Changed it to leave the 'login' and 'register' actions in the system; we're already taking them over and redirecting them to the OpenID login page, so they won't be reached by accident; but now those redirects can be reached on purpose. ;)
Better long-term fix may be to allow some aliasing, so we can have common_local_url('login') actually send us straight to the OpenID login page instead of having to go through an intermediate redirect, but this'll do.
function onStartConnectPath(&$path, &$defaults, &$rules, &$result)
{
if (common_config('site', 'openidonly')) {
function onStartConnectPath(&$path, &$defaults, &$rules, &$result)
{
if (common_config('site', 'openidonly')) {
- static $block = array('main/login',
- 'main/register',
- 'main/recoverpassword',
+ // Note that we should not remove the login and register
+ // actions. Lots of auth-related things link to them,
+ // such as when visiting a private site without a session
+ // or revalidating a remembered login for admin work.
+ //
+ // We take those two over with redirects to ourselves
+ // over in onArgsInitialize().
+ static $block = array('main/recoverpassword',
'settings/password');
if (in_array($path, $block)) {
'settings/password');
if (in_array($path, $block)) {