Understanding <txp:password_protect />

NorfolkGreg · 2023-03-07 20:40:48

Finally, I’m back working on my TextPattern project. The documentation fo the password_protect tag says:

Note: It is not adequate to protect a single section. This is not due to the tag itself, but rather because of how Textpattern handles URLs. By changing the URL an article can be rendered with a different section template, which would mean that the tag in the protected section would not be rendered and could not protect the article – only page requests that would be rendered in that section would be protected.

So my naive question is under what circumstances will a URL change? And what techniques must I use to ensure access to certain areas of my site is limited to those intended.

For example, what if I want to provide an area of a site that the public cannot access but its content can be read by club members. It would contain member’s contact details with the list compiled and published only by the club secretary.

If a member of the public does a search, will the search facility reveal someone’s contact details, even though it’s published in the member access only area?

etc · 2023-03-07 20:56:02

NorfolkGreg wrote #334952:

So my naive question is under what circumstances will a URL change? And what techniques must I use to ensure access to certain areas of my site is limited to those intended.

As you very rightly put below, making a search would (typically) land you on default section, thus circumventing your protected section template. You should rather put <txp:password_protect /> tag inside the article form(s) responsible for the output:

<txp:if_article_section name="private">
    <txp:password_protect />
</txp:if_article_section>

You must also disable in_rss option for protected sections.

Bloke · 2023-03-07 20:59:38

etc wrote #334955:

You must also disable in_rss option for protected sections.

And is_searchable ;)

etc · 2023-03-07 21:01:47

And on_frontpage too, otherwise only members might be able to see it :-)

Bloke · 2023-03-07 21:08:07

In fact, I would perhaps go so far as to set it up like this:

Make a pageless section called, say, member-contacts for your member contact details and post them there, perhaps each one as an article.
Password protect a public-facing section called, e.g. /members similar to the way etc outlines above.
In the page template for that section, use <txp:article_custom section="member-contacts" /> to display the list of contact details. You can paginate them as you see fit, or use limit="0" to display them all as a long list, depending on how many there are.

The benefit of this is that there is absolutely no way anybody can stumble upon the contact detail URLs because they will always return nothing – no page template. The only access to it is through the /members URL entry point, which you control.

NorfolkGreg · 2023-03-08 01:10:05

Many thanks, both of you, for your help. You may recall that in Is Textpattern For Me? I was describing a large church site, so my simple example of member data may have under-represented the overall requirement.

There are probably four separate groups that need access to various areas. One of the reasons that Textpattern appeals is that it should relieve me of some of the burden of handling all those queries resulting from forgotten passwords, changed email addresses, etc that are generated through our current forum and diary software. I am seeking to protect four distinct areas that would each have its own regularly changed password, shared by all needing to access each area.

Besides contact details that need to be kept from the world at large, we also share with our “fellowship”, some 100 people who attend church regularly or are housebound but used to be able to attend, newsletters from the missionaries that we support. Some of these work in dangerous locations in Africa and the Middle East, who feel the need to use pseudonyms in their correspondence, that could be revealed by other material held by our “deacons”. We distinguish our fellowship from “members”, those who are allowed to vote at church meetings and have been accepted as having the same faith as others in formal membership of the church. The “deacons” need a separate area as they share reports from those who may be supporting non-attenders with matters that might be deeply personal. Finally, there’s our “worship group” who prepare our weekly services. They need to share sheet music and other copyright material.

@Bloke: Do you think your three part proposal can be multiplied up to provide the four separate areas I need. In the earlier topic an alternative plan was suggested that I run a “private” installation of Textpattern in a sub-domain. With several separate private areas to maintain might that be a better approach?

The total number needing to post across all four areas is probably no more than a dozen people, with at least half of those needing write access to two or more areas.

NorfolkGreg · 2023-03-08 01:11:14

That’s four private areas, plus the public one, of course!

Textpattern CMS

Textpattern CMS support forum

#1 2023-03-07 20:40:48