Page Controllers can be used to secure pages via several methods:
The process here is simple. The "checkAccess" method should be called every time that the page for a page controller is loaded. By default, this method simply calls "hasAccess" and then runs "blockAccess" if the user does not have access.
The "hasAccess" method is the heart of the process. The default method simply returns "true", but you can implement any logic here that you desire.
The default "blockAccess" method simple redirects the user to the URL returned from "getNoAccessURL" ("/" unless you change the method). Again, however, you can change this as needed.
The real power in this, however, is not simple securing a page from direct access. The real power is that other pages can call the "hasAccess" method to discover if a use would have access to a given page. This ensures that your pages are fully atomic and can use any complex algorithm necessary to determine access and any incoming links can conditionally be displayed based on the internal logic of the page.