Password protected pages

This section describes how to protect one or more pages on your website with a log in screen. This document does not apply to products or categories.

Like a file system, your web pages are hierarchical and inherit their security from their closest ancestor possessing permission settings. By default, the root of your website is not password protected. Therefore, all of your web pages inherit "available to everyone" permissions. The cascading nature of permissions means you can secure entire sections of your website without having to explicitly defining permissions for each page. 

Prerequisites 

If you wish to protect a web page with a higher level of security than a registered user, you will require one ore more custom access roles.

Adding an Access Role

How it works

When a visitor attempts to access a protected page Evance does the following:

  • Checks if the visitor is logged in to the website. If not, the user is redirected to the log in screen with instruction to return the user to the page they requested upon successful log in. 
  • Determine if the visitor has been granted an Access Role required by page's permissions settings. If the user does not possess any of those required they will be shown a access denied page.
  • Administrators who have an active session to Evance's CMS editor bypass the previous steps and gain direct access to protected pages. This is designed for the purpose of editing and checking your web page content. To mimic how visitors see your website you will need to log out of Evance's control panel. 

Protected pages with "remember me"

When a user logs into your website they have the option to "remember me". This provides the user with a saved session cookie. As long as the user possess a valid saved session cookie on their device, they are not required to log in to gain access to password protected pages on subsequent visits to your website.

Now that we've discussed the mechanics let's take a look at protected a single page. 

Protecting a single page

To apply permission requirements to a web page you must first access the appropriate page within the CMS editor and then open the document settings window (illustrated below).

Getting to the Document Settings window

Once you have the Settings window open, scroll to the bottom of the screen. 

Turn off the "inherit from parent" permissions switch. When you first do this it will show access is available to "Everyone". You will also be presented with a list of available access roles for your website. You may tick any number of access roles applicable to the page. 

Web page permissions settings

When first experimenting with these settings we recommend you do not change the field labelled "If not logged in, redirect to...". However, this field allows you to redirect users, who are not logged in, to a page other than the default log in screen.

When you're happy "save" your settings. You won't be logged out of the page you are editing. As described above, you still have access to edit and test your page whilst you are logged into Evance's control panel. 

Protecting an entire section of your site

All descendants of the page you protected in the steps above are now also protected by the same permission settings. You can happily add child pages, and child pages of those child pages, without needing add additional permissions.