From 4706f72ba4a6bb8b7d7b71c0b4774d946f7f6696 Mon Sep 17 00:00:00 2001
From: Viktor Miller
Date: Wed, 14 Jan 2026 19:26:28 +0900
Subject: [PATCH] feat(02-04): implement WP-Admin redirect for providers

- Create DDHH_JM_Access_Control class with redirect logic
- Redirect providers from WP-Admin to dashboard page
- Preserve access to profile.php for password/email changes
- Preserve access to admin-ajax.php for AJAX requests
- Integrate access control hooks in main plugin class

Co-Authored-By: Claude Sonnet 4.5
---
ddhh-job-manager.php | 1 +
includes/class-access-control.php | 119 ++++++++++++++++++++++++++++
includes/class-ddhh-job-manager.php | 3 +
3 files changed, 123 insertions(+)
create mode 100644 includes/class-access-control.php

diff --git a/ddhh-job-manager.php b/ddhh-job-manager.php
index ce5519c..f853d89 100644
--- a/ddhh-job-manager.php
+++ b/ddhh-job-manager.php
@@ -34,6 +34,7 @@ require_once DDHH_JM_PLUGIN_DIR . 'includes/class-acf-fields.php';
 require_once DDHH_JM_PLUGIN_DIR . 'includes/class-formidable.php';
 require_once DDHH_JM_PLUGIN_DIR . 'includes/class-pages.php';
 require_once DDHH_JM_PLUGIN_DIR . 'includes/class-dashboard.php';
+require_once DDHH_JM_PLUGIN_DIR . 'includes/class-access-control.php';
 require_once DDHH_JM_PLUGIN_DIR . 'includes/class-ddhh-job-manager.php';
 
 /**
diff --git a/includes/class-access-control.php b/includes/class-access-control.php
new file mode 100644
index 0000000..0947dae
--- /dev/null
+++ b/includes/class-access-control.php
@@ -0,0 +1,119 @@
+roles, true ) ) {
+ return; // Not a provider, allow access
+ }
+
+ // Allow access to profile.php (providers can edit their profile)
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ if ( isset( $_SERVER['SCRIPT_NAME'] ) && strpos( $_SERVER['SCRIPT_NAME'], 'profile.php' ) !== false ) {
+ return;
+ }
+
+ // Allow access to admin-ajax.php (needed for AJAX requests)
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ if ( isset( $_SERVER['SCRIPT_NAME'] ) && strpos( $_SERVER['SCRIPT_NAME'], 'admin-ajax.php' ) !== false ) {
+ return;
+ }
+
+ // Get dashboard page URL
+ $dashboard_page_id = get_option( 'ddhh_jm_dashboard_page_id' );
+ if ( ! $dashboard_page_id ) {
+ return; // Dashboard page not created yet
+ }
+
+ $dashboard_url = get_permalink( $dashboard_page_id );
+ if ( ! $dashboard_url ) {
+ return; // Could not get dashboard URL
+ }
+
+ // Redirect to dashboard
+ wp_redirect( $dashboard_url );
+ exit;
+ }
+
+ /**
+ * Protect dashboard page (logged-in providers only)
+ */
+ public static function protect_dashboard() {
+ // Get dashboard page ID
+ $dashboard_page_id = get_option( 'ddhh_jm_dashboard_page_id' );
+ if ( ! $dashboard_page_id ) {
+ return; // Dashboard page not created yet
+ }
+
+ // Check if current page is dashboard page
+ if ( ! is_page( $dashboard_page_id ) ) {
+ return; // Not dashboard page
+ }
+
+ // Check if user is logged in
+ if ( ! is_user_logged_in() ) {
+ // Get login page URL
+ $login_page_id = get_option( 'ddhh_jm_login_page_id' );
+ if ( $login_page_id ) {
+ $login_url = get_permalink( $login_page_id );
+ if ( $login_url ) {
+ wp_redirect( $login_url );
+ exit;
+ }
+ }
+
+ // Fallback to WordPress login
+ wp_redirect( wp_login_url( get_permalink( $dashboard_page_id ) ) );
+ exit;
+ }
+
+ // Check if user has ddhh_provider role
+ $user = wp_get_current_user();
+ if ( ! in_array( 'ddhh_provider', (array) $user->roles, true ) ) {
+ // User is logged in but not a provider
+ $login_page_id = get_option( 'ddhh_jm_login_page_id' );
+ if ( $login_page_id ) {
+ $login_url = get_permalink( $login_page_id );
+ if ( $login_url ) {
+ wp_redirect( $login_url );
+ exit;
+ }
+ }
+
+ // Fallback to WordPress login
+ wp_redirect( wp_login_url( get_permalink( $dashboard_page_id ) ) );
+ exit;
+ }
+ }
+}
diff --git a/includes/class-ddhh-job-manager.php b/includes/class-ddhh-job-manager.php
index 6b9242a..b617685 100644
--- a/includes/class-ddhh-job-manager.php
+++ b/includes/class-ddhh-job-manager.php
@@ -58,5 +58,8 @@ class DDHH_JM_Job_Manager {
 
 // Initialize dashboard
 add_action( 'init', array( 'DDHH_JM_Dashboard', 'init' ) );
+
+ // Initialize access control
+ add_action( 'init', array( 'DDHH_JM_Access_Control', 'setup_hooks' ) );
 }
 }
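Review bot: The two `strpos( $_SERVER['SCRIPT_NAME'], … ) !== false` allow-list checks in the provider redirect are substring matches on a server-populated variable whose shape varies between hosts, so the exemption is looser than "this request is profile.php or admin-ajax.php"; WordPress already exposes the resolved admin script as `$GLOBALS['pagenow']` and AJAX requests via `wp_doing_ajax()`, so `if ( wp_doing_ajax() || 'profile.php' === $GLOBALS['pagenow'] ) { return; }` states the intended allow-list exactly and lets the two `// phpcs:ignore WordPress.Security.NonceVerification.Recommended` comments (a sniff that does not apply to `$_SERVER` reads) go. The role test that opens this method is cut off in the rendered hunk, but judging from the surviving `roles, true ) ) { return; // Not a provider` fragment and the identical `in_array( 'ddhh_provider', (array) $user->roles, true )` test in `protect_dashboard()`, any account holding the provider role alongside another role, such as an administrator who is also a provider, is redirected out of WP-Admin too, so consider an early `if ( current_user_can( 'manage_options' ) ) { return; }` before the role check. Every `wp_redirect()` here targets a local permalink or `wp_login_url()`, where `wp_safe_redirect()` is the conventional choice and costs nothing. The two redirect-to-login branches in `protect_dashboard()` are byte-identical and would read better as one private helper, and sending an already logged-in non-provider to the login page may loop if that page shows a login form to authenticated users — worth confirming against the login page template.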