Activity

Summary

The /jobs/{uid} public page exposed household-identifying details (postcode, property type, schedule, services) on a guessable Sqid URL. Anyone with the link could view a real client's request — that's a privacy/GDPR problem we don't want.

Bonus: it's also the page that's been throwing Inertia\Ssr\SsrException (Cannot convert undefined or null to object at renderTagStart) since SSR went live (Sentry event 5aae8afd87...). Removing the route makes that alert go away too.

Removed

• PublicJobController and the /jobs/{jobPosting} route
• jobs/show.tsx Inertia page (with its share button + OG meta)
• PublicJobControllerTest
• The "View public page" / "Copy link" affordance on the admin job show page, plus the publicUrl prop and its tests
• Wayfinder regenerated; resources/js/routes/jobs/ is gone

Kept (unaffected)

• /admin/jobs/{uid}, /client/jobs/{uid}, /cleaner/jobs/{uid} — authenticated, gated views with proper access control
• The post-job wizard, quote flow, messaging, notifications
• The shared inbound email links — none of them ever pointed at the public route, only at the authenticated ones, so no inboxes break

Net -478 lines, +0.

Test plan

• php artisan test tests/Feature/Admin/ tests/Feature/Client/JobControllerTest.php tests/Feature/Cleaner/JobControllerTest.php tests/Feature/ReviewTest.php → 167 passed
• php artisan route:list | grep jobs.show → only admin., client., cleaner. (no public jobs.show)
• vendor/bin/pint --dirty → clean
• After deploy: curl https://tidylinker.com/jobs/tXyJwvFC returns 404
• Sentry SsrException stops firing for this event group
• Admin job page still loads and works (just without the public-link button)