Password Protect Entire Site

Topics: Administration, General
Sep 21, 2011 at 3:38 PM

I'm building a site that the client wants behind a password.  Any recommendations on the best way to restrict all content (page content)? I am apply the authenticated keyword on all the rules, just need a little help with the page restrictions.

Thnx! -adrian

Sep 21, 2011 at 4:41 PM

The is an Access Front End permission that you can disable for "Anonymous" role, but there is a bug in the current release, which has been fixed on 1.x branch of the source code. So you can either wait for next release or use the current source code version.

Sep 21, 2011 at 8:45 PM

I am on v. ... I have un-checked the option for Access site front-end for the Anonymous user but can still see a pages content.  The Effective permission option is checked but disabled.

Sep 21, 2011 at 8:52 PM

Yes, that is what Sébastien is saying: it's fixed in the 1.x branch, which is the unreleased 1.3 version. It is not fixed in 1.2.

Sep 21, 2011 at 8:55 PM

Ah. Thanks and my bad.

Sep 22, 2011 at 4:51 PM

The new stuff is awesome guys, great job! I want to bounce a quick question off you to possibly get some direction before I start digging.  I'm not not yet familiar with the permissions yet or how the RSS feeds are generated in Orchard, the current source is doing exactly what I needed it to do with the page content but it is also hiding the RSS feeds (DOH!).  Any ideas/insights to get me going?  Right now I'm leaning towards having the account team generate an RSS feed from somewhere else unless I would be able to rig something up in a reasonable amount of time.  Thanks again for your help!

Sep 22, 2011 at 5:52 PM

Not sure exactly what you're after, but you may want to check out the Feedburner feature in Vandelay Industries. It might do what you want, or it may give you a good starting point for whatever it is you are trying to do.,

Sep 22, 2011 at 6:06 PM

The client wants a site that is behind a password.  Unchecking the option for Access Front End under the Anonymous role provides this.  But it also hides the rss feed behind the password.  Feed burner would also be blocked from the RSS feed (unless there is a way to pass credentials through the URL).

Sep 22, 2011 at 6:15 PM

I think that eventhough the site is protected, the rss feed should work. To be verified in the feed module to see if a specific permission is checked. Otherwise we might be able to add a permission for feeds.

Sep 22, 2011 at 6:45 PM
Edited Sep 22, 2011 at 6:58 PM

That would be as sweet as the brownies I'd want to send you if that would be possible.

Sep 22, 2011 at 8:40 PM

In the mean time, if anyone else has this issue before the community is able to put a special permission if for a feed (feed only user perhaps?) I enlisted a little help from a smarty pants to hack in a quick solution.

We modified the OnAuthorization() function in the Modules\Orchard.Users\Security\AccessFrontEndFilter.cs directory to:

		public void OnAuthorization(AuthorizationContext filterContext) {
			var isAuthPage = (filterContext.ActionDescriptor.ActionName == "LogOn"
							  || filterContext.ActionDescriptor.ActionName == "ChangePassword"
							  || filterContext.ActionDescriptor.ActionName == "AccessDenied"
							  || filterContext.ActionDescriptor.ActionName == "Register")
							 && filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Account";
			bool isRSS = filterContext.ActionDescriptor.ActionName == "Index"
				&& filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Feed";
			if (!isAuthPage 
				&& !isRSS
				&& !_authorizer.Authorize(StandardPermissions.AccessFrontEnd, T("Can't access this website"))) {
				filterContext.Result = new HttpUnauthorizedResult();

It's not a good thing to do I know but will work for the time being.

Oct 5, 2011 at 8:02 PM

The 1.3.9 version is great guys! Thank you!

I'm not sure if I should create a new ticket for this but there's a view missing from the exclusions (unless it was left out on purpose).  The RequestLostPassword view should also be in the OnAuthorization() function.

            var isAuthPage = (filterContext.ActionDescriptor.ActionName == "LogOn"
				|| filterContext.ActionDescriptor.ActionName == "ChangePassword"
				|| filterContext.ActionDescriptor.ActionName == "AccessDenied"
				|| filterContext.ActionDescriptor.ActionName == "Register"
				|| filterContext.ActionDescriptor.ActionName == "RequestLostPassword")
				&& filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Account";

Oct 5, 2011 at 8:11 PM

Looks like an oversight. Can you file a bug? Thanks!

Oct 7, 2011 at 9:01 AM

Oct 7, 2011 at 6:39 PM