Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2005-06-02 20:37:42

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

ign_password_protect

I had a need for password protection for a project I’ve been working on, and the limited functionality of Textpattern’s existing <txp:password_protect /> simply wasn’t cutting it for me.

It seemed there were some others that were looking for some similar functionality. I wasn’t really in the mood to write my own user management piece, so I looked at the existing authentication for the admin area in TXP. I hacked it to meet my immediate needs…then thought I ought to bundle it up as a plug-in. Without further ado, please give a warm welcome to my first plugin… ign_password_protect

I reused a lot of the existing authentication code, tweaking it to meet my needs, so a big thanks goes out to Dean et al, for making this easier to knock out. I’ll be the first to admit there are a few rough edges in this, so any feedback would be great. There are some basic hooks for styling the login form, otherwise it pretty much spits out the form where’s it’s called. Currently this authenticates users against the txp_users table, so users are created in the site_admin tab. For users that shouldn’t have admin access at all, simply use Privilege level “none” (the default).

This features two tags currently: ign_password_protect and ign_logged_user

ign_password_protect – use to password protect part or all of a txp website against users in the txp_user database (on the site_admin tab). can be used in page or form templates, or even directly within an article.

Accepted parameters:

privs: comma separated list of privilege levels to compare against. If omitted, plugin simply
checks for account existence (including privs = None).

err_msg: replaces error message on bad logins

login_msg: use this to set the greeting message that is displayed above the form

class: use this to set the class assigned to the div containing the form; default value is ign_login

remember: boolean to display checkbox for “remember me”, set to 1 or true to display check box (and set persistent cookie)
set to anything else or omit entirely to disable.

ign_logged_user – displays logged in user name with link to log out if logged in.

Accepted parameters:

logged_msg: replaces default “not logged in” message.

Example usage:

<txp:ign_password_protect privs="1,2,3,4,7" login_msg="Please log in to view this resource" remember="true">
Some content to protect here
</txp:ign_password_protect>

Give it a spin and let me know what you think!

Version 0.5 Beta available 1.19.2007

Version 0.5 is available for download – this version reworks the display of rendered elements (login form, error messages, etc.) to use TXP forms. Read the (somewhat incomplete) help in the plugin for information on using these forms. This should remove the vast majority of localization issues (though there are still a few items that need some love). As of 1.18.07 this beta also incorporates the necessary changes to support Dave Devine-Harper’s ddh_vanilla_integration plugin; it should no longer be necessary to use his modified password_protect plugin, though as I noted in the thread for that plugin I incorporated the necessary code but have not actually tested.
I’ve also received a couple of reports of odd caching behaviour, but nothing I’ve been able to consistently reproduce.

Any and all feedback would be much appreciated on that front.

Version 0.5b7 Available 3.18.08

In this release:

  • bug fix for domains with multiple TLDs ( i.e. .co.uk, .com.au ) – thanks to Gerhard Lazu for a more elegant fix than the hackish one I’d worked out.
  • bug fix for ign_self_edit – now properly uses TXP form in all instances.
  • stub for file_download protection – more a proof of concept, it’s functional but there’s no UI for setting the permissions on the file downloads.

Download the beta – ign_password_protect_0.5b7.txt

Version 0.5b8 Released 4.05.08

This release addresses an issue with logout links under messy urls – ign_logout_link will now return you to the current page rather than returning to the front of the site.

Download the beta – ign_password_protect_0.5b8.txt

Version 0.5b9 Released 4.06.08

Preserves query strings on login / logout.

Download the beta – ign_password_protect_0.5b9.txt

Last edited by igner (2008-04-07 01:46:51)


And then my dog ate my badger, and the love was lost.

Offline

#2 2005-06-02 20:53:40

Vitruvius
Plugin Author
Registered: 2004-09-21
Posts: 125

Re: ign_password_protect

Wow – I have been waiting for something like this. Nice work!

Can you tell me – does it cover files uploaded using TXP?

I was hoping to password protect a section of my site (I would put your tag within a page) but it would need to secure files uploaded and referenced within that section too. Is that currently possible?

SH

Offline

#3 2005-06-02 21:01:43

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: ign_password_protect

You could hide the file list, but someone with a knowledge of how TXP works could sort out the download URL and still download the file. Off the top of my head, I don’t know that there’s much that could be done about this without actually hacking the file-download routines.

I can look into it, though.

Update:

Looks as though the file handling stuff is based off Manfre’s mod_file_upload hack, and there’s support for some privilege setting in the txp code, but it’s all been commented out. When I get some time, I can look at what it’d take to hack permissions back into the upload and download routines. There’s definitely room for incorporating permissions into the file handling (including a permissions field in txp_files).

Last edited by igner (2005-06-02 21:21:22)


And then my dog ate my badger, and the love was lost.

Offline

#4 2005-06-02 21:55:04

Andrew
Plugin Author
Registered: 2004-02-23
Posts: 730

Re: ign_password_protect

Have you found a way around the password protect feed backdoor bug?

Offline

#5 2005-06-03 01:07:13

soulship
Member
From: Always Sunny Charleston
Registered: 2004-04-30
Posts: 669
Website

Re: ign_password_protect

igner this looks interesting, but I am trying to figure out how to add a user. Do I have to add the user as a txp site participant/admin? If that is the case how (if at all) do I add a casual user? I would like to use this on my site to lock down client pages to all but the intended client. Is this applicable for that? Or do I have to add them as a user? I don’t necessarily have a problem with that, but only if they will not be able to log in to the back end of my site somehow. How would I handle this with ign_password_protect? I don’t have rss feeds for this site, but I am interested in the feed lockdown issue as well.

Thanks!

Offline

#6 2005-06-03 01:59:38

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: ign_password_protect

@Andrew – no, the backdoor would still exist as this doesn’t affect the feeds in any way. Then again, I’m not sure I can see a reason one would want to provide feeds for password protected material. I’ll look at it, though.

@soulship – In this release, it’s just based on the users in the txp_users database, because that served my immediate needs. I may look at moving this to a different table, to separate it from the admin user permissions, but that’d also involve writing a user management piece…
You could do what you wanted in the meantime with a minor hack to /textpattern/include/txp_admin.php – the $levels array defines the permission levels listed in site_admin. You could add entries to that array to correspond to your clients, so that the array looked something like this:

<code>
$levels = array( 1 => gTxt(‘publisher’), 2 => gTxt(‘managing_editor’), 3 => gTxt(‘copy_editor’), 4 => gTxt(‘staff_writer’), 5 => gTxt(‘freelancer’), 6 => gTxt(‘designer’), 0 => gTxt(‘none’), 101 => ‘Client One’, 102 => ‘Client Two’, 103 => ‘Client Three’
//and so on…
);
</code>

Then to protect a particular client’s page, you’d use <code><txp:ign_password_protect privs=“101”>stuff</txp:ign_password_protect></code>

It’s not perfect, but a step in the right direction.


And then my dog ate my badger, and the love was lost.

Offline

#7 2005-06-03 03:24:38

soulship
Member
From: Always Sunny Charleston
Registered: 2004-04-30
Posts: 669
Website

Re: ign_password_protect

Thanks for that insight. That will do exactly what I want. I think I’ll give it a whirl. It will keep me from having to make an individual section for each client. It’s easier for me to keep a copy of txp_admin and switch it on the server, than adding a pge and section each time I want to add a client.

Thanks

I’ll let you know how it goes.

Offline

#8 2005-06-03 16:14:06

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: ign_password_protect

@soulship – please do.

Feel free to add a wish-list, as I’ve already got a couple of improvements I want to make. Most notable – provinding an option to separate the login form from the protected content, so one could opt to display the login form in a sidebar or header, for instance. One could conceivably do that now by absolutely positioning the div containing the form, and maybe some clever DOM scripting, but it’d be nice to be able to keep it in the document flow.


And then my dog ate my badger, and the love was lost.

Offline

#9 2005-06-04 05:45:28

Vitruvius
Plugin Author
Registered: 2004-09-21
Posts: 125

Re: ign_password_protect

I am getting the following error using this plugin in a TXP page (rather than an article or form).

<pre><code>
Warning: Missing argument 2 for ign_dotxpvalidate() in /home/usr/public_html/textpattern/lib/txplib_misc.php(352) : eval()’d code on line 79
</code></pre>

Anyone got any ideas?

Offline

#10 2005-06-05 01:06:09

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: ign_password_protect

Sorry, long week… accidentally uploaded an unfinished revision. Corrected now.

Added in this version:

hide_login: parameter to the ign_password_protect tag – this will suppress the inline presentation of the login form

<code><txp:ign_show_login /></code>
Displays login form independent of protected area.

Accepted parameters:

show_logged: boolean to display “logged-in as” message w/ logout link when user is logged in
Set to 1 or true to show, 0 or false to hide.
Default is on.
logged_msg: sets the message displayed when not logged in
login_msg: sets the greeting message that is displayed above the form
remember: boolean to display checkbox for “remember me”
Set to 1 or true to display check box (and set persistent cookie) set to 0 or false to disallow.
Default is off.

As always, feedback is appreciated.


And then my dog ate my badger, and the love was lost.

Offline

#11 2005-06-10 06:17:59

aslsw66
Member
From: Canberra, Australia
Registered: 2004-08-04
Posts: 342
Website

Re: ign_password_protect

igner, Looking at the demo on your site, does this mean you can password protect specific bits on the page? I notice that when I logged in with the demo password, the photo of snow appeared on the page. This would mean you could mix protected and public content on the same page …

Offline

#12 2005-06-10 12:31:29

igner
Plugin Author
Registered: 2004-06-03
Posts: 337

Re: ign_password_protect

yes, you can password specific bits – anything surrounded by the txp:ign_password_protect tags will not be displayed unless the user logs in. Note that the login is persistent to the browser session, and the login form can be divorced from the content, so it’s possible to have, say, the login form on one page, but protected content, like a comment form, on other pages.

It’s likely I’ll be updating this soon to include a page-protect mode that uses the browsers authentication dialog as well.


And then my dog ate my badger, and the love was lost.

Offline

Board footer

Powered by FluxBB