This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.
This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.
14 Aug 2004
I’ve got a new project, let’s call it Project X, and one of the things I needed to do was set up a password-protected blog on an existing installation of Movable Type. Everyone that has a user account in MT needs to be able to view the blog. I also needed to use basic HTTP authentication so that the RSS feed could be password protected but still be accessed by feed readers that know the password.
I created a single PHP file that is included at the top of each page in the blog, including the RSS feed. In order to get the PHP included, each page needs to be processed by PHP. You’ll need to use all .php file extensions (even for the RSS) or get your Web server to process HTML and XML files for PHP as well. (See the end of this article for information on doing that in Apache.)
Your Web server will now ask for a username and password before it will serve any page that includes the file. The username and password are then checked against MT’s database to see if you have the correct credentials. If you do, you won’t be asked to log in again until you close your browser.
Read on for the code. Keep in mind that this only works if you are using MySQL for a database, use PHP to output your site, and want your blog to be available to any user who can log into your copy of MT.
<?php
is_user_valid();
function is_user_valid() {
$auth=false;
if (isset( $_SERVER['PHP_AUTH_USER'] ) && isset($_SERVER['PHP_AUTH_PW'])) {
$db=mysql_connect ("localhost", "yourusername", "yourpassword") or die ('I cannot connect to the database.');
mysql_select_db ("yourdatabase");
$sql = "SELECT author_password FROM mt_author WHERE author_name = '".mysql_real_escape_string($_SERVER['PHP_AUTH_USER'])."'";
$result = mysql_query($sql) or die ("Bad query");
while ($row = mysql_fetch_array($result)) {
$real_pass = $row['author_password'];
}
if (crypt($_SERVER['PHP_AUTH_PW'], substr($real_pass, 0, 2)) == $real_pass) {
$auth = true;
}
}
if (!$auth) {
header( 'WWW-Authenticate: Basic realm="The hidden Blog"' );
header( 'HTTP/1.0 401 Unauthorized' );
echo 'Authorization Required.';
exit();
} else {
return true;
}
}
?>To get Apache to run HTML and XML files as PHP just add the following to your .htaccess file…
AddType application/x-httpd-php .html
AddType application/x-httpd-php .xml
Excerpt: Only works for some blogs and some hosts (where you control the templates, and can add and execute PHP). But still useful....
Probably last statement else statement ( …} else { return true; }… ) is useless because function always returns true or stops execution.
Discovered this more than a year later but it’s great nonetheless. I’m curious though if it would be possible to limit access to the author(s) associated with the blog_id=x, not just every author in the MySQL database.
So, I’m trying to password protect my blog, could you break down the instructions for me? I’m sorry, I am a little computer illiterate.
Thanks Crys
These are the last 15 comments. Read all 24 comments here.
This discussion has been closed.
Adam Kalsey
Mobile: 916.600.2497
Email: adam AT kalsey.com
AIM or Skype: akalsey
©1999-2010 Adam Kalsey.
Content management by Movable Type.
Christian
September 18, 2004 9:32 AM
There’s a problem with the code. One of your curly brackets (whatever) is in the wrong place. The while statements should contain the following if statement. Like this:
while ($row = mysql_fetch_array($result)) { $real_pass = $row['author_password']; if (crypt($_SERVER['PHP_AUTH_PW'], substr($real_pass, 0, 2)) == $real_pass) { $auth = true; }//end if }//end while