[Feature] Password protected blogs #4993

Closed
ErisDS opened this Issue Mar 4, 2015 · 9 comments

ErisDS commented Mar 4, 2015

One feature that is in high demand is an easy way to password protect the frontend of a blog. This could act as an under construction type page, or as a way to only circulate your content amongst a certain group of people.

The proposal is to provide a simple configuration option in the settings panel:

Note that the structure and labels here may change.

Once a password is filled out in the password box on this page, visiting any page of the blog should result in a temporary redirect to a new page served at /private/ which shows the message (if available) and a form to enter the password. This new page should have a default template (design issue: #5073), and be overridable/customisable by providing a password.hbs template in your theme.

Entering the password into the box should provide access to the original page requested.

The password should only need to be entered once a month, so that users are free to browse around once they have entered the password.

The RSS feed and sitemap should probably simply return a 404 for these blogs?

The message field should probably accept HTML and/or markdown.

@ErisDS ErisDS added the feature label Mar 4, 2015

@ErisDS ErisDS added this to the Current Backlog milestone Mar 4, 2015

letsjustfixit commented Mar 4, 2015

I think the question is going to be asked real soon:
"Is it only available for a whole site lock-down or are you going to be able to lock only certain objects (posts) at a time?" :)
As well as: Ok but they might want to "whitelist" a few pages etc..

Member

ErisDS commented Mar 4, 2015

Ghost is all about solving problems for 90% of our users. This solves the use case which has been in high demand, and is currently only possible with advanced nginx configurations using HTTP basic auth, which is pretty ugly and requires you to self-host. This feature will likely get moved out to an app in future.

If you want to lock down specific pages, use the user accounts & permissions from the admin, build a paywall, exclude people by IP or any of the other more advanced versions of this sort of feature, you'll need to wait for apps ;)

nuclearpengy commented Mar 5, 2015

This sounds great for "internal" team notice boards hosted on Ghost(Pro). Dig it.

letsjustfixit commented Mar 5, 2015

@ErisDS I see that and it's a great feature, I just wanted to suggest two things which I most commonly see WordPress users ask for regarding this (with the notice that they have one-page password protection only in the CMS and ask for whole-page lockdown :) )
All in all good to see the progress and 👍

Member

acburdine commented Mar 25, 2015

@ErisDS Although I might need a little bit of help, I'm willing to take a crack at this one.

Member

acburdine commented Mar 26, 2015

One question I do have initially: how would this be implemented in terms of session? The backend would need to return some sort of token most likely, and it would also need to handle expiration time. And I don't want to mess up the simple auth stuff by adding this to it...

Member

ErisDS commented Mar 26, 2015

Hi @acburdine, the simple auth package lives in the admin client, and is completely separate to the server part of Ghost which deals with the frontend of the blog, therefore this would need to be implemented completely separately, probably as middleware for express.

My recommended implementation would be to generate a token based on a hash of the current password (and maybe also the expiry date), and store that in a cookie. This could then be used to invalidate the user's session if the password in the admin panel is changed (or the expiry date has passed).

I have updated this issue with a couple more details where it used to say TBD, and raised a separate issue for the design aspects. As mentioned in IRC, the best thing to do is hide the feature behind a feature flag for the time being and implement it without style/design and the design can be layered over the top afterwards.

For more info on adding 'feature' flags (controlled by config.js or a checkbox in labs) this PR should help: https://github.com/TryGhost/Ghost/pull/4754/files.
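
Added example (not part of the thread and not Ghost's code): one way to build the cookie token described in the comment above, so that it stops validating when the password is changed or the expiry passes. It swaps the bare hash for an HMAC keyed with a server-side secret so the cookie value cannot be used to guess the password offline; `issueToken`, `verifyToken`, `serverSecret` and `passwordSetting` are hypothetical names.

```javascript
const nodeCrypto = require('node:crypto');

// "Once a month" from the proposal, taken here as 30 days (assumption).
const MONTH_MS = 30 * 24 * 60 * 60 * 1000;

// Assumption: serverSecret is a random value kept only on the server.
// passwordSetting is whatever the server stores for the blog password
// (plain or hashed); changing it changes every MAC.
function mac(serverSecret, passwordSetting, expiresAt) {
    return nodeCrypto.createHmac('sha256', serverSecret)
        .update(`${expiresAt}|${passwordSetting}`)
        .digest('hex');
}

// Cookie value to set after the visitor enters the correct password.
function issueToken(serverSecret, passwordSetting, now = Date.now()) {
    const expiresAt = now + MONTH_MS;
    return `${expiresAt}.${mac(serverSecret, passwordSetting, expiresAt)}`;
}

// True only if the token was issued for the current password and has not
// expired. Malformed or missing cookies are rejected without throwing.
function verifyToken(serverSecret, passwordSetting, token, now = Date.now()) {
    if (typeof token !== 'string') return false;
    const match = /^(\d{1,15})\.([0-9a-f]{64})$/.exec(token);
    if (!match) return false;

    const expiresAt = Number(match[1]);
    if (expiresAt <= now) return false;

    // The expiry is covered by the MAC, so editing it in the cookie fails here.
    const expected = Buffer.from(mac(serverSecret, passwordSetting, expiresAt), 'hex');
    const presented = Buffer.from(match[2], 'hex');
    return nodeCrypto.timingSafeEqual(expected, presented);
}

// Constructed sample values, for illustration only.
const sampleSecret = 'constructed-server-secret';
const sampleNow = 1700000000000;
const sampleToken = issueToken(sampleSecret, 'old-password', sampleNow);

console.log(verifyToken(sampleSecret, 'old-password', sampleToken, sampleNow + 1000));
console.log(verifyToken(sampleSecret, 'new-password', sampleToken, sampleNow + 1000));
```

In an express middleware the token would be read from the request cookie and a failed check would lead to the redirect to /private/; the cookie itself should be set `HttpOnly`.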

Member

acburdine commented Mar 28, 2015

@ErisDS should the robots.txt file still be served? I'm trying to figure out where to put the middleware in the order of middleware calls.

Member

ErisDS commented Mar 28, 2015

@acburdine yes I think it ought to be? I think we possibly even want a special robots.txt for these blogs

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 4, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- modified gh-count-chars to have a max value

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 6, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- modified gh-count-chars to have a max value

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 7, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- modified gh-count-chars to have a max value

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 8, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- modified gh-count-chars to have a max value

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 9, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 16, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 17, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 21, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 22, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 23, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- adds testing for password protection

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 27, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- adds testing for password protection

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 27, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- adds testing for password protection
- changes the bcryptjs module to bcrypt

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 27, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- adds testing for password protection

acburdine added a commit to acburdine/Ghost that referenced this issue Apr 30, 2015

added password protection
closes TryGhost#4993
- brings password protection to the frontend of blogs
- adds testing for password protection
- upgrades bcrypt-js to 2.1.0

@ErisDS ErisDS closed this in 2865662 May 2, 2015

ErisDS added a commit to ErisDS/Ghost that referenced this issue May 13, 2015

Theming updates for password protection
refs TryGhost#4993, TryGhost#5073

- Removed nonexistent helpers siteDescription and bodyClass from admin templates
- Changed password.hbs to private.hbs to match the route name
- added a new input_password helper for rendering the password input with the correct properties
- removed the forward input as this can be handled via urls only

ErisDS added a commit to ErisDS/Ghost that referenced this issue May 13, 2015

Theming updates for password protection
refs TryGhost#4993, TryGhost#5073

- Removed nonexistent helpers siteDescription and bodyClass from admin templates
- Changed password.hbs to private.hbs to match the route name
- added a new input_password helper for rendering the password input with the correct properties
- removed the forward input as this can be handled via urls only
- moved 'private' to routeKeywords
- added 'private' context
- minor update to text next to the password in settings