vmiller/Digital-Dabei-Hamburg-Job-Manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7286133bf4f235dd110419d1ed3dc9dcadfa9cb0
Digital-Dabei-Hamburg-Job-M…/.planning/phases/02-provider-registration-auth/02-04-PLAN.md
Viktor Miller 054adb721a docs(02): create phase 2 plans 
Phase 02: Provider Registration & Auth
- 4 plans created
- 8 total tasks defined
- Ready for execution

Plans:
- 02-01: Formidable registration form with auto-login
- 02-02: Combined login/registration page
- 02-03: Provider dashboard template
- 02-04: Access control and redirects
2026-01-14 19:12:07 +09:00

135 lines
4.5 KiB
Markdown
Raw Blame History

---
phase: 02-provider-registration-auth
plan: 04
type: execute
depends_on: ["02-03"]
files_modified: [includes/class-access-control.php]
---
<objective>
Implement access control and redirects for provider role.
Purpose: Prevent providers from accessing WP-Admin (except profile) and protect dashboard page.
Output: Access control hooks that enforce provider restrictions per PROJECT.md requirements.
</objective>
<execution_context>
~/.claude/get-shit-done/workflows/execute-plan.md
./summary.md
</execution_context>
<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/phases/01-foundation-setup/01-03-SUMMARY.md
@.planning/phases/02-provider-registration-auth/02-03-SUMMARY.md
**From PROJECT.md:**
- Constraint: "Providers: restricted capabilities, no WP-Admin access except profile"
- Core value: Admin moderation is the trust layer
**From Phase 1:**
- Provider role `ddhh_provider` exists with no admin capabilities
**From 02-03:**
- Dashboard page exists at /anbieter-dashboard/
</context>
<tasks>
<task type="auto">
<name>Task 1: Redirect providers away from WP-Admin</name>
<files>includes/class-access-control.php</files>
<action>
Create `includes/class-access-control.php` with static method setup_hooks():
Hook into 'admin_init' action:
- Check if current user has role 'ddhh_provider' (use wp_get_current_user()->roles)
- If ddhh_provider AND not accessing profile.php or admin-ajax.php:
- Get dashboard page URL: get_permalink(get_option('ddhh_jm_dashboard_page_id'))
- Redirect using wp_redirect($dashboard_url) and exit
- Allow profile.php (providers can edit their profile)
- Allow admin-ajax.php (needed for AJAX requests from frontend)
Hook this to 'init' action in main class.
DO NOT block all admin access - allow profile.php so providers can change their password and email.
DO NOT redirect on AJAX requests (admin-ajax.php must remain accessible).
</action>
<verify>Provider user accessing wp-admin/ gets redirected to /anbieter-dashboard/, but wp-admin/profile.php remains accessible</verify>
<done>WP-Admin redirect implemented, profile access preserved, dashboard redirect functional</done>
</task>
<task type="auto">
<name>Task 2: Protect dashboard page (logged-in providers only)</name>
<files>includes/class-access-control.php</files>
<action>
In class-access-control.php, add static method protect_dashboard():
Hook into 'template_redirect' action:
- Check if current page is dashboard page (using get_option('ddhh_jm_dashboard_page_id'))
- If yes:
- Check if user is logged in: is_user_logged_in()
- Check if user has ddhh_provider role
- If NOT logged in OR NOT ddhh_provider: redirect to login page (get_option('ddhh_jm_login_page_id'))
This ensures only logged-in providers can access the dashboard.
DO NOT use wp_die() - use wp_redirect() to login page with a friendly redirect flow.
</action>
<verify>Non-logged-in users accessing /anbieter-dashboard/ get redirected to /anbieter-login/, logged-in providers see dashboard</verify>
<done>Dashboard protected, only providers can access, redirects to login page if unauthorized</done>
</task>
</tasks>
<verification>
Before declaring plan complete:
- [ ] Provider accessing wp-admin/ gets redirected to dashboard
- [ ] Provider CAN access wp-admin/profile.php
- [ ] Non-logged-in users accessing dashboard get redirected to login
- [ ] Logged-in providers CAN access dashboard
- [ ] Admin users are not affected by redirects
</verification>
<success_criteria>
- All tasks completed
- Provider role properly restricted from WP-Admin
- Dashboard protected and accessible only to providers
- Profile access preserved for providers
- Phase 2 complete - ready for Phase 3 (job submission forms)
</success_criteria>
<output>
After completion, create `.planning/phases/02-provider-registration-auth/02-04-SUMMARY.md`:
# Phase 2 Plan 4: Access Control & Redirects Summary
**Access control enforcing provider restrictions and dashboard protection**
## Accomplishments
- WP-Admin redirect for providers (except profile.php)
- Dashboard page protection (logged-in providers only)
- Login redirect for unauthorized dashboard access
- Profile access preserved for providers
## Files Created/Modified
- `includes/class-access-control.php` - Redirect hooks and protection logic
- `includes/class-ddhh-job-manager.php` - Hook access control setup
## Decisions Made
[Document redirect approach, exceptions made]
## Issues Encountered
[Problems and resolutions, or "None"]
## Next Step
Phase 2 complete. Ready for Phase 3 (Job Management Core).
</output>
Reference in New Issue View Git Blame Copy Permalink