Magnolia 5.7 reached extended end of life on May 31, 2022. Support for this branch is limited, see End-of-life policy. Please note that to cover the extra maintenance effort, this EEoL period is a paid extension in the life of the branch. Customers who opt for the extended maintenance will need a new license key to run future versions of Magnolia 5.7. If you have any questions or to subscribe to the extended maintenance, please get in touch with your local contact at Magnolia.
Magnolia's Public User Registration module allows users to register an account on the public site. This page explains how to use the module to set up public user registration and protected pages that are available only to users who have registered and logged in.
The tutorial takes you through the process of:
- Setting up pages containing the components provided by the module
- Restricting access to certain pages to registered users only.
We use the Sportstation demo in our example. CE users can adapt the example to fit the Travel demo or their own site.
Making PUR components available
The Travel demo's Public Users template makes the components available in
main area of the page. The example uses this template. See Area definition for more.
Your pages can be located anywhere in the site hierarchy.
Create two sets of pages:
- PUR pages:
- Base these pages on your PUR template. We will add the PUR components made available above to these pages.
- You need one page for each PUR component, for example a registration page for the Registration form component, a login page for the Login form component etc..
- Restricted content pages:
- These are standard pages. They do not rely on the functionality of the PUR module.
- You can base these pages on any template and you add any components.
- Registration: To register account (
- Login: To log in (
- Registration update: To update user information (
- Password retrieval: To retrieve lost or forgotten password (
- Password change: To change password (
- Restricted content page or tree (
Adding restricted content
The example creates an exclusive club for registered users on the Sportstation site. In the Sports Club area users have access to special deals on the
club-deals page and its subpages. The example uses the Travel Standard template for these pages.
/sports-club: All public users can access this page. The teaser component on the left takes logged-out registered users to the login form and logged-in users to the
club-dealspage. The teaser component on the right takes non-registered users to the registration form page.
/club-deals: This page contains teasers to all available deals.
/<deals: These are the Individual deal pages.
Adding PUR components
Open the PUR pages for editing and:
- Add the corresponding PUR component to each page.
- Hide the pages from navigation. You can set this in the Page properties dialog.
The PUR components are all forms.
Login is delivered as a preconfigured form. In the dialog, set links to the registration and forgotten-password pages. These links display at the bottom of the form. The target page directs the user to a page after login. Set this link to the restricted-content parent page.
The other PUR components require form setup. See Creating a form for more.
These forms expect fields with the exact names:
Here are the components used in the example.
Use this reference table to set up your forms:
Configuring the PUR module
The PUR module configuration used in the example is a copy of the
travel configuration (that extends
default) with minor changes.
Alwaysregistration strategy enables users immediately. A user can access restricted content straight after registration.
- Password retrieval:
MailChangePasswordLinkStrategysends an email to the user who submits the password retrieval form. A link in the email directs the user to the example /
- Default group: We create the
sportstation-purgroup in Setting permissions (below).
- Default role: The configuration overrides
defaultto ensure that users assigned only the
anomymousrole cannot access restricted content.
These options are configured in
At this stage, publish the work to date to the public instance. We set permissions and test the setup on the public site because this is where it will be used and anonymous users have different permissions on the author and public instances by default.
On the public instance, first restrict anonymous access to content reserved for registered users and then give registered users access to this content
Restricting anonymous access
In the Security app, edit the
anonymous role and add permissions denying access to restricted content.
Example: Web access:
The permissions starting with
<site name> prevent cross-site access. See Site-specific ACLs for more.
Granting registered users access
In the Security app, create a new role (
sportstation-pur in the example) that gives access to restricted content.
Example: Web access:
|Get & Post|
|Get & Post|
|Get & Post|
|Get & Post|
Next create a new group named after the value in the
defaultRoles configuration property (
sportstation-pur in the example) and assign the new role to the new group. Users in this group also need other basic roles.
Example: Group role assignment.
Adding a client callback to the security filter
Adding a client callback on the security callback filter ensures that users are redirected to the login component on a page and not to the default (green) Magnolia login screen. The redirect comes into play when a registered user logs out or an unregistered user attempts to access restricted content.
sportstation-pur client callback configured in
client callback name.
SimpleUrlPattern matches strings using simple
Pattern that defines the location of the restricted content that triggers the callback. See
RedirectClientCallback redirects to a configured path or URL.
Relative path to the login page. Add the
Testing the PUR setup
- Open the restricted content page logged in as
superuserand then log out by adding the
?mgnlLogout=trueparameter to the URL. The restricted content disappears and the page redirects to the login form page configured in the security callback.
- Click Register in the login form, register a dummy account (using a valid email address) and then login with the new credentials. The protected page (set in the Login form component) opens.
- Log out as the new user, click Forgotten password in the login form and enter the dummy account username and email. The link in the password reminder email opens the password reset form page (set in
passwordRetrievalStrategyconfiguration) where you can choose a new password.
- Log in to admincentral and launch the Security app to verify that the dummy user is assigned to the group defined in the