Viktor Miller 9c0657039a docs(03): create phase 3 plans
Phase 3: Job Management Core
- 4 plans created
- 8 total tasks defined
- Ready for execution

Plans:
- 03-01: Job submission form (Formidable + ACF)
- 03-02: Job edit form with ownership validation
- 03-03: Admin email notification on submission
- 03-04: Admin moderation UI enhancements

Parallelization:
- Wave 1: 03-01, 03-02, 03-04 (independent)
- Wave 2: 03-03 (depends on 03-01)
2026-01-14 19:35:57 +09:00


phase: 03-job-management-core
plan: 02
type: execute
depends_on: []
files_modified: [includes/class-formidable.php, templates/provider-dashboard.php]

Create Formidable Forms job edit form with ownership validation to prevent providers from editing others' jobs.

Purpose: Enable providers to update their own job listings. Security is critical - providers must only edit jobs they own.

Output: Functional job edit form with strict ownership checks, pre-populated with existing job data.

<execution_context> ~/.claude/get-shit-done/workflows/execute-plan.md ~/.claude/get-shit-done/templates/summary.md </execution_context>

@.planning/PROJECT.md @.planning/ROADMAP.md @.planning/STATE.md @.planning/phases/01-foundation-setup/01-03-SUMMARY.md @.planning/phases/02-provider-registration-auth/02-01-SUMMARY.md @includes/class-formidable.php @includes/class-acf-fields.php @includes/class-post-types.php @templates/provider-dashboard.php

Tech stack available: Formidable Forms Pro (with Update Post action), ACF Pro, job_offer CPT

Established patterns: Programmatic Formidable form creation, ACF field mapping

Constraining decisions:

  • Providers can only edit their own jobs (security requirement)
  • German labels for all form fields
  • ACF fields: job_location, job_type, job_deadline, job_contact_email, job_logo
  • Edit link in dashboard table (established in 02-03)

Task 1: Create job edit form with ownership validation

Files: includes/class-formidable.php

Add `create_job_edit_form()` method to the `DDHH_JM_Formidable` class. Programmatically create a Formidable form with key 'job_edit' containing:

Form Fields (identical to submission form):

  1. job_title (text, required) - "Stellentitel"
  2. job_description (textarea, required) - "Stellenbeschreibung"
  3. job_location (text, required) - "Standort"
  4. job_type (select, required) - "Art" with choices: Vollzeit, Teilzeit, Ehrenamt
  5. job_deadline (date, optional) - "Bewerbungsfrist" (format: d.m.Y)
  6. job_contact_email (email, required) - "Kontakt-E-Mail"
  7. job_logo (file upload, optional) - "Logo" (accept: image/jpeg, image/png, max: 2MB)

Form Configuration:

  • Edit mode: Load data from post ID passed via URL parameter (e.g., ?job_id=123)
  • Form action: "Update Post" (not Create Post)
  • Update target: Post ID from URL parameter
  • Field pre-population: Load existing values from post and ACF fields

Form Actions:

  • Update Post action configured to:
    • Post ID source: URL parameter 'job_id'
    • Post type: 'job_offer'
    • Post title: mapped to job_title field
    • Post content: mapped to job_description field
    • Custom field mappings (same as submission form):
      • job_location → meta:job_location
      • job_type → meta:job_type
      • job_deadline → meta:job_deadline
      • job_contact_email → meta:job_contact_email
      • job_logo → meta:job_logo

Ownership Validation Hook:

Create `validate_job_ownership()` method that hooks into `frm_validate_entry` filter:

  • Check if job_id URL parameter exists
  • Verify post_type is 'job_offer'
  • Verify post_author matches current user ID
  • If validation fails: add Formidable error "Sie haben keine Berechtigung, dieses Stellenangebot zu bearbeiten."
  • CRITICAL security check - prevents URL parameter tampering

Form Settings:

  • Submit button text: "Änderungen speichern"
  • Success message: "Ihre Änderungen wurden gespeichert!"
  • Success action: Redirect to provider dashboard (/anbieter-dashboard/)

Add get_job_edit_form_id() helper method.

AVOID trusting URL parameters without ownership validation. WHY: Security risk - malicious providers could edit others' jobs by changing URL parameter.
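
One way to implement the ownership hook described above, as an added example rather than the plugin's own code. `ddhh_jm_user_owns_job()` and `ddhh_jm_validate_job_ownership()` are hypothetical names, and the sketch assumes the form is submitted as a normal (non-AJAX) POST to the dashboard URL so that `job_id` is still in the query string; a missing or malformed `job_id` is rejected rather than skipped.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress with Formidable
// Forms active; the two function names below are hypothetical.

/** True only if $job_id is a job_offer post authored by the logged-in user. */
function ddhh_jm_user_owns_job( $job_id ) {
    if ( ! is_scalar( $job_id ) ) {
        return false; // e.g. ?job_id[]=1 arrives as an array
    }
    $job_id  = absint( $job_id );
    $user_id = get_current_user_id(); // 0 for anonymous visitors
    if ( ! $job_id || ! $user_id ) {
        return false;
    }
    $post = get_post( $job_id );
    return $post
        && 'job_offer' === $post->post_type
        && (int) $post->post_author === $user_id;
}

add_filter( 'frm_validate_entry', 'ddhh_jm_validate_job_ownership', 10, 2 );

function ddhh_jm_validate_job_ownership( $errors, $values ) {
    // Guard only the 'job_edit' form; other Formidable forms pass through.
    $edit_form_id = (int) DDHH_JM_Formidable::get_job_edit_form_id();
    if ( ! $edit_form_id || (int) $values['form_id'] !== $edit_form_id ) {
        return $errors;
    }

    // Fail closed: an absent or malformed job_id is rejected, never skipped.
    $job_id = isset( $_GET['job_id'] ) ? $_GET['job_id'] : 0;
    if ( ! ddhh_jm_user_owns_job( $job_id ) ) {
        $errors['ddhh_jm_ownership'] =
            'Sie haben keine Berechtigung, dieses Stellenangebot zu bearbeiten.';
    }
    return $errors;
}
```

The same helper can gate rendering of the pre-populated form in the dashboard template, so that another provider's job data is never loaded into the edit view.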

  1. Form exists: Check Formidable admin for form with key 'job_edit'
  2. Ownership validation: Check validate_job_ownership() method exists and hooks into frm_validate_entry
  3. Update action: Form should have "Update Post" action, not "Create Post"
  4. PHP syntax: php -l includes/class-formidable.php (no errors)
  • Edit form created with key 'job_edit'
  • All fields present and pre-populate from existing post
  • Update Post action configured
  • Ownership validation hook implemented
  • No PHP syntax errors

Task 2: Update dashboard edit links to use edit form

Files: templates/provider-dashboard.php

Update the "Edit" action link in the dashboard job listings table to point to the edit form.

Current state: Edit link likely points to WP edit post screen (providers can't access)

New state: Edit link points to edit form on dashboard with job_id parameter

Implementation: Update the edit link generation in the jobs table:

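```php
// OLD (if exists):
$edit_url = get_edit_post_link( $job->ID );

// NEW: link back to the dashboard page in edit mode.
// Pass the result through esc_url() when printing it into an href.
$edit_url = add_query_arg(
    array(
        'action' => 'edit_job',
        'job_id' => $job->ID
    ),
    get_permalink( get_option( 'ddhh_jm_dashboard_page_id' ) )
);
```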

Add form display logic before or after the listings table:

```php
// Check if we're in edit mode
if ( isset( $_GET['action'] ) && $_GET['action'] === 'edit_job' && isset( $_GET['job_id'] ) ) {
    $job_id  = absint( $_GET['job_id'] );
    $form_id = absint( DDHH_JM_Formidable::get_job_edit_form_id() );

    if ( $form_id ) {
        echo '<div class="ddhh-job-edit-section">';
        echo '<h2>Stellenangebot bearbeiten</h2>';
        // Escape the URL before printing it into the href attribute
        echo '<p><a href="' . esc_url( get_permalink() ) . '">← Zurück zur Übersicht</a></p>';
        echo do_shortcode( "[formidable id={$form_id}]" );
        echo '</div>';

        // Don't show listings table when editing
        return;
    }
}

// Show normal dashboard (submission form + listings) if not editing
```

AVOID displaying both edit form and listings simultaneously - show one or the other. WHY: Confusing UX, wastes screen space, makes page too long.

  1. Edit links updated to use ?action=edit_job&job_id=X format
  2. Edit form displays when clicking edit link
  3. Listings table hidden when editing
  4. Back link present to return to dashboard
  5. php -l templates/provider-dashboard.php (no errors)
  • Edit links point to edit form with job_id parameter
  • Edit form displays on dashboard when action=edit_job
  • Listings hidden during edit mode
  • Back navigation link present
  • No PHP syntax errors

Before declaring plan complete:

- [ ] Form 'job_edit' exists in Formidable Forms
- [ ] Ownership validation hook implemented in `frm_validate_entry`
- [ ] Edit form pre-populates with existing job data
- [ ] Edit links in dashboard table work correctly
- [ ] Providers cannot edit others' jobs (security validated)
- [ ] No PHP syntax errors in modified files

<success_criteria>

  • All tasks completed
  • Job edit form functional with ownership checks
  • Dashboard integrates edit form properly
  • Security validated - only own jobs editable
  • Ready for Plan 03-03 (notifications)

</success_criteria>

After completion, create `.planning/phases/03-job-management-core/03-02-SUMMARY.md` with:

phase: 03-job-management-core
plan: 02
subsystem: job-editing
tags: [formidable, job-editing, post-update, security, ownership]
requires: [01-03, 02-03]
provides: [job-edit-form, ownership-validation]
affects: []
tech-stack:
  added: [formidable-update-post]
  patterns: [ownership-validation, pre-populated-forms]
key-files:
  modified: [includes/class-formidable.php, templates/provider-dashboard.php]
key-decisions:
  • Edit form validates ownership via frm_validate_entry hook
  • Dashboard shows edit form OR listings, not both simultaneously
  • Edit mode triggered by URL parameter action=edit_job
issues-created: []

Phase 3 Plan 2: Job Edit Form Summary

[Substantive one-liner - what shipped]

Accomplishments

  • [Key outcomes including security validation]

Files Created/Modified

  • includes/class-formidable.php - [description]
  • templates/provider-dashboard.php - [description]

Security Implementation

[Details of ownership validation hook and how it prevents unauthorized edits]

Decisions Made

[Implementation choices, or "None"]

Issues Encountered

[Problems and resolutions, or "None"]

Next Step

Ready for 03-03-PLAN.md (admin notifications) or 03-04-PLAN.md (admin UI) - both can run in parallel