feat(02-04): implement WP-Admin redirect for providers

- Create DDHH_JM_Access_Control class with redirect logic
- Redirect providers from WP-Admin to dashboard page
- Preserve access to profile.php for password/email changes
- Preserve access to admin-ajax.php for AJAX requests
- Integrate access control hooks in main plugin class

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

includes/class-access-control.php

@@ -0,0 +1,119 @@
+<?php
+/**
+ * Access Control class
+ *
+ * Handles access restrictions and redirects for provider role
+ *
+ * @package DDHH_Job_Manager
+ */
+
+// Exit if accessed directly.
+defined( 'ABSPATH' ) || exit;
+
+/**
+ * Access Control class
+ */
+class DDHH_JM_Access_Control {
+
+	/**
+	 * Initialize hooks
+	 */
+	public static function setup_hooks() {
+		// Redirect providers away from WP-Admin
+		add_action( 'admin_init', array( __CLASS__, 'redirect_providers_from_admin' ) );
+
+		// Protect dashboard page (logged-in providers only)
+		add_action( 'template_redirect', array( __CLASS__, 'protect_dashboard' ) );
+	}
+
+	/**
+	 * Redirect providers away from WP-Admin (except profile and AJAX)
+	 */
+	public static function redirect_providers_from_admin() {
+		// Get current user
+		$user = wp_get_current_user();
+
+		// Check if user has ddhh_provider role
+		if ( ! in_array( 'ddhh_provider', (array) $user->roles, true ) ) {
+			return; // Not a provider, allow access
+		}
+
+		// Allow access to profile.php (providers can edit their profile)
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( isset( $_SERVER['SCRIPT_NAME'] ) && strpos( $_SERVER['SCRIPT_NAME'], 'profile.php' ) !== false ) {
+			return;
+		}
+
+		// Allow access to admin-ajax.php (needed for AJAX requests)
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( isset( $_SERVER['SCRIPT_NAME'] ) && strpos( $_SERVER['SCRIPT_NAME'], 'admin-ajax.php' ) !== false ) {
+			return;
+		}
+
+		// Get dashboard page URL
+		$dashboard_page_id = get_option( 'ddhh_jm_dashboard_page_id' );
+		if ( ! $dashboard_page_id ) {
+			return; // Dashboard page not created yet
+		}
+
+		$dashboard_url = get_permalink( $dashboard_page_id );
+		if ( ! $dashboard_url ) {
+			return; // Could not get dashboard URL
+		}
+
+		// Redirect to dashboard
+		wp_redirect( $dashboard_url );
+		exit;
+	}
+
+	/**
+	 * Protect dashboard page (logged-in providers only)
+	 */
+	public static function protect_dashboard() {
+		// Get dashboard page ID
+		$dashboard_page_id = get_option( 'ddhh_jm_dashboard_page_id' );
+		if ( ! $dashboard_page_id ) {
+			return; // Dashboard page not created yet
+		}
+
+		// Check if current page is dashboard page
+		if ( ! is_page( $dashboard_page_id ) ) {
+			return; // Not dashboard page
+		}
+
+		// Check if user is logged in
+		if ( ! is_user_logged_in() ) {
+			// Get login page URL
+			$login_page_id = get_option( 'ddhh_jm_login_page_id' );
+			if ( $login_page_id ) {
+				$login_url = get_permalink( $login_page_id );
+				if ( $login_url ) {
+					wp_redirect( $login_url );
+					exit;
+				}
+			}
+
+			// Fallback to WordPress login
+			wp_redirect( wp_login_url( get_permalink( $dashboard_page_id ) ) );
+			exit;
+		}
+
+		// Check if user has ddhh_provider role
+		$user = wp_get_current_user();
+		if ( ! in_array( 'ddhh_provider', (array) $user->roles, true ) ) {
+			// User is logged in but not a provider
+			$login_page_id = get_option( 'ddhh_jm_login_page_id' );
+			if ( $login_page_id ) {
+				$login_url = get_permalink( $login_page_id );
+				if ( $login_url ) {
+					wp_redirect( $login_url );
+					exit;
+				}
+			}
+
+			// Fallback to WordPress login
+			wp_redirect( wp_login_url( get_permalink( $dashboard_page_id ) ) );
+			exit;
+		}
+	}
+}

includes/class-ddhh-job-manager.php

@@ -58,5 +58,8 @@ class DDHH_JM_Job_Manager {
 
 		// Initialize dashboard
 		add_action( 'init', array( 'DDHH_JM_Dashboard', 'init' ) );
+
+		// Initialize access control
+		add_action( 'init', array( 'DDHH_JM_Access_Control', 'setup_hooks' ) );
 	}
 }