php .htaccess passwords opencart password-protection

How to password protect a directory that contains an OpenCart shop


I have installed OpenCart in a folder on a hosted server. The reason why it's in a folder and not the root is that I only want people who log in to have access to the shop and stay logged in while shopping. This has nothing to do with logging into OpenCart, as they would have to do that as well to see the prices. I just don't want anyone to see the shop before logging in.

I have resorted to using the .htaccess .htpasswd method, which seems to work fine, to an extent. There is a popup that wants you to log in, and when you do, it takes you to a blank page, not the shop. So it works fine on the directory, but once logged in, there is nothing. I'm wondering if it's because there is other stuff in the .htaccess file from OpenCart. I'm very new at all of this, and therefore I don't know what any of that stuff does.

The problem is that it appears that OpenCart, in the .htaccess file, hides the URLs, so instead of going to an index.html page, there is nothing.

I added this to the .htaccess file from another post on Stack Overflow:

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-user

And I changed the path of course. But when that wasn't working, it said to try adding this:

<Directory /path/to/the/directory/of/htaccess>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
</Directory>

and again, I changed the path. But then I noticed that perhaps that might interfere with other things that were already in the file such as:

## No directory listings
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

## No-Referrer-Header
<IfModule mod_headers.c>
  Header set Referrer-Policy "no-referrer"
</IfModule>

## Suppress mime type detection in browsers for unknown types and prevent FLOC
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set Permissions-Policy "interest-cohort=()"
</IfModule>

## Can be commented out if causes errors, see notes above.
Options +FollowSymlinks

## Prevent Directory listing
Options -Indexes

## Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.twig|\.ini|\.log|(?<!robots)\.txt))">
 Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>

## SEO URL Settings
RewriteEngine On
## If your opencart installation does not run on the main web folder make sure you folder it does run in ie. / becomes /shop/
RewriteBase /testing2/
## Rewrite Rules
RewriteRule ^system/storage/(.*) index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|webp|js|css|svg)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]

Also, some of these things said to restart the server, but I don't have access to that. But because I'm new at this, I don't know if any of these things work against each other. If it had been a clean, new .htaccess file, I could understand it would be simpler, but because it already has things in it because of OpenCart, then maybe it's not so simple after all. Is there another way to keep people from seeing the products, not just the prices in OpenCart (which is their standard option)?


Solution

  • In your OpenCart settings there is an option to hide prices until a customer is logged in.

    If you actually want to hide the entire store and force login, you can add the following code to your /store/catalog/controller/common/header.php at the top:

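    // Send anonymous visitors to the login page; only login and register stay reachable.
    // isset() covers requests with no route parameter (the shop's start page).
    if (!$this->customer->isLogged() && (!isset($this->request->get['route']) || !in_array($this->request->get['route'], ['account/login', 'account/register']))) {
        $this->redirect($this->url->link('account/login', '', 'SSL'));
    }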
    

    OpenCart 4.x solution:

    if (!$this->customer->isLogged() && (!isset($this->request->get['route']) || !in_array($this->request->get['route'], ['account/login', 'account/register']))) {
        $this->response->redirect($this->url->link('account/login', '', true));
    }
    

    Reset your htaccess back to what it was; it's a bad way to manage this. If you're still having issues loading the site even with the default htaccess of OpenCart, you need to make sure your path is set right here:

    RewriteBase /testing2/
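
A way to check the forced-login redirect from the outside, added here as an example and not part of the original answer: it requests storefront routes without a session cookie and lists any that respond without a redirect to account/login. The base URL `https://shop.example/testing2/` and the route list are assumptions to replace with your own.

```python
# Added example: confirm anonymous visitors are sent to account/login.
# The gate lives in common/header.php, so it only runs on requests that load
# that controller; this lists routes that answer without the redirect.
import urllib.error
import urllib.parse
import urllib.request

# Assumptions: BASE is a placeholder shop URL, ROUTES a sample list to extend.
BASE = "https://shop.example/testing2/"
ROUTES = [None, "common/home", "product/category", "product/search"]
ALLOWED = {"account/login", "account/register"}  # allowlist from the answer

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx instead of following it

def fetch(url):
    """Cookie-less GET; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def redirects_to_login(status, location):
    """True only for a 3xx response whose target route is account/login."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    query = urllib.parse.parse_qs(urllib.parse.urlparse(location).query)
    return query.get("route", [""])[0] == "account/login"

def audit(routes, base=BASE, fetcher=fetch):
    """Return (route, status) for every route served without the redirect."""
    exposed = []
    for route in routes:
        if route in ALLOWED:
            continue
        # None means the bare shop URL, the case the isset() check covers.
        path = "" if route is None else "index.php?route=" + urllib.parse.quote(route, safe="/")
        status, location = fetcher(base + path)
        if not redirects_to_login(status, location):
            exposed.append((route, status))
    return exposed

if __name__ == "__main__":
    for route, status in audit(ROUTES):
        print(f"not gated: route={route!r} status={status}")
```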