The solution just popped into my head, I'm sharing it here in case anyone else has the same need as myself...
The problem with the password "protection" method I was using initially (note the quotes) is that it's not secure - at all. The validation being made client-side, the actual password can be obtained by the visitor from the page's source. The validation obviously needs to be done server-side, so how do you get the visitor to submit his password - client-side - and then have it validated server-side, using CB and Auto Actions?
The answer lies in the URL.
First you have a small piece of JS code in an Auto Action that collects the visitor's password, but does not do the validation. Instead, it reloads the exact same page, with one additional variable in the URL - the password submitted by the visitor.
Then once the page gets reloaded, another Auto Action, in PHP this time (so, server-side), checks for the presence of the variable in the URL. Then it validates it against the real password (preferably in the form of an MD5 hash, i.e. when the account's owner saves his display password you have an Auto Action set to store the MD5 hash of the password in the database and not the password itself).
And voilà ... The validation is made server-side, and neither the real password nor its hash is ever sent to the client.
I had the idea just minutes ago and haven't tried it yet but this should work. I was looking at solutions way too complicated when the real solution is finally quite simple...
Seb.
PS: How do you prevent people with JS disabled from bypassing it? With the noscript tag and a little bit of PHP, in your template's HTML header between <head> and </head>, like this:
Code:
```php
<?php
// Rebuild the URL of the page being served, scheme and port included
function curPageURL() {
    $pageURL = 'http';
    // $_SERVER["HTTPS"] is not set at all on plain-HTTP requests, so guard with isset()
    if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
    $pageURL .= "://";
    if ($_SERVER["SERVER_PORT"] != "80") {
        $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
    } else {
        $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
    }
    return $pageURL;
}
// $currenturl has to be filled from curPageURL() before it is tested below
$currenturl = curPageURL();
// Only the profile pages get the no-JavaScript redirect; the query string uses a single "&" between parameters
if (strpos($currenturl,'my-account') !== false OR strpos($currenturl,'profile') !== false) {
    echo '<noscript>
<meta http-equiv="Refresh" content="0; url=/index.php?option=com_content&view=article&id=30:javascript-is-disabled" />
</noscript>';
}
?>
```
Of course here I am using "my-account" as alias for the profiles, this may be different in your case, so just adapt it.
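The server-side half of the scheme described in the post, as an added example that is not the poster's own Auto Action code: a stand-alone PHP script that takes the password from the URL variable, validates it against a stored hash, and only then renders the protected content. The variable name "pw", the helper names and the demo password are assumptions. It goes a step beyond the post in two places: it compares an existing MD5 column with hash_equals() rather than ==, and it shows password_hash()/password_verify() as the replacement for unsalted MD5 when the hash is (re)stored.

```php
<?php
// Added example, not code from the original post. Assumed names: the "pw"
// URL variable, the helper functions below, and the constructed demo values.

// Run once, when the account owner saves the display password. The post
// stores md5($plain); password_hash() salts and slows the hash so a leaked
// database column cannot be reversed with a precomputed table.
function store_display_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Server-side Auto Action: true only when the "pw" URL variable is present
// and matches the stored hash. Works for both storage formats:
//  - a password_hash() string, checked with password_verify()
//  - a legacy 32-hex-digit MD5, checked with a constant-time hash_equals()
function visitor_is_authorised(array $query, string $stored): bool
{
    if (!isset($query['pw']) || !is_string($query['pw']) || $query['pw'] === '') {
        return false;                          // nothing submitted yet
    }
    $submitted = $query['pw'];

    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy MD5 column (what the post proposes). hash_equals() avoids
        // leaking how many leading characters matched through timing.
        return hash_equals($stored, md5($submitted));
    }
    // password_verify() reads the algorithm and salt out of the stored string
    // and compares in constant time.
    return password_verify($submitted, $stored);
}

// The client-side half: a plain GET form reloads the same page with ?pw=...
// appended, which is exactly the URL the post's JavaScript builds, but it
// also works for visitors who have JavaScript disabled.
function render_prompt(string $selfPath): string
{
    $action = htmlspecialchars($selfPath, ENT_QUOTES, 'UTF-8');
    return '<form method="get" action="' . $action . '">'
         . '<label>Password <input type="password" name="pw" autocomplete="off"></label> '
         . '<button type="submit">Unlock</button></form>';
}

// Demo flow with constructed data: the owner saved "correct horse" (here
// hashed on every request only to keep the example self-contained; in CB it
// would be read back from the profile field the save-time Auto Action wrote).
$storedHash = store_display_password('correct horse');

// Strip any existing query string so the form posts back to the same page
$selfPath = strtok($_SERVER['REQUEST_URI'] ?? '/', '?');

if (visitor_is_authorised($_GET, $storedHash)) {
    echo '<p>Protected profile content goes here.</p>';
} else {
    // Wrong or missing password: show the prompt again. The hash never
    // leaves the server; only this HTML does.
    echo render_prompt($selfPath);
}
```

Two things a practitioner would want to check before using this for real. First, hash_equals() and password_verify() both run in constant time, whereas `md5($pw) == $stored` does not, and `==` on two strings that look numeric (for example MD5 hashes starting with `0e`) is compared as floats in PHP, so always use the strict helpers. Second, because the password travels as a URL variable it is written to the web server's access log, the visitor's browser history and the Referer header of any outbound link on the unlocked page; changing the form above to `method="post"` and reading `$_POST` instead of `$_GET` keeps the validation server-side while keeping the password out of those places.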