Can I secure file folder by IP address?

I have a customer with an intranet who wants to use a Secure Zone but not require a login if the user is within a list of IP addresses. Is this possible? Any recommended work-arounds?


@shannonlynd If I understand correctly you want them to be able to click a link that goes to the secure zone on the site and have access to it based on their IP address. The short answer is “no”.

However. Here is what I would look at.

Are all the employees in the same office? Is the IP range and internal range?

If yes to both then is there a way to show the link in there intranet based on the IP range.

If No then your dealing with the sites external IP address, the one assigned by the internet provider. This would need to be a static IP for this to work.

{{request.request_data.ip}} gives you the external IP address. I have used it to restrict access to a secure zones.

You will still need a username and password to access the secure zone, but you can code an anonymous user into the form.

With some liquid you can display a button for the form or trigger an auto submit and redirect if the IP matches. Just know that there could be rcaptcha issues so make sure there is a fall back if the login fails.

Hope that helps. Maybe somebody else knows of a good way.

Thanks! This worked perfectly, and as you expected, except for the recaptcha 2 requirement on the login form. For now, they have to click the “I’m not a robot” checkbox before being redirected to the intranet. (at least once every 30 days now that we can set the duration of the Remember Me lifetime).

I’m also using code posted to the Treehouse by @Peter-Schmidt to automatically submit the form on recaptcha check - Automatic Anonymous Login after reCAPTCHA v2 Completion.

You can switch it to v3 so you don’t have to click “I’m not a robot”

I switched the form to Racaptcha v3 and it worked great. The user clicked the submit button and was routed successfully.

Next step was to eliminate the Submit button, but I can’t seem to get it to work.

This result in Forbidden.

However, it I add any form interaction as a trigger, it works:
$(“#loginForm”).click(function () {

I got it to work with a timeout -
setTimeout(function() { $(“#loginForm”).submit(); }, .1);

Now, how do I hide the anonymous user login info in the source code?

Timeout works everywhere except Edge. Ugh!

You could try triggering a click on the submit button, rather than a submit on the form (assuming your submit button is still in the form code).
I know I’ve had to do it this way in some cases, although not 100% sure why it works :slight_smile:

$('#loginForm [type="submit"]').trigger( "click" );

That’s impossible. Since you are working client-side there is no way to completely hide this data.
There are ways to make it more hidden (with more complex steps), but it’ll always be there somewhere.

No joy with the trigger click. It still fails in Chrome.

I’ll let you know what I come up with.
:slight_smile: Shannon

Ok, I think I’ve got it now.
Treepl needs to validate the recaptcha before submitting the form so it intercepts the form submit to do this.
We then need to tap into that event with the CMS_CustomSubmit event.

This works in my tests:

var myForm = document.getElementById("loginForm");
myForm.addEventListener("CMS_CustomSubmit", function(event) {

Then, when you call your form submit somewhere with $(“#loginForm”).submit(); the above code will listen for the custom event, prevent the default form submit allowing Treepls validation code to run, then continues to submit the form.
At least, that’s how I understand it to work :laughing:

Hopefully, it works for you too.

Payment Form Javascript