Protecting a dev site

Most development sites have a way of protecting access to them behind some kind of login system (even if the site doesn’t have a user system per se)

Is their a best practice way of doing this for pimcore? I know on some site you can set the site to maintenance mode and it will allow a registered admin user to login and see pages.

.htaccess is the easiest solution…

If anyone is interested, we came up with a simple solution to password protecting a staging or dev site.

We created a listener for the page for the KernelEvent::REQUEST event. On every request, it does a simple set of lookups and will redirect to the admin screen if the site is in DEBUG mode and there is a valid admin session.

Here’s our listener class - sorry for the poor formatting


namespace AppBundle\EventListener;

use Symfony\Component\VarDumper\VarDumper;
use Pimcore\Event\Model\DocumentEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Pimcore\Http\RequestHelper;
use Symfony\Component\HttpFoundation\RequestStack;
use Pimcore\Bundle\CoreBundle\EventListener\Traits\PimcoreContextAwareTrait;
use Pimcore\Http\Request\Resolver\PimcoreContextResolver;
use Pimcore\Tool;

class PageLoadDebugSubscriber implements EventSubscriberInterface
    use PimcoreContextAwareTrait;

    private $requestStack;

public function __construct(RequestStack $requestStack)
    $this->requestStack = $requestStack;

 * @inheritDoc
public static function getSubscribedEvents()
    return [
        KernelEvents::REQUEST => ['onRequest', 10],

 * @param GetResponseEvent $event
public function onRequest(GetResponseEvent $event)
    // Make sure its the main request not a subrequest
    if (!$event->isMasterRequest()) {

    // Make sure its a frontend request not admin
    $requestHelper = new RequestHelper($this->requestStack);
    if (!$requestHelper->isFrontendRequest($event->getRequest())) {

    // What context are we in admin or no?
    if (!$this->matchesPimcoreContext($event->getRequest(), PimcoreContextResolver::CONTEXT_DEFAULT)) {

    // Check for debug
    if (PIMCORE_DEBUG && !Tool::isFrontendRequestByAdmin()) {
        // Check for admin user
        if (!$event->getRequest()->cookies->get('pimcore_admin_sid')) {
            // Redirect to admin
            $response = new RedirectResponse('/admin');



It’s not perfect but works for our needs.