I have a folder "secretstuff". Its content should be protected, using the shared password schema. I can't get the URL / routing variables in protect.yaml to work.

I've tried protect.yaml with a couple of different variables to debug this:

    # The URL containing the password form
    password_form_url: {{ _site_root }}member/password  # does not work
    password_form_url: /statamic/member/password  # does not work; this is the correct hard link on my dev server

But regardless of how I assign the variable in protect.yaml, it makes no difference. The only thing that affects the behavior and properly routes the user to the password page is if I assign form_url in the secretstuff/page.md front matter:

    allow:
      roles: [ member, admin ]
    password:
      allowed: [ "foo", "bar" ]
      form_url: /statamic/member/password

The problem with hard-coding the path is that I have a different {{ _site_root }} in my dev environment than in my production environment, and the front matter YAML doesn't parse {{ _site_root }} as a variable; it encodes it and routes the user to %7B%7B%20_site_root%20%7D%7D/member/password.

What am I doing wrong here? Any suggestions? Shouldn't the path names in protect.yaml work as long as form_url is undefined? Can protect.yaml and page.md access global variables?

Thanks, EB