Protect Magento Pages

We recently built a site with a wholesale area, utilizing the “Login Only Catalog Extension” and the “Customer Activation Extension”. While this did protect our wholesale inventory from prying eyes, it still left a few pages visible to the general public. Fortunately we found a fix that addressed this issue and allowed us to secure the rest of the site in a manner that was intuitive and easy to implement.

Using Magento 1.3.2.4, the most recent version at this time, our setup is as follows. The credit for this fix goes to chillipepperdesign.

First create a file in app/design/frontend/default/your_theme/template/page/html/ called “auth_redirect.phtml” with the following content. In our case, our site has a wholesale sub-directory; edit as necessary.

<?php
// Save the requested URL so the customer is sent back to it after logging in
Mage::getSingleton('customer/session')->setBeforeAuthUrl($this->getRequest()->getRequestUri());
if (!Mage::getSingleton('customer/session')->isLoggedIn()) {  // if not logged in
    // Temporary (302) redirect: a 301 is cached by browsers and would keep
    // sending the customer to the login page even after they sign in
    header('Location: http://www.sitename.com/wholesale/customer/account/login', true, 302);  // send to the login page
    exit;
}
?>

Insert the following line in your app/design/frontend/default/your_theme/layout/page.xml file…

<block type="page/html" name="auth_redirect" as="auth_redirect" template="page/html/auth_redirect.phtml"/>

Directly after…

<block type="page/html" name="root" output="toHtml" template="page/2columns-left.phtml">

Your template name may vary. Here’s how ours looked.

<default>
    <block type="page/html" name="root" output="toHtml" template="page/2columns-left.phtml">
        <block type="page/html" name="auth_redirect" as="auth_redirect" template="page/html/auth_redirect.phtml"/>
        <block type="page/html_head" name="head" as="head">
            <!-- rest of page.xml unchanged -->
        </block>
    </block>
</default>

Now you’ll want to edit your page templates. If you’re using a purchased theme, it may only have one or two page templates in it, i.e. 2columns-left.phtml, 2columns-right.phtml, and so on. In this case, we would suggest copying the missing templates from your default directory to your theme directory. That way you’re sure these are the files being used in your site, and not the defaults.

At the top of each of these templates, add the following line directly after the php start tag, as such…

<?php echo $this->getChildHtml('auth_redirect');
/**
 * Magento
 *

Next we need to allow access to certain pages, so that our wholesale customers can sign up for the site, recover a password, and access confirmation messages. In the file customer.xml, we need to add a remove rule to each of the following layout handles. Your situation may be different, but the following are what you need if you want customers to be able to sign up themselves. Because we’re using the “Customer Activation Extension”, customers can sign up, but they must be approved by the admin before they can access the wholesale site.

The exceptions we included are as follows…

<customer_account_login>
    <remove name="auth_redirect" />
    <!-- Mage_Customer -->
    <remove name="right"/>
</customer_account_login>

<customer_account_forgotpassword>
    <remove name="auth_redirect" />
    <remove name="right"/>
    <remove name="left"/>
</customer_account_forgotpassword>

and…

<customer_account_confirmation>
    <remove name="auth_redirect" />
    <remove name="right"/>
    <remove name="left"/>
</customer_account_confirmation>

While almost every page is now blocked on our wholesale site, we still want our customers to be able to access a few of our CMS pages. Pages such as “contact us”, “legal terms”, or even the “home page”. All you have to do to enable these pages is add

<remove name="auth_redirect" />

to your “Layout Update XML”, under “Custom Design” in your CMS pages.
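
Because the guard lives in the page templates and is switched off per layout handle, a copied template or a theme update can leave a page public without anyone noticing. The audit script below is an added example, not part of the original post: it lists page templates that never call the guard and the layout handles that remove it. The function names and the sample theme built in `demo()` are constructed for illustration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Matches the guard call the post adds at the top of each page template
GUARD_CALL = re.compile(r"getChildHtml\(\s*['\"]auth_redirect['\"]\s*\)")

def unguarded_templates(page_dir):
    """Page templates (*.phtml directly in template/page/) that never render the guard."""
    return sorted(p.name for p in Path(page_dir).glob("*.phtml")
                  if not GUARD_CALL.search(p.read_text(errors="replace")))

def public_handles(layout_dir):
    """Map each layout file to the handles in it that remove auth_redirect."""
    found = {}
    for xml_file in sorted(Path(layout_dir).glob("*.xml")):
        handles = [h.tag for h in ET.parse(xml_file).getroot()
                   if any(r.get("name") == "auth_redirect" for r in h.iter("remove"))]
        if handles:
            found[xml_file.name] = handles
    return found

def demo():
    # Constructed sample theme (not from the original post): one guarded
    # template, one unguarded template, and a customer.xml with one exception.
    with tempfile.TemporaryDirectory() as tmp:
        page = Path(tmp, "template", "page")
        layout = Path(tmp, "layout")
        page.mkdir(parents=True)
        layout.mkdir()
        (page / "2columns-left.phtml").write_text(
            "<?php echo $this->getChildHtml('auth_redirect'); ?>\n<html></html>\n")
        (page / "1column.phtml").write_text("<?php /* Magento */ ?>\n<html></html>\n")
        (layout / "customer.xml").write_text(
            '<layout version="0.1.0">'
            '<customer_account_login><remove name="auth_redirect"/></customer_account_login>'
            '<customer_account_index><remove name="right"/></customer_account_index>'
            '</layout>')
        return unguarded_templates(page), public_handles(layout)

if __name__ == "__main__":
    missing, public = demo()
    print("Templates without the guard:", missing)
    print("Handles that stay public:", public)
```

CMS pages store their “Layout Update XML” in the database, so exceptions added there do not show up in this file scan and need to be reviewed in the admin panel.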

This was by far one of the easier fixes I’ve seen, for what could seemingly be a major ordeal. I wish all our Magento experiences went this smoothly. While Magento is a powerful tool, with loads of features, it can at times be extremely temperamental, and downright finicky.

We hope this was helpful. If we left anything out, let us know. Happy computing.



3 Comments to “Protect Magento Pages”

  1. Vira says:

    As a Newbie, I am always searching online for articles that can help me. Thank you

  2. admin says:

    I’m glad you found our musings useful. We truly enjoy our readers’ positive replies. :-)

  3. Schedule says:

    Best you should make changes to the blog subject Protect Magento Pages – CompRepairGurus to more catching for your blog post you write. I enjoyed the post withal.
