So, at least as far as I understand the mission, there should be a default restriction on site access, which pushes everyone to the login page. Then, there are certain conditions which will not redirect everything to that page: 1) a user is logged in, so they get to look at everything, 2) they need access to the login page, 3) they need to get to the register page, 4) [I’ll get to 4 below]
So, the $allowAccess check is really just whether the redirect to login should happen. If any of the conditions for normal access are there, skip the redirecting. So, you could pile everything onto that one variable, $allowAccess:
protected function _preventSiteAccess($request)
{
$user = current_user();
$allowAccess = false;
$requestParams = $request->getParams();
if ($requestParams['controller'] == 'users' && $requestParams['action'] == 'login') {
$allowAccess = true;
}
if ($requestParams['module'] == 'guest-user' && $requestParams['action'] == 'register') {
$allowAccess = true;
}
// prevent access to site for anyone not logged in, including guests.
if (!$user && !$allowAccess){
$this->_getRedirect()->gotoUrl(WEB_ROOT .'/users/login');
}
}
This just piles up checks for whether to do the redirect with a sequence of ifs. If the pile of conditions are met, the redirect to login won’t happen, and users can happily go to their destination.
The links that you put on the login page to guide users where to go just have to have a corresponding check to allow access – I think that’s the base of the your second question about what goes into login.php?
And now for 4) from above. The login page, at least by default, includes a link if you have forgotten your password. That link should also get an if statement similar to the ones in the code above to allow access.
Whew! There’s a lot here, I know. But I hope this gets us on the right track.