Project

General

Profile

Support #14074

page password protection problem

Added by Marilyn Weber 7 months ago. Updated 7 months ago.

Status:
Reporter Feedback
Priority name:
Normal
Assignee:
-
Category name:
WordPress (misc)
Target version:
Start date:
2021-02-27
Due date:
% Done:

0%

Estimated time:

Description

Ines Vano_Garcia has successfully password protected the "readings and other material" page on her site, https://spa114fall2020.commons.gc.cuny.edu/readings-and-other-material/

However, her attempt and mine to do so for a different page do not work - the link for "blogging", https://spa114fall2020.commons.gc.cuny.edu/blogging/

She appears to have done the same thing on each page. I tried too, but no luck. Is this a bug?

Thanks!

History

#1 Updated by Boone Gorges 7 months ago

  • Category name set to WordPress (misc)
  • Status changed from New to Reporter Feedback
  • Target version set to Not tracked

https://spa114fall2020.commons.gc.cuny.edu/blogging/ is a special kind of page, which has been selected as the 'Posts page' at https://spa114fall2020.commons.gc.cuny.edu/wp-admin/options-reading.php. When configured this way, WordPress no longer uses the regular "single page" template to generate the page, but instead uses the "post archive" template. The post-archive template does not support password-protection in the same way as the single-page template; on archives, the content of individual password-protected posts will be hidden, but the entire archive cannot be hidden. This is a limitation of the WordPress platform.

If it's important that specific posts be hidden behind a password, then each of those posts must be password-protected separately (such as https://spa114fall2020.commons.gc.cuny.edu/2020/12/04/estereotipos-en-gentefied/, for example). You cannot password-protect the "archive" or "Blogging" page as a shortcut.

I'm adding Ray and Jeremy as watchers in case they know of any shortcuts or other ways around this issue.

#2 Updated by Marilyn Weber 7 months ago

thanks - this is super useful to know full stop. I'll pass it on to Ines.

#3 Updated by Raymond Hoh 7 months ago

Boone, the following would allow password protection on the blog page (a.k.a Posts page):

add_action( 'parse_query', function( $q ) {
    // Bail if not main query or blog page.
    if ( ! $q->is_main_query() || ! $q->is_home() ) {
        return;
    }

    // Get blog page ID.
    $id = $q->get_queried_object_id();

    // Bail if blog page is not password protected.
    if ( ! post_password_required( $id ) ) {
        return;
    }

    // If password protected, wipe out posts and show password form.
    add_action( 'loop_start', 'cac_blogpage_postpass_ob_start', -9999 );
    add_action( 'loop_end', 'cac_blogpage_postpass_ob_end_clean', 999 );
    add_action( 'loop_end', function() use ( $id ) {
        echo get_the_password_form( $id );
    }, 9999 );
} );

function cac_blogpage_postpass_ob_start( $q ) {
    // Sanity check.
    if ( ! $q->is_main_query() ) {
        return;
    }

    remove_action( 'loop_start', __FUNCTION__, -9999 );
    ob_start();
}

function cac_blogpage_postpass_ob_end_clean( $q ) {
    // Sanity check.
    if ( ! $q->is_main_query() ) {
        return;
    }

    ob_end_clean();
    remove_action( 'loop_end', __FUNCTION__, 999 );
}

#4 Updated by Boone Gorges 7 months ago

Thanks, Ray! This is very clever. I worry about weird edge cases, though - like when a theme doesn't properly implement the loop, so that loop_start and loop_end hooks aren't fired as expected. It also raises the possibility of weird display issues, because WP's default behavior is to swap out the_content with the password form, which might have different markup as a wrapper than the post loop.

More generally, I am wary of doing magic like this, especially as regards privacy. It feels fragile. And it gives the incorrect indication that hiding an archive page means hiding the individual items on that archive, which is definitely not the case - even with this trick in place, you'd have to hide individual pages as well if you didn't want them accessible via their URLs (or via other, non-blocked archives like the date archives). So it provides a sense of false security.

For these reasons, I recommend against implementing any further changes of this sort.

Also available in: Atom PDF