Viktor Miller 9df86a3847 docs(03-02): complete job edit form plan
- Document job edit form implementation with ownership validation
- Track security implementation preventing URL tampering
- Record conditional template rendering pattern
- List modified files and technical decisions
- Mark plan complete, ready for 03-03 or 03-04

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-14 19:46:07 +09:00


---
phase: 03-job-management-core
plan: 02
subsystem: job-editing
tags: [formidable, job-editing, post-update, security, ownership]
requires:
  - phase: 01-03
    provides: [ACF fields for job_offer, custom post type setup]
  - phase: 02-03
    provides: [provider dashboard template, submission form integration]
provides:
  - Job edit form with ownership validation
  - Dashboard edit mode with form pre-population
  - URL parameter-based edit flow
affects: [03-03, 03-04]
tech-stack:
  added: []
  patterns: [formidable-update-post, ownership-validation, pre-populated-forms, conditional-template-rendering]
key-files:
  created: []
  modified: [includes/class-formidable.php, templates/provider-dashboard.php]
key-decisions:
  - Edit form validates ownership via frm_validate_entry hook before form submission
  - Dashboard shows edit form OR listings, not both simultaneously
  - Edit mode triggered by URL parameters (action=edit_job&job_id=X)
  - Form uses Formidable's Update Post action with id_param for pre-population
patterns-established:
  - "Ownership validation pattern: Check post_author matches current user in validation hook"
  - "Conditional template rendering: Single template handles both list and edit modes"
  - "Edit URL pattern: Dashboard base URL + action=edit_job&job_id=X"
issues-created: []
duration: 12min
completed: 2026-01-14
---

Phase 3 Plan 2: Job Edit Form Summary

Formidable edit form with ownership validation hook prevents unauthorized job edits via URL parameter tampering

Performance

  • Duration: 12 min
  • Started: 2026-01-14T[start time]
  • Completed: 2026-01-14T[end time]
  • Tasks: 2
  • Files modified: 2

Accomplishments

  • Created job edit form with identical fields to submission form
  • Implemented ownership validation hook preventing URL parameter tampering
  • Integrated edit mode into provider dashboard with conditional rendering
  • Form pre-populates existing job data via Formidable's id_param
  • Dashboard shows either edit form or listings table, not both
  • Back navigation link for returning to dashboard overview

Task Commits

Each task was committed atomically:

  1. Task 1: Create job edit form with ownership validation - a4e2fbf (feat)
  2. Task 2: Update dashboard edit links to use edit form - 491c4fb (feat)

Plan metadata: [will be added] (docs: complete job edit form plan)

Files Created/Modified

  • includes/class-formidable.php - Added create_job_edit_form() method for programmatic edit form creation, added validate_job_ownership() hook to prevent unauthorized edits, added get_job_edit_form_id() helper method
  • templates/provider-dashboard.php - Added edit mode detection and conditional rendering, updated edit links to point to dashboard edit form, added back navigation link and edit section styling

Security Implementation

The ownership validation is critical for preventing malicious providers from editing others' jobs:

Validation Hook: validate_job_ownership() hooked to the frm_validate_entry filter

Checks performed:

  1. Verify job_id parameter exists in URL
  2. Verify post exists and post_type is 'job_offer'
  3. Verify post_author matches current user ID
  4. If any check fails, add Formidable error and block submission

Attack prevented: Provider cannot edit another provider's job by changing the job_id URL parameter. Even if they modify the URL manually, the ownership check will prevent the form from submitting.
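As an added example (not the project's own code from includes/class-formidable.php), the four checks above written as a standalone frm_validate_entry callback; it assumes a get_job_edit_form_id() helper returning the edit form's ID and that Formidable passes the submitted form ID in $values['form_id'].

```php
<?php
// Added example: ownership check for the Formidable job edit form.
// Assumptions (not from the page): get_job_edit_form_id() returns the
// edit form's numeric ID; $values['form_id'] holds the submitted form ID.

add_filter( 'frm_validate_entry', 'example_validate_job_ownership', 10, 2 );

function example_validate_job_ownership( $errors, $values ) {
    // Only the job edit form is checked; every other form passes through.
    if ( empty( $values['form_id'] )
        || (int) $values['form_id'] !== (int) get_job_edit_form_id() ) {
        return $errors;
    }

    // 1. job_id must be present in the URL; absint() rejects non-numeric tampering.
    $job_id = isset( $_GET['job_id'] ) ? absint( $_GET['job_id'] ) : 0;
    if ( 0 === $job_id ) {
        $errors['job_ownership'] = 'Keine Stelle ausgewählt.';
        return $errors;
    }

    // 2. The post must exist and be a job_offer, not some other post type.
    $post = get_post( $job_id );
    if ( ! $post || 'job_offer' !== $post->post_type ) {
        $errors['job_ownership'] = 'Stelle nicht gefunden.';
        return $errors;
    }

    // 3. post_author must be the logged-in user; anonymous requests fail too.
    $user_id = get_current_user_id();
    if ( 0 === $user_id || (int) $post->post_author !== $user_id ) {
        $errors['job_ownership'] = 'Sie dürfen diese Stelle nicht bearbeiten.';
        return $errors;
    }

    // 4. All checks passed: no error added, so the Update Post action may run.
    return $errors;
}
```

Because the filter runs only at submission time, reusing the same three checks in the template's edit-mode detection keeps pre-population consistent with the submit-time rule.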

Technical Details

Form Structure

Form key: job_edit

Fields (identical to submission form):

  1. job_title (text, required) - "Stellentitel"
  2. job_description (textarea, required) - "Stellenbeschreibung"
  3. job_location (text, required) - "Standort"
  4. job_type (select, required) - "Art" with choices: Vollzeit, Teilzeit, Ehrenamt
  5. job_deadline (date, optional) - "Bewerbungsfrist" (format: d.m.Y)
  6. job_contact_email (email, required) - "Kontakt-E-Mail"
  7. job_logo (file upload, optional) - "Logo" (accept: image/jpeg, image/png, max: 2MB)

  • Submit button: "Änderungen speichern"
  • Success message: "Ihre Änderungen wurden gespeichert!"
  • Success action: Redirect to /anbieter-dashboard/

Form Actions

Update Post action configured:

  • Post ID source: URL parameter 'job_id' (via id_param)
  • Post type: 'job_offer'
  • Post status: 'pending' (requires re-approval after edit)
  • Post title: mapped to job_title field
  • Post content: mapped to job_description field
  • Custom field mappings (ACF fields):
    • job_location → meta:job_location
    • job_type → meta:job_type
    • job_deadline → meta:job_deadline
    • job_contact_email → meta:job_contact_email
    • job_logo → meta:job_logo

Dashboard Edit Flow

  1. User clicks "Bearbeiten" link in job listings table
  2. URL changes to: /anbieter-dashboard/?action=edit_job&job_id=123
  3. Dashboard template detects edit mode via URL parameters
  4. Edit form displayed with job data pre-populated via id_param
  5. Listings table hidden during edit mode
  6. Back link allows return to overview
  7. On form submission, ownership validation runs
  8. If valid, job updated and redirects to dashboard
  9. If invalid, error displayed and submission blocked

Decisions Made

  1. Ownership validation in frm_validate_entry hook - Formidable's validation filter is the correct place to check ownership before submission is processed. This prevents the Update Post action from running if ownership check fails.

  2. Conditional template rendering - Single template file handles both list view and edit view using URL parameter detection. This keeps related functionality together and avoids template duplication.

  3. Edit mode via URL parameters - Using action=edit_job&job_id=X pattern is WordPress-standard and allows bookmarking/sharing edit URLs (though ownership validation prevents unauthorized access).

  4. Form uses Update Post action - Formidable's Update Post action (not Create Post) correctly updates existing posts. The id_param parameter tells Formidable which post to update and enables field pre-population.

  5. Post status reset to pending - After editing, jobs return to 'pending' status requiring admin re-approval. This ensures edited jobs are reviewed before going live again, preventing abuse.

Deviations from Plan

None - plan executed exactly as written.

Issues Encountered

None - implementation was straightforward.

Next Phase Readiness

Ready for 03-03-PLAN.md (admin notifications) or 03-04-PLAN.md (admin UI) - both can run in parallel.

The job edit form is complete and functional with security validated. Providers can edit their own jobs but cannot edit others' jobs even by URL tampering.


Phase: 03-job-management-core Completed: 2026-01-14