
Password protect an ExpressionEngine template group

I'm building a site where staff will have their own section of the site: example.com/jones, example.com/smith, etc. jones and smith are template groups with the same templates inside (using Stash and Low Variables to keep it all DRY). Some users will have different needs for privacy. On one end their section will be public. On the other end some users will need to administer who can access their content (using Solspace friends).

However, in the middle of that range are some who just want to protect against any random person seeing their content. I don't want to use members/member groups to manage this. I don't want visitors to need to register to see the content. A shared member account is an option, but we ruled that out because of other issues (what if the password is reset, comments being left under the same account, etc.).

What we would like is to password protect the template group. The staff can let people know where to see their page, and let users know what the password is. This is all possible on a server level, but is it possible to allow the user to directly manage the password? Anything we can do to minimize how much we need to have hands-on admin of this the better. A custom field and an add-on that allows for this kind of security? I didn't see anything on Devot-ee and the methods on the forums don't do this. Bit of a longshot, but figured I'd ask.

Doug asked Oct 24 '12 17:10


2 Answers

Since you said you didn't want to be tied to actual member accounts and were OK with using a custom field to store an editable password...

I just recently did something similar that protected a group of entries using a custom field. It is similar to the approach outlined in this "Password Protected Content Made Simple" article. But instead of using PHP in the template I used Mo' Variables. And instead of using url_title I used a custom field (called client_password below).

In addition, I used the Session Variables plugin to check if the user was already "logged in" on subsequent page loads, preventing them having to enter the password again and again.

{!-- PASSWORD REQUIRED --}
{if client_password != ""}

    {!-- if passed show content and set session --}
    {if post:password == client_password}

        {!-- protected content here --}
        {!-- set session --}
        {embed='embeds/_set_session' entry_id="{entry_id}"}

    {!-- if session is valid show content --}
    {if:elseif "{exp:session_variables:get name='logged_in'}" == "{entry_id}"}

        {!-- protected content here --}

    {!-- if failed show login --}   
    {if:elseif post:password != "" AND post:password != client_password}

        <div id="protected">
            <p>Incorrect password. Please try again.</p>
            <br>
            <form action="" method="post">
                <strong>Password</strong><br />
                <div>
                    <input type="password" name="password">
                </div>
                <input type="submit" class="submit" value="submit">
            </form>             
        </div>

    {!-- if first attempt show login and prompt --}
    {if:else}

        <div id="protected">
            <p>This page is password protected. Please provide the password.</p>
            <br>
            <form action="" method="post">
                <strong>Password</strong><br />
                <div>
                    <input type="password" name="password">
                </div>
                <input type="submit" class="submit" value="submit">
            </form>             
        </div>

    {/if}

{!-- NO PASSWORD REQUIRED --}
{if:else}

    {!-- protected content here --}

{/if}
Alex Kendrick answered Nov 09 '22 01:11


I wanted to update this with the code I'm using to get htaccess and htpasswd working to protect by template group. It can be used in the same way as Alex's, but is an all or nothing approach. It has its own advantages, and disadvantages, but wanted to share it as an option.

First, I am using the native template behavior: example.com/group/template/url_title. I want to password protect some template groups, but outside of EE's members and member groups, i.e. a single user and password.

My htaccess file looks like this (from http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/):

# Flag the URLs that should be password protected
# (everything whose path starts with /privategroup)
SetEnvIf Request_URI "^/privategroup.*$" private

# Setup the password protection
AuthName "Password Needed"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /Users/user/Sites/example/.htpasswd
Require valid-user

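# Deny flagged URLs at the host level so that, with "Satisfy any", they need a
# valid login; all other URLs pass the host check and load without a password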
Order Deny,Allow
Deny from env=private
Satisfy any

The htpasswd file should be above webroot, but for testing I left it in webroot. The AuthUserFile line tells Apache where to find the file with the usernames and passwords. This must...MUST be an absolute path. I was using relative and got 500 errors. You need to use terminal or some other tool to make this file. http://developer.apple.com/library/Mac/#documentation/Darwin/Reference/ManPages/man1/htpasswd.1.html

The result is that the directory requires a username and password. Right now it will accept any valid user in my htpasswd file. However I can change that by specifying a specific user (require user john tim lisa) or groups.

There you have it. Keep people out of specific template groups without using any native EE functionality.

Doug answered Nov 09 '22 03:11
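The answer above notes that AuthUserFile must be an absolute path and that the htpasswd file belongs above webroot. The following shell check for both points is an added example, not part of either answer; the function names `check_authuserfile` and `make_fixture` and the fixture paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Checks the AuthUserFile named
# in an .htaccess file: absolute path, file exists, and lives outside webroot.
# Create the password file itself with: htpasswd -c /path/.htpasswd username
# Limitation: paths containing spaces are not handled.
check_authuserfile() {   # usage: check_authuserfile HTACCESS WEBROOT
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$1" | tr -d '"')
    if [ -z "$pwfile" ]; then echo "no AuthUserFile directive"; return 1; fi
    case $pwfile in
        /*) ;;
        *) echo "relative path: $pwfile"; return 1 ;;
    esac
    if [ ! -f "$pwfile" ]; then echo "missing file: $pwfile"; return 1; fi
    # Compare physical paths so symlinked directories and ".." cannot hide the location.
    real_pw=$(cd "$(dirname "$pwfile")" && pwd -P)/$(basename "$pwfile")
    real_root=$(cd "$2" && pwd -P)
    case $real_pw in
        "$real_root"/*) echo "inside webroot: $real_pw"; return 1 ;;
    esac
    echo "ok: $real_pw"
}

# Constructed fixture: a throwaway site tree with three .htaccess variants.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/site/public"
    : > "$base/site/.htpasswd"            # above webroot
    : > "$base/site/public/.htpasswd"     # inside webroot
    echo "AuthUserFile $base/site/.htpasswd"        > "$base/good.htaccess"
    echo "AuthUserFile $base/site/public/.htpasswd" > "$base/inroot.htaccess"
    echo "AuthUserFile ../.htpasswd"                > "$base/relative.htaccess"
    echo "$base"
}

fx=$(make_fixture)
for f in good inroot relative; do
    check_authuserfile "$fx/$f.htaccess" "$fx/site/public" || echo "  -> fix $f.htaccess"
done
rm -rf "$fx"
```

Run it against the real .htaccess and document root before moving from the test layout to production.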