v1.0.2 The default password does not seem to work. Adding new users with (sha1) password does not work either.

In the security salt section of the documentation (README.md), there is link to a random password generator. The generator no longer exists at the URL. I did a search on http://www.sethcardoza.com but didn't find any reference to it.

I think a new alternate link should be added or the suggestion to use the link be removed.

If I enabled the plugin and set the whole site as private then the grav scheduler doesn't work anymore.

It is easy to test it when you call the scheduler manually to show all jobs:

cd /var/www/pathtosite
sudo -u www-data /usr/bin/php bin/grav scheduler -j

So if the site if private, no output is printed and no job will be executed.
If I disable the plugin, everything works fine.

Here is my config:

enabled: true
routes:
  login: /login
  logout: /logout
session_ss: RANDOM-HASH
private_site: true
private_tag: hidden
enable_username: false
users:
  no_user: PASSWORD-HASH
texts:
  h1: 'Privater Bereich'
  h2: 'Bitte <strong>einloggen</strong> um Inhalt zu sehen...'
fields:
  username:
    label: Username
    placeholder: 'Enter your username'
  password:
    label: Passwort
    placeholder: 'Gib das Passwort ein'
  antispam:
    label: Antispam
    placeholder: 'Please leave this field empty for Antispam'
  login:
    label: Login
messages:
  success: 'You are logged.'
  error: 'Oops! There was a problem with your submission. Please try again or <a href=''https://github.com/Diyzzuf/grav-plugin-private/issues'' target=''_blank''>report an issue </a>'
  fail: 'Oops! Something went wrong.. Try Again !'

Anyway to make the session time last longer ?

I installed the plugin today (2017-04-21) and set it exactly as your readme.md on GitHub says, but when I try it out and enter the (still default) password, I receive n error: "Call to a member function post() on null"

Does anyone know why this happens and how I can solve it?

Other plugins may utilize php sessions. To prevent an error from another session already running I would either name the session or change the session_start() to if (!isset($_SESSION)) { session_start(); }

I am a little confused. I need to implement this on a single page. From what I am reading in the ReadMe file, I should set private_site: false and add private-tag: hidden to the yaml on the page I am trying to make private? Or am I getting this wrong? Would it be possible for you to provide a sample private.yaml file that targets one page specifically?

Hi,

I have just installed and configured the plugin, and it works fine. However I have noticed that when doing a site search, results from protected pages are also returned, along with complete public access to those results.

Use case:

• I apply protection for a page or chapter
• If I navigate to the page, I am getting prompted for password (desired behavior)
• If I search for a keyword within the protected area, I am getting results and access to the protected area (undesired behavior)

Maybe I am missing something, but this should not happen. Any way to prevent protected content/pages from appearing in search results? I am using the Learn2 theme Thanks.

It seems your plugin works great so far but does not include integration to grav admin to easier configure your plugins options. Please add this.

What I have done are these.

• These are part of my private.yaml.

enabled: true

routes:
  login: "/login"
  logout: "/logout"

# MUST BE AN ALPHANUMERIC CHAR
# Generator : http://www.sethcardoza.com/tools/random-password-generator/
session_ss: random_value


private_site: false
private_tag: hidden
enable_username: false

• I go to system.yaml and add private_tag to the taxonomies. Here is my system.yaml.

title: notalentgeek
author:
  name: notalentgeek
  email: [email protected]
taxonomies:
  - category
  - private_tag
  - tag
metadata:
  description: 'Grav is an easy to use, yet powerful, open source flat-file CMS'
summary:
  enabled: true
  format: short
  size: 300
  delimiter: '==='
blog:
  route: /blog

• I go to the default.md of my post that I want to make it private and add this to the front matter tag: [private_tag]. Here is my example of default.md.

---
title: 'A Private Blog Post'
published: true
process:
    markdown: true
child_type: default
routable: true
cache_enable: true
visible: true
content:
    items: @self.children
    order:
        by: title
        dir: asc
    pagination: true
tag: [private_tag]

---

However my post was still there and there is no password prompt. I think I might miss a thing or more but I never have experience with this .yaml things before.

I have the plugin set to keep one page of my site private using the tag hidden, however, even after entering the password correctly I am not redirected to the page. Have I missed some step?

1. I've created a long salt
2. I've set a new SHA1 password
3. The plugin is enabled
4. I have the plugin set to no_user

I've attached a screenshot of the private.yaml file

Thoughts?

Hello Diyzzuf!
I am working with grav at the moment and we have just recently released our admin plugin (with a login plugin). Many users still enjoy your plugin and we need some help in order for your plugin to be continued to be downloaded. If you could create a "develop" branch of your "grav-plugin-priavte" repository it would be wonderful. The "develop" branch is the branch that the general majority of plugins are stable at so we pull from that. Even if you make your "develop" branch the same as you "master" branch it would be a great help allowing users to download and update your plugin from the admin panel.
Thank you!

I've created a new clean build of grav and added this plugin. Once it's enabled the login page loads but no password field is visible.

Hi! im used Grav documentation template ( http://learn.getgrav.org/ )
your plugin work, but unauthorized user has see left menu, how i can hide it before login?

Hello,

I have some problem on private page configuration.

The plugin private is enabled.

The private_site value (false) is correct in /user/config/plugins/private.yml

 enabled: true
 routes:
    login: /login
    logout: /logout
 session_ss: random_value
 private_site: false
 private_tag: hidden
 enable_username: false

I added private_tag: hidden in my private page named PRIVATE : /user/pages/11.PRIVATE/default.md

  ---
  title: PRIVATE
  private_tag: hidden
  ---

Result : No authentification form when i select PRIVATE page from menu. What is the problem ?

Best Regards.

For example I have multiple pages, one of them blog, which is private. When it is clicked on, username and password is asked. If I enter a username and password defined in /var/www/grav/user/config/plugins//var/www/grav/user/config/plugins all is ok, user gets in. But when entering undefined user, any combination, then user gets an error visible in browser and it gets logged as:
[2017-05-26 19:52:38] grav.CRITICAL: Undefined index: wootwoot - Trace: #0 /var/www/grav/user/plugins/private/private.php(224): Whoops\Run->handleError(8, 'Undefined index...', '/var/www/grav/u...', 224, Array) #1 /var/www/grav/user/plugins/private/private.php(167): Grav\Plugin\PrivatePlugin->sendLogin() #2 /var/www/grav/user/plugins/private/private.php(126): Grav\Plugin\PrivatePlugin->getLoginPage() #3 [internal function]: Grav\Plugin\PrivatePlugin->onPageInitialized(Object(RocketTheme\Toolbox\Event\Event), 'onPageInitializ...', Object(RocketTheme\Toolbox\Event\EventDispatcher)) #4 /var/www/grav/vendor/symfony/event-dispatcher/EventDispatcher.php(184): call_user_func(Array, Object(RocketTheme\Toolbox\Event\Event), 'onPageInitializ...', Object(RocketTheme\Toolbox\Event\EventDispatcher)) #5 /var/www/grav/vendor/symfony/event-dispatcher/EventDispatcher.php(46): Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(Array, 'onPageInitializ...', Object(RocketTheme\Toolbox\Event\Event)) #6 /var/www/grav/vendor/rockettheme/toolbox/Event/src/EventDispatcher.php(23): Symfony\Component\EventDispatcher\EventDispatcher->dispatch('onPageInitializ...', Object(RocketTheme\Toolbox\Event\Event)) #7 /var/www/grav/system/src/Grav/Common/Grav.php(277): RocketTheme\Toolbox\Event\EventDispatcher->dispatch('onPageInitializ...', Object(RocketTheme\Toolbox\Event\Event)) #8 /var/www/grav/system/src/Grav/Common/Processors/PagesProcessor.php(25): Grav\Common\Grav->fireEvent('onPageInitializ...') #9 /var/www/grav/system/src/Grav/Common/Grav.php(126): Grav\Common\Processors\PagesProcessor->process() #10 /var/www/grav/system/src/Grav/Common/Grav.php(368): Grav\Common\Grav->Grav\Common\{closure}() #11 [internal function]: Grav\Common\Grav::Grav\Common\{closure}('pages', 'Pages', Object(Closure)) #12 /var/www/grav/system/src/Grav/Common/Grav.php(344): call_user_func_array(Object(Closure), Array) #13 /var/www/grav/system/src/Grav/Common/Grav.php(127): Grav\Common\Grav->__call('measureTime', Array) #14 /var/www/grav/index.php(52): Grav\Common\Grav->process() #15 {main} [] []

private.yaml has following start, the rest is default:

enabled: true
routes:
  login: /login
  logout: /logout
session_ss: apache_fastcgi
private_site: false
private_tag: hidden
enable_username: true
users:
  testuser: 6aed8f69402c1d7e81aff1bb2fd59d48e9b7639c
texts:
  h1: 'Private Area'
  h2: 'Please <strong>login</strong> to view this content...'

First I thought I have missed some config etc., but I cant find any, looks like a bug.

When I login in to private (whole site is private) the redirect goes to the 404 error page.

i have only a few pages marked hidden, not the whole site.
if i login on those pages, i get taken to the page as expected.
when i then go back (press back button in browser), it takes me to the /blog page instead of where i started from.
i have system.yaml set to hide the /blog route in urls.

this happens only after login, once the login session is active going back works normally.

i can always reproduce this by deleting the cookies.

Hi, thanks for your plugin.
I'm having issues in making a page private.
I have followed the README instruction: turning private_site: false in user/config/plugins/private.yaml, adding private_tag taxonomy in user/config/site.yaml and adding private_tag: true in page taxonomy I want private.
This is not working for me. Am I doing something wrong?

The private plugin works great to prevent entry to whole site.
However there is a conflict with the admin/login plugin combination.
Private is using the same template name as the login plugin so private plugin template is never rendered when login plugin is active.
Fix for me was just to rename the template in page.md

When changing the default password, how is this done? Do you just add password: newpassword to user>config>plugins>private.yaml ? I have added that line to the yaml and it does not seem to affect anything.

when enabled in all site, it works, but, when is false, and enabled in one page, dont.

my page is a blog inside a modular

write this in expert mode
#taxonomy:
private_tag: hidden

thanks!

I set up a grav form for a client and used my email address for testing/dev purposes. Everything worked perfectly. Now that we have the site live, we tried to update the email using the https://getsimpleform.com/ to get a new token. I replaced the line: session_ss: 065fc5e4f4306c97706fe22a2f4945e9 with the new token in the file: user/config/plugin/private.md

The problem comes in testing this new token - I am still receiving the emails as I did in testing. The client is not getting the emails as I would expect with the new token associated with his email. Is this a cache issue? Doing a bin/grav clear-cache has no affect.

Just FYI, you should update this for next release as it still shows 1.0.3

Hi!

I am using latest stable version of this plugin.

My user/config/plugins/private.yaml

enabled: true
routes:
login: /login
logout: /logout
session_ss: random_value
private_site: true
private_tag: hidden
enable_username: false
users:
no_user: fc683cd9ed1990ca2ea10b84e5e6fba048c24929
[......]

$ echo "secret" | sha1sum
fc683cd9ed1990ca2ea10b84e5e6fba048c24929 -

When i type "secret" in password field, I get "Oops! Something went wrong.. Try Again !"

session_start() in onInitializedPlugin forcefully Set-Cookie even if one is not needed.
This breaks caching and is undesirable.

I think this feature would make this plugin even mightier.

The external site for hash generation should only be advised as a fast checking, not something to be used for anything live (production). Transmitting your password to an unknown site over http is double not secure. Please add to the readme, help or comment in the file, as primary option for hash generation a locally executed command: echo -n "yourpassword" | sha1sum instead.

Is there a way to hide the "Hidden" tag? ... or am I missing something?

See attachment ...

Here is what I propose.
Let say I have these user in my private.yaml.

• no_user: password
• admin1: password
• admin2: password
• user1 password
• user2 password

I want so that admin1 only can open some pages while other user can only open some other different pages.

I would love to fork, but I do not have any experience in .php. Perhaps, if you can give me small pointer on which files and lines are important to take note on to, so that I can make this happen.

The private plugin is not working the way I want it to. Even if I update private_site: false, the whole page is still password-protected, and nothing changes when I use the hidden-tag on the specific page I want to make private.

Is this some kind of bug or am I doing something wrong?

Is there a way to set the site to private but exclude a few select pages and have them public?

Is there any setting to put only a single sub-route as private?
Ex: / site -> Public, / internal -> Private

Hi, with the simple use case of no username and fixed password it can seem like an easy target for brute force. It would be a great enhancement to rate limit logins. Some simple scheme would be sufficient. eg > 20 failed login attempts in any 60 minute period respond with 401. Just make it global, not per user. / session / ip or anything tricky (which is all able to be bypassed anyway)