pkp/pkp-lib#10486 adds validation to prevent an author of a rejected submission from editing metadata in the submission. #10693
Conversation
…on from editing metadata in the submission. Signed-off-by: yves <[email protected]>
Signed-off-by: yves <[email protected]>
| @@ -795,6 +795,12 @@ public function delete($submission) { | |||
| public function canEditPublication($submissionId, $userId) { | |||
| $stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */ | |||
| $stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submissionId, $userId, null)->toArray(); | |||
| $submission = $this->get($submissionId); | |||
There was a problem hiding this comment.
Every case where canEditPublication is called, the $submission object is already available -- so I'd suggest changing calling code to just pass the submission object instead of $submission->getId(). That would save the additional (expensive) fetch of the submission object from the DB.
There was a problem hiding this comment.
@YvesLepidus I think you're missing a PR for OJS too, no?
There was a problem hiding this comment.
I couldn't find a call to the canEditPublication method in the OJS 3.3.0 source code. 🤔
I only found it in the main branch, using Repository.
| $userIsAuthor = !empty($stageAssignmentDao->getBySubmissionAndRoleId($submissionId, ROLE_ID_AUTHOR, null, $userId)->toArray()); | ||
| // If the submission is declined and the current user is an author of the submission | ||
| if ($submission->getStatus() == STATUS_DECLINED && $userIsAuthor) { | ||
| return false; |
There was a problem hiding this comment.
I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored. This restriction should probably apply to submissions only when the author is the only stage assignment.
There was a problem hiding this comment.
I think a more complex policy will be required. If someone is an editor, for example, they probably should have permission to edit metadata on declined submissions they also authored.
I added a check if the user doesn't have permissions to edit metadata according to the role.
There was a problem hiding this comment.
This restriction should probably apply to submissions only when the author is the only stage assignment.
Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?
There was a problem hiding this comment.
Sorry, I didn't understand exactly what you meant. Is that a necessary validation in this conditional, too?
I discussed it internally with others and understood the point. In the current PR code, there are still issues, such as an author having the role of Moderator in the OPS but not being able to edit the declined submission. I will make the necessary adjustments.
There was a problem hiding this comment.
I've adjusted the restriction to apply only in cases where the author has no role other than author/reader.
… a Submission object instead of a submission identifier and updates calls to this method. Signed-off-by: yves <[email protected]>
…tadata editing restriction only to these cases. Signed-off-by: yves <[email protected]>
…sive role of author/reader Signed-off-by: yves <[email protected]>
Related issue: pkp/pkp-lib#10486