Hi, I am in testing phase of my site using the Job Search module.

When logged in as a Job Seeker, I am unable to clear one of my applications from: My Account > Jobs applied for > View job postings.

When I click on the "Clear" function, I receive an Access Denied error. I have tried changing permissions to be able to resolve this and also rebuilding them and clearing the cache; it makes no difference.

Which permission must be set for the Job Seeker to be able to clear one of their applications?

Also, once a Job Seeker has cleared one of their applications from Jobs applied for view, will the change be reflected in the Recruiters view of Job applications received by clearing it from there also? Signifying to the Recruiter that the applicant has cancelled their application.

Thank you.

Comment | File | Size | Author
#18 | clear_perm.patch | 4.14 KB | mandclu

Comments

Peng.Pif’s picture

Category: support » bug
Priority: Normal » Critical

I have been tinkering with permission settings to no avail. Tested now from Admin role and found a bug.

If you clear an application from the "Jobs Applied For" view, you get re-directed to the "Job Applications Received" view. This is where you get the confirmation message saying "Job application #[nid] has been cleared".

This explains why, with the Job Seeker Role I was unable to clear applications as the re-direct is taking me to an area I am not allowed to access.

How can this re-direct be fixed?

Peng.Pif’s picture

I have solved the problem of the re-direct. In the job.module file I changed:

drupal_goto('job/applications');

To:

$referer = referer_uri();
drupal_goto($referer);
}

So from the Admin / Recruiter login it works fine.

But I am still unable to Clear an application from the Job Seeker role. I keep getting Access denied.

Can someone please give me a pointer or suggestion to where I am going wrong?

Thank you.

Peng.Pif’s picture

I have tried this on a fresh install and still the same Access Denied error. It seems Job Seeker cannot clear/cancel their own applications.

The only way I am able to let a Job Seeker clear an application is to give them the 'Manage Job Applications' permission.

But this creates another problem as in 'My account' of a Job Seeker you now see a link to the view 'Job Applications Received' even though the Job Seeker does not have any permission to create Jobs!

I have rebuilt permissions, cleared cache etc. No luck...

I'm really stuck and could do with some help guys.

Thanks.

Peng.Pif’s picture

I think the problem lies here:

$items['job/clear'] = array(
'page callback' => 'job_clear',
'type' => MENU_CALLBACK,
'access arguments' => array(JOB_PERM_MANAGE),
);

I have tried changing the access argument to : 'access arguments' => array(JOB_PERM_APPLY),

This allows the job seeker to clear applications but will not allow recruiters to do the same.

I've tried passing 2 access arguments and even creating a new one that I have assigned to both job seeker and recruiter but still no luck...

Peng.Pif’s picture

I have changed:

$items['job/clear'] = array(
'page callback' => 'job_clear',
'type' => MENU_CALLBACK,
'access arguments' => array(JOB_PERM_MANAGE),
);

To:

$items['job/clear'] = array(
'page callback' => 'job_clear',
'type' => MENU_CALLBACK,
'access arguments' => array('access content'),
);

Both job seekers and recruiters can now clear jobs.

mandclu’s picture

While that gives them access to remove applications, I believe it actually gives them the authority to remove all applications, not just their own. It might be more in keeping with standard Drupal practice to have a separate permission to delete own applications, or you could assume that right is given to anyone with JOB_PERM_APPLY.

Peng.Pif’s picture

Thanks for the reply, much appreciated.

If JOB_PERM_APPLY is used, that would mean the recruiter will have to be given the 'Apply for jobs' permission. This would be a problem as the recruiter will then be exposed to the "Apply for this job" link in every job node. Issue is here: http://drupal.org/node/795844

With array('access content'), although users could clear any content, doesn't the views argument restrict them to only viewing their own applications? So only making it possible for them to clear their own applications?

If not, and other users' applications became visible, then it would probably be best to have a new permission created in the module, that gives the express right to clear an application. Something like JOB_PERM_REMOVE?

While I have been testing it with the permission set as array('access content'), I have not seen Job Seeker 1's applications in Job Seeker 2's view of jobs applied for. And vice versa.

What are your thoughts?

mandclu’s picture

A devious user might see that it links to 'job/clear/12' and then arbitrarily try numbers just outside his own, to eliminate competition for a job he's applied to.

I think what you need is something that will grant access in one of two cases: the user has JOB_PERM_MANAGE or they have JOB_PERM_APPLY and it's their application.

Peng.Pif’s picture

LMAO @ the devious user! Yes, it's true, this could happen and would be a security issue.

What if JOB_PERM_APPLY was used, and hook_link was edited to unset the job application link from the recruiters view. Can that work? This way 1 of 2 default permissions are used without:

1. Job seeker being unable to clear applications.
2. Recruiter having to see apply for job link.

What about adding a new permission? Does that require more work in the module than just adding the following:

define('JOB_PERM_APPLY', 'apply for jobs');
define('JOB_PERM_MANAGE', 'manage job applications');
define('JOB_PERM_REMOVE', 'cancel job applications');

/**
* Implementation of hook_perm().
*/
function job_perm() {
return array(
JOB_PERM_APPLY,
JOB_PERM_MANAGE,
JOB_PERM_REMOVE,
);
}

mandclu’s picture

I don't think adding a new permission by itself solves the issue of allowing people to edit their own applications but not those of others. We could add an additional permission 'delete own job applications', or you could just assume that anyone with JOB_PERM_APPLY can do that.

The bigger issue is that we need to add that logic to job_menu, or possibly break that out into a separate permissions function, in the same way as node.module (which has its own permissions case for owners of a node vs. those with global access).

Peng.Pif’s picture

If it is broken into separate permissions, I can see the need for 'delete own application' for job seekers to be able to 'Withdraw Application'.

But also a permission, 'delete all applications', which will allow for a recruiter to be able to 'Reject Application'.

mandclu’s picture

I suppose the salient question is if there will be cases where we want people to submit applications and not be able to delete them. If we can assume they should always be able to do that, then we don't need the extra permission.

I definitely agree, though, that there should be a distinct permission for "delete any application".

Peng.Pif’s picture

In regards to point 1. If the permission 'delete own application' is there, it would be up to the admin to decide, depending on their own usage requirements to allow / prevent job seekers from doing so.

The same way there is currently a permission for 'delete own resume content' etc.

mandclu’s picture

Based on the discussion so far, a revised permissions structure might look like:

define('JOB_PERM_APPLY', 'apply for jobs');
define('JOB_PERM_WITHDRAW', 'cancel own job applications');
define('JOB_PERM_MANAGE', 'manage job applications');
define('JOB_PERM_REMOVE', 'cancel any job applications');

/**
* Implementation of hook_perm().
*/
function job_perm() {
return array(
JOB_PERM_APPLY,
JOB_PERM_WITHDRAW,
JOB_PERM_MANAGE,
JOB_PERM_REMOVE,
);
}

Also, the hook_menu treatment should be a little different, such as:

/**
* Implementation of hook_menu().
*/
function job_menu() {
$items = array();
$items['admin/settings/job'] = array(
'title' => t('Job'),
'description' => t('Job settings'),
'page callback' => 'drupal_get_form',
'page arguments' => array('job_admin_settings'),
'access arguments' => array('administer site configuration'),
);

$items['job/apply'] = array(
'page callback' => 'job_apply',
'type' => MENU_CALLBACK,
'access arguments' => array('access content'),
);

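$items['job/clear'] = array(
'page callback' => 'job_clear',
'type' => MENU_CALLBACK,
// Name the callback so the menu system runs the check on each request,
// rather than calling it once while the menu is being built.
'access callback' => '_job_perm_clear',
);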

$items['job/applications'] = array(
'page callback' => 'job_view',
'title' => t('Job Applications Received'),
'type' => MENU_SUGGESTED_ITEM,
'access arguments' => array(JOB_PERM_MANAGE),
);

$items['job/appliedfor'] = array(
'page callback' => 'job_post_view',
'title' => t('Jobs Applied For'),
'type' => MENU_SUGGESTED_ITEM,
'access arguments' => array(JOB_PERM_APPLY),
);

return $items;
}

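/**
* Access check for job/clear/<nid>/<uid>.
*/
function _job_perm_clear() {
global $user;

// Path segments: job/clear/<nid>/<uid>.
$nid = arg(2);
$uid = arg(3);
// NOTE: should it be possible to remove all applications for a job in one step?

// $node is loaded here but not used by the check below.
$node = node_load($nid);
// Allow anyone who may cancel any application, or the applicant cancelling their own.
if (user_access(JOB_PERM_REMOVE) || ($uid == $user->uid && user_access(JOB_PERM_WITHDRAW))) {
return true;
}
return false;
}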
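
The access rule discussed above ("cancel any", or "cancel own" only on the caller's own application), contrasted with the 'access content' workaround, as an added stand-alone example that is not code from this thread or from the Job Search module. `has_perm()`, the two policy functions and the sample accounts are hypothetical; it runs without Drupal, and denying the "all" segment to non-holders of "cancel any" is this example's own choice.

```php
<?php
// Added example: stand-alone model of the job/clear/<nid>/<uid> access decision.
// No Drupal bootstrap; accounts and requests below are constructed sample data.
define('JOB_PERM_WITHDRAW', 'cancel own job applications');
define('JOB_PERM_REMOVE', 'cancel any job applications');

// Hypothetical stand-in for Drupal's user_access().
function has_perm(array $account, $perm) {
  return in_array($perm, $account['perms'], TRUE);
}

// The 'access content' workaround: the applicant uid in the URL is never consulted.
function clear_access_content(array $account, $applicant_uid) {
  return has_perm($account, 'access content');
}

// Owner-aware rule: "cancel any", or "cancel own" on the caller's own application.
function clear_access_owner_aware(array $account, $applicant_uid) {
  if (has_perm($account, JOB_PERM_REMOVE)) {
    return TRUE;
  }
  // The uid arrives from the URL as a string: require plain digits, then compare
  // as integers, so 'all', '12abc' or '' can never match an account.
  if (!is_string($applicant_uid) || !ctype_digit($applicant_uid)) {
    return FALSE;
  }
  return (int) $applicant_uid === $account['uid']
    && has_perm($account, JOB_PERM_WITHDRAW);
}

// Constructed accounts.
$seeker = array('uid' => 12, 'perms' => array('access content', JOB_PERM_WITHDRAW));
$recruiter = array('uid' => 5, 'perms' => array('access content', JOB_PERM_REMOVE));

// Constructed requests: label, account, <uid> segment of job/clear/256/<uid>.
$requests = array(
  array('seeker clears own', $seeker, '12'),
  array('seeker clears uid 11', $seeker, '11'),
  array('seeker sends "all"', $seeker, 'all'),
  array('seeker sends "12abc"', $seeker, '12abc'),
  array('recruiter clears uid 11', $recruiter, '11'),
  array('recruiter sends "all"', $recruiter, 'all'),
);

foreach ($requests as $r) {
  list($label, $account, $uid_arg) = $r;
  printf("%-26s access-content=%-5s owner-aware=%s\n", $label,
    clear_access_content($account, $uid_arg) ? 'allow' : 'deny',
    clear_access_owner_aware($account, $uid_arg) ? 'allow' : 'deny');
}
```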

Peng.Pif’s picture

Hey surge,

Where it says: // NOTE: should it be possible to remove all applications for a job in one step?

Do you mean if there should be a confirmation step? If so, I think there should be.

Something else to do with the clear function - Would it be possible to modify job_mail to send an email to recruiter / job seeker if one or the other rejects or withdraws an application?

Reason being, if a recruiter clears an application received from the Job Applications Received view, this application is also removed from the Job Seeker's Jobs Applied For view. The Job Seeker will not have a clue as to what has happened to their application.

A workaround could be to have a block which appears at the top of the view saying something like "If one of your applications is no longer visible here, it is currently being reviewed by (node published by)". This would help clear any confusion the job seeker may experience when looking back at their applications.

What do you think?

mandclu’s picture

Currently the job_clear function seems written to only clear a single user's application for a specified job. The note was to signify that there might be value in having an option for an administrator to clear out all the jobs at once. A confirmation step is probably a good idea as well.

I do tend to agree that it might be confusing if an applicant finds some of his applications missing, though I have to confess I think that a notification feature seems like it should be part of a separate issue.

Should I roll a patch for this new code?

Peng.Pif’s picture

Yes it could save a lot of time for recruiters to batch clear applications. "Clear All" or Checkboxes next to each row to allow them to hand pick applications to clear?

The Checkbox approach could be beneficial for recruiters as they could use this to narrow down applicants after reviewing their resumes and use the view as an applicant filter of sorts.

If you could roll a patch that would be great pal.

Thanks.

mandclu’s picture

Status: Active » Needs review
Status | FileSize
new | 4.14 KB

OK, the attached patch should provide the new permissions, and allow those with the new "withdraw" permission to clear their own applications. I've also included an ability to clear all applications for a job using "all" as URL wildcard, such as "job/clear/256/all". It does need some kind of interface option for that, but perhaps that would best be addressed under the issue about the apply link, and the various permutations there.

Peng.Pif’s picture

Hey surge, just tested patch, it's working fine.

New permissions are visible. Job seekers 1 and 2 were given "Clear own applications" permission and were able to do so. Recruiter was given "Clear all applications" and was able to do so.

I agree with having the "Clear all" visible in the view. Do you think it would be a good idea to incorporate VBO functionality with the module? Allowing the views Jobs Applied For and Jobs Applications Received views to be more customisable? There is also the Views Send module which could be harnessed to allow for message to be sent from either of these views that could solve the issue above of job seekers not knowing what has happened to their application if a recruiter removes it. We can take this up in a new thread as it is a separate issue.

Thanks.

mandclu’s picture

Status: Needs review » Fixed

This change has been committed. VBO support sounds like a great idea, definitely open up a separate ticket for that.

Peng.Pif’s picture

Thanks!

Will open a separate issue for the VBO support.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.