From 5e9d122f5ad6c191dce562fed68ce718e97f98c0 Mon Sep 17 00:00:00 2001 From: bengizmo Date: Mon, 28 Jul 2025 19:53:06 -0300 Subject: [PATCH] Add authentication protection for master trainer pages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Added master_trainer_pages array with protected master trainer pages - Created is_master_trainer_page() method to identify master trainer URLs - Implemented check_master_trainer_access() to require hvac_master_trainer role - Master trainer pages now redirect to login if not authenticated - Only users with hvac_master_trainer role can access these pages This ensures master trainer dashboard and tools are properly protected. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- includes/class-hvac-access-control.php | 65 ++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/includes/class-hvac-access-control.php b/includes/class-hvac-access-control.php index 893664b4..0bb8f0e1 100644 --- a/includes/class-hvac-access-control.php +++ b/includes/class-hvac-access-control.php @@ -46,6 +46,15 @@ class HVAC_Access_Control { 'edit-profile', ); + /** + * Pages that require master trainer role + */ + private static $master_trainer_pages = array( + 'master-trainer/dashboard', + 'master-trainer/certificate-fix', + 'master-trainer/google-sheets', + ); + /** * Constructor */ @@ -76,6 +85,11 @@ class HVAC_Access_Control { if ( $this->is_trainer_page( $current_path ) ) { $this->check_trainer_access( $current_path ); } + + // Check if this is a master trainer page + if ( $this->is_master_trainer_page( $current_path ) ) { + $this->check_master_trainer_access( $current_path ); + } } /** 
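Review bot: The master-trainer gate added in the second hunk matches on the `$current_path` string, so it is only as strict as the normalisation done before this hunk, which is not visible here. `is_master_trainer_page()` compares with a case-sensitive `strpos()` against slugs that have no leading slash, so a path that arrives in a different case or with an extra leading segment would presumably not match, and whether such a request can still resolve to the same page should be confirmed. I would add a comment above the call such as `// $current_path must be lower-cased and stripped of leading/trailing slashes and any site sub-directory before these checks`, and verify that the earlier code guarantees it. The enclosing method starts and ends outside the hunk.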
@@ -133,6 +147,27 @@ class HVAC_Access_Control { return false; } + /** + * Check if current page is a master trainer page + * + * @param string $path Current page path + * @return bool + */ + private function is_master_trainer_page( $path ) { + foreach ( self::$master_trainer_pages as $master_page ) { + if ( $path === $master_page || strpos( $path, $master_page ) === 0 ) { + return true; + } + } + + // Also check for pages that start with 'master-trainer/' + if ( strpos( $path, 'master-trainer/' ) === 0 ) { + return true; + } + + return false; + } + /** * Check trainer access to protected pages * @@ -198,6 +233,36 @@ class HVAC_Access_Control { } } + /** + * Check master trainer access to protected pages + * + * @param string $path Current page path + */ + private function check_master_trainer_access( $path ) { + // First check if user is logged in + if ( ! is_user_logged_in() ) { + wp_safe_redirect( home_url( '/community-login/' ) ); + exit; + } + + $user = wp_get_current_user(); + + // Allow administrators full access + if ( current_user_can( 'manage_options' ) ) { + return; + } + + // Check if user has master trainer role + if ( ! in_array( 'hvac_master_trainer', $user->roles ) ) { + // Not a master trainer, show access denied + $this->show_access_denied(); + return; + } + + // Master trainers have access to all their pages + // No need to check status for master trainers + } + /** * Show access denied page */
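Review bot: The catch-all `strpos( $path, 'master-trainer/' ) === 0` at the end of `is_master_trainer_page()` already matches every entry in `$master_trainer_pages` (added in the first hunk), so the loop and the list never change the result and wrongly suggest that protection is per-page. The bare parent path `master-trainer` (no trailing slash) is matched by neither branch, so that page stays outside the role check if it exists. I would collapse the body to `return 'master-trainer' === $path || 0 === strpos( $path, 'master-trainer/' );` and either drop the list or document it as informational only.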
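Review bot: The deny branch of `check_master_trainer_access()` is `$this->show_access_denied(); return;`, so the role check only blocks the page if `show_access_denied()` itself ends the request; its body is outside this hunk, and if it merely prints a message the protected template would still render afterwards. Make the termination explicit with `$this->show_access_denied(); exit;`, matching the `exit` that follows `wp_safe_redirect()` a few lines above. The role test should also be strict and tolerate a non-array value: `in_array( 'hvac_master_trainer', (array) $user->roles, true )`. `$path` is unused in this method, and a docblock line stating that administrators (`manage_options`) bypass the role check would record the intended policy.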