Hi,
I'm trying to limit access to users, based on a custom addition to the user object, a userstatusid.
If the userstatusid is not 0, the user isnt allowed to log in normally, they need to be redirected to one of a number of pages
(we have a complicated signup and verification process, as well as various other user states which requre the user to fill in a form before they can continue).
I've implemented hook_user so that when the user logs in, i check their status, and if its not 0, i call a function. This function should be able to prevent them from accessing any part of the site except a particular page (which is different for each ID)
This is where i have the problem:
if i call user_logout, i have no control over the page they are redirected to. Also their user object is lost so even if i did recirect them, the destination page doesnt know who they are.
if i do a simple redirect, they're still logged in and can just click a link and avoid my destination page.
There are too many states for me to set up a different role for each one, it needs to be something i do at login time, preferably while having full access to the $user object
Basically, once i've verified username and password through the standard login form, i want to know how I can redirect the user, whilst also preventing them from simply returning to the site.
I don't mind if i have to pass the userid manually, such as by redirecting to /somepage/$userid, but i do want the new page to be themed