cross-solution / YAWIK

YAWIK is a web application. It can be used as an applicant tracking system (ATS) or as a job board.
https://yawik.org
MIT License

every recruiter can edit all joboffers #104

Closed mbo-s closed 9 years ago

mbo-s commented 9 years ago

Create a new account on and change role to recruiter, if not set.

Create a new job; it now has the status draft. Copy the JobID.

Log out and log in with another recruiter account, e.g. demo/demo.

Manually call http://yawik.org/demo/en/jobs/edit?id=JOBID with the copied JobID.

Alternative: go to the jobboard: http://yawik.org/demo/en/jobboard. Take the JobID from a job offer, e.g. http://yawik.org/demo/en/jobs/view?id=5475ca7bae0259171e67376a

Log in with a new recruiter account and open http://yawik.org/demo/en/jobs/edit?id=5475ca7bae0259171e67376a

You have now full access to the job and can edit everything.

cbleek commented 9 years ago

Yes, the ACL check is currently commented out.

https://github.com/cross-solution/YAWIK/blob/develop/module/Jobs/src/Jobs/Controller/ManageController.php#L107

If the check is enabled via

    $this->acl($jobEntity, 'edit');

and if you use some foreign ID, you'll get a fatal error:

    Fatal error: Call to a member function getId() on a non-object in /home/cbleek/Projects/YAWIK/module/Jobs/src/Jobs/Acl/WriteAssertion.php on line 47

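The two defects described in this thread (the ownership check being disabled, and the assertion crashing on an id that resolves to no job) can be closed together by resolving the job first, returning 404 when it does not exist, and only then running an assertion that tolerates a missing entity. The sketch below is an added illustration and not YAWIK's code; `Job`, `User`, `JobRepository`, `NotFoundException` and `ForbiddenException` are placeholder names standing in for the project's own entity, repository and HTTP error types.

```php
<?php
// Added illustration, not YAWIK's code. Job, User, JobRepository,
// NotFoundException and ForbiddenException are assumed placeholders.

final class WriteAssertion
{
    /**
     * Allow a write only on a job the current user owns (admins may edit any).
     * Accepting ?Job is what prevents the "getId() on a non-object" fatal
     * error reported above: an unknown id is denied instead of crashing.
     */
    public function assert(User $user, ?Job $job): bool
    {
        if ($job === null) {
            return false;               // nothing to authorise; deny, don't crash
        }
        if ($user->getRole() === 'admin') {
            return true;
        }
        $owner = $job->getUser();       // drafts may have no owner yet: treat as foreign
        return $owner !== null && $owner->getId() === $user->getId();
    }
}

final class ManageController
{
    public function __construct(
        private JobRepository $jobs,
        private WriteAssertion $acl,
        private User $currentUser,
    ) {}

    public function editAction(string $id): Job
    {
        $job = $this->jobs->find($id);  // assumed to return ?Job
        if ($job === null) {
            throw new NotFoundException("No job with id $id");       // 404
        }
        // The check issue #104 reports as commented out: refuse a job the
        // current recruiter does not own before any edit form is rendered.
        if (!$this->acl->assert($this->currentUser, $job)) {
            throw new ForbiddenException('Not allowed to edit this job'); // 403
        }
        return $job;
    }
}
```

With this ordering the ACL assertion never receives a null entity, so enabling `$this->acl($jobEntity, 'edit')` no longer turns a foreign id into a fatal error.
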
TiSiE commented 9 years ago

WriteAssertion was changed in e602a16.

The error will be fixed when #87 is finished.