Institutional Access for Ghost

How I delivered institutional access by IP address, and some other options.

Institutional Access for Ghost
Always excited to build something new!

This week’s interesting client project was institutional access to Ghost based on IP addresses. I also made some theme edits to change how institutional members see the site. The Portal script doesn't load, and there are no buttons to log out. Yes, the Ghost site itself is hosted on Ghost Pro! We just stuck a Cloudflare worker out in front of the site, to do a little rewriting.

Fundamentally, Ghost doesn’t understand IP access restrictions. We worked around this by having an ‘institutional user’ who had full access to everything. (If he’d had multiple institutional tiers, we could have made multiple users.) When a request came in Cloudflare, the worker code checked to see if it was coming from an IP address that was on his institutional access list. If it was, the worker rewrote the header to put on the institutional user cookie. It also removed the Portal code, since we didn’t want IP access visitors to change the institutional user’s settings.

Requirements: Domain must be proxied by Cloudflare. My client maintained a list of IP addresses that should have access. He just edits them on Cloudflare, and handles payments for institutional access manually, since most big institutions would rather pay an invoice anyway. Very small edits to the theme were necessary to suppress the ‘edit your account’ and ‘subscription’ pages in his theme.

Disadvantage: Users with institutional access didn’t receive emailed newsletters, because they didn’t have real accounts. We didn’t deal with the scenario where a user might have had a membership through another means but was within an institutional IP block. I don’t think that situation is insurmountable, but it would need some thinking through what the desired behavior is.

If the institutions have their users connect through a campus proxy, such that they come to Ghost (actually Cloudflare) via a specific subnet, then it should work fine.


If you want institutional users to have memberships of their own, then I think it might make more sense to provide the library with a link that results in creation of a full Ghost user, with complimentary access to the appropriate tier. Or allow users coming from a specific subnet of IPs to make complimentary accounts. (Or users with a specific code of some sort provided by the paying library…) Once they’ve made an account, then they have full access from anywhere.  

You could check that the user is within the IP netblock for the institution and/or check that their email address is the institution's domain, and if we're talking about a college/university, perhaps there'd be complimentary access for a year and then the user would need to click the link again to renew the complimentary subscription?  Since those would be real Ghost users, they could receive newsletters.  Once the accounts are set up, the user could use them from anywhere.

Ready to build something like this? Please contact us!