Keeping People from Accessing Controller Methods
#6

cornofstarch
I think I figured it out. Phil doesn't use the ION Auth controller restrict method in all the methods. I wasted a whole weekend to figure this out instead of building what I need for work... wish these things were put into a neat little manual >.< But in the spirit of sharing coding discoveries, here's hoping that this will help someone else with the same questions I had.

Pyro has a few things...

.htaccess which redirects everything to index.php unless the actual file or folder exists.

In config/routes.php, Pyro redirects both the default controller and 404 errors to pages.php. Among other things, pages.php basically does a remap of the URI to whatever you want it to. For example, if you need to pull /about, then it will search the database for an about page. If it exists, then it redirects. If you need to use a module of some kind, then after jumping through different checks and hoops, you may or may not be served the module.

But let's say you're a curious person who just wants to access the comments controller just for the fun of it. By default, the URI passed is index if the method doesn't exist in the controller (try printing $method from the example in the manual and not have the actual method in your controller). But in the comments controller, Pyro wouldn't have an index method. So, you'll never be able to load localhost/comments. Also, the other important methods are privatized using the underscore.

There are some controllers where Pyro will extend a custom Admin_Controller or a Public_Controller found in /core. Let's say a particular controller extends Admin_Controller. Then before the controller is loaded, all the security checks are performed to see if the user has access to the controller. If not, the user is redirected appropriately.

Occasionally, Pyro needs to restrict certain methods (even if they've been privatized with the underscore) and will use ION Auth's authentication methods for added security.

I think I got it... I hope...
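The layers described in the post above (no index method, underscore-prefixed helpers, and a base controller that checks access before anything runs), modelled as an added standalone example that is not part of the original post and is not CodeIgniter, PyroCMS or ION Auth code. `dispatch()`, `AccessDenied`, the `$session` array and the `approve` / `_purge_all` methods are hypothetical names chosen for illustration.

```php
<?php
// Standalone model of the rules described in the post; not framework code.
class AccessDenied extends Exception {}

// Stand-in for a base controller in /core: the check lives in the constructor,
// so it runs before any method of a subclass can be called.
abstract class Admin_Controller
{
    public function __construct(array $session)
    {
        if (empty($session['is_admin'])) {
            throw new AccessDenied('admin login required');
        }
    }
}

class Comments extends Admin_Controller   // note: deliberately has no index()
{
    public function approve($id) { return "approved comment $id"; }
    public function _purge_all() { return 'purged'; }   // helper, must never be routable
}

// Hypothetical dispatcher: the method defaults to "index", underscore-prefixed
// names are refused, and anything that is not a public method is a 404.
function dispatch(string $uri, array $session): string
{
    $segments = array_values(array_filter(explode('/', $uri), 'strlen'));
    $class    = ucfirst(strtolower($segments[0] ?? ''));
    $method   = $segments[1] ?? 'index';
    $args     = array_slice($segments, 2);

    if (!in_array($class, ['Comments'], true)) return '404';   // allow-list of controllers
    if (strncmp($method, '_', 1) === 0)        return '404';   // private by convention
    $public = array_map('strtolower', get_class_methods($class)); // public methods only
    if (!in_array(strtolower($method), $public, true)) return '404';

    try {
        $controller = new $class($session);   // access check fires here
    } catch (AccessDenied $e) {
        return '302 /admin/login';
    }
    return call_user_func_array([$controller, $method], $args);
}

// Constructed requests, not taken from the thread.
foreach ([['/comments', []], ['/comments/_purge_all', ['is_admin' => true]],
          ['/comments/approve/7', []], ['/comments/approve/7', ['is_admin' => true]]] as [$uri, $s]) {
    echo str_pad($uri, 24), dispatch($uri, $s), PHP_EOL;
}
```

The first two requests return 404 regardless of who is logged in, the third is redirected to login, and only the fourth reaches `approve`, which shows that the underscore convention and the constructor check cover different cases and neither replaces the other.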

