Restrict access to a sub folder on a CMSB controlled site to logged in users only

9 posts by 5 authors in: Forums > CMS Builder
Last Post: January 29

By gkornbluth - January 7

Hi All,

I'm trying to restrict access to a sub folder on a CMSB controlled site to logged in users only, on a site that's using the website membership plugin.

I'd rather that the users didn't have to enter another username and password, and that kind of eliminates the .htaccess route.

In addition to CMSB controlled pages, there are some 3rd party programs in the sub folder and I've tried hacking their page codes, but that really made a mess of things.

Any thoughts?

Thanks, and best wishes for a happier new year.

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!

Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By Deborah - January 7

Jerry, I no longer have any sites running Website Membership, but here's some code from my archives that might be helpful. I seem to remember this working when it was online.

<?php // WEBSITE MEMBERSHIP START //
  // error checking
  $errorsAndAlerts = alert();
  if (@$CURRENT_USER)  { $errorsAndAlerts .= "<a href=''>Log Out</a><br/>\n"; }
  if (!$CURRENT_USER && @$_REQUEST['loginRequired']) { $errorsAndAlerts .= "Please log in to continue.<br/>\n"; }
  // save url of referring page so we can redirect user there after login
  if (!getPrefixedCookie('lastUrl')) { setPrefixedCookie('lastUrl', @$_SERVER['HTTP_REFERER'] ); }
// WEBSITE MEMBERSHIP END //
?>

WEB PAGE CONTENT:

<?php if (@$CURRENT_USER): ?>
(show content for logged-in user)

<?php if (@$errorsAndAlerts):
 // show errors/alerts ?>
<div>
<?php echo $errorsAndAlerts; ?><br>
</div>
<?php endif ?>

<?php // endif current_user
endif ?>

If that doesn't work, I might have more code to delve into or someone else might have an immediate answer.

~ Deborah

By gkornbluth - January 7

Hi Deborah,

Thanks for the lengthy response.

I've tried to do that kind of thing, and it has indeed worked for any of the CMS controlled pages.

Where I've been running into issues is when I've tried to implement that type of code on 3rd party programs. 

Besides, there are sometimes a great many files in their programs and I was hoping for a more global approach that would keep non-logged in users from accessing the containing folder itself.

Maybe that can't be done, but I figured that it didn't hurt to ask.

Again, thanks,

Jerry Kornbluth.


By Toledoh - January 7

I'd think that you may be able to achieve this by .htaccess and a cookie created with the login process? But the specifics of how to implement that are way beyond me! Very interested in how you progress though :)

Cheers,
Tim (toledoh.com.au)

By gkornbluth - January 7 - edited: January 7

Hi Tim,

Interesting thought...

Maybe someone will come up with the magic formula.

Jerry Kornbluth


By gkornbluth - January 27

I am, thanks for following up

Jerry Kornbluth


By Dave - January 29

Hi Jerry, 

I can't think of an easy clean solution.  To do it with PHP you'd need to add some code to all the 3rd party programs, and ensure that it didn't conflict with any of their code.  

Maybe if we set a PHP session variable to indicate if a user was logged in, that would be easier to check. But you still have the issue that if any of the 3rd party apps are upgraded the code will be overwritten, and website membership would also need to clear that setting.

Tim's cookie idea is interesting, but you'd need to make sure people couldn't fake it since cookies are client side.  But maybe something along the lines of having htaccess code that redirects to the login page unless something is set that indicates a valid login.  

Or another approach is to only have the folder accessible through a time-expired URL or URL alias (eg: /members-j93dej7834/) that changes at intervals so it's not possible to guess it unless you can login.

But I can't think of an easy way to implement any of those without further research and custom code, and even then they seem a bit tricky.  

Dave Edis - Senior Developer
interactivetools.com
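
One way to make the cookie idea from the posts above resistant to faking, as an added example that is not part of the original posts or of CMS Builder: the login page issues an HMAC-signed, time-limited cookie, and a gate file loaded through PHP's auto_prepend_file setting verifies it before any script in the folder runs, so the third-party code is never edited. The cookie name, environment variable, GATE_LIB_ONLY constant, file paths and login URL are assumptions.

```php
<?php
// Added example (not from the thread). Assumed wiring for the protected sub folder:
//   mod_php:  .htaccess  ->  php_value auto_prepend_file "/path/to/member_gate.php"
//   PHP-FPM:  .user.ini  ->  auto_prepend_file = /path/to/member_gate.php

const GATE_COOKIE = 'member_gate';   // hypothetical cookie name
const GATE_TTL    = 1800;            // token lifetime in seconds

// Build "userId|expiry|hmac". User id is assumed numeric; the secret stays on the server.
function gate_issue_token(string $userId, string $secret, int $now, int $ttl = GATE_TTL): string {
    $payload = $userId . '|' . ($now + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Return the user id if the token is authentic and unexpired, otherwise null.
function gate_verify_token(string $token, string $secret, int $now): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3) { return null; }
    [$userId, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $expiry, $secret);
    if (!hash_equals($expected, $mac)) { return null; }          // constant-time compare
    if (!ctype_digit($expiry) || (int)$expiry < $now) { return null; }
    return $userId;
}

// Login side (after the membership login succeeds), requires PHP 7.3+ for the options array:
//   define('GATE_LIB_ONLY', true);  require '/path/to/member_gate.php';
//   setcookie(GATE_COOKIE, gate_issue_token($userId, $secret, time()),
//       ['expires' => time() + GATE_TTL, 'path' => '/', 'secure' => true,
//        'httponly' => true, 'samesite' => 'Lax']);

// Gate side: runs when the web server prepends this file, not when used as a library.
if (PHP_SAPI !== 'cli' && !defined('GATE_LIB_ONLY')) {
    $secret = getenv('MEMBER_GATE_SECRET');                      // hypothetical env var
    $token  = $_COOKIE[GATE_COOKIE] ?? '';
    if (!$secret || gate_verify_token($token, $secret, time()) === null) {
        header('Location: /login.php?loginRequired=1', true, 302); // placeholder login URL
        exit;
    }
}
```

auto_prepend_file only covers requests that PHP handles, so static files in the folder need a separate rule. Logging out should also expire the cookie, since a signed token stays valid until its expiry time.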

By gkornbluth - January 29

Hi Dave,

Thanks for your detailed response.

I guess that if it becomes important enough to the client, I'll look to your paid support to dive into this further.

Best, and have a good weekend,

Jerry Kornbluth
