---
phase: 02-provider-registration-auth
plan: 04
type: execute
depends_on: ["02-03"]
files_modified: [includes/class-access-control.php]
---
Implement access control and redirects for provider role.
Purpose: Prevent providers from accessing WP-Admin (except profile) and protect dashboard page.
Output: Access control hooks that enforce provider restrictions per PROJECT.md requirements.
~/.claude/get-shit-done/workflows/execute-plan.md
./summary.md
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/phases/01-foundation-setup/01-03-SUMMARY.md
@.planning/phases/02-provider-registration-auth/02-03-SUMMARY.md
**From PROJECT.md:**
- Constraint: "Providers: restricted capabilities, no WP-Admin access except profile"
- Core value: Admin moderation is the trust layer
**From Phase 1:**
- Provider role `ddhh_provider` exists with no admin capabilities
**From 02-03:**
- Dashboard page exists at /anbieter-dashboard/
Task 1: Redirect providers away from WP-Admin
includes/class-access-control.php
Create `includes/class-access-control.php` with static method setup_hooks():
Hook into 'admin_init' action:
- Check if current user has role 'ddhh_provider' (use wp_get_current_user()->roles)
- If ddhh_provider AND not accessing profile.php or admin-ajax.php:
- Get dashboard page URL: get_permalink(get_option('ddhh_jm_dashboard_page_id'))
- Redirect using wp_redirect($dashboard_url) and exit
- Allow profile.php (providers can edit their profile)
- Allow admin-ajax.php (needed for AJAX requests from frontend)
Hook this to 'init' action in main class.
DO NOT block all admin access - allow profile.php so providers can change their password and email.
DO NOT redirect on AJAX requests (admin-ajax.php must remain accessible).
Provider user accessing wp-admin/ gets redirected to /anbieter-dashboard/, but wp-admin/profile.php remains accessible
WP-Admin redirect implemented, profile access preserved, dashboard redirect functional
Task 2: Protect dashboard page (logged-in providers only)
includes/class-access-control.php
In class-access-control.php, add static method protect_dashboard():
Hook into 'template_redirect' action:
- Check if current page is dashboard page (using get_option('ddhh_jm_dashboard_page_id'))
- If yes:
- Check if user is logged in: is_user_logged_in()
- Check if user has ddhh_provider role
- If NOT logged in OR NOT ddhh_provider: redirect to login page (get_option('ddhh_jm_login_page_id'))
This ensures only logged-in providers can access the dashboard.
DO NOT use wp_die() - use wp_redirect() to login page with a friendly redirect flow.
Non-logged-in users accessing /anbieter-dashboard/ get redirected to /anbieter-login/, logged-in providers see dashboard
Dashboard protected, only providers can access, redirects to login page if unauthorized
Before declaring plan complete:
- [ ] Provider accessing wp-admin/ gets redirected to dashboard
- [ ] Provider CAN access wp-admin/profile.php
- [ ] Non-logged-in users accessing dashboard get redirected to login
- [ ] Logged-in providers CAN access dashboard
- [ ] Admin users are not affected by redirects
- All tasks completed
- Provider role properly restricted from WP-Admin
- Dashboard protected and accessible only to providers
- Profile access preserved for providers
- Phase 2 complete - ready for Phase 3 (job submission forms)