Protect files based on session, not on user status

I’m trying to implement the method from Protecting files behind a firewall | Kirby CMS but as I’m using the Locked Pages plugin, I can’t base access on user status but need to read the session data, so I’m kind of stuck at the point in the article where it talks about allowing authorized users back in.

I see that the plugin is setting a session key in the login controller:
$kirby->session()->data()->set(LockedPages::SESSION_KEY, $access);
And in the LockedPages class it has public const SESSION_KEY = 'kirby-extended.locked-pages.access';

So, I suppose in config.php, instead of doing:

if (kirby()->user() && 
          ($page = page('downloads')) && 
          $file = $page->files()->findBy('filename', $filename)) {
          return $file->download();
        }

I somehow need to read that session data but I’m at loss as to how to do this. Can anyone guide me in the right direction?

You can get data from the session with kirby()->session()->get(), so

kirby()->session()->get(LockedPages::SESSION_KEY)

should work.

Sorry, I said that I do this in config.php which is wrong. Of course this check is done in the files-firewall plugin’s index.php, and if I try to get the session data there it gives me an error “Class ‘LockedPages’ not found”. Because, of course, why would one plugin know anything of any other plugin?

I guess ideally this should all be part of the Locked Pages plugin? But at the moment it isn’t, so I somehow need to work around that and still use the session data from that plugin.

You would have to make sure that the LockedPages plugin is loaded first, and then either use the full class name or add a use statement at the top of the index.php file.

And how would I do that? I found an old post at Plugin load order? - #2 by lukasbestle but it’s related to Kirby 2. In the reference manual I found Kirby::plugin() | Kirby CMS – is that used the same way as described in the forum post?

In Kirby 3 it is no longer possible to load other plugins first as that proved unreliable in some cases.

You have two options:

  1. Either you use a system.loadPlugins:after hook in your file firewall plugin and only then access the const of the LockedPages class.
  2. Or you hardcode the constant in your plugin to the string value (assuming that it will not change with future plugin updates).

Edit: Oh, wait. I just looked at the Locked Pages plugin. The issue you see doesn’t seem to be related to loading order, it’s just about the namespace. You need to import the class at the top of your file firewall index.php:

<?php

use KirbyExtended\LockedPages;

Likely it should already work then without further changes.