How do I password protect resources in a ModX Website using htaccess and htpasswd?
Question
We are trying to protect a couple of different resources in our ModX installation. The current .htaccess code is as follows (not including all of the ModX stuff):
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /var/www/vhosts/mywebsite.co.uk/.htpasswd
<FilesMatch ^index.php\?q=71$>
require valid-user
</FilesMatch>
The object of the exercise is to protect the following resources:
I have tried various combinations of LocationsMatch, Locations, Files and Filesmatch and can't get it to work.
Thank you in advance
Solution 2
This is what the total solution was:
If anyone else needs to know, I created a snippet called passwordprotect and put at the top of the page: [[passwordprotect]]. I then put in the following code (an adaptation of the above response):
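<?php
// Loose == treats numeric-looking strings as numbers ("1e3" == "1000"), so compare
// with hash_equals(), which is strict and constant-time. 'user' and 'password'
// are the placeholders from the original snippet.
if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    && hash_equals('user', $_SERVER['PHP_AUTH_USER'])
    && hash_equals('password', $_SERVER['PHP_AUTH_PW'])
) {
    echo 'You are successfully logged in.';
} else {
    // No (or wrong) credentials: ask the browser to show the Basic auth dialog.
    header('WWW-Authenticate: Basic realm="Protected area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}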
EDIT: If you are finding that this sometimes does work and sometimes doesn't work, this is probably because using [[passwordprotect]], modx will cache the snippet. I got better success with: [[!passwordprotect]] on Revolution. I think the code is [!passwordprotect!] on Evolution. The exclamation marks just denote not to cache the snippet. Hope that helps someone!
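A variant of the snippet above that checks the credentials against the .htpasswd file from the question instead of a plaintext password in the snippet body. This is an added example, not code from the original posts; it assumes the file was created with `htpasswd -B` (bcrypt entries), and the helper name `htpasswd_check` is hypothetical.

```php
<?php
// Added example, not the original poster's code.
// Assumption: entries were written by `htpasswd -B`, i.e. "user:$2y$..." (bcrypt).
$htpasswdFile = '/var/www/vhosts/mywebsite.co.uk/.htpasswd'; // path from the question

// Guard against redeclaration if the snippet is called twice on one page.
if (!function_exists('htpasswd_check')) {
    // Hypothetical helper: true only if $user exists and $pass matches its hash.
    function htpasswd_check(string $file, string $user, string $pass): bool
    {
        // Constructed dummy hash, so unknown users take as long as known ones.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('constructed-dummy-value', PASSWORD_BCRYPT);

        $hash = $dummy;
        $known = false;
        $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
        foreach ($lines as $line) {
            $parts = explode(':', trim($line), 2);
            // Accept bcrypt entries only; skip MD5/SHA1/crypt and malformed lines.
            if (count($parts) === 2
                && hash_equals($parts[0], $user)
                && strncmp($parts[1], '$2y$', 4) === 0
            ) {
                $hash = $parts[1];
                $known = true;
                break;
            }
        }
        // Always run password_verify(), even when the user was not found.
        return password_verify($pass, $hash) && $known;
    }
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

if ($user === '' || !htpasswd_check($htpasswdFile, $user, $pass)) {
    // Missing or wrong credentials: challenge and stop rendering the resource.
    header('WWW-Authenticate: Basic realm="Protected area"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}
return ''; // authenticated: the snippet adds no output and the page renders
```

Basic authentication sends the password with every request in a reversible encoding, so serve the protected resources over HTTPS only. Call the snippet uncached, as [[!passwordprotect]], for the reason given in the EDIT above.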
Other tips
You probably don't need htaccess. You can send HTTP authentication headers (http://php.net/manual/en/features.http-auth.php) from the correct system event.
There is absolutely no reason to do this, and it voids the entire purpose of the MODX Revolution ACLs. The correct answer is to:
- Establish a user group with a minimum role which can access the resources.
- Create a test resource within the resource group.
- Add the site admin to the resource group.
- Create a test user in the resource group.
- Refresh the site cache.
- Log out all users - including yourself.
- Test the ACLs - with the site administrator both in the manager and on the front end.
- Log out or use a completely different browser and test with the test user.
- Once it is working move the protected documents to the resource group.
- Add users to the group who you want to have access.
- Remove the snippet.
If you need more help get a copy of my book or visit my site.