The latest version of Coaster CMS lets you block visitors from accessing certain content, such as PDFs, images and documents, unless they are logged in. Users who try to access any of this content before logging in are redirected to a login page, where they can register if they don’t already have an account. Once logged in, all of these files become available to the user.
Setting up a secure directory
Securing files within Coaster CMS is straightforward. Log into your website at yourwebsite.com/admin, navigate to System Settings and scroll to the bottom of the page. You will see a setting named “Secure Upload Folders”; enter a directory name of your choice.
This directory will now be visible in your file manager, and any files placed in it will only be served to logged-in users. If you want a members-only area, where any visitor to your site can create an account, follow the steps below.
Creating a user registration form
You can piggyback on Coaster’s own user model to register and authenticate front-end users. First, create a very short model that extends the Coaster CMS user model: a file named User.php in the app/Models directory (create the directory if it doesn’t already exist) containing the code below.
```php
<?php

namespace App\Models;

class User extends \CoasterCms\Models\User
{
    // role_id is mass-assignable here, so only ever pass explicitly chosen
    // values to User::create(), never raw request input (see create() below).
    protected $fillable = ['name', 'email', 'password', 'role_id'];
}
```
The next step involves adding some user login and user registration methods to the app/Http/Controllers/Auth/AuthController.php file.
```php
// Add these to the use block at the top of app/Http/Controllers/Auth/AuthController.php
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function getLogin()
{
    return view('auth/login');
}

public function postLogin(Request $request)
{
    $this->validate($request, [
        'username' => 'required',
        'password' => 'required',
    ]);

    $credentials = $request->only('username', 'password');

    if (Auth::attempt($credentials, $request->has('remember'))) {
        // intended() sends the user back to the protected page that triggered
        // the login redirect, falling back to the downloads page.
        return redirect()->intended('downloads');
    }

    return redirect('auth/login')
        ->withInput($request->only('username', 'remember'))
        ->withErrors(['username' => 'These credentials do not match our records.']);
}

public function getLogout()
{
    Auth::logout();

    return redirect('/');
}

public function getRegister()
{
    return view('auth/register');
}

public function postRegister(Request $request)
{
    // same:password replaces the manual equality check on the two password fields
    $this->validate($request, [
        'name' => 'required',
        'email' => 'required|email',
        'password' => 'required|min:8',
        'password_confirmed' => 'required|same:password',
    ]);

    // Pass only the fields create() needs; role_id is never taken from the request.
    $user = $this->create($request->only('name', 'email', 'password'));

    // Log the new account in directly. The registration form has no 'username'
    // field, so re-running Auth::attempt() with the form input cannot succeed.
    Auth::login($user, $request->has('remember'));

    return redirect('downloads');
}
```
Don’t worry about the views referenced in the code above; we will create them shortly. At the bottom of this file there is a create method. Before we continue, it must set the role_id of new users to a role that has front-end access only. The numeric id depends on your install (6 is the value used here), so check it against the roles in your own database before copying it.
```php
// Requires `use App\Models\User;` at the top of the file; the default import
// of App\User would bypass the model created above.
protected function create(array $data)
{
    return User::create([
        'name' => $data['name'],
        'email' => $data['email'],
        'password' => bcrypt($data['password']),
        'role_id' => 6, // id of the front-end-only role in this install; verify yours
    ]);
}
```
It is vitally important that you set this field explicitly: otherwise new accounts may be created with a default role that grants admin access to the backend of your site. Note also that role_id is in the model’s $fillable list, so never pass raw request input to User::create (for example $request->all()); a visitor could then submit their own role_id and pick an administrator role. The create method above copies only the three fields it needs and hard-codes the role, which is what keeps it safe.
Finally we must make some changes/additions to the routes.php file within the app/Http directory.
```php
<?php

// app/Http/routes.php

Route::group(['middleware' => ['web']], function () {
    // Login / logout
    Route::get('auth/login', 'App\Http\Controllers\Auth\AuthController@getLogin');
    Route::post('auth/login', 'App\Http\Controllers\Auth\AuthController@postLogin');
    Route::get('auth/logout', 'App\Http\Controllers\Auth\AuthController@getLogout');

    // Registration
    Route::get('auth/register', 'App\Http\Controllers\Auth\AuthController@getRegister');
    Route::post('auth/register', 'App\Http\Controllers\Auth\AuthController@postRegister');
});

// Everything in this group passes through app/Http/Middleware/Authenticate.php
Route::group(['middleware' => ['web', 'auth']], function () {
    Route::get('downloads', [
        'as' => 'downloads',
        'uses' => '\CoasterCms\Http\Controllers\Frontend\PageLoaderController@index',
    ]);
});
```
The first group registers the routes for login, logout and registration. The second group puts the downloads page behind the auth middleware, so visitors who are not logged in are redirected to the login page. You can adapt this to require authentication for any URLs you like. Two things to keep in mind: the route only protects the page itself, while the files are protected by the Secure Upload Folders setting above; and a logout reached by GET can be triggered by any page that embeds that URL, so a POST form is the safer choice for it.
Middleware
You’ll have seen the auth middleware in the routes above (see Laravel’s middleware documentation for more information).
There are a few changes to make to the Authenticate.php file found in app/Http/Middleware. The code below makes the middleware answer AJAX requests directly: a guest gets a 401 rather than a redirect to an HTML login page, and a logged-in user gets a 200. Note that in the logged-in case the controller does not run for that request, so keep that branch only if a yes/no answer is all your front-end script needs.
```php
// Requires `use Closure;` at the top of app/Http/Middleware/Authenticate.php
public function handle($request, Closure $next)
{
    if ($this->auth->guest()) {
        if ($request->ajax()) {
            // XHR clients cannot follow a redirect to an HTML form; tell them plainly
            return response('Unauthorized.', 401);
        }

        // guest() remembers the requested URL so intended() can return here after login
        return redirect()->guest('auth/login');
    }

    // Not a guest, so the user is authenticated (guest() and check() are complementary)
    if ($request->ajax()) {
        // Answered here; the route's controller is not reached for this request
        return response('User is logged in.', 200);
    }

    return $next($request);
}
```
All that is required now is a login view and a registration view. In this tutorial we have placed them in resources/views/auth. Create a login.blade.php file and a register.blade.php file (if you’d prefer not to use the Blade templating engine, omit the .blade extension). The field names must match the controller’s validation rules: username, password and remember on the login form; name, email, password and password_confirmed on the registration form. Because these routes sit in the web middleware group, both forms must also include the CSRF token field (csrf_field() in Blade), or every POST will be rejected with a token mismatch. I won’t go into too much detail on building the forms, as this has already been covered within our developer documentation.
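Before relying on the members-only area, it is worth proving that the pieces above fit together. The following PHPUnit feature test is an added example, not part of the Coaster CMS tutorial or the Coaster code base; it uses the Laravel 5.1/5.2-era test helpers (call, post, assertRedirectedTo, seeInDatabase) and assumes a test database loaded with Coaster’s schema, a users table named users, and role id 6 as the front-end-only role. Laravel skips the CSRF check while running tests, so the POSTs need no token. The last test is the one a security reviewer most wants: it submits a role_id with the registration form and checks that the account still ends up with the front-end role.

```php
<?php

// tests/FrontendAuthTest.php (added example; file name and role id are assumptions)

use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Facades\Auth;

class FrontendAuthTest extends TestCase
{
    use DatabaseTransactions; // roll back every row the tests create

    const FRONTEND_ROLE_ID = 6; // assumed id of the front-end-only role

    /** A guest browser request to the protected page is sent to the login form. */
    public function testGuestIsRedirectedToLogin()
    {
        $this->call('GET', '/downloads');

        $this->assertRedirectedTo('auth/login');
    }

    /** A guest XHR request gets a 401 instead of an HTML redirect. */
    public function testGuestAjaxRequestGets401()
    {
        $this->call('GET', '/downloads', [], [], [], [
            'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest', // what $request->ajax() looks for
        ]);

        $this->assertResponseStatus(401);
    }

    /** Registration creates a front-end-only account and logs it in. */
    public function testRegistrationAssignsFrontendRole()
    {
        $this->post('auth/register', [
            'name' => 'Test Member',
            'email' => 'member@example.com',
            'password' => 'correct-horse-battery',
            'password_confirmed' => 'correct-horse-battery',
        ]);

        $this->seeInDatabase('users', [
            'email' => 'member@example.com',
            'role_id' => self::FRONTEND_ROLE_ID,
        ]);
        $this->assertTrue(Auth::check());
    }

    /** role_id is in $fillable, so prove the controller never takes it from the form. */
    public function testRegistrationIgnoresSubmittedRoleId()
    {
        $this->post('auth/register', [
            'name' => 'Sneaky',
            'email' => 'sneaky@example.com',
            'password' => 'correct-horse-battery',
            'password_confirmed' => 'correct-horse-battery',
            'role_id' => 1, // attacker-supplied value; create() must not use it
        ]);

        // A row has exactly one role_id, so matching on 6 also rules out 1.
        $this->seeInDatabase('users', [
            'email' => 'sneaky@example.com',
            'role_id' => self::FRONTEND_ROLE_ID,
        ]);
    }
}
```

Run it with vendor/bin/phpunit from the project root. If the last test fails, registration is mass-assigning request input somewhere; if the first fails, the downloads route is not inside the auth middleware group.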
Conclusion
We hope this post has helped those of you who were looking to add front-end user authentication to their website.
Please note that any files stored within a secured directory will be inaccessible to bots and crawlers such as Google, and will therefore not appear within search results.