Force users login ?

[garvinhicking]

The problem is that the password you enter is just a global password on the staticpage.

Instead, how about this solution:

You create a staticpage (if you haven'T already) and set that staticpage as startpage. Do not password-protect that page. Then you enter this HTML code in your staticpage content:

Code: Select all

<form id="loginform" action="?" method="post">
<div>
Username: <input type="text" name="serendipity[user]" value="" /><br />
Password: <input type="password" name="serendipity[pass]" value="" /><br />

<input id="autologin" type="checkbox" name="serendipity[auto]" style="float: left; display: inline; width: 20px" /><label for="autologin"> Remember me</label><br />

<input type="submit" name="serendipity[action]" value="Go >" />
</div>
</form>

Now when people enter your blog they'll see the start page of your blog, they enter their credentials and then they see the real blog with all the entries only logged in users can see.

Regards,
Garvin

[Marcos]

Hi, Garvin
I just did the page You suggested, but I can't let it work ...
I named it "login.html" (which will be my bolg's startup page), put it in blog's home, and changed the tag [action="?"] to [action="index.php"].
It asks for credentials, but once it enters the blog, the user is NOT logged in (I suppose so, because when clicking 'open login screen', s9y asks for credentials again) ... What do I miss ?
Thanks again for Your attention.
See You.

Marcos


P.S: this is my "login.html", just in case ...:

<html>
<head>
<title>Autenticazione Blog Resistenze</title>
</head>
<body style="font-family:verdana">
<br><br><br><br><br>
<form id="loginform" action="index.php" method="post">
<table align="center">
<tr><td colspan="2"><h3>Autenticazione Blog Resistenze</h3></td></tr>
<tr><td align="right">Utente: </td><td><input type="text" name="serendipity[user]" value=""></td></tr>
<tr><td align="right">Password: </td><td><input type="password" name="serendipity[password]"></td></tr>
<tr><td align="left" colspan="2"><input id="autologin" type="checkbox" name="serendipity[auto]" /><label style="font-size=10px" for="autologin"> Ricordami</label><br /></td></tr>
<tr><td align="center" colspan="2"><input type="submit" name="serendipity[action]" value="Login"></td></tr>
</table>
</form>
</body>
</html>

[garvinhicking]

Oh, I forgot to mention you'll need the "loginform" event plugin serendipity_event_loginform.

Sorry and regards,
Garvin

[Marcos]

Hi, Garvin
thanks, it just works !!! , yupeeeee !

Marcos

[garvinhicking]

Phew, I'm really glad to hear that. Hope you'll enjoy Serendipity!

Regards,
Garvin

[jorainbo]

The problem is that the password you enter is just a global password on the staticpage.

Instead, how about this solution:

You create a staticpage (if you haven'T already) and set that staticpage as startpage. Do not password-protect that page. Then you enter this HTML code in your staticpage content:

Code: Select all

<form id="loginform" action="?" method="post">
<div>
Username: <input type="text" name="serendipity[user]" value="" /><br />
Password: <input type="password" name="serendipity[pass]" value="" /><br />

<input id="autologin" type="checkbox" name="serendipity[auto]" style="float: left; display: inline; width: 20px" /><label for="autologin"> Remember me</label><br />

<input type="submit" name="serendipity[action]" value="Go >" />
</div>
</form>

Now when people enter your blog they'll see the start page of your blog, they enter their credentials and then they see the real blog with all the entries only logged in users can see.

Regards,
Garvin

Hi Garvin,

I used exactly this method to make sure no one can see the blog without being logged in . My ISP is running PHP as CGI so the httpauth won´t work.
Anyway I have this staticpage with this loginform as startpage.
On this startpage I have all sidebars disabled and there is just the loginform.

However, if someone types in a wrong username/password and clicks on "ok" he is forwarded to index.php? which is no static page anymore.
So all sidebars including all categories etc are displayed, he just doesn´t see any entries (as I have all entries in categories and all-authors is not allowed to read them), but it would be better if there would be an error page that the login was wrong.... any ideas.

[garvinhicking]

Hi!

Maybe for you the sidebar plugin "User Login" (or whatever its called) might be the better way? This reports login errors.

Else you would need to write a new plugin that acts for a login in the middle-section of the blog.

Regards,
Garvin

[jorainbo]

Hi!

Maybe for you the sidebar plugin "User Login" (or whatever its called) might be the better way? This reports login errors.

Else you would need to write a new plugin that acts for a login in the middle-section of the blog.

Regards,
Garvin

okay, the sidebarplugin works well, it reports a login error, however the categories and other sidebars are displayed after the login...

Is there a way to write HTML-Code in the page depending on the login-status of a user?

something like if userstatus=logged-in then write .... else write....

If this would be possible I could write a div class="no-sidebar" or div class="sidebar" around the sidebars so that I can have a "display: none" for the whole section if someone is not logged in.

So far I have this div written depending on the pagetitle with the static pages....you have explained it in another thread and it worked perfect...
but as the page after the static login page is non-static anymore (no matter if the login was correct or not), I need another criteria to write the Code on the page.

[garvinhicking]

Hi!

Is there a way to write HTML-Code in the page depending on the login-status of a user?

Yes, youw ould need the Smarty-Markup plugin, and you would need to write your own PHP code which you can use then to check your login status.

But that's actually the same work you would need to do like building a custom event plugin.

You cannot check the login status with HTML, it can only be done within PHP.

HTH,
Garvin

[jorainbo]

Hi!

Yes, youw ould need the Smarty-Markup plugin, and you would need to write your own PHP code which you can use then to check your login status.

But that's actually the same work you would need to do like building a custom event plugin.

You cannot check the login status with HTML, it can only be done within PHP.

HTH,
Garvin

okay,...I might try this, I will let you know if it works, as my PHP-Skills are more or less zero

Anyway, probably the best way would be to have the httpauth plugin to really protect the whole blog (and not just the startpage).

you said this won´t work if php runs as CGI.... does anyone know what kind of efforts a provider has to make to change this so that PHP runs as a module? Is this something that can be done in a minute or is this a "bigger change" in the webserver configuration. If it´s easy to do I will call my provider and ask him to change this

Thanks again

Jorainbo

[garvinhicking]

Hi!

The httpauth plugin does protect the whole blog, I think.

Switching from CGI to mod_php is a complicated process. Once a provider runs as CGI, he will in 99% of all cases not be willing to move to mod_php.

Best regards,
Garvin

[tchirou]

Hi

So far, the Http authentication plugin doesn't work for the sudirectories of serendipity. I just have figured this out.

Actually, anyone trying http://myblog/serendipity/uploads can access this folder.

A solution would be to put an .htaccess file, but if users change their password in the blog config without noticing me of this to change it in the .htpasswrd, they will have to log twice and above all with 2 different passwords, won't they ? This is a kinda crappy solution

Do you have any idea about this, garv ? Is it complicated to change the code to protect the whole blog ?

Thanks,

Cyril

[garvinhicking]

Hi!

So far, the Http authentication plugin doesn't work for the sudirectories of serendipity. I just have figured this out.

Yes, that's not the scope of the http auth plugin, which only usage is to restrict blog entry read permissions.

Actually, anyone trying http://myblog/serendipity/uploads can access this folder.

If you want to protect whole folders, you should go with the usual .htaccess protection, not a plugin that can only be executed when PHP is called; the s9y plugin cannot deny access to something where it is not really called (like when a non-PHP request happens)

Do you have any idea about this, garv ? Is it complicated to change the code to protect the whole blog ?

It's nearly impossible. You could make PHP parse the whole image files and return them, bypassing the usual webserver process. But that would require to load the whole s9y framework to display a simple picture, which I'm not particilarly fond of and wouldn't suggest.

How about protecting the whole s9y directory with a single username+password using .htaccess?

Regards,
Garvin

[tchirou]

Hi

How about protecting the whole s9y directory with a single username+password using .htaccess?

I used to do that before using the http auth plugin. But People had to log twice : first with the htacess, secondly to see the content according to the group of users they belong to.

If i put the .htaccess and the http auth plugin, will they have to log twice or once, if we admit login and password are the same ?

And if users change the password in their admin panel, they will have to log twice for sure...

Tricky, isn't it ?

[garvinhicking]

Hi!

If i put the .htaccess and the http auth plugin, will they have to log twice or once, if we admit login and password are the same ?

HTTP-Auth can sadly only be used singulary; so you'd need to have the same username+password in both files.

And if users change the password in their admin panel, they will have to log twice for sure...

That's right.

I'm sorry, but I see no real way to solve your specific problem apart from creating that imagefile-wrapper I spoke of. But I doubt that this will be useful to many people, so I can't offer to do that for free. And that wrapping mechanism would only work on hosts where using a .htaccess file you can deny access to files and redirect them to a PHP file with "ErrorDocument 403 wrapper.php".

Best regards,
Garvin