[tyee]

Greetings
I have been trying and trying to find a script that password protects a dynamically generated CMS page. I'm using sNews CMS and all pages except the main index.php page are all contained in a mysql database. Most scripts say to add one line of code to the top of the page to protect. Sorry, can't do that. These pages don't exist until called out of the database by our browsers.

However, another CMS, textpattern which also uses a database can be protected. Here's the modrewrite theory and how it was done -

How To --

Suppose your website is at http://example.com and TXP is installed in the root directory and you want to use HTTP authentication to protect the section called ‘protected’ (http://example.com/protected).

This example assumes your website is hosted on an Apache webserver and that you already have an existing .htpasswd file containing usernames and passwords.

1. Physically create that directory ‘protected’
2. Within that directory ‘protected’, create the following .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(.*) ../index.php
</IfModule>

AuthType Basic
AuthUserFile /path/on/server/to/.htpasswd
AuthName "Only for registered users"
require valid-user

End How To

Theory Explanation --

When you’re allowed to visit the protected directory (which exists physically on the server), the RewriteRule prevents that physical directory from being shown to the user. Instead it redirects the request to Textpattern’s index.php (which would have happened if that protected directory hadn’t existed physically on the server), so TXP can show the section you really wanted to see.

Normally, sections in TXP don’t have a corresponding physical directory. It is all handled by index.php. To be able to password protect with .htaccess, a physical directory is required, but… when you request a file or directory that physically exists, the default TXP installation will no longer take care of it; instead that real, physical directory/file will be shown by the webserver. The rewrite rule overrides that by saying: even though there is a physical file/directory here, we still want TXP to handle the request. Because that happens after the authentication step, you get what you want: a password protected TXP section.


I tried to get sNews to work with this but no luck. I kept getting redirected to my index.php page and not to the other page I wanted to go to ("protected" folder in this example).

Can anyone see how to do this for sNews. I was told on another forum it can't be done because of how the htaccess file for sNews is written. Here it is --

Code:

<IfModule mod_php4.c>
    php_value session.use_trans_sid 0
</IfModule>
RewriteEngine On
#RewriteBase /sNews15
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*) $1 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?category=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z_]+)/([^/]+) index.php?category=$1&title=$2 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z_]+)/([^/]+)/([^/]+)/ index.php?category=$1&title=$2&commentspage=$3 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z0-9_-]+)/([0-9]+)/ index.php?category=$1&nbsp;articlespage=$2 [L]

Any thoughts anyone??

tyee

[tyee]

Here's another suggestion by another cms forum. It also didn't work!

.htpasswd works inside the webserver in front of CMSms even if the URLs don't really "exist" but are internaly pretty-to-ugly rewritten. The protection acts before the rewriting.

So, for Apache, these auth lines may occur inside a LocationMatch or something like this :

Code:

<LocationMatch /personal/*>
AuthName "zieglecu private section"
AuthType basic
AuthuserFile /an/obfuscated/non/http/accessible/path/to/folder/of/.passwd <- this line must be changed!
require valid-user
</LocationMatch>

(please review Apache's manual before as I'm not sure about the syntax, just the concepts).

And go on with URL rewriting rules. I'm confident it should work. Have fun.