Talent-Catalog / talentcatalog

https://tctalent.org
GNU Affero General Public License v3.0

Bug: UNHCR-type partner can download CV with candidate name and contact info #1685

Open samschlicht opened 1 week ago

samschlicht commented 1 week ago

Vid of issue (logged in to production as UNHCR user):

Private Zenhub Video

camerojo commented 1 week ago

This is not just a technical issue. Many candidates do have a public CV where they include their name and whatever other details they choose.

Our view is that if a candidate uploads that, they are implicitly giving us permission to distribute it. We need to make that clearer to candidates. Maybe just a pop up when they do a CV upload saying that we will distribute whatever they provide us with.

samschlicht commented 1 week ago

Good to know it’s not a complete oversight, but this is generated by the TC — I don’t see why we would share the pictured information in anonymised TC view.

The anonymised public CV makes perfect sense, but not convinced on the DL link with full contact details.

If nothing else, as a user of the anonymised version, I would perceive this as a bug.

Screenshot 2024-11-28 at 10.39.12 am.png

samschlicht commented 1 week ago

I've discussed this with John. To clarify:

We've decided to include it in the other hot fix for UNHCR-type access (#1635).

samschlicht commented 1 week ago

Unfortunately the CV DL doesn't work in dev or staging, which I suspect may have to do with the Spring upgrade — so this is blocked behind #1688.

samschlicht commented 1 week ago

John has unblocked! Combined PR for this and #1635 is in - if all good will also be applied as a hot fix.