From 9df86a3847eb6092f79f3915eec0461c3c7cf065 Mon Sep 17 00:00:00 2001 From: Viktor Miller Date: Wed, 14 Jan 2026 19:46:07 +0900 Subject: [PATCH] docs(03-02): complete job edit form plan - Document job edit form implementation with ownership validation - Track security implementation preventing URL tampering - Record conditional template rendering pattern - List modified files and technical decisions - Mark plan complete, ready for 03-03 or 03-04 Co-Authored-By: Claude Sonnet 4.5 --- .../03-job-management-core/03-02-SUMMARY.md | 168 ++++++++++++++++++ 1 file changed, 168 insertions(+) create mode 100644 .planning/phases/03-job-management-core/03-02-SUMMARY.md diff --git a/.planning/phases/03-job-management-core/03-02-SUMMARY.md b/.planning/phases/03-job-management-core/03-02-SUMMARY.md new file mode 100644 index 0000000..514616a --- /dev/null +++ b/.planning/phases/03-job-management-core/03-02-SUMMARY.md 
@@ -0,0 +1,168 @@ +--- +phase: 03-job-management-core +plan: 02 +subsystem: job-editing +tags: [formidable, job-editing, post-update, security, ownership] + +# Dependency graph +requires: + - phase: 01-03 + provides: [ACF fields for job_offer, custom post type setup] + - phase: 02-03 + provides: [provider dashboard template, submission form integration] +provides: + - Job edit form with ownership validation + - Dashboard edit mode with form pre-population + - URL parameter-based edit flow +affects: [03-03, 03-04] + +# Tech tracking +tech-stack: + added: [formidable-update-post] + patterns: [ownership-validation, pre-populated-forms, conditional-template-rendering] + +key-files: + created: [] + modified: [includes/class-formidable.php, templates/provider-dashboard.php] + +key-decisions: + - "Edit form validates ownership via frm_validate_entry hook before form submission" + - "Dashboard shows edit form OR listings, not both simultaneously" + - "Edit mode triggered by URL parameters (action=edit_job&job_id=X)" + - "Form uses Formidable's Update Post action with id_param for pre-population" + +patterns-established: + - "Ownership validation pattern: Check post_author matches current user in validation hook" + - "Conditional template rendering: Single template handles both list and edit modes" + - "Edit URL pattern: Dashboard base URL + action=edit_job&job_id=X" + +issues-created: [] + +# Metrics +duration: 12min +completed: 2026-01-14 +--- + +# Phase 3 Plan 2: Job Edit Form Summary + +**Formidable edit form with ownership validation hook prevents unauthorized job edits via URL parameter tampering** + +## Performance + +- **Duration:** 12 min +- **Started:** 2026-01-14T[start time] +- **Completed:** 2026-01-14T[end time] +- **Tasks:** 2 +- **Files modified:** 2 + +## Accomplishments + +- Created job edit form with identical fields to submission form +- Implemented ownership validation hook preventing URL parameter tampering +- Integrated edit mode into provider 
dashboard with conditional rendering +- Form pre-populates existing job data via Formidable's id_param +- Dashboard shows either edit form or listings table, not both +- Back navigation link for returning to dashboard overview + +## Task Commits + +Each task was committed atomically: + +1. **Task 1: Create job edit form with ownership validation** - `a4e2fbf` (feat) +2. **Task 2: Update dashboard edit links to use edit form** - `491c4fb` (feat) + +**Plan metadata:** [will be added] (docs: complete job edit form plan) + +## Files Created/Modified + +- `includes/class-formidable.php` - Added create_job_edit_form() method for programmatic edit form creation, added validate_job_ownership() hook to prevent unauthorized edits, added get_job_edit_form_id() helper method +- `templates/provider-dashboard.php` - Added edit mode detection and conditional rendering, updated edit links to point to dashboard edit form, added back navigation link and edit section styling + +## Security Implementation + +The ownership validation is critical for preventing malicious providers from editing others' jobs: + +**Validation Hook:** `validate_job_ownership()` hooked to `frm_validate_entry` filter +**Checks performed:** +1. Verify job_id parameter exists in URL +2. Verify post exists and post_type is 'job_offer' +3. Verify post_author matches current user ID +4. If any check fails, add Formidable error and block submission + +**Attack prevented:** Provider cannot edit another provider's job by changing the job_id URL parameter. Even if they modify the URL manually, the ownership check will prevent the form from submitting. + +## Technical Details + +### Form Structure + +Form key: `job_edit` + +Fields (identical to submission form): +1. **job_title** (text, required) - "Stellentitel" +2. **job_description** (textarea, required) - "Stellenbeschreibung" +3. **job_location** (text, required) - "Standort" +4. 
**job_type** (select, required) - "Art" with choices: Vollzeit, Teilzeit, Ehrenamt +5. **job_deadline** (date, optional) - "Bewerbungsfrist" (format: d.m.Y) +6. **job_contact_email** (email, required) - "Kontakt-E-Mail" +7. **job_logo** (file upload, optional) - "Logo" (accept: image/jpeg, image/png, max: 2MB) + +Submit button: "Änderungen speichern" +Success message: "Ihre Änderungen wurden gespeichert!" +Success action: Redirect to /anbieter-dashboard/ + +### Form Actions + +**Update Post action configured:** +- Post ID source: URL parameter 'job_id' (via id_param) +- Post type: 'job_offer' +- Post status: 'pending' (requires re-approval after edit) +- Post title: mapped to job_title field +- Post content: mapped to job_description field +- Custom field mappings (ACF fields): + - job_location → meta:job_location + - job_type → meta:job_type + - job_deadline → meta:job_deadline + - job_contact_email → meta:job_contact_email + - job_logo → meta:job_logo + +### Dashboard Edit Flow + +1. User clicks "Bearbeiten" link in job listings table +2. URL changes to: `/anbieter-dashboard/?action=edit_job&job_id=123` +3. Dashboard template detects edit mode via URL parameters +4. Edit form displayed with job data pre-populated via id_param +5. Listings table hidden during edit mode +6. Back link allows return to overview +7. On form submission, ownership validation runs +8. If valid, job updated and redirects to dashboard +9. If invalid, error displayed and submission blocked + +## Decisions Made + +1. **Ownership validation in frm_validate_entry hook** - Formidable's validation filter is the correct place to check ownership before submission is processed. This prevents the Update Post action from running if ownership check fails. + +2. **Conditional template rendering** - Single template file handles both list view and edit view using URL parameter detection. This keeps related functionality together and avoids template duplication. + +3. 
**Edit mode via URL parameters** - Using `action=edit_job&job_id=X` pattern is WordPress-standard and allows bookmarking/sharing edit URLs (though ownership validation prevents unauthorized access). + +4. **Form uses Update Post action** - Formidable's Update Post action (not Create Post) correctly updates existing posts. The id_param parameter tells Formidable which post to update and enables field pre-population. + +5. **Post status reset to pending** - After editing, jobs return to 'pending' status requiring admin re-approval. This ensures edited jobs are reviewed before going live again, preventing abuse. + +## Deviations from Plan + +None - plan executed exactly as written. + +## Issues Encountered + +None - implementation was straightforward. + +## Next Phase Readiness + +Ready for 03-03-PLAN.md (admin notifications) or 03-04-PLAN.md (admin UI) - both can run in parallel. + +The job edit form is complete and functional with security validated. Providers can edit their own jobs but cannot edit others' jobs even by URL tampering. + +--- +*Phase: 03-job-management-core* +*Completed: 2026-01-14*
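Review bot: the "Security Implementation" section describes `validate_job_ownership()` as checking the `job_id` URL parameter, while the "Form Actions" section says the Update Post action resolves its target post through `id_param` and the entry being updated; the summary should state, and the code should guarantee, that both paths resolve to the same post, because if they can differ the ownership check is performed against one post ID while the write goes to another. Suggest documenting that `validate_job_ownership()` derives the post ID from the same entry/post reference the Update Post action consumes (or compares the two and rejects a mismatch), and that it explicitly rejects unauthenticated requests instead of relying on `post_author` never matching a current user ID of `0`. Separately, the "Performance" block and the "Plan metadata" line still carry `[start time]`, `[end time]` and `[will be added]` placeholders that should be filled in before this summary is committed as complete.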