-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkp/pkp-lib#10486 adds validation to prevent an author of a rejected submission from editing metadata in the submission. #10693
base: stable-3_3_0
Are you sure you want to change the base?
Conversation
…on from editing metadata in the submission. Signed-off-by: yves <[email protected]>
Signed-off-by: yves <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @YvesLepidus! I made a few suggestions for change.
@@ -795,6 +795,12 @@ public function delete($submission) { | |||
public function canEditPublication($submissionId, $userId) { | |||
$stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */ | |||
$stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submissionId, $userId, null)->toArray(); | |||
$submission = $this->get($submissionId); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Every case where canEditPublication
is called, the $submission
object is already available -- so I'd suggest changing calling code to just pass the submission object instead of $submission->getId()
. That would save the additional (expensive) fetch of the submission object from the DB.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@YvesLepidus I think you're missing a PR for OJS too, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I couldn't find a call to the canEditPublication
method in the OJS 3.3.0
source code. 🤔
I only found it in the main
branch, using Repository.
$userIsAuthor = !empty($stageAssignmentDao->getBySubmissionAndRoleId($submissionId, ROLE_ID_AUTHOR, null, $userId)->toArray()); | ||
// If the submission is declined and the current user is an author of the submission | ||
if ($submission->getStatus() == STATUS_DECLINED && $userIsAuthor) { | ||
return false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored. This restriction should probably apply to submissions only when the author is the only stage assignment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored.
I added a check if the user doesn't have permissions to edit metadata according to the role.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This restriction should probably apply to submissions only when the author is the only stage assignment.
Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?
I discussed it internally with others and understood the point. In the current PR code, there are still issues, such as an author having the role of Moderator in the OPS but not being able to edit the declined submission. I will make the necessary adjustments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've adjusted the restriction to apply only in cases where the author has no role other than author/reader.
… a Submission object instead of a submission identifier and updates calls to this method. Signed-off-by: yves <[email protected]>
…tadata editing restriction only to these cases. Signed-off-by: yves <[email protected]>
…sive role of author/reader Signed-off-by: yves <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @YvesLepidus, just another couple of comments!
When you've gone through a set of review comments, don't forget to tag me on the issue to let me know; otherwise I won't know when you've finished adjusting things and have it ready for a second look.
* @param int $userId | ||
* @return boolean | ||
*/ | ||
public function canEditPublication($submissionId, $userId) { | ||
public function canEditPublication($submission, $userId) { | ||
$contextId = Application::get()->getRequest()->getContext()->getId(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's risky to use Request::getContext
here -- that'll work for web-based invocations of this function, but if it's ever called from e.g. a command-line tool or when processing a batch job at the end of a request, it may give the wrong value. Instead, use $submission->getData('contextId')
. (I see that the existing code used to use $request->getContext()
further down -- best to fix it now.)
$roles = $roleDao->getByUserId($userId, $contextId); | ||
foreach ($roles as $role) { | ||
if ($role->getRoleId() != ROLE_ID_AUTHOR && $role->getRoleId() != ROLE_ID_READER) { | ||
return true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this will erroneously bypass the checks further down in the code.
Related issue: pkp/pkp-lib#10486