Password protection


I have to implement a password protected section on a kirby webpage.
As i found out this is possible and mentioned in the cookbook by checking permission in the template.

However, i already know that this topic will come up in future projects so my idea is to create an generic implementation as a plugin.

So the way i see it this plugin has to hook into any page request an check if the page itself or any parent page has a distinct named password field and if so check the session against it. If the hashed password is not in the user session -> show login screen instead of content.

So, getting any page request i do with a routing hook and a wildcard i guess, right?
How do i prevent content to be delivered?

And very interesting: how can i hook and apply this logic to downloads/files of the pages?

Thanks for help and ideas!

Wouldn’t it make more sense to check user roles instead of storing passwords in content files?

I can see your point but since there a multiple sections and we only want to set one password per section it makes sense in my opinion to store the password at the section - also for the user to set it there in the panel.

Most worried i’m right now with the downloads, because i would like to avoid changing the kirby htaccess or something else outside the plugin…

Am I getting this right: You want to store the plain text passwords of some user(s) in a content file? Doesn’t sound like a good idea to me.

As regards changing the .htaccess, I don’t think you can get around that, because as it says in the recipe, you have to send files through Kirby, otherwise they are handled by the server. And if that is the case, there’s nothing you can do in a plugin.

No, sorry, got me wrong. Just the password for the page/section is stored in the content file as the editors have a section where they can create pages but have no access to user management.

In this case there are teachers who are allowed to manage the pages of their section of the website an will create subpages, some of them public, some of them with simple password protection like we all know it from university: for the sheets go to www…/maier/kurs5 with password “sose201819”…

If somebody can read the content file he has the content anyway and thats all you can do with the password.

If i got time left i will hook into saving pages and hash the specific field und hook into reading and empty it so you can only set a new one - but thats not top priority.

Ok, too bad. Maybe its an performance thing not to go through php for each file request but it doesn’t sound to weird to me what i’m looking for :slight_smile:

And right now i even found the right cookbook article, only read the authentication one before - my bad :frowning:
It even shows how to manipulate .htaccess…

Oh sorry, I thought you had read it because you were referring to the .htaccess.