September 13, 2024

Password protect all entries in a Statamic Collection

Out-of-the-box there's a number of different ways you can protect an entry within Statamic. By applying one of the following key/value pairs in your entry's YAML file you'll get a few different experiences:

  1. The user must log into the control panel: protect: logged_in
  2. The user must enter an accepted password: protect: password
  3. The entry is locked to all users: protect: true

We're going to focus on #2 which is the most common request in my experience. Simply a way to keep the general public out of certain records that may hold board minutes, campaign details, and the like.

⚠️ This should not be used to gate sensitive content such as credit card information, personally identifiable info, etc!

1. Set up a new "Protected Pages" collection

I like to place protected content into a dedicated "Protected Pages" collection. This allows us to use a URL prefix for all of the protected entries and allows us to set some sensible defaults for records that shouldn't be publicly visible (SEO settings, etc.).

Creating a new collection in Statamic with the name 'Protected Pages'

Having a URL prefix for these pages ensures we can exclude these pages from Statamic's static caching policy:

'exclude' => [
  'class' => null,

  'urls' => [
    '/search*',
    '/protected*', // Exclude protected pages from the static cache
  ],
],

2. Protect the entire collection via YAML

Now that we have a dedicated collection, we need a way to protect the entries without having to manually add protect: password to each of them. Fortunately Statamic allows us to do this at the collection-level.

Open up the content/collections/protected_pages.yaml file and insert the following block of YAML. This will apply a protection strategy of your choosing across all entries within our collection.

inject:
  protect: password
This value could also be logged_in if you prefer to gate the content behind a Statamic account.

3. Publish a new Protected Pages entry

Now when you publish a Protected Pages entry it will be gated behind a simple password view. Your list of acceptable passwords is configured within config/statamic/protect.php in the password.allowed array.

The password input screen on our first entry in the Protected Pages collection

Final notes

Now that you have a functional Protected Pages collection its important to consider a couple things:

  1. The list of acceptable passwords—with Statamic's default password driver—are fixed and hardcoded. You'll need to communicate to your authors what passwords will work to authenticate users.
  2. Passwords you use will unlock all gated entries. This is often beneficial for non-technical individuals so they don't have to input the same password multiple times when viewing several gated pages with similar content, but it is worth noting in case that's undesirable.
  3. Like many Statamic and Laravel features, this is a driver-based system. Meaning, if you would like to create your own protector driver that behaves differently the world is your oyster!