Access Restriction for Live Staging Sites

[Fun with code is a multi-part series. Read the rest.]

We have a lot of active, ongoing projects here at Oxide, especially when it comes to the web. In order to build and make changes to sites which can still be viewable for internal or client review, we run live staging versions of them on subdomains of oxidedesign.com. Don’t bother digging around looking for a secret gem though, because you can’t get in. At least, not anymore.

For sites like bigomaha.com and mahamusicfestival.com, there’s some sensitive information that shouldn’t be visible before we deploy the changes to the live site. This presented a problem, and it stands to reason that some crafty person could have found their way onto spn.oxidedesign.com and blown the lid off of the whole event.

The simple solution was to check if the user is logged in with the WordPress function is_user_logged_in() by throwing something like this at the very top of the header.php file in the theme:

if ( !is_user_logged_in() ) { wp_die('No peeking!'); }

Which basically reads, if the current user is not logged in, kill WordPress and present the message “No peeking!”.

Well, that’s great, but so what? We get a little message if we’re not logged in and we can’t see the site. Yes, it works, but it is rather ungraceful and I have to remember to remove it every time I push the theme to the live site. This is problematic and turns out to be not such a great solution.

So what do we know about what we need? Well, I need a script that remains in the theme at all times, only runs on the staging site, restricts access to logged-in users, and (for convenience's sake) takes me straight to the WordPress login so I can begin working quickly.

Easy enough

So I stopped messing around with header.php and set my eyes on functions.php – now we’re talking. The first challenge is to determine whether or not we are sitting on a subdomain of oxidedesign.com. In PHP there is a magic constant called __FILE__ which always gives me the absolute path to the current file in the form of a string, wonderful! I also know that there is a PHP function called strpos($haystack, $needle) which will give me the numerical position of the beginning of a substring within a string, where $needle is what I’m looking for, and $haystack is where I’m looking. So I can perform this simple search:

$staging = strpos(__FILE__, 'oxidedesign.com');

According to this setup, the variable $staging will be set to either an integer, signifying that “oxidedesign.com” was found in the file’s path (and its position within the string), or the boolean value false, signifying that oxidedesign.com was not found, perfect.

Another requirement was that I’d like it to automatically send me to the WordPress login instead of just killing WordPress. Using wp_redirect() is just as safe as wp_die() for my purposes because it can still shield the staging site from the light of day without the user being logged in, as long as we kill it all afterwards with an exit. wp_redirect() only sends the redirect header, so without the exit WordPress would carry on and render the page anyway. Knowing all of this, we can structure a pretty simple function based on a comparison of the $staging variable we set up earlier and the WordPress convenience functions already discussed.

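function oxide_staging_access() {
	// Position of the staging domain in this file's path, or false when absent.
	$staging = strpos(__FILE__, 'oxidedesign.com');
	// On staging, send anonymous visitors to the login screen and stop.
	if ( $staging !== false && !is_user_logged_in() ) {
		wp_redirect( wp_login_url() ); exit;
	}
}
add_action('parse_request', 'oxide_staging_access');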

Now we’ve got exactly what we need, a function that locks people out of any staging site running anywhere on oxidedesign.com, but stays out of the way when it’s running on any other domain.
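The substring test above also matches the bare oxidedesign.com directory and any path that merely contains that string, and it only works because of the strict `!== false` comparison. The following is an added example, not the original author's code: a variant that matches only a directory named as a subdomain, printed side by side with the strpos() result for a few paths. The function name `oxide_is_staging_path()`, the directory layout and the sample paths are constructed for illustration.

```php
<?php
// Added example, not the original author's code.
// Assumption: each site lives in a directory named after its host name,
// e.g. /var/www/spn.oxidedesign.com/... (constructed layout).

/**
 * True when any directory in $path is a subdomain of $base.
 * Segment matching avoids two substring pitfalls: the bare apex directory
 * and look-alike names that merely contain the base domain.
 */
function oxide_is_staging_path( $path, $base = 'oxidedesign.com' ) {
	$suffix = '.' . $base;
	foreach ( explode( '/', str_replace( '\\', '/', $path ) ) as $segment ) {
		// The segment must have at least one character before the suffix.
		if ( strlen( $segment ) > strlen( $suffix )
			&& substr( $segment, -strlen( $suffix ) ) === $suffix ) {
			return true;
		}
	}
	return false;
}

if ( function_exists( 'add_action' ) ) {
	// Inside WordPress: same gate as the article, using the stricter test.
	add_action( 'parse_request', function () {
		if ( oxide_is_staging_path( __FILE__ ) && ! is_user_logged_in() ) {
			wp_redirect( wp_login_url() );
			exit;
		}
	} );
} else {
	// Run from the CLI: show how each test classifies constructed paths.
	$samples = array(
		'/var/www/spn.oxidedesign.com/wp-content/themes/spn/functions.php',
		'/var/www/oxidedesign.com/wp-content/themes/oxide/functions.php',
		'/var/www/bigomaha.com/wp-content/themes/bo/functions.php',
		'oxidedesign.com/functions.php', // match at offset 0
	);
	foreach ( $samples as $p ) {
		$pos = strpos( $p, 'oxidedesign.com' );
		printf( "%-66s strpos=%-5s loose=%-3s strict=%-3s segment=%s\n", $p,
			var_export( $pos, true ),
			$pos ? 'yes' : 'no',            // loose truthiness check
			$pos !== false ? 'yes' : 'no',  // the article's comparison
			oxide_is_staging_path( $p ) ? 'yes' : 'no' );
	}
}
```

The parse_request hook only runs for requests that WordPress itself routes; files the web server hands out directly, such as anything under wp-content/uploads, never reach it, so protect those at the web-server level (HTTP authentication, for instance) if they are sensitive.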

22 Sep 2019
