Each user is able to view/edit/preview/delete their own files.
Your job is to find vulnerabilities, fixing them is not needed albeit would be nice.
The app can be run via php's built-in server php -c .user.ini -S 127.0.0.1:9900 -t public or any other local ip:port.
-c .user.ini is important, since it adds some sane php configs.