Magento Website Restrictions

Magento Enterprise comes with a very useful extension to close a Magento site either completely or partially. For example, you can close the entire site until an upgrade is completed or you can lock a store to only registered users.

Website Restriction Settings

Website Restriction Settings

How It Works?

When Magento receives a request it starts routing the request through the controller that is being called. However before the request is routed to the controller Magento triggers a ‘predispatch’ event, which allows Magento to perform a number of preliminary checks before the controller processes the request. The website restrictions module takes advantage of this event and subscribes the function Enterprise/Websiterestriction/Model/Observer::restrictWebsite to the event ‘controller_action_predispatch‘ in order to determine if the action is allowed for the current session or not.

Inside Enterprise/Websiterestriction/Model/Observer::restrictWebsite

The website restrictions apply only to the frontend of Magento sites, therefore the first lines of the method check which store view is being access. If the Administration store is being used the method skips the validation section and returns.

Immediately after verifying that a frontend store is being accessed, a new event, ‘websiterestriction_frontend‘, is dispatched to allow modules to extend the validation checks. The event handlers can determine if the execution should continue or should be skipped by setting the ‘should_proceed‘ flag in the return object that is passed as one of the parameters. If none of the event handlers stop the execution the Website restriction module proceeds with checking whether the website restriction is enabled for the store. This is done through the general/restriction/is_active configuration value.

Up to this stage whenever a frontend store is accessed the above steps are performed. Once the website restrictions are confirmed to be in place, Magento determines whether the store front is closed (Website Closed), allowed only to registered users only (Private Sales: Login Only) or allowed registered users or the registration of new users (Private Sales: Login and Register). The website restrictions mode is determined by analyzing the configuration value general/restriction/mode.

Website Closed

The Website Closed mode will close the entire site for all visitors by redirecting all requests to a special CMS page called CMS Stub. The redirection to the CMS stub is performed by restarting the request routing process; this time with the action set to restriction_index_stub. It is important to note that the restarting of the routing process will re-trigger the ‘controller_action_predispatch‘ that in turn will again call the Websiterestriction observer, which will execute the same steps as before. However when the website closed code is executed the redirection is skipped and the CMS stub is served to the client browser.

Private Sales Mode

When the site is set to one of the private sales mode, that are Private Sales: Login Only and Private Sales: Login and Register, the first step performed is to check whether the customer is logged in or not. If the customer is logged in the customer is either redirected to the page that was last visited, if the core session variable WebsiteRestrictionAfterLoginUrl is set, otherwise they are redirected to the page linked by the controller.

On the other hand if the customer is not logged in, the action being called is checked against a configuration list, frontend/enterprise/websiterestriction/full_action_names that specifies which pages can be accessed. The list consists of two sections that are ‘generic‘ that means always accessible and ‘register‘ which are accessible only if website restriction is set as the Private Sales: Login and Register mode. Once the list of accessible sites is determined, the action name is compared to the list and if the action is allowed the customer is redirected to the page. Otherwise the client is either redirected to the CMS landing page specified under general/restriction/http_redirect or to the login page.


  • Magento Code