I guess this may be a 'lost case', but is it possible to password protect one or more pages generated by DocPad?
Is it possible to make a plugin or something that let you say protected = true in the metadata section of a page?
Or do I have to use .htaccess or similar to protect my pages?
If you're planning to host on a node.js hosting provider, then you can use the following gist: https://gist.github.com/4557006
The idea is that we use the serverExtend event to add a new express.js middleware. Middlewares added via the serverExtend event are added before docpad's middlewares are added, so this is the ideal place for this authentication layer as well as most other use cases for custom routes/middlewares etc. Our custom middleware will then check to see if the document that is being requested is a protected document or not. If it isn't, it continues down the middleware chain (probably hitting the docpad middlewares and rendering normally), or if it is a protected document then we'll forward it on to the express basicAuth middleware.
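The check this answer describes, written as a plain Node.js middleware; this is an added example, not the code from the linked gist. `protectDocs`, `parseBasic`, `safeEqual` and `simulate` are hypothetical names, and the set of protected URLs (which a site would fill from the documents marked protected) and the credentials are constructed sample values.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Hash both sides to a fixed length: timingSafeEqual needs equal-size buffers.
function safeEqual(a, b) {
  const h = (s) => createHash('sha256').update(String(s)).digest();
  return timingSafeEqual(h(a), h(b));
}

// Parse "Basic base64(user:pass)"; null when the header is absent or malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+\/=]+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // the password may itself contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// protectedUrls: Set of document URLs whose metadata says protected: true.
function protectDocs(protectedUrls, user, pass) {
  return function (req, res, next) {
    const path = req.url.split('?')[0];
    if (!protectedUrls.has(path)) return next(); // public: continue down the chain
    const cred = parseBasic(req.headers.authorization);
    // Evaluate both comparisons so timing does not show which one failed.
    const okUser = safeEqual(cred ? cred.user : '', user);
    const okPass = safeEqual(cred ? cred.pass : '', pass);
    if (cred && okUser && okPass) return next();
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Basic realm="Protected area"');
    res.end('Authentication required');
  };
}

// Drive the middleware with a constructed request and report what it did.
function simulate(mw, url, authorization) {
  const out = { nextCalled: false, status: 200, headers: {} };
  const req = { url, headers: authorization ? { authorization } : {} };
  const res = {
    set statusCode(v) { out.status = v; },
    setHeader(k, v) { out.headers[k] = v; },
    end() {},
  };
  mw(req, res, () => { out.nextCalled = true; });
  return out;
}
```

The lookup must use the same path form the file server resolves, and Basic credentials are only base64-encoded, so the site has to be served over HTTPS.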
I guess you could indeed declare protected = true in the page metadata and have a collection named protectedPages in docpad.coffee :
    collections:
        protectedPages: (database) ->
            database.findAllLive({protected: true})
And then create a file .htaccess.eco that looks something like that :
    AuthUserFile /full/path/to/.htpasswd
    AuthType Basic
    AuthName "Protected area"
    <% for document in @getCollection('protectedPages').toJSON(): %>
    <Files "<%= document.url %>">
    Require valid-user
    </Files>
    <% end %>
and it should be easy to turn this into a plugin that generates the .htaccess file. You could use the sitemap plugin as an example.
Another way (but it's just a concept right now) could be:
When you tag a document with a protection (protected:password or need-access-right:account-list), the document is encrypted and then published as static content by docpad.
Client-side, if you access a protected page, the encrypted content is loaded and a script asks for a password (or for your account info) and then tries to decrypt the content with it.
So you can have protected content on a static server without Apache-specific .htaccess and its performance issues.
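The concept above carried through with Node's built-in crypto, as an added example that is not part of the original post. PBKDF2-SHA256 and AES-256-GCM are choices made here (the post names no algorithm), and the function names, envelope fields and iteration count are assumptions; a browser script can perform the same derivation and decryption with WebCrypto.

```javascript
const { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv } = require('node:crypto');

const ITERATIONS = 210000; // assumed work factor; raise it as far as readers' devices allow

function deriveKey(password, salt, iterations) {
  return pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

// Build step: returns a JSON-serialisable envelope to publish instead of the page body.
function encryptPage(html, password, iterations = ITERATIONS) {
  const salt = randomBytes(16); // fresh per page, so equal passwords give different keys
  const iv = randomBytes(12);   // GCM nonce, never reused with the same key
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt, iterations), iv);
  const ct = Buffer.concat([cipher.update(html, 'utf8'), cipher.final()]);
  return {
    v: 1,
    iterations,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Reader side: returns the HTML, or null when the password is wrong
// or the published envelope was modified.
function decryptPage(env, password) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, b(env.salt), env.iterations);
  const decipher = createDecipheriv('aes-256-gcm', key, b(env.iv));
  decipher.setAuthTag(b(env.tag));
  try {
    return Buffer.concat([decipher.update(b(env.ct)), decipher.final()]).toString('utf8');
  } catch (e) {
    return null; // authentication tag did not verify
  }
}
```

Because the envelope is published, anyone can try password guesses against it offline, so the password's strength and the iteration count are the only barrier.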
Related
I'm facing a crazy problem. I have a website running in production and I'm trying to cache my index page using "Page Rules" from Cloudflare to speed it up; it does not have dynamic content right now.
The problem is that it does not work, probably because Laravel always returns the view with the XSRF-TOKEN and Cloudflare will understand it as not cacheable. I already changed the header (cache-control: max-age=36000, public) but Cloudflare always returns the header "cf-cache-status: BYPASS" when it should return HIT.
When I try to use the same rule on a file from the Laravel public folder (the same PHP file of the view) it works OK and returns HIT.
The solution I can think of is trying to remove this XSRF-TOKEN from the header response, but I'm going crazy on how to do this. Any tips?
Obs: I tried removing those cookies using
    \Config::set('session.driver', 'array');
    \Config::set('cookie.driver', 'array');
But this removes only one cookie, not the XSRF-TOKEN one.
I believe you have to remove the CSRF token on pages you want to cache, or implement some sort of JavaScript solution where the CSRF token is being requested the moment you need it.
I found this article that explains your situation (bottom of the article):
https://blog.cloudflare.com/the-curious-case-of-caching-csrf-tokens/
If you are sure that your page does not need the CSRF token (i.e. it doesn't contain any POST/PUT/DELETE functionalities), you can remove the token for that particular page and be fine.
In Laravel, the CSRF-token is managed by \App\Http\Middleware\VerifyCsrfToken, which should be listed in your middleware in \App\Http\Kernel. Removing this middleware will remove it for all routes that use that middleware; so you'll likely have to create a separate middleware-group for pages where you do need CSRF protection.
You might also be able to add to the protected $except = [] property on your VerifyCsrfToken middleware class. This property contains an array of urls that should be excluded from CSRF verification. So you could add '/' to that array, or a wildcard like '/webhook/*'.
In Laravel Spark, settings pages have URLs that look like this
http://app.dev/settings#/security
Is there a way, via Laravel's PHP code (from a controller action) to redirect to these URLs that doesn't involve manually adding the # portion to the URL via string concatenation?
In other words, I know I can do this
    return redirect(
        route('settings') . '#/security'
    );
but it feels sort of gross. I guess another way of asking this question is, is there a built-in way to generate route-based URLs in Laravel that include the # portion of a URL?
So, I have two different applications in my CodeIgniter installation. One is admin, the other is frontend. I basically just copied the index file, renamed it "admin.php", and changed the application directory to "application/admin". I then changed the application directory in index.php to "application/frontend".
What I would like to do is create a link on the frontend application that takes you to the admin application. The variable config['index_page'] in the frontend application is set to "index.php" and in the admin application it's set to "admin.php".
Is there a way to set the url helper to use "admin.php" instead of "index.php"?
You don't need to do it that way.
You should make or use an authentication library and set different roles for different users.
After login you can just put the redirection to your admin controller,
and for other users and viewers you can redirect them to any other controllers.
For viewers you can just use something like this:
Code:
    // Not logged in: show the public (viewer) pages.
    if (!$this->m_auth->is_logged_in())
    {
        $this->viewers();
    }
    // Logged in: hand over to the role-aware users function.
    else
    {
        $this->users();
    }
In your users function you just check the different roles and redirect accordingly.
I think you are missing some CodeIgniter concepts, and you are trying to do it the normal way. I suggest you read this article; you will see how you can use MY_Controller with the same concept as a front controller and how you will be able to give every user specific roles.
Another way is to use a ready-made authentication library as @medhi said.
I would recommend Tank Authentication or Ion Auth
I need to link to a secure page on the same website (https). I could probably hack something through xml, extend cms_page block, and put a secure instruction in constructor, but I'm just wondering if there's a template tag (for admin use) that would fetch me a secure link. I was trying to do this:
Secure page
but Magento eats the "secure_page" part, leaving only the config template tag in the href part. Has anyone achieved this?
Secure page
Here is a list of applicable parameters: http://www.magentocommerce.com/wiki/5_-_modules_and_development/reference/geturl_function_parameters
By default Joomla admin URL is yoursitename/administrator. How can I change this for Joomla 1.5 so that it doesn't affect my modules and components or any other thing on the backend.
I don't think that would be a good idea, because some links to '/administrator' in modules/components are hardcoded (static), so you should rather use one of these plugins http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection or just try something with .htaccess (ask for password, IP filtering etc...)
Install the jSecure Authentication plugin.
Every Joomla back-end has the same URL. If you install a security plugin, you can add a suffix to your back-end URL to make it look like this: http://www.yoursite.com/administrator?helloworld
If the URL is not entered with a correct suffix, the site will redirect to a 404 (not found) page. Change the suffix regularly.
I use the changeadmin component to kind of hide the admin url:
http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/14666
Here is a simple step (it's not a correct method, but it works for me).
Just create a new folder in your root directory.
Create index.php (or some other name) in that folder, and add the following code
    <?php
    // Set the marker cookie that administrator/index.php checks, then go to the admin login.
    $admin_cookie_code = "2145446497812";
    setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/");
    header("Location: ../administrator/index.php");
    exit;
Then add the following code inside administrator/index.php . Please make sure to add this immediately after opening the PHP tag.
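    // Must be the same value that the new folder's index.php sets in the cookie.
    if (!isset($_COOKIE['JoomlaAdminSession']) || $_COOKIE['JoomlaAdminSession'] !== "2145446497812")
    {
        header('Location: ../index.php');
        exit;
    }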
Then try to access the administrator login by typing your root_joomla_address/new_folder_name. It will then automatically redirect to your admin page. If you try to access the default admin login page directly, it will redirect to the Joomla home page.
Hope this works. I don't claim this is a correct procedure. But if you are looking to avoid a plugin, then this hack will help you.
With a simple step you can restrict access to your administrator login page.
Follow the steps below:
Before going through all the steps, first find your IP address from this link: www.whatismyip.com
1. Create a .htaccess file in the administrator folder.
2. Now write the following code in the .htaccess file:
    <Limit GET POST>
    # Deny everyone, then allow only the listed address.
    order deny,allow
    deny from all
    allow from 192.168.0.1
    </Limit>
3. Now write your own IP instead of 192.168.0.1.
4. Finally, save the file and try to access your administrator page from your IP and from a different IP.
Hope it'll help. Thanks.