[$30] Security Issue - JD Edits from TaaS App

[wdprice]

Jobs that have a Job Application Form attribute = true in RCRM are posted directly to the Topocder.com Gig Work page. In scenarios where that field is true, a user in TaaS App could write anything and post directly to Topcoder.com without review. We cannot allow this behavior to occur.

Proposed Solution

1. Add a new boolean to Jobs API & database: isApplicationPageActive
2. Update Zapier integration to update this field whenever it is edited in RecruitCRM. Do not allow this field to be edited inside TaaS App UI or though API (except m2m).
3. Add logic to Job Edit page: IF isApplicationPageActive == true THEN disable the Job Description editor. Display a message underneath that reads: "You may not edit a Job Description that is currently posted to Topcoder.com. Please contact support@topcoder.com."

[wdprice]

@maxceem @nkumar-topcoder - read above. I think the solution outlined should support the scenario. Interested in your thoughts.

[maxceem]

@wdprice solution looks right to me.

[maxceem]

@wdprice please, let me know if this is confirmed, and we may start working on this.

[maxceem]

@wdprice @nkumar-topcoder what about existent jobs records? Should we set this value false to all of them so the Description could be edited? Or should we set true to all existent records so the Description could not be edited?

Or is there any criteria that we can use when updating existent data so we can set the value depends on something which indicates if the Job was posted or no?

If there is no such indicator, but this value is important to us, we can try creating migration script which would load information about the jobs from RCRM API and check if it's activated or no. Or we might import data to JSON, and create a script that would use JSON to set this value for jobs, but such a list of jobs should be fresh so it includes all the jobs.

[wdprice]

Set to false be default.

A script would be a great option, or we can also do minor updates to everything with active flags to force sync.

[wdprice]

@maxceem I just checked and their Job table export includes this information, so I can provide a dump w/ Job slug + isApplicationPageActive

[maxceem]

A script would be a great option, or we can also do minor updates to everything with active flags to force sync.

If there are not so many active jobs, then triggering sync manually could be easier. I guess script would be not so easy to create as providing demo access for a developer is not easy. And importing/sanitizing JSON data also takes effort.

[maxceem]

@wdprice if it's easy to provide such a dump, then sure, please provide and we would create a script then.

[maxceem]

Sum up:

• If isApplicationPageActive is true then disable description editor

  

  • note, that we should be able to scroll the content inside the editor but should not be able to edit it
  • if the editor doesn't have a feature to "disable" it, then we can show the TuiViewer instead of the editor when the editor is disabled. But make sure that we don't add some special logic to the Form. So if we need to display Viewer, then still pass disabled={true} to the form and only inside MarkDownEditor if disabled===true then show MarkdownViewer. But make the height the same like the editor with the scrollbar, so we don't show the long text like we do on the Job View page.