0

I'm using Pico CMS, a small markdown project - http://pico.dev7studios.com/- installed and running good, however I am trying to password protect a folder with htaccess file but the cms is bypassing this and showing the file I call in the browser.

The funny thing is that the url for the file does not contain the "content" folder which is where all the files/pages are stored. All the other folders are contained in the url. This is the only reason that I can find to explain what's happening.

If I manually enter the url to that same folder, which is password protected, which includes the "content" folder in it's path, then I get the htaccess auth window showing. This proves the htaccess file is being read, but not when the CMS accesses it. Can anyone explain why and how to force the folder to be protected when I call any page with the browser.

tyee
  • 197
  • 1
  • 2
  • 13

1 Answers1

0

If you open up a Pico site, your request is redirected to the index.php file (via mod_rewrite). That's why the "content" folder does not show up in the url.

That's also the reason why you are not asked for a password. The index.php file does not have to pass the htaccess auth to get to the *.md files.

Read this for a bigger picture: https://stackoverflow.com/a/10923542/3294973

This plugin may be interesting to you: https://github.com/jbleuzen/Pico-Private

Unfortunately, it can't protect only part of the website at this point. Protecting single pages is now possible. (Check my GitHub Fork)

Community
  • 1
  • 1
elpoto
  • 105
  • 1
  • 7