=== Konfyra Access Control ===
Contributors: GSRCOIMBATORE
Tags: security, multivendor, access control, woocommerce, membership
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.1.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Locks non-admin roles out of wp-admin entirely, redirecting them to a frontend page you choose instead.

== Description ==

Multi-vendor plugins (WCFM, Dokan, MultiVendorX, WC Vendors) generally
redirect vendors to a frontend dashboard *after login*, and most offer a
capability toggle for "backend access." In practice, both of those are
login-flow conveniences, not hard access controls — a vendor who directly
visits `/wp-admin/` after logging in can often still land on some part of
the WordPress backend. The same gap exists for membership and course
plugins (MemberPress, LearnDash, etc.) whose members are typically just
Subscribers under the hood.

This plugin adds the missing hard block:

* Every `/wp-admin/` request is checked on `admin_init`.
* Administrators (and any role you explicitly exempt — e.g. Shop Manager)
  pass through untouched.
* Everyone else is redirected: configured "vendor" roles go to your vendor
  dashboard URL; everyone else goes to a default path you configure — a
  MemberPress account page, a LearnDash dashboard, anything — or, if left
  blank, WooCommerce My Account (if active) or the homepage.
* AJAX (`admin-ajax.php`), cron, and REST requests are always left alone,
  since marketplace and membership plugins alike route frontend actions
  through them internally. Blocking these would break the site, not just
  the backend.
* The admin toolbar is optionally hidden on the frontend for restricted
  roles too, closing a smaller but related information leak (plugin
  names/versions, site health notices).

This isn't tied to any one plugin's ecosystem — the lockdown itself is
plain WordPress role and capability logic. It was built with WCFM / Dokan
/ MultiVendorX / WC Vendors marketplaces in mind, but works identically
for MemberPress members, LearnDash students, or any custom role your own
code registers.

All of this is configured from **Settings → Konfyra Access Control** — the
role checkboxes are populated from the roles actually registered on your
site, so there's no need to guess whether your plugin calls its vendor
role `vendor`, `seller`, `wcfm_vendor`, or `dc_vendor`.

= A note on trademarks =

This plugin is not affiliated with, endorsed by, or sponsored by
Automattic, WooThemes/WooCommerce, weDevs (Dokan), WCFM, MultiVendorX, WC
Vendors, or MemberPress. Their names are mentioned solely to describe
compatibility.

= Before enabling on a live site =

Test on staging first, same as any access-control change. If you use a
Shop Manager (or similar staff) role that needs order/product screens in
wp-admin, make sure to check that role under "Roles allowed in wp-admin"
before saving — it's exempt by default on first activation, but confirm
it after your first save.

== Installation ==

1. Upload the `konfyra-access-control` folder to `/wp-content/plugins/`,
   or install the zip directly via Plugins → Add New → Upload Plugin.
2. Activate the plugin.
3. Go to Settings → konfyra Access Control and configure which roles are
   exempt, which are "vendor" roles, your vendor dashboard URL, and the
   default redirect path for everyone else.

== Frequently Asked Questions ==

= My frontend AJAX calls stopped working after activating this. =

They shouldn't — `admin-ajax.php` requests are explicitly exempted
regardless of role. If something broke, check whether another plugin is
making a direct (non-AJAX) request into `/wp-admin/` to fetch data, which
is unusual but not impossible; exempt that role temporarily to confirm,
then report the specific plugin/action.

= Does this replace my marketplace or membership plugin's own capability
settings? =

No — use both. This plugin is the hard enforcement layer; your other
plugin's own capability toggles still control what a vendor or member can
see and do *within* their own frontend dashboard.

= I locked myself out. What do I do? =

Connect via FTP/SFTP or your host's file manager, rename or delete the
`konfyra-access-control` folder in `wp-content/plugins/` — WordPress
deactivates a plugin automatically if its files disappear, restoring your
own wp-admin access immediately.

= Does this work with a custom login page or SSO plugin? =

Yes — the check runs on `admin_init` regardless of how the user
authenticated, so it applies uniformly.

== Screenshots ==

1. Settings → Konfyra Access Control — role checkboxes, vendor dashboard
   path, default redirect path, and the admin-bar toggle.

(Screenshot images aren't bundled in this initial package — see the
"Packaging screenshots" note for the plugin author before your first
wordpress.org submission.)

== Changelog ==

= 1.1.0 =
* Added a configurable default redirect path for any role that isn't a
  vendor role and isn't exempt (e.g. MemberPress members, LearnDash
  students) — previously this always went to WooCommerce My Account or
  the homepage with no way to customize it.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.1.0 =
Adds a configurable default redirect path. Existing installs keep their
current WooCommerce/homepage fallback behavior automatically — no action
required unless you want to customize it.
