Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pkp/pkp-lib#10486 adds validation to prevent an author of a rejected submission from editing metadata in the submission. #10693

Open
wants to merge 5 commits into
base: stable-3_3_0
Choose a base branch
from

Conversation

YvesLepidus
Copy link
Contributor

Related issue: pkp/pkp-lib#10486

Copy link
Member

@asmecher asmecher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @YvesLepidus! I made a few suggestions for change.

@@ -795,6 +795,12 @@ public function delete($submission) {
public function canEditPublication($submissionId, $userId) {
$stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */
$stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submissionId, $userId, null)->toArray();
$submission = $this->get($submissionId);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Every case where canEditPublication is called, the $submission object is already available -- so I'd suggest changing calling code to just pass the submission object instead of $submission->getId(). That would save the additional (expensive) fetch of the submission object from the DB.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, @asmecher ! 😃
I've adjusted the canEditPublication method and updated the calls in lib-pkp. I've also done the PR to include the method call update in OMP and OPS.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@YvesLepidus I think you're missing a PR for OJS too, no?

Copy link
Contributor Author

@YvesLepidus YvesLepidus Dec 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't find a call to the canEditPublication method in the OJS 3.3.0 source code. 🤔
I only found it in the main branch, using Repository.

$userIsAuthor = !empty($stageAssignmentDao->getBySubmissionAndRoleId($submissionId, ROLE_ID_AUTHOR, null, $userId)->toArray());
// If the submission is declined and the current user is an author of the submission
if ($submission->getStatus() == STATUS_DECLINED && $userIsAuthor) {
return false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored. This restriction should probably apply to submissions only when the author is the only stage assignment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored.

I added a check if the user doesn't have permissions to edit metadata according to the role.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This restriction should probably apply to submissions only when the author is the only stage assignment.

Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?

I discussed it internally with others and understood the point. In the current PR code, there are still issues, such as an author having the role of Moderator in the OPS but not being able to edit the declined submission. I will make the necessary adjustments.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've adjusted the restriction to apply only in cases where the author has no role other than author/reader.

… a Submission object instead of a submission identifier and updates calls to this method.

Signed-off-by: yves <[email protected]>
…tadata editing restriction only to these cases.

Signed-off-by: yves <[email protected]>
Copy link
Member

@asmecher asmecher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @YvesLepidus, just another couple of comments!

When you've gone through a set of review comments, don't forget to tag me on the issue to let me know; otherwise I won't know when you've finished adjusting things and have it ready for a second look.

* @param int $userId
* @return boolean
*/
public function canEditPublication($submissionId, $userId) {
public function canEditPublication($submission, $userId) {
$contextId = Application::get()->getRequest()->getContext()->getId();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's risky to use Request::getContext here -- that'll work for web-based invocations of this function, but if it's ever called from e.g. a command-line tool or when processing a batch job at the end of a request, it may give the wrong value. Instead, use $submission->getData('contextId'). (I see that the existing code used to use $request->getContext() further down -- best to fix it now.)

$roles = $roleDao->getByUserId($userId, $contextId);
foreach ($roles as $role) {
if ($role->getRoleId() != ROLE_ID_AUTHOR && $role->getRoleId() != ROLE_ID_READER) {
return true;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this will erroneously bypass the checks further down in the code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants