[$30] Security Issue - JD Edits from TaaS App #125
Comments
@maxceem @nkumar-topcoder - read above. I think the solution outlined should support the scenario. Interested in your thoughts.
@wdprice solution looks right to me.
@wdprice please, let me know if this is confirmed, and we may start working on this.
@wdprice @nkumar-topcoder what about existing job records? Should we set this value, or is there any criterion that we can use when updating existing data so we can set the value depending on something which indicates if the Job was posted or not? If there is no such indicator, but this value is important to us, we can try creating a migration script which would load information about the jobs from the RCRM API and check if it's activated or not. Or we might import data to JSON, and create a script that would use the JSON to set this value for jobs, but such a list of jobs should be fresh so it includes all the jobs.
Set to false by default. A script would be a great option, or we can also do minor updates to everything with active flags to force sync.
@maxceem I just checked and their Job table export includes this information, so I can provide a dump w/ Job slug + isApplicationPageActive
If there are not so many active jobs, then triggering sync manually could be easier. I guess a script would not be so easy to create as providing demo access for a developer is not easy. And importing/sanitizing JSON data also takes effort.
@wdprice if it's easy to provide such a dump, then sure, please provide it and we would create a script then.
Sum up:
Challenge https://www.topcoder.com/challenges/65521df7-adfe-4fbc-99b8-22ab140aa9ce has been created for this ticket.
@yoution this is open for pickup. Job for testing with
@yoution there is one more requirement:
We should implement it in a good way, so still using our current from config. Do you have any good ideas how?
@bug-bash-helper assign me |
@yoution 🛑 this issue is not included in the Bug Bash. You may only pickup issues which are included in this Bug Bash and open for pick up. |
@maxceem please assign me |
Challenge https://www.topcoder.com/challenges/65521df7-adfe-4fbc-99b8-22ab140aa9ce has been assigned to yoution. |
Payment task has been updated: https://www.topcoder.com/challenges/65521df7-adfe-4fbc-99b8-22ab140aa9ce |
Jobs that have a Job Application Form attribute = true in RCRM are posted directly to the Topcoder.com Gig Work page. In scenarios where that field is true, a user in TaaS App could write anything and post directly to Topcoder.com without review. We cannot allow this behavior to occur.
Proposed Solution
isApplicationPageActive
IF isApplicationPageActive == true
THEN disable the Job Description editor. Display a message underneath that reads: "You may not edit a Job Description that is currently posted to Topcoder.com. Please contact [email protected]."
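The gating rule in the proposed solution, plus the migration question raised in the comments (applying a dump of Job slug + isApplicationPageActive to existing records, defaulting to false), written as an added JavaScript example. This is not code from the taas-app project or from anyone in the thread: only the field name isApplicationPageActive and the message text come from the issue; the function names, the job record shape, the dump format and all sample rows are assumptions constructed for the example. It also adds the check a practitioner would want alongside the UI change: a disabled editor is only a client-side hint, so the same rule is applied again where the update would be persisted.

```javascript
// Added example, not taas-app code. The field name isApplicationPageActive
// and the message text come from the issue; function names, the job record
// shape ({ slug, description, isApplicationPageActive }) and the dump format
// are assumptions, and all sample data below is constructed.

const POSTED_JOB_MESSAGE =
  'You may not edit a Job Description that is currently posted to Topcoder.com. ' +
  'Please contact [email protected].';

// UI side: decide whether the Job Description editor is enabled for a job.
// Only an explicit boolean true locks the editor, matching the
// "set to false by default" decision in the thread.
function jobDescriptionEditorState(job) {
  const posted = job.isApplicationPageActive === true;
  return posted
    ? { editable: false, message: POSTED_JOB_MESSAGE }
    : { editable: true, message: null };
}

// API side: the editor being disabled in the browser does not stop a direct
// request, so the rule is enforced again before persisting. Returns the
// names of locked fields the patch tries to change (empty = update allowed).
function rejectedJobUpdateFields(existingJob, patch) {
  if (existingJob.isApplicationPageActive !== true) return [];
  const lockedFields = ['description'];
  return lockedFields.filter(
    (field) => field in patch && patch[field] !== existingJob[field]
  );
}

// Migration: apply an RCRM dump of { slug, isApplicationPageActive } rows to
// existing job records. Jobs absent from the dump get false; dump rows whose
// slug matches no job are reported rather than silently dropped; and a CSV-style
// export may carry strings, so only recognised "true" spellings count as posted.
function applyRcrmDump(jobs, dumpRows) {
  const postedBySlug = new Map();
  for (const row of dumpRows) {
    const v = row.isApplicationPageActive;
    const active = v === true || v === 'true' || v === 1 || v === '1';
    postedBySlug.set(row.slug, active);
  }
  const updated = jobs.map((job) => ({
    ...job,
    isApplicationPageActive: postedBySlug.get(job.slug) === true,
  }));
  const jobSlugs = new Set(jobs.map((j) => j.slug));
  const unmatched = [...postedBySlug.keys()].filter((s) => !jobSlugs.has(s));
  return { updated, unmatched };
}

// Constructed sample data (not real jobs or a real RCRM export).
const SAMPLE_JOBS = [
  { slug: 'job-a', description: 'A' },
  { slug: 'job-b', description: 'B' },
  { slug: 'job-c', description: 'C' },
];
const SAMPLE_DUMP = [
  { slug: 'job-a', isApplicationPageActive: 'true' },
  { slug: 'job-b', isApplicationPageActive: 'false' },
  { slug: 'job-z', isApplicationPageActive: 'true' },
];

// Run the migration over the sample data, then show the resulting editor
// state per job and the server-side rejection for the posted job.
function demo() {
  const { updated, unmatched } = applyRcrmDump(SAMPLE_JOBS, SAMPLE_DUMP);
  return {
    states: updated.map((j) => [j.slug, jobDescriptionEditorState(j).editable]),
    rejected: rejectedJobUpdateFields(updated[0], { description: 'changed' }),
    unmatched,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the sample data, job-a comes back locked (editor disabled, description change rejected), job-b and job-c stay editable because they are either explicitly false or missing from the dump, and job-z is listed as an unmatched dump row for someone to look at rather than being silently ignored.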