Viktor Miller 9df86a3847 docs(03-02): complete job edit form plan
- Document job edit form implementation with ownership validation
- Track security implementation preventing URL tampering
- Record conditional template rendering pattern
- List modified files and technical decisions
- Mark plan complete, ready for 03-03 or 03-04

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-14 19:46:07 +09:00


---
phase: 03-job-management-core
plan: 02
subsystem: job-editing
tags: [formidable, job-editing, post-update, security, ownership]
# Dependency graph
requires:
  - phase: 01-03
    provides: [ACF fields for job_offer, custom post type setup]
  - phase: 02-03
    provides: [provider dashboard template, submission form integration]
provides:
  - Job edit form with ownership validation
  - Dashboard edit mode with form pre-population
  - URL parameter-based edit flow
affects: [03-03, 03-04]
# Tech tracking
tech-stack:
  added: [formidable-update-post]
  patterns: [ownership-validation, pre-populated-forms, conditional-template-rendering]
key-files:
  created: []
  modified: [includes/class-formidable.php, templates/provider-dashboard.php]
key-decisions:
  - "Edit form validates ownership via frm_validate_entry hook before form submission"
  - "Dashboard shows edit form OR listings, not both simultaneously"
  - "Edit mode triggered by URL parameters (action=edit_job&job_id=X)"
  - "Form uses Formidable's Update Post action with id_param for pre-population"
patterns-established:
  - "Ownership validation pattern: Check post_author matches current user in validation hook"
  - "Conditional template rendering: Single template handles both list and edit modes"
  - "Edit URL pattern: Dashboard base URL + action=edit_job&job_id=X"
issues-created: []
# Metrics
duration: 12min
completed: 2026-01-14
---
# Phase 3 Plan 2: Job Edit Form Summary
**Formidable edit form with ownership validation hook prevents unauthorized job edits via URL parameter tampering**
## Performance
- **Duration:** 12 min
- **Started:** 2026-01-14T[start time]
- **Completed:** 2026-01-14T[end time]
- **Tasks:** 2
- **Files modified:** 2
## Accomplishments
- Created job edit form with identical fields to submission form
- Implemented ownership validation hook preventing URL parameter tampering
- Integrated edit mode into provider dashboard with conditional rendering
- Form pre-populates existing job data via Formidable's id_param
- Dashboard shows either edit form or listings table, not both
- Back navigation link for returning to dashboard overview
## Task Commits
Each task was committed atomically:
1. **Task 1: Create job edit form with ownership validation** - `a4e2fbf` (feat)
2. **Task 2: Update dashboard edit links to use edit form** - `491c4fb` (feat)
**Plan metadata:** [will be added] (docs: complete job edit form plan)
## Files Created/Modified
- `includes/class-formidable.php` - Added create_job_edit_form() method for programmatic edit form creation, added validate_job_ownership() hook to prevent unauthorized edits, added get_job_edit_form_id() helper method
- `templates/provider-dashboard.php` - Added edit mode detection and conditional rendering, updated edit links to point to dashboard edit form, added back navigation link and edit section styling
## Security Implementation
The ownership validation is critical for preventing malicious providers from editing others' jobs:
**Validation Hook:** `validate_job_ownership()` hooked to `frm_validate_entry` filter
**Checks performed:**
1. Verify job_id parameter exists in URL
2. Verify post exists and post_type is 'job_offer'
3. Verify post_author matches current user ID
4. If any check fails, add Formidable error and block submission
**Attack prevented:** Provider cannot edit another provider's job by changing the job_id URL parameter. Even if they modify the URL manually, the ownership check will prevent the form from submitting.
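The four checks above, written out as a `frm_validate_entry` filter. This is an added illustration in the shape the plan describes, not the project's own `validate_job_ownership()` method; the `example_` prefix, the text domain, and reading `job_id` from the request query string (Formidable posts the form back to the page it was rendered on, so the edit link's query string is still present) are assumptions.

```php
<?php
// Added example (not the project's code): ownership gate for the job edit form.

/**
 * Block submission of the job edit form unless the current user owns the job.
 *
 * Formidable runs this filter before any form action, including Update Post,
 * so a non-empty $errors array stops the update entirely.
 *
 * @param array $errors Validation errors collected so far (key => message).
 * @param array $values Submitted values; $values['form_id'] identifies the form.
 * @return array
 */
function example_validate_job_ownership( $errors, $values ) {
    // Only guard the edit form; every other Formidable form passes through untouched.
    // Assumption: the edit form is looked up by its form key 'job_edit'.
    $edit_form_id = (int) FrmForm::get_id_by_key( 'job_edit' );
    if ( empty( $values['form_id'] ) || (int) $values['form_id'] !== $edit_form_id ) {
        return $errors;
    }

    // Check 1: job_id must be present in the URL. absint() rejects anything that is
    // not a positive integer, so "123abc" or "-1" fail here rather than later.
    $job_id = isset( $_GET['job_id'] ) ? absint( $_GET['job_id'] ) : 0;
    if ( ! $job_id ) {
        $errors['job_ownership'] = __( 'Keine Stelle ausgewählt.', 'example-textdomain' );
        return $errors;
    }

    // Check 2: the post must exist and be a job_offer. Without the post_type check a
    // provider could point job_id at any other post the Update Post action can write to.
    $post = get_post( $job_id );
    if ( ! $post || 'job_offer' !== $post->post_type ) {
        $errors['job_ownership'] = __( 'Stelle nicht gefunden.', 'example-textdomain' );
        return $errors;
    }

    // Check 3: post_author must match the logged-in user. WordPress stores post_author
    // as a string, so compare as integers and refuse a logged-out (ID 0) request.
    $current_user = get_current_user_id();
    if ( ! $current_user || (int) $post->post_author !== $current_user ) {
        $errors['job_ownership'] = __( 'Sie dürfen diese Stelle nicht bearbeiten.', 'example-textdomain' );
        return $errors;
    }

    // Check 4 is implicit: all three passed, so no error is added and submission proceeds.
    return $errors;
}
add_filter( 'frm_validate_entry', 'example_validate_job_ownership', 10, 2 );
```

One property worth checking when wiring this into a real form: the hook reads `job_id` from the same place the Update Post action's `id_param` reads it, so the post that is validated is the post that gets written. If the two ever diverge (for example, a hidden field carrying the ID while the hook still reads the URL), the check no longer protects the update.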
## Technical Details
### Form Structure
Form key: `job_edit`
Fields (identical to submission form):
1. **job_title** (text, required) - "Stellentitel"
2. **job_description** (textarea, required) - "Stellenbeschreibung"
3. **job_location** (text, required) - "Standort"
4. **job_type** (select, required) - "Art" with choices: Vollzeit, Teilzeit, Ehrenamt
5. **job_deadline** (date, optional) - "Bewerbungsfrist" (format: d.m.Y)
6. **job_contact_email** (email, required) - "Kontakt-E-Mail"
7. **job_logo** (file upload, optional) - "Logo" (accept: image/jpeg, image/png, max: 2MB)
Submit button: "Änderungen speichern"
Success message: "Ihre Änderungen wurden gespeichert!"
Success action: Redirect to /anbieter-dashboard/
### Form Actions
**Update Post action configured:**
- Post ID source: URL parameter 'job_id' (via id_param)
- Post type: 'job_offer'
- Post status: 'pending' (requires re-approval after edit)
- Post title: mapped to job_title field
- Post content: mapped to job_description field
- Custom field mappings (ACF fields):
  - job_location → meta:job_location
  - job_type → meta:job_type
  - job_deadline → meta:job_deadline
  - job_contact_email → meta:job_contact_email
  - job_logo → meta:job_logo
### Dashboard Edit Flow
1. User clicks "Bearbeiten" link in job listings table
2. URL changes to: `/anbieter-dashboard/?action=edit_job&job_id=123`
3. Dashboard template detects edit mode via URL parameters
4. Edit form displayed with job data pre-populated via id_param
5. Listings table hidden during edit mode
6. Back link allows return to overview
7. On form submission, ownership validation runs
8. If valid, job updated and redirects to dashboard
9. If invalid, error displayed and submission blocked
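The edit flow above, steps 1 to 6, as an added template sketch. It is not the project's `templates/provider-dashboard.php`; the `example_` helpers, the `job_edit` form key, and the decision to re-run the ownership check before rendering the form (so a wrong `job_id` falls back to the listings instead of showing someone else's data in a pre-populated form) are assumptions layered on top of what the plan records.

```php
<?php
// Added example (not the project's template): edit-mode detection and conditional rendering.

/** Return job_id from the URL when the request is a well-formed edit request, else 0. */
function example_requested_edit_job_id() {
    $action = isset( $_GET['action'] ) ? sanitize_key( $_GET['action'] ) : '';
    $job_id = isset( $_GET['job_id'] ) ? absint( $_GET['job_id'] ) : 0;
    return ( 'edit_job' === $action && $job_id > 0 ) ? $job_id : 0;
}

/** True only if the job exists, is a job_offer, and belongs to the logged-in user. */
function example_user_owns_job( $job_id ) {
    $uid  = get_current_user_id();
    $post = get_post( $job_id );
    return $uid && $post && 'job_offer' === $post->post_type && (int) $post->post_author === $uid;
}

/** Build the "Bearbeiten" link: dashboard base URL + action=edit_job&job_id=X. */
function example_job_edit_url( $job_id ) {
    $args = array( 'action' => 'edit_job', 'job_id' => (int) $job_id );
    return esc_url( add_query_arg( $args, home_url( '/anbieter-dashboard/' ) ) );
}

$edit_job_id = example_requested_edit_job_id();
$show_edit   = $edit_job_id && example_user_owns_job( $edit_job_id );

if ( $show_edit ) :
    // Edit mode: only the form is rendered. Pre-population comes from the form's Update
    // Post action (id_param = job_id); the frm_validate_entry hook re-checks ownership on submit.
    ?>
    <section class="job-edit">
        <a class="back-link" href="<?php echo esc_url( home_url( '/anbieter-dashboard/' ) ); ?>">&larr; Zurück zur Übersicht</a>
        <?php echo do_shortcode( '[formidable key="job_edit"]' ); ?>
    </section>
    <?php
else :
    // List mode: the listings table, one edit link per job owned by the current user.
    if ( $edit_job_id ) {
        // Edit was requested for a job the user may not edit; say so, then show the list.
        echo '<p class="notice">' . esc_html__( 'Diese Stelle kann nicht bearbeitet werden.', 'example-textdomain' ) . '</p>';
    }
    $jobs = get_posts( array(
        'post_type'   => 'job_offer',
        'author'      => get_current_user_id(),
        'post_status' => array( 'publish', 'pending' ),
        'numberposts' => -1,
    ) );
    ?>
    <table class="job-listings">
        <?php foreach ( $jobs as $job ) : ?>
        <tr>
            <td><?php echo esc_html( $job->post_title ); ?></td>
            <td><?php echo esc_html( $job->post_status ); ?></td>
            <td><a href="<?php echo example_job_edit_url( $job->ID ); ?>">Bearbeiten</a></td>
        </tr>
        <?php endforeach; ?>
    </table>
    <?php
endif;
```

The listing query is filtered by `author`, so the table only ever offers edit links for the user's own jobs; the render-time check and the validation hook then cover the case where a provider types a different `job_id` into the URL by hand.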
## Decisions Made
1. **Ownership validation in frm_validate_entry hook** - Formidable's validation filter is the correct place to check ownership before submission is processed. This prevents the Update Post action from running if ownership check fails.
2. **Conditional template rendering** - Single template file handles both list view and edit view using URL parameter detection. This keeps related functionality together and avoids template duplication.
3. **Edit mode via URL parameters** - Using `action=edit_job&job_id=X` pattern is WordPress-standard and allows bookmarking/sharing edit URLs (though ownership validation prevents unauthorized access).
4. **Form uses Update Post action** - Formidable's Update Post action (not Create Post) correctly updates existing posts. The id_param parameter tells Formidable which post to update and enables field pre-population.
5. **Post status reset to pending** - After editing, jobs return to 'pending' status requiring admin re-approval. This ensures edited jobs are reviewed before going live again, preventing abuse.
## Deviations from Plan
None - plan executed exactly as written.
## Issues Encountered
None - implementation was straightforward.
## Next Phase Readiness
Ready for 03-03-PLAN.md (admin notifications) or 03-04-PLAN.md (admin UI) - both can run in parallel.
The job edit form is complete and functional with security validated. Providers can edit their own jobs but cannot edit others' jobs even by URL tampering.
---
*Phase: 03-job-management-core*
*Completed: 2026-01-14*