;
                    // supplier
                    case ($user->hasRole('1160')):    $selector = "roles=38|1160|1170|1177";     break;
                    // store
                    case ($user->hasRole('1170')):    $selector = "roles=38|1160|1170|1177";     break;
                    // member
                    default:                          $selector = "roles=38|1160|1170|1177";     break;
                }   // end of SUB switch

        break;    // end of case 1171

I use this to create the find() pages, but you can also use other code in the case's...

// On that included file I start a double check, so sirect access is restricted 
// while the switch is still active, because this include file is inside the template

    if(!$user->isLoggedin()) {
    // redirect to login page
    $session->redirect("/login/");
}:

Of course, the login is a seperate page, and one would never access the content without logging in first AND having the right role.

[lsag]

In it's simplest form it could be something like this, where $page->page_password is a textfield you can set for every page that needs the login.

<?php

if ($_POST['awesome_password'] != $page->page_password) {

echo <<<EOT
<h1>Login</h1>
    <form name='form' method='post' action='$page->url'>
    <input type='password' title='Enter your password' name='awesome_password' />
    <br />
    <input type='submit' name='Submit' value='Login' />
</form>
EOT;
} else {
echo "<p>This is the protected page. Content goes here.</p>";
}

?> 

i'm also looking for something like this: protecting a page just with a password. I dont need user + pasword.

But how do logout of here?

thanks

[adrian]

I had forgotten about this post, but check out this new module - coming very soon

https://processwire.com/talk/topic/7723-protecteddevelopment-mode/?p=78233

Based on the poll results, it will probably be released as a separate module, named ProtectPages or something along those lines.

[lsag]

im looking forward to it