From 80751944d0204803a773ff6bada252568d0ac076 Mon Sep 17 00:00:00 2001 From: Robert O'Rourke Date: Tue, 26 Jul 2022 12:46:04 +0000 Subject: [PATCH] Documentation excluding pages from requiring login Fixes #121 --- docs/require-login.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/docs/require-login.md b/docs/require-login.md index 0cfcc31..3fb3934 100644 --- a/docs/require-login.md +++ b/docs/require-login.md @@ -13,7 +13,34 @@ Enabling Require Login for an environment will also prevent it from being indexe Requiring login on individual sites is as easy as unchecking the site's public setting in the Edit Site screen. To access this setting, go to [My Sites > Network Admin > Sites](internal://network-admin/sites.php) and then click the URL for the site you want to edit. From there you check the box for whether the site is public or not under the "Attributes" section. -## Overrides +## Excluding Pages and Endpoints + +In certain cases you may need to exclude a URL or PHP file from redirecting to the login page when Require Login is active. This is possible using the `hm-require-login.allowed_pages` filter: + +```php +add_filter( 'hm-require-login.allowed_pages', function ( array $allowed, ?string $page = null ) : array { + // Allow registration on multisite. + $allowed[] = 'wp-activate.php'; + $allowed[] = 'wp-signup.php'; + return $allowed; +}, 10, 2 ); +``` + +The 2nd parameter `$page` is populated from WordPress's `$pagenow` global variable. If you need to make exceptions for frontend URLs this value will be `index.php`, as such this will require additional logic to restrict which requests are allowed. + +To allow a custom REST API endpoint you would do something similar to the following example: + +```php +add_filter( 'hm-require-login.allowed_pages', function ( array $allowed, ?string $page = null ) : array { + if ( $_SERVER['REQUEST_URI'] === ( '/' . rest_get_url_prefix() . '/public-endpoint/' ) ) { + $allowed[] = $page; + } + + return $allowed; +}, 10, 2 ); +``` + +## Environment Specific Overrides You can also set the `security.require-login` setting to `true` in `composer.json` to require all users to be logged in to view the website (this will override individual sites' public setting). You can require login for all environments by adding the setting directly under `altis.modules`, or individual environments by nesting it within `altis.environments`. The following example sets all environments except for local to require login: