PHPackages orangecat/module-visibility - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. orangecat/module-visibility ActiveMagento2-module[Authentication & Authorization](/categories/authentication) orangecat/module-visibility =========================== Guest access controls for Magento 2 B2B — force login redirect with URL whitelisting and selective price/cart hiding for guests 0.0.2(2d ago)02↑2900%OSL-3.0PHPPHP >=8.1 Since Jun 5Pushed 2d agoCompare [ Source](https://github.com/olivertar/m2_visibility)[ Packagist](https://packagist.org/packages/orangecat/module-visibility)[ RSS](/packages/orangecat-module-visibility/feed)WikiDiscussions main Synced 2d ago READMEChangelog (2)Dependencies (2)Versions (3)Used By (0) Orangecat\_Visibility ===================== [](#orangecat_visibility) Guest access controls for Magento 2 B2B storefronts — force login redirect with URL whitelisting and selective price/cart hiding for guests. **Module:** `Orangecat_Visibility`**Version:** 1.0.0 **License:** OSL-3.0 **Author:** Oliverio Gombert --- Table of Contents ----------------- [](#table-of-contents) 1. [Overview](#overview) 2. [Theme Compatibility](#theme-compatibility) 3. [Requirements](#requirements) 4. [Installation](#installation) 5. [What Gets Installed](#what-gets-installed) 6. [Configuration](#configuration) 7. [Store Admin Guide](#store-admin-guide) 8. [Guest Experience](#guest-experience) 9. [Developer Guide](#developer-guide) 10. [REST API](#rest-api) 11. [Frontend Routes Reference](#frontend-routes-reference) 12. [DevOps & Integrator Notes](#devops--integrator-notes) --- Overview -------- [](#overview) `Orangecat_Visibility` controls what unauthenticated (guest) visitors can see and access on a B2B storefront. It provides two independent, non-overlapping operating modes that can be enabled separately. The module handles: - **Force Login mode** — redirect guests away from any page not on a URL whitelist, preserving the original URL so the visitor lands back on it after login. - **Catalog Visibility mode** — when Force Login is off, selectively hide product prices and/or the Add to Cart button for guests without blocking navigation. - **URL Whitelist** — a per-store, admin-managed table of URL rules with pluggable matching strategies (static exact match or regex). System-critical URLs (login, logout, forgot password, etc.) are pre-seeded and protected from accidental deletion. - **Server-side cart protection** — blocks guest `POST` requests to the Add to Cart controller even when the button is CSS-hidden, preventing bypass via direct HTTP calls. - **Post-login redirect** — after the guest authenticates, the browser returns to the page they originally requested. ### Position in the Orangecat B2B Dependency Chain [](#position-in-the-orangecat-b2b-dependency-chain) This module is standalone and does **not** depend on `Orangecat_Company`. It can be installed independently on any Magento 2 storefront. ``` Orangecat_Core (via composer: orangecat/core) └── Orangecat_Visibility ← this module (standalone) ``` ### Operating Modes [](#operating-modes) ModeKey ConfigWhat It Does**Force Login**`visibility/general/enabled = 1`Intercepts every frontend request; redirects guests unless the URL matches a whitelist rule.**Catalog Visibility**`visibility/general/enabled = 0`Force Login off; `hide_price` and/or `hide_add_to_cart` flags control catalog display for guests.The two modes are mutually exclusive by design: when Force Login is active, the catalog visibility flags have no effect (guests are redirected before seeing any catalog content). --- Theme Compatibility ------------------- [](#theme-compatibility) ThemeStatusNotes**Luma**SupportedAll plugins fully apply. Block interceptors target standard Magento catalog block classes present in Luma.**Hyvä**PartialForce Login and pricing model plugins (return 0) work. `PriceBoxPlugin` and `AmountPlugin` work only if Hyvä still delegates to `Magento\Framework\Pricing\Render\PriceBox`/`Amount`. `CatalogBlockPlugin` may miss Hyvä Alpine.js listing components that do not extend the targeted block classes.**Breeze Evolution**PartialForce Login works. Pricing plugins work. `CatalogBlockPlugin` targets Magento core block classes; Breeze-specific listing components may need additional interceptors. The minicart hide (`minicart-wrapper` class injection) may require verification.For full Hyvä/Breeze Catalog Visibility support, add dedicated plugins targeting the theme-specific block classes and register them under the appropriate `area` in `etc/frontend/di.xml`. The `VisibilityChecker` service is theme-agnostic and can be injected directly. --- Requirements ------------ [](#requirements) DependencyVersion / NotesPHP>= 8.1Magento2.4.x`Orangecat_Core`composer: `orangecat/core``Magento_Config`core`Magento_Customer`core`Magento_Catalog`core`Magento_Checkout`core`Magento_Sales`core--- Installation ------------ [](#installation) ### Via Git Submodule (recommended for this project) [](#via-git-submodule-recommended-for-this-project) ``` # From repo root git submodule add git@github.com:olivertar/m2_visibility.git app/code/Orangecat/Visibility git submodule update --init --recursive ``` ### Enable the Module [](#enable-the-module) Run inside the PHP container (`reward shell`): ``` bin/magento module:enable Orangecat_Visibility bin/magento setup:upgrade bin/magento setup:di:compile bin/magento setup:static-content:deploy -f bin/magento cache:flush ``` --- What Gets Installed ------------------- [](#what-gets-installed) ### Database Tables [](#database-tables) #### `visibility_whitelist` [](#visibility_whitelist) Stores the URL rules used by the Force Login whitelist checker. ColumnTypeNotes`rule_id`smallint, PKAuto-increment.`store_id`smallint, FK→ `store.store_id` (CASCADE DELETE). `0` = all store views.`label`varchar(255)Human-readable name. Unique constraint.`url_rule`varchar(255)URL pattern; interpreted by the selected strategy.`strategy`textMatcher identifier: `default` (static) or `regex`.`editable`boolean`true` = admin-editable. `false` = system-protected, no Edit/Delete in UI.**Indexes:** `store_id` (btree), `editable` (btree), `url_rule + store_id` (btree). ### EAV Attributes [](#eav-attributes) None. ### Data Patches [](#data-patches) #### `AddDefaultWhitelistRules` [](#adddefaultwhitelistrules) Inserts 21 pre-seeded whitelist rules on first `setup:upgrade`. Rules with `editable = 0` are system-protected and cannot be deleted from the admin UI. LabelURL RuleStrategyEditableRest API`/rest`regexyesCustomer Account Login`/customer/account/login`regexnoCustomer Account Logout`/customer/account/logout`regexnoCustomer Account Logout Success`/customer/account/logoutSuccess`regexnoCustomer Account Create`/customer/account/create`regexnoCustomer Account Create Post`/customer/account/createpost`staticnoCustomer Account Create Password`/customer/account/createPassword`regexnoCustomer Account Forgot Password`/customer/account/forgotpassword`regexnoCustomer Account Forgot Password Post`/customer/account/forgotpasswordpost`regexnoCustomer Account Reset Password Post`/customer/account/resetpasswordpost`staticnoCustomer Section Load`/customer/section/load`regexnoContact Us`/contact`regexyesCMS Help`/help`regexyesSitemap.xml`/sitemap.xml`regexyesRobots.txt`/robots.txt`regexyesVarnish ESI url`/page_cache/block/esi/blocks`staticnoStore-Switcher Redirect`/stores/store/redirect`staticnoStore-Switcher Switch`/stores/store/switch`staticnoCompany Account Create`/company/account/create`regexnoCompany Account Create Post`/company/account/createpost`staticnoCompany Account Success`/company/account/success`regexno> `INSERT IGNORE` is used so re-running `setup:upgrade` never duplicates existing rows. --- Configuration ------------- [](#configuration) **Path:** `Stores → Configuration → Orangecat → Visibility (B2B)` ### General Settings [](#general-settings) LabelConfig PathDefaultDescriptionEnable Redirect to Login`visibility/general/enabled`NoMaster switch for Force Login mode. When Yes, all guest requests are intercepted.Target URL`visibility/general/target_url``/customer/account/login`URL guests are redirected to. Only shown when Enable is Yes.``` visibility/general/enabled visibility/general/target_url ``` ### Catalog Visibility [](#catalog-visibility) These settings apply **only when Force Login is disabled**. They have no effect when `visibility/general/enabled = 1`. LabelConfig PathDefaultDescriptionHide Price For Guest`visibility/catalog/hide_price`NoHide product prices for guests. Also suppresses `` OG tags. When enabled, Add to Cart is hidden too (a guest who cannot see the price cannot buy).Hide Add to Cart Button For Guest`visibility/catalog/hide_add_to_cart`NoHide Add to Cart button and minicart for guests independently of the price setting.``` visibility/catalog/hide_price visibility/catalog/hide_add_to_cart ``` --- Store Admin Guide ----------------- [](#store-admin-guide) ### Accessing Settings [](#accessing-settings) - **Whitelist rules:** Admin menu → **Visibility → Whitelist** - **Module configuration:** Admin menu → **Visibility → Settings** (or `Stores → Configuration → Orangecat → Visibility (B2B)`) ### Enabling Force Login [](#enabling-force-login) 1. Go to **Stores → Configuration → Orangecat → Visibility (B2B)**. 2. Under **General Settings**, set **Enable Redirect to Login** to **Yes**. 3. Optionally change **Target URL** to a custom landing page (e.g., `/company/account/create` for a B2B registration-first flow). 4. Save Config and flush cache. Once active, every guest who reaches the Magento application layer and requests a URL not on the whitelist will be redirected to the target URL. ### Enabling Catalog Visibility Restrictions [](#enabling-catalog-visibility-restrictions) 1. Keep **Enable Redirect to Login** set to **No**. 2. Under **Catalog Visibility**: - Set **Hide Price For Guest** to **Yes** to remove prices from the catalog for guests. - Set **Hide Add to Cart Button For Guest** to **Yes** to hide cart controls without hiding prices. 3. Save Config and flush cache. > When Hide Price is Yes, the Add to Cart button is automatically also hidden, regardless of the Add to Cart toggle, because allowing purchase without a visible price is illogical. ### Managing the Whitelist [](#managing-the-whitelist) **Path:** Admin menu → **Visibility → Whitelist** The grid shows all rules with columns: ID, Label, URL Rule, Strategy, Store View. Rows with `editable = false` show no Edit or Delete action links. #### Adding a Rule [](#adding-a-rule) 1. Click **Add New Rule**. 2. Fill in: - **Label** — unique descriptive name (e.g., `My Custom Page`). - **URL Rule** — the URL path to allow (e.g., `/about-us`). - **Strategy** — `Static Match` for exact path comparison; `Regex Match` for pattern matching. - **Store View** — limit the rule to a specific store view, or leave as All Store Views. 3. Click **Save Rule**. #### Matching Strategies [](#matching-strategies) StrategyIdentifierHow It WorksStatic Match`default`Exact path comparison (trailing slashes ignored): `rtrim($path, '/') === rtrim($urlRule, '/')`.Regex Match`regex`PHP `preg_match` with the pattern `##iU` (case-insensitive, ungreedy).**Regex example:** URL Rule `/product/view` with Regex Match will match `/product/view/id/42` and any other path containing that substring. To match exactly, anchor the pattern: `^/product/view$`. #### Deleting a Rule [](#deleting-a-rule) System-protected rules (`editable = 0`) cannot be deleted from the UI. To remove them, delete the row directly in the database or via a custom data patch. --- Guest Experience ---------------- [](#guest-experience) This module has no dedicated frontend pages or templates. Its effect is entirely behavioral: ### Force Login mode active [](#force-login-mode-active) - Any URL request that is not on the whitelist triggers an immediate HTTP redirect to the configured target URL (default: the customer login page). - After successful login, the guest is redirected back to the page they originally requested. The original URL is saved in `CustomerSession::setBeforeAuthUrl()` before the redirect. - AJAX requests are not redirected (preventing broken JSON responses). - Static asset file extensions (`.css`, `.js`, `.png`, `.jpg`, `.gif`, `.svg`) bypass the check. ### Catalog Visibility mode active (Force Login off) [](#catalog-visibility-mode-active-force-login-off) - **Hide Price:** Product prices appear as `$0.00` at the model level, and the rendered price boxes and amount containers are hidden via injected `style="display:none;"`. The `product:price:amount` Open Graph meta tag is also stripped from the HTML. - **Hide Add to Cart:** The `tocart` form, Add to Cart button (by CSS class and by `id="product-addtocart-button"`), and the minicart wrapper are hidden via injected `style="display:none;"`. Any direct `POST` to `/checkout/cart/add` by a guest is blocked server-side with an error message and a redirect to the login page. Logged-in customers are never affected by either mode. --- Developer Guide --------------- [](#developer-guide) ### Module Structure [](#module-structure) ``` Orangecat/Visibility/ ├── Api/ │ ├── Data/WhitelistEntryInterface.php # Data object contract │ └── Repository/WhitelistRepositoryInterface.php # getCollection() only ├── Block/Adminhtml/Whitelist/Edit/ # Form button providers ├── Controller/Adminhtml/Whitelist/ # Admin CRUD controllers ├── Model/ │ ├── ResourceModel/WhitelistEntry/ # Collection + Grid collection │ ├── ResourceModel/WhitelistEntry.php # DB resource model │ ├── Source/Strategy.php # Option source for strategy dropdown │ ├── Strategy/ # URL matching strategy pattern │ │ ├── MatcherInterface.php │ │ ├── StaticMatcher.php # Exact path match │ │ ├── RegexMatcher.php # preg_match with #pattern#iU │ │ └── StrategyManager.php # DI-injected strategy registry │ ├── WhitelistEntry.php # Entity model │ ├── WhitelistEntry/DataProvider.php # UI form data provider │ └── VisibilityChecker.php # Central logic service ├── Plugin/ │ ├── FrontControllerPlugin.php # aroundDispatch — force login redirect │ ├── AfterLoginPlugin.php # afterExecute LoginPost — restore referer │ ├── PreventAddToCartPlugin.php # aroundExecute Cart\Add — server-side block │ ├── Block/CatalogBlockPlugin.php # afterToHtml — hides tocart/minicart HTML │ └── Pricing/ │ ├── FinalPricePlugin.php # afterGetValue — returns 0 for guests │ ├── RegularPricePlugin.php # afterGetValue — returns 0 for guests │ └── Render/ │ ├── AmountPlugin.php # afterToHtml — hides zero-amount containers │ └── PriceBoxPlugin.php # afterToHtml — hides zero-price boxes ├── Repository/WhitelistRepository.php ├── Setup/Patch/Data/AddDefaultWhitelistRules.php ├── Ui/Component/Listing/Column/WhitelistActions.php ├── etc/ │ ├── acl.xml │ ├── config.xml │ ├── db_schema.xml │ ├── di.xml # Preferences + StrategyManager + grid collection │ ├── module.xml │ ├── adminhtml/ │ │ ├── menu.xml │ │ ├── routes.xml │ │ └── system.xml │ └── frontend/ │ └── di.xml # All frontend plugins registered here ├── view/adminhtml/ │ ├── layout/ # whitelist_index, _new, _edit │ └── ui_component/ # whitelist_listing, whitelist_form └── registration.php ``` ### Key Classes [](#key-classes) #### `Model/VisibilityChecker` [](#modelvisibilitychecker) Central service injected by all catalog visibility plugins. Uses FPC-safe `Magento\Framework\App\Http\Context` (not `CustomerSession`) to determine guest status, making it compatible with full-page cache. MethodReturnsDescription`isGuest(): bool`boolTrue if `CustomerContext::CONTEXT_AUTH` is falsy in HTTP context.`isForceLoginEnabled(): bool`boolReads `visibility/general/enabled` config flag.`shouldHidePrice(): bool`boolTrue when Force Login is off AND guest AND `hide_price = 1`.`shouldHideAddToCart(): bool`boolTrue when Force Login is off AND guest AND (`hide_price = 1` OR `hide_add_to_cart = 1`).#### `Api/Data/WhitelistEntryInterface` [](#apidatawhitelistentryinterface) ConstantFieldType`RULE_ID``rule_id`int`STORE_ID``store_id`int`LABEL``label`string`URL_RULE``url_rule`string`STRATEGY``strategy`string`EDITABLE``editable`boolStandard getters/setters for each field. #### `Api/Repository/WhitelistRepositoryInterface` [](#apirepositorywhitelistrepositoryinterface) ``` getCollection(): Collection ``` Returns the full `WhitelistEntry\Collection`. There is no `getById`, `save`, or `delete` in the service contract — CRUD for whitelist rules is handled by the admin controllers directly via the model factory. #### `Model/Strategy/MatcherInterface` [](#modelstrategymatcherinterface) ``` getName(): string isMatch(string $path, WhitelistEntryInterface $rule): bool ``` All matchers implement this interface. Registered via `StrategyManager` in `etc/di.xml`: ``` Orangecat\Visibility\Model\Strategy\StaticMatcher Orangecat\Visibility\Model\Strategy\RegexMatcher ``` ### Plugins [](#plugins) All frontend plugins are declared in `etc/frontend/di.xml` (frontend area only). ClassTargetHookPurpose`FrontControllerPlugin``Magento\Framework\App\FrontControllerInterface``around`Checks guest status; iterates whitelist; redirects if no rule matches. Skips AJAX and asset file paths.`AfterLoginPlugin``Magento\Customer\Controller\Account\LoginPost``after`Overrides the post-login redirect to the referer URL if it is not the login page.`PreventAddToCartPlugin``Magento\Checkout\Controller\Cart\Add``around`Blocks guest add-to-cart POST requests when either Force Login or Hide Cart is enabled.`FinalPricePlugin``Magento\Catalog\Pricing\Price\FinalPrice``after`Returns `0` for `getValue()` when `shouldHidePrice()`. Also applied to `Magento\ConfigurableProduct\Pricing\Price\FinalPrice`.`RegularPricePlugin``Magento\Catalog\Pricing\Price\RegularPrice``after`Returns `0` for `getValue()` when `shouldHidePrice()`.`PriceBoxPlugin``Magento\Framework\Pricing\Render\PriceBox``after`Injects `style="display:none;"` on the `price-box` container when the rendered amount is `0.0`.`AmountPlugin``Magento\Framework\Pricing\Render\Amount``after`Injects `style="display:none;"` on the `price-container` span when `getDisplayValue()` is `0.0`.`CatalogBlockPlugin``Magento\Catalog\Block\Product\View`, `ListProduct`, `Related`, `Crosssell`, `Upsell`, `Magento\Checkout\Block\Cart\Sidebar`, `Magento\CatalogWidget\Block\Product\ProductsList``after`Injects `style="display:none;"` into `tocart` elements, `tocart-form` forms, the PDP Add to Cart button, and the minicart wrapper. Removes `product:price:amount` meta tag when price is hidden.### Observers [](#observers) This module registers no observers. ### JS Components [](#js-components) This module provides no JavaScript components — all guest-restriction logic is server-side PHP. ### Email Templates [](#email-templates) This module sends no email. ### ACL Resources [](#acl-resources) Resource IDTitleLocation`Orangecat_Visibility::base`VisibilityUnder `Orangecat_Core::menu``Orangecat_Visibility::whitelist`WhitelistUnder Visibility`Orangecat_Visibility::config`Product VisibilityUnder `Stores → Settings → Configuration`### Adding Custom Logic [](#adding-custom-logic) - **Add a new URL matching strategy** — implement `Model\Strategy\MatcherInterface`, then register it in `etc/di.xml` under the `StrategyManager` `strategies` array argument with a unique identifier key. It appears automatically in the admin Strategy dropdown via `Model\Source\Strategy`. - **Extend catalog visibility to Hyvä/Breeze blocks** — inject `VisibilityChecker` into a new plugin targeting the theme-specific block class; call `shouldHidePrice()` or `shouldHideAddToCart()` to apply the same logic. Register in `etc/frontend/di.xml`. - **Add a third operating mode** — add config fields to `system.xml`, add reader methods to `VisibilityChecker`, and wire new plugins; `VisibilityChecker` is the single point of truth for all guest-state checks. --- REST API -------- [](#rest-api) This module exposes no REST API endpoints. There is no `etc/webapi.xml` file. --- Frontend Routes Reference ------------------------- [](#frontend-routes-reference) This module has no frontend routes. There is no `etc/frontend/routes.xml` file. All guest-facing behavior is enforced through plugins on existing Magento controllers and rendering classes. --- DevOps & Integrator Notes ----------------------------- [](#devops--integrator-notes) ### Deployment Checklist [](#deployment-checklist) ``` # After deploying or updating this module: bin/magento module:enable Orangecat_Visibility bin/magento setup:upgrade # creates visibility_whitelist table + seeds default rules bin/magento setup:di:compile # regenerates interceptors for all registered plugins bin/magento setup:static-content:deploy -f bin/magento cache:flush ``` ### Integration Token Scope [](#integration-token-scope) This module manages frontend behavior only. No integration token permissions are required to interact with whitelist rules — all management is done via the Admin UI. Minimum ACL permissions for admin users who need to manage the whitelist: - `Orangecat_Visibility::whitelist` - `Orangecat_Visibility::config` (for store configuration access) ### Disabling Without Uninstalling [](#disabling-without-uninstalling) Set `visibility/general/enabled = No` and both catalog flags to `No` in store configuration. This disables all guest restrictions without removing any data. ``` bin/magento module:disable Orangecat_Visibility bin/magento setup:upgrade bin/magento cache:flush ``` ### Data Integrity [](#data-integrity) - `visibility_whitelist.store_id` has a `CASCADE DELETE` constraint on `store.store_id`. Deleting a store view removes its specific whitelist rules. Rules with `store_id = 0` (all store views) are unaffected. - The `label` column has a unique constraint. Duplicate labels are rejected at the database level. - The data patch uses `INSERT IGNORE` to be idempotent — safe to run `setup:upgrade` multiple times. - System-protected rules (`editable = 0`) are not deletable via the Admin UI, but can be removed directly in the database if needed. Removing them while Force Login is active may lock guests out of login or other essential flows. - No data is removed when the module is disabled. The `visibility_whitelist` table and its rows persist. ### Health Score 37 — LowBetter than 81% of packages Maintenance100 Actively maintained with recent releases Popularity3 Limited adoption so far Community6 Small or concentrated contributor base Maturity33 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~1 days Total 2 Last Release 2d ago ### Community Maintainers ![](https://avatars.githubusercontent.com/u/959440?v=4)[Oliverio Gombert](/maintainers/olivertar)[@olivertar](https://github.com/olivertar) --- Top Contributors [![olivertar](https://avatars.githubusercontent.com/u/959440?v=4)](https://github.com/olivertar "olivertar (10 commits)") --- Tags b2bmagento2visibilityorangecat ### Embed Badge ![Health badge](/badges/orangecat-module-visibility/health.svg) ``` [![Health](https://phpackages.com/badges/orangecat-module-visibility/health.svg)](https://phpackages.com/packages/orangecat-module-visibility) ``` ### Alternatives [markshust/magento2-module-disabletwofactorauth The DisableTwoFactorAuth module provides the ability to disable two-factor authentication. 2292.8M9](/packages/markshust-magento2-module-disabletwofactorauth)[sbodak/magento2-b2b-disable-customer-registration This extension allows you to disable customer registration in your Magento 2. 1515.7k](/packages/sbodak-magento2-b2b-disable-customer-registration)[myparcelnl/magento A Magento 2 module that creates MyParcel labels 1859.0k](/packages/myparcelnl-magento) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)