Reputation: 1907
I've defined a custom role in Woocommerce. This user ONLY needs access to urls to edit shop_orders and inspect individual shop orders. Like:
/wp-admin/edit.php?post_type=shop_order
/wp-admin/post.php?post=124&action=edit
/wp-admin/post-new.php?post_type=shop_order
If they go anywhere else I want to redirect them to:
/wp-admin/edit.php?post_type=shop_order
In effect they should only see orders, modify orders, and create orders. I've added all the right permissions for this, and modified the menus drastically so they can't see 'products', 'my profile', etc. However, if they accessed some links directly they would still load (the 'dashboard' for one and 'my settings'). Removing them from dashboard != removing access to them.
I'm trying to harden my security a bit by redirecting on everything except a few whitelisted routes with wildcards. Any thoughts on how to approach? Thanks.
Upvotes: 0
Views: 242
Reputation: 653
This sounds like something you may be able to do with this filter: https://codex.wordpress.org/Plugin_API/Filter_Reference/user_has_cap
My understanding of it is that when WordPress queries whether or not the user has the capability to do something on the site, e.g. edit_posts, then you can apply further logic (in your example, checking whether or not their role is the custom role you defined) to decide to restrict or enhance that capability if you wish. In your case, if the user didn't meet your criteria (they are not requesting a pre-defined page), you could redirect.
Quick proof of concept (I think):
    function only_let_user100_see( $allcaps, $cap, $args ) {
        // $args[0] is the capability being checked, e.g. 'edit_posts'.
        if ( $args[0] === 'edit_posts' && is_admin() ) {
            if ( get_current_user_id() !== 100 ) {
                echo "No way";
                exit;
            }
        }
        // Always return the capability array; returning nothing (null) would strip
        // every capability from the user the filter let through.
        return $allcaps;
    }
add_filter( 'user_has_cap', 'only_let_user100_see', 10, 3 );
Upvotes: 1
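A whitelist-and-redirect version of the approach, added here as an example that is not part of the question or the answer. It assumes the custom role's slug is 'order_clerk' (a placeholder) and that WooCommerce's shop_order post type is registered; it allows only the three screens listed in the question and sends everything else to the orders list.

```php
<?php
// Added example, not the asker's or answerer's code. Assumption: the custom
// role slug is 'order_clerk' (placeholder); 'shop_order' comes from WooCommerce.
add_action( 'admin_init', 'order_clerk_restrict_admin_screens' );

function order_clerk_restrict_admin_screens() {
    // AJAX/cron requests (heartbeat, autosave) must not be redirected; the normal
    // capability checks still apply to them.
    if ( wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }

    $user = wp_get_current_user();
    if ( ! in_array( 'order_clerk', (array) $user->roles, true ) ) {
        return; // only the custom role is constrained
    }

    global $pagenow;
    $post_type = isset( $_GET['post_type'] ) ? sanitize_key( $_GET['post_type'] ) : '';

    $allowed = false;
    if ( 'edit.php' === $pagenow && 'shop_order' === $post_type ) {
        $allowed = true; // /wp-admin/edit.php?post_type=shop_order (list + bulk actions)
    } elseif ( 'post-new.php' === $pagenow && 'shop_order' === $post_type ) {
        $allowed = true; // /wp-admin/post-new.php?post_type=shop_order
    } elseif ( 'post.php' === $pagenow ) {
        // /wp-admin/post.php?post=ID&action=edit opens the editor; saving the form
        // POSTs to post.php with post_ID instead of ?post=, so read both.
        $post_id = 0;
        if ( isset( $_REQUEST['post'] ) ) {
            $post_id = absint( $_REQUEST['post'] );
        } elseif ( isset( $_POST['post_ID'] ) ) {
            $post_id = absint( $_POST['post_ID'] );
        }
        // Decide on the post's real type, not on anything the client put in the URL,
        // so a crafted query string cannot open a non-order edit screen.
        $allowed = $post_id > 0 && 'shop_order' === get_post_type( $post_id );
    }

    if ( ! $allowed ) {
        wp_safe_redirect( admin_url( 'edit.php?post_type=shop_order' ) );
        exit;
    }
}
```

This is a redirect layer on top of capabilities, not a replacement for them: the role should still lack capabilities such as edit_products or manage_options, since admin-ajax.php and REST requests are deliberately left to those checks.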