processwire-requests icon indicating copy to clipboard operation
processwire-requests copied to clipboard

Published 20 hours ago verified publisher icon processwire

Allow restricting access for the entire site, starting from the home / root page

Open teppokoivula opened this issue 4 years ago • 5 comments

Short description of the enhancement

I would like to be able to protect entire site from non-authenticated access, hence I'd like to disable guest view access for the home page.

Current vs. suggested behavior

Currently it's not possible to remove guest access to home page. My suggestion would be to either...

a) remove this restriction and instead add a proper warning, b) allow superusers (via admin) to decide if this should be doable, or c) add a way to specify via site config or custom hook whether this should be possible.

As things are now, this needs to be done with custom code, which is somewhat prone to error: unless it's done with hooks the developer may accidentally allow public access to things like assets, and even with the hook approach it can get complicated. Other hooks (i.e. from an installed module) may also accidentally interfere with this sort of protection.

Another option is to leave the home page unprotected, which in turn can result in an unnecessarily complex page structure, and requires making extra sure that the home page can't accidentally contain any non-public content and that all the pages that can be added as direct children are access protected.

Why would the enhancement be useful to users?

This is primarily intended for sites that are completely access-protected, such as intranets, extranets, internal tools or other types of non-public portals, sites still under development, and overall any situation where the site intentionally provides no public interface at all (not counting the login page).

Overall I believe that this feature would add flexibility and make a thing that now requires going through some hoops easier. The downsides are, in my opinion, less of an issue: if superuser and/or developer access is required anyway, said superuser/developer should be able to reverse the protection if it turns out to be a problem.

Optional: Screenshots/Links that demonstrate the enhancement

Some related links — might update this list later, just pointing out that this has indeed been discussed over the years (I'm probably missing a few cases here):

  • https://github.com/ryancramerdesign/ProcessWire/issues/276
  • https://processwire.com/talk/topic/24897-weekly-update-%E2%80%93%C2%A08-january-2021/?do=findComment&comment=210139
  • https://processwire.com/talk/topic/16896-best-approach-to-handling-page-view-permissions-in-an-app-built-on-processwire/
  • https://processwire.com/talk/topic/9965-restricting-file-access-to-logged-in-users/
  • https://processwire.com/talk/topic/4480-restricting-access-to-whole-site/
  • https://processwire.com/talk/topic/2025-restrictions-on-access-control/

teppokoivula avatar Jan 16 '21 11:01 teppokoivula