Limit login to staff only?

Hey everyone,

is there a way to limit login to a forum to a certain role like moderators or admins?

Background: I’m migrating a bigger forum and while the URL to this forum is unknown to the public I want to limit the login to moderators and admins only while we do test everything after the migration and get ready for the final transfer.

I thought I would have seen some option in the past but can’t seem to find it anymore.


1 Like

You can make it so the forum is by invitation only until you’re up and running. Then you can change it to accept public registrations once you’re ready. In your Dashboard go to Login and tick the boxes to set it up how you wish. Once you’re ready, go back and make the necessary changes.


This won’t work once users are imported and their accounts activate.

A temporary reverse proxy would work with authentication but introduces complexity.

Is a DNS name change a possibility? How are you planning to manage downtime?


You probably want to suspend all users so that they aren’t getting sent emails, which would keep them from being able to log in even if they should stumble on the site.

If that’s somehow not good enough, you could modify the nginx in the container to require bait auth in order to get to the site.


I totally wasn’t aware that Discourse doesn’t really have any role based capabilities. I had only used it in projects so far where this wasn’t an issue. I thought it whould be possible to limit login through that.

@JimPas as @Stephen rightfully said that won’t work for the imported users.

DNS Name change will be in place for that period as the old forum will still continue to be live in that time but as I said initially I wanted to have additional protection.

Looks like http base auth will be the only way to put additional protection on it and keep users from logging in. I need to check how that works.

Thanks guys.

1 Like

Not exactly, you always have the good old fallback of unpublishing the public DNS record and using a hosts entry for periods. It will break Let’s Encrypt if you rebuild while public DNS is absent, but otherwise it works. Users would need to know the new DNS name AND IP address to access it.

Disabling accounts is an option, but there’s also an option to disable all email in /admin which is probably prudent.

As a thought, you can also control access from one more layer by implementing your own IdM/SSO. More work, but potentially huge payoffs in other areas down the line. All depends what you’re comfortable with.


thanks for naming the alternatives, @Stephen.

I think base auth would be the most straightforward way. Using local hosts files is a bit cumbersome for the less technical advanced staff members/moderators and IdM/SSO is definitely too much of a hazzle for the hopefully short period of time that is needed to lay the ground work for the final migration. Also we’re not super secure there so we might still not secure it at all too.

1 Like