Documentation excluding pages from requiring login

Fixes #121
humanmade · Jul 26, 2022 · 8075194 · 8075194
1 parent 15da007
commit 8075194
Showing 1 changed file with 28 additions and 1 deletion.
diff --git a/docs/require-login.md b/docs/require-login.md
@@ -13,7 +13,34 @@ Enabling Require Login for an environment will also prevent it from being indexe
 
 Requiring login on individual sites is as easy as unchecking the site's public setting in the Edit Site screen. To access this setting, go to [My Sites > Network Admin > Sites](internal://network-admin/sites.php) and then click the URL for the site you want to edit. From there you check the box for whether the site is public or not under the "Attributes" section.
 
-## Overrides
+## Excluding Pages and Endpoints
+
+In certain cases you may need to exclude a URL or PHP file from redirecting to the login page when Require Login is active. This is possible using the `hm-require-login.allowed_pages` filter:
+
+```php
+add_filter( 'hm-require-login.allowed_pages', function ( array $allowed, ?string $page = null ) : array {
+    // Allow registration on multisite.
+    $allowed[] = 'wp-activate.php';
+    $allowed[] = 'wp-signup.php';
+    return $allowed;
+}, 10, 2 );
+```
+
+The 2nd parameter `$page` is populated from WordPress's `$pagenow` global variable. If you need to make exceptions for frontend URLs this value will be `index.php`, as such this will require additional logic to restrict which requests are allowed.
+
+To allow a custom REST API endpoint you would do something similar to the following example:
+
+```php
+add_filter( 'hm-require-login.allowed_pages', function ( array $allowed, ?string $page = null ) : array {
+	if ( $_SERVER['REQUEST_URI'] === ( '/' . rest_get_url_prefix() . '/public-endpoint/' ) ) {
+		$allowed[] = $page;
+	}
+
+	return $allowed;
+}, 10, 2 );
+```
+
+## Environment Specific Overrides
 
 You can also set the `security.require-login` setting to `true` in `composer.json` to require all users to be logged in to view the website (this will override individual sites' public setting). You can require login for all environments by adding the setting directly under `altis.modules`, or individual environments by nesting it within `altis.environments`. The following example sets all environments except for local to require login: