Viktor Miller 054adb721a docs(02): create phase 2 plans
Phase 02: Provider Registration & Auth
- 4 plans created
- 8 total tasks defined
- Ready for execution

Plans:
- 02-01: Formidable registration form with auto-login
- 02-02: Combined login/registration page
- 02-03: Provider dashboard template
- 02-04: Access control and redirects
2026-01-14 19:12:07 +09:00


| phase | plan | type | depends_on | files_modified |
| --- | --- | --- | --- | --- |
| 02-provider-registration-auth | 04 | execute | 02-03 | includes/class-access-control.php |
Implement access control and redirects for provider role.

Purpose: Prevent providers from accessing WP-Admin (except profile) and protect dashboard page. Output: Access control hooks that enforce provider restrictions per PROJECT.md requirements.

<execution_context> ~/.claude/get-shit-done/workflows/execute-plan.md ./summary.md </execution_context>

@.planning/PROJECT.md @.planning/ROADMAP.md @.planning/phases/01-foundation-setup/01-03-SUMMARY.md @.planning/phases/02-provider-registration-auth/02-03-SUMMARY.md

From PROJECT.md:

  • Constraint: "Providers: restricted capabilities, no WP-Admin access except profile"
  • Core value: Admin moderation is the trust layer

From Phase 1:

  • Provider role ddhh_provider exists with no admin capabilities

From 02-03:

  • Dashboard page exists at /anbieter-dashboard/
Task 1: Redirect providers away from WP-Admin
File: includes/class-access-control.php

Create `includes/class-access-control.php` with static method setup_hooks():

Hook into 'admin_init' action:

  • Check whether the current user has the role ddhh_provider (inspect wp_get_current_user()->roles); return early for every other user so administrators and editors are never touched by this hook
  • Skip AJAX requests: admin_init also fires for admin-ajax.php, so test wp_doing_ajax() rather than inspecting the URL
  • Skip profile.php: compare the global $pagenow against 'profile.php' (providers must be able to change their password and email)
  • Otherwise resolve the dashboard URL with get_permalink(get_option('ddhh_jm_dashboard_page_id')); if the option is unset or the page was deleted, get_permalink() returns false, so fall back to home_url() instead of redirecting to an empty Location header
  • Redirect with wp_safe_redirect($dashboard_url) (the target is always local) and exit immediately; a redirect without exit lets the rest of the admin request render before the browser follows it

Hook this to 'init' action in main class.

DO NOT block all admin access: allow profile.php so providers can change their password and email. DO NOT redirect on AJAX requests (admin-ajax.php must remain accessible). Treat the redirect as a navigation control, not as the security boundary: the ddhh_provider role from Phase 1 carries no admin capabilities, and it is that capability model, not the redirect, that stops a provider from performing admin actions through profile.php, admin-ajax.php, or a hand-crafted request.

Verify: a provider user accessing wp-admin/ gets redirected to /anbieter-dashboard/, but wp-admin/profile.php remains accessible.

Done when: WP-Admin redirect implemented, profile access preserved, dashboard redirect functional.

Task 2: Protect dashboard page (logged-in providers only)
File: includes/class-access-control.php

In class-access-control.php, add static method protect_dashboard():

Hook into 'template_redirect' action:

  • Check whether the current request is for the dashboard page: is_page() with the ID from get_option('ddhh_jm_dashboard_page_id'); if the option is unset, do nothing rather than matching every page
  • If yes:
    • Check whether the user is logged in: is_user_logged_in()
    • Check whether the user has the ddhh_provider role
    • If NOT logged in OR NOT ddhh_provider: redirect to the login page (get_permalink(get_option('ddhh_jm_login_page_id'))), passing the dashboard URL as redirect_to so the login form can send the user back after authentication

This ensures only logged-in providers can access the dashboard.

DO NOT use wp_die(); use wp_redirect() (wp_safe_redirect() is the better choice since the target is always local) to the login page with a friendly redirect flow, and exit after the redirect so the dashboard template never renders for an unauthorised request.

Verify: non-logged-in users accessing /anbieter-dashboard/ get redirected to /anbieter-login/; logged-in providers see the dashboard.

Done when: dashboard protected, only providers can access it, unauthorised requests redirect to the login page.
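Both hooks from Task 1 and Task 2 in one file, as an added illustration rather than the project's own includes/class-access-control.php. The option names ddhh_jm_dashboard_page_id and ddhh_jm_login_page_id, the role slug ddhh_provider and the method names setup_hooks() and protect_dashboard() come from this plan; the class name DDHH_Access_Control, the show_admin_bar filter, the home_url() fallback and the redirect_to parameter name are assumptions made for the example.

```php
<?php
/**
 * includes/class-access-control.php (illustrative example, not the committed file).
 *
 * Assumptions: role slug ddhh_provider, options ddhh_jm_dashboard_page_id and
 * ddhh_jm_login_page_id (all from the plan); class name, admin-bar filter and
 * fallbacks are choices made for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never allow direct file access.
}

class DDHH_Access_Control {

    /** Registered from the main plugin class on the 'init' action. */
    public static function setup_hooks() {
        add_action( 'admin_init', array( __CLASS__, 'redirect_providers_from_admin' ) );
        add_action( 'template_redirect', array( __CLASS__, 'protect_dashboard' ) );
        // UX only (assumption): do not offer providers admin-bar links into wp-admin.
        add_filter( 'show_admin_bar', array( __CLASS__, 'hide_admin_bar_for_providers' ) );
    }

    /** True when the current user carries the provider role. */
    private static function is_provider() {
        $user = wp_get_current_user();
        return $user instanceof WP_User
            && in_array( 'ddhh_provider', (array) $user->roles, true );
    }

    /** Task 1: providers requesting wp-admin/ land on the dashboard, except profile.php and AJAX. */
    public static function redirect_providers_from_admin() {
        if ( ! self::is_provider() ) {
            return; // Admins, editors and anonymous users are never touched.
        }
        if ( wp_doing_ajax() ) {
            return; // admin-ajax.php must keep serving frontend AJAX requests.
        }
        global $pagenow;
        if ( 'profile.php' === $pagenow ) {
            return; // Providers may edit their own password and email.
        }

        $dashboard_id = (int) get_option( 'ddhh_jm_dashboard_page_id' );
        $url          = $dashboard_id ? get_permalink( $dashboard_id ) : false;
        if ( ! $url ) {
            $url = home_url( '/' ); // Assumption: fall back to the front page if the option is unset.
        }
        wp_safe_redirect( $url );
        exit; // Without exit the admin page would still render for this request.
    }

    /** Task 2: only logged-in providers may view the dashboard page. */
    public static function protect_dashboard() {
        $dashboard_id = (int) get_option( 'ddhh_jm_dashboard_page_id' );
        if ( ! $dashboard_id || ! is_page( $dashboard_id ) ) {
            return; // Not the dashboard (or option unset): nothing to protect here.
        }
        if ( is_user_logged_in() && self::is_provider() ) {
            return; // Authorised provider; let the template render.
        }

        $login_id  = (int) get_option( 'ddhh_jm_login_page_id' );
        $login_url = $login_id ? get_permalink( $login_id ) : wp_login_url();
        // Friendly flow: carry the requested URL so the login form can send the user back.
        // add_query_arg() does not encode values, so encode the redirect target explicitly.
        $login_url = add_query_arg(
            'redirect_to',
            rawurlencode( get_permalink( $dashboard_id ) ),
            $login_url
        );
        wp_safe_redirect( $login_url );
        exit; // Never fall through to rendering the protected template.
    }

    /** Hide the admin bar for providers; everyone else keeps the default. */
    public static function hide_admin_bar_for_providers( $show ) {
        return self::is_provider() ? false : $show;
    }
}
```

The two guards in protect_dashboard() are deliberately ordered so that an unset option disables the check rather than redirecting every page, and both redirect paths end in exit, which is the part most often forgotten when wp_redirect() is used as an access control.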

Before declaring plan complete:

  - [ ] Provider accessing wp-admin/ gets redirected to dashboard
  - [ ] Provider CAN access wp-admin/profile.php
  - [ ] Non-logged-in users accessing dashboard get redirected to login
  - [ ] Logged-in providers CAN access dashboard
  - [ ] Admin users are not affected by redirects (note: Task 2 as specified redirects every user without the ddhh_provider role away from the dashboard, administrators included; decide whether admins should be let through, for example via current_user_can('manage_options'), and record the choice under Decisions Made)

<success_criteria>

  • All tasks completed
  • Provider role properly restricted from WP-Admin
  • Dashboard protected and accessible only to providers
  • Profile access preserved for providers
  • Phase 2 complete - ready for Phase 3 (job submission forms)

</success_criteria>
After completion, create `.planning/phases/02-provider-registration-auth/02-04-SUMMARY.md`:

Phase 2 Plan 4: Access Control & Redirects Summary

Access control enforcing provider restrictions and dashboard protection

Accomplishments

  • WP-Admin redirect for providers (except profile.php)
  • Dashboard page protection (logged-in providers only)
  • Login redirect for unauthorized dashboard access
  • Profile access preserved for providers

Files Created/Modified

  • includes/class-access-control.php - Redirect hooks and protection logic
  • includes/class-ddhh-job-manager.php - Hook access control setup

Decisions Made

[Document redirect approach, exceptions made]

Issues Encountered

[Problems and resolutions, or "None"]

Next Step

Phase 2 complete. Ready for Phase 3 (Job Management Core).