[nycphp-talk] .htaccess user manager for PHP (similar to Auth Pro by cgi-city.com); mod_rewrite + PHP

Jayesh Sheth jayeshsh at ceruleansky.com
Fri Dec 10 14:19:15 EST 2004


Hello all,

I was wondering if any of you knew of a PHP-script (either open source 
or commercially-licensed) that helps one do the following:
- Password protect all files or select files in a directory using 
.htaccess files
- The information in the .htaccess files will be written when the user 
selects the files (or directories) to be password protected, and then 
adds a username and password that correspond to those protected resources
- Some user info, such as last login date and time and email will be 
stored in a MySQL database
- When the administrator adds a new user (thus allowing the new user to 
access a specific directory or set of files), that user's info is stored 
in the MySQL database and the username and password info is also written 
to a .htaccess file. (In this case the admin either chooses a new 
password for the user, or one is randomly created by the system.)
- At this time, the user is also emailed with a note saying something 
like: "John has added you as a member. Your username is john at aol.com, 
your password is 4rgf567u. Log-in at http://www.somewebsite.com "
- An access log should be available, showing who logged in last and when
- Users should be able to add short notes to a guestbook that is visible 
to other users

This system should also be able to work with an existing website that is 
full of static .html files. The reason .htaccess seems the best tool for 
this job is that the potential client already has a boat-load of static 
content that is to be protected.

Finally, since the potential client is on a tight budget, the only 
option seems to be to buy a PHP script that does all of this and 
customize the script as necessary for the client. This will take much 
less time than writing it from scratch, and thus fit into this person's 
budget. I don't mind writing this from scratch (in which case I would 
use the htaccess class from pear.php.net ) - but the thing is writing it 
from scratch takes longer than just installing and customizing an 
existing script.

I came across the following product from cgi-city.com:

http://www.cgi-city.com/authpro/demo.shtml

It is written in Perl, though, which is a bit denser than PHP, and a bit 
harder to work with (my opinion only).
Additionally, it is simply TOO feature rich, and the potential client 
will likely not have a clue as to how to use it.

Does anyone have any suggestions on how to proceed, or can anyone 
suggest an appropriate third-party script?
I searched sourceforge for "htaccess" and came up with a few things, but 
I am not sure those scripts are good or easily customizable. If it is a 
commercial script, I could only use it if the source code is not encoded 
(i.e. is modifiable, even if I am not allowed to redistribute it.)

Another easier idea occurred to me, but it involved mod_rewrite. I have 
not used mod_rewrite before, but I have read about it. If anyone can 
help me with the following mod_rewrite rule, I would be most grateful.

Here's the idea:
- Suppose the client's website is www.abc123.com
- The client has files such as www.abc123.com/one.html and 
www.abc123.com/two.html that need to be password protected
- All current .html files are moved from the root web directory to a 
sub-directory called "protected". This directory is protected by a 
single set of .htaccess username and password that is only available to 
the administrator
- The administrator logs into the control panel and whitelists all files 
or selected files from the "protected" directory to be 
processed/included later (by mod_rewrite and a PHP script). This 
whitelist info is stored in a MySQL table
- A mod_rewrite rule is written to say the following: all .html files 
accessed from www.abc123.com are rerouted to the following file for 
processing: www.abc123.com/load.php?page=chosenpage.html
- The load.php page checks to see if the requested file exists in the 
MySQL file whitelist.
- If a user is logged-in, it includes the file. If not, it prompts the 
user to log-in.
- The log-in is performed using the PEAR Auth class. The username and 
password info (along with user email and last login info) is stored in a 
MySQL table.

The advantage of this approach is that one is not dealing with messy 
.htaccess files. Additionally, there is no duplication of username and 
password data as in the previous case - where the username and password 
were being stored both in .htaccess files and in a MySQL database. Thus 
all info is in a MySQL database, and works with existing static files.

The user can continue to use Frontpage (or whatever) to modify static 
files, and simply upload them to the "protected" directory.

Does anyone know of a mod_rewrite rule to do the rewriting described in 
step 5 above?

Maybe this second method is more complicated, but I am interested in 
hearing feedback.

Thanks in advance,

- Jay
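
The second approach described above (rewrite every .html request to load.php, then check the whitelist and the login), as an added example that is not part of the original post. The function names are hypothetical, the $whitelist array stands in for the MySQL whitelist table, and the $loggedIn flag stands in for the result of the PEAR Auth check.

```php
<?php
// Added example, not code from the original post.
// .htaccess in the web root (assumes mod_rewrite is enabled):
//   RewriteEngine On
//   RewriteRule ^([^/]+\.html)$ load.php?page=$1 [L]
// No QSA flag, so a client-supplied ?page= is not appended after the rewritten
// one. load.php can still be requested directly, so it validates on its own.

// Map a requested page to a real file under $baseDir, or null if not allowed.
function resolve_page(string $page, array $whitelist, string $baseDir): ?string
{
    // Bare file name only (no slashes, "..", or NUL bytes), and it must be
    // listed in $whitelist (stand-in for the rows of the MySQL table).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $page)
        || !in_array($page, $whitelist, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    // realpath() resolves symlinks; the result must still sit inside $base.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Returns [HTTP status, path or null]. On 200, load.php would send the file
// with readfile($path), not include: include would execute any PHP embedded
// in an uploaded file.
function handle_request(string $page, bool $loggedIn, array $whitelist, string $baseDir): array
{
    if (!$loggedIn) {
        return [401, null];   // show the login form; reveal nothing about files
    }
    $path = resolve_page($page, $whitelist, $baseDir);
    return $path === null ? [404, null] : [200, $path];
}

// Constructed demo data: a temporary "protected" directory with two files.
$dir = sys_get_temp_dir() . '/protected_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/one.html", '<p>one</p>');
file_put_contents("$dir/two.html", '<p>two</p>');
$whitelist = ['one.html'];    // two.html exists but is not whitelisted

$cases = [['one.html', true], ['two.html', true], ['../load.php', true],
          ['one.html/../two.html', true], ['one.html', false]];
foreach ($cases as [$req, $in]) {
    [$status] = handle_request($req, $in, $whitelist, $dir);
    echo str_pad($req, 22), $in ? 'user ' : 'anon ', $status, "\n";
}
```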


