pkp/pkp-lib#10486 adds validation to prevent an author of a rejected submission from editing metadata in the submission. #10693
Conversation
…on from editing metadata in the submission. Signed-off-by: yves <[email protected]>
Signed-off-by: yves <[email protected]>
| @@ -795,6 +795,12 @@ public function delete($submission) { | |||
| public function canEditPublication($submissionId, $userId) { | |||
| $stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */ | |||
| $stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submissionId, $userId, null)->toArray(); | |||
| $submission = $this->get($submissionId); | |||
There was a problem hiding this comment.
Every case where canEditPublication is called, the $submission object is already available -- so I'd suggest changing calling code to just pass the submission object instead of $submission->getId(). That would save the additional (expensive) fetch of the submission object from the DB.
There was a problem hiding this comment.
@YvesLepidus I think you're missing a PR for OJS too, no?
There was a problem hiding this comment.
I couldn't find a call to the canEditPublication method in the OJS 3.3.0 source code. 🤔
I only found it in the main branch, using Repository.
| $userIsAuthor = !empty($stageAssignmentDao->getBySubmissionAndRoleId($submissionId, ROLE_ID_AUTHOR, null, $userId)->toArray()); | ||
| // If the submission is declined and the current user is an author of the submission | ||
| if ($submission->getStatus() == STATUS_DECLINED && $userIsAuthor) { | ||
| return false; |
There was a problem hiding this comment.
I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored. This restriction should probably apply to submissions only when the author is the only stage assignment.
There was a problem hiding this comment.
I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored.
I added a check if the user doesn't have permissions to edit metadata according to the role.
There was a problem hiding this comment.
This restriction should probably apply to submissions only when the author is the only stage assignment.
Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?
There was a problem hiding this comment.
Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?
I discussed it internally with others and understood the point. In the current PR code, there are still issues, such as an author having the role of Moderator in the OPS but not being able to edit the declined submission. I will make the necessary adjustments.
There was a problem hiding this comment.
I've adjusted the restriction to apply only in cases where the author has no role other than author/reader.
… a Submission object instead of a submission identifier and updates calls to this method. Signed-off-by: yves <[email protected]>
…tadata editing restriction only to these cases. Signed-off-by: yves <[email protected]>
…sive role of author/reader Signed-off-by: yves <[email protected]>
There was a problem hiding this comment.
Thanks, @YvesLepidus, just another couple of comments!
When you've gone through a set of review comments, don't forget to tag me on the issue to let me know; otherwise I won't know when you've finished adjusting things and have it ready for a second look.
…est as a reference.
…e from author/reader.
| @@ -176,10 +176,7 @@ public function getProperties($submission, $props, $args = null) { | |||
|
|
|||
| // Retrieve the submission's context for properties that require it | |||
| if (array_intersect(['_href', 'urlAuthorWorkflow', 'urlEditorialWorkflow'], $props)) { | |||
| $submissionContext = $request->getContext(); | |||
There was a problem hiding this comment.
@YvesLepidus, these lines (and further down) were an optimization: if the request's context specifies the right ID, then we use it; otherwise fetch the context from the database. I think those were safe and reliable and shouldn't be removed.
There was a problem hiding this comment.
@YvesLepidus, just one more individual comment, thanks! Once that's addressed, could you forward-port this to stable-3_4_0 and main?
…ifier (it was previously excluded).
Ok @asmecher, I'll adapt it for these branchs. |
| @@ -317,7 +317,7 @@ public function getPropertyReviewAssignments($submission) { | |||
|
|
|||
| $request = \Application::get()->getRequest(); | |||
| $currentUser = $request->getUser(); | |||
| $context = $request->getContext(); | |||
| $context = Services::get('context')->get($submission->getData('contextId')); | |||
There was a problem hiding this comment.
Sorry to keep sending you back on this issue -- but this will potentially add a lot of overhead, as it'll mean fetching the object repeatedly if called on a list of submissions. I would suggest using the same optimization you see elsewhere:
if (!$context || $context->getId() != $submission->getData('contextId')) {
$context = Services::get('context')->get($submission->getData('contextId'));
}This will probably be faster, but still safe for batch jobs.
| @@ -396,7 +396,7 @@ public function getPropertyStages($submission, $stageIds = null) { | |||
| } | |||
|
|
|||
| $currentUser = \Application::get()->getRequest()->getUser(); | |||
| $context = \Application::get()->getRequest()->getContext(); | |||
| $context = Services::get('context')->get($submission->getData('contextId')); | |||
| if (!$submissionContext || $submissionContext->getId() != $submission->getData('contextId')) { | ||
| $submissionContext = Services::get('context')->get($submission->getData('contextId')); | ||
| } | ||
| $submissionContext = Services::get('context')->get($submission->getData('contextId')); |
There was a problem hiding this comment.
This change should be removed.
Related issue: pkp/pkp-lib#10486