pkp/pkp-lib#10486 adds validation to prevent an author of a rejected submission from editing metadata in the submission.

api/v1/submissions/PKPSubmissionHandler.inc.php

@@ -698,7 +698,7 @@ public function editPublication($slimRequest, $response, $args) {
 
 		// Prevent users from editing publications if they do not have permission. Except for admins.
 		$userRoles = $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES);
-		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission->getId(), $currentUser->getId())) {
+		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission, $currentUser->getId())) {
 			return $response->withStatus(403)->withJsonError('api.submissions.403.userCantEdit');
 		}
 

classes/security/authorization/internal/PublicationCanBeEditedPolicy.inc.php

@@ -37,7 +37,7 @@ public function effect()
 
 		// Prevent users from editing publications if they do not have permission. Except for admins.
 		$userRoles = $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES);
-		if (in_array(ROLE_ID_SITE_ADMIN, $userRoles) || Services::get('submission')->canEditPublication($submission->getId(), $this->_currentUser->getId())) {
+		if (in_array(ROLE_ID_SITE_ADMIN, $userRoles) || Services::get('submission')->canEditPublication($submission, $this->_currentUser->getId())) {
 			return AUTHORIZATION_PERMIT;
 		}
 

classes/services/PKPSubmissionService.inc.php

@@ -788,22 +788,34 @@ public function delete($submission) {
 	/**
 	 * Check if a user can edit a publications metadata
 	 *
-	 * @param int $submissionId
+	 * @param Submission $submission
 	 * @param int $userId
 	 * @return boolean
 	 */
-	public function canEditPublication($submissionId, $userId) {
+	public function canEditPublication($submission, $userId) {
+                $contextId = Application::get()->getRequest()->getContext()->getId();
 		$stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */
-		$stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submissionId, $userId, null)->toArray();
+		$stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submission->getId(), $userId, null)->toArray();
+                $userIsAuthor = !empty($stageAssignmentDao->getBySubmissionAndRoleId($submission->getId(), ROLE_ID_AUTHOR, null, $userId)->toArray());
+                // If the submission is rejected and the user's only role is an author
+                if ($submission->getStatus() == STATUS_DECLINED && $userIsAuthor) {
+                        $roleDao = DAORegistry::getDAO('RoleDAO'); /* @var $roleDao RoleDAO */
+                        $roles = $roleDao->getByUserId($userId, $contextId);
+                        foreach ($roles as $role) {
+                                if ($role->getRoleId() != ROLE_ID_AUTHOR && $role->getRoleId() != ROLE_ID_READER) {
+                                        return true;
+                                }
+                        }
+                        return false;
+                }
 		// Check for permission from stage assignments
 		foreach ($stageAssignments as $stageAssignment) {
 			if ($stageAssignment->getCanChangeMetadata()) {
 				return true;
 			}
 		}
 		// If user has no stage assigments, check if user can edit anyway ie. is manager
-		$context = Application::get()->getRequest()->getContext();
-		if (count($stageAssignments) == 0 && $this->_canUserAccessUnassignedSubmissions($context->getId(), $userId)) {
+		if (count($stageAssignments) == 0 && $this->_canUserAccessUnassignedSubmissions($contextId, $userId)) {
 			return true;
 		}
 		// Else deny access

controllers/grid/users/author/AuthorGridHandler.inc.php

@@ -256,7 +256,7 @@ function canAdminister($user) {
 		if ($submission->getDateSubmitted() == null) return true;
 
 		// The user may not be allowed to edit the metadata
-		if (Services::get('submission')->canEditPublication($submission->getId(), $user->getId())) {
+		if (Services::get('submission')->canEditPublication($submission, $user->getId())) {
 			return true;
 		}
 

pages/authorDashboard/PKPAuthorDashboardHandler.inc.php

@@ -287,7 +287,7 @@ function setupTemplate($request) {
 		// Check if current author can edit metadata
 		$userRoles = $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES);
 		$canEditPublication = true;
-		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission->getId(), $user->getId())) {
+		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission, $user->getId())) {
 			$canEditPublication =  false;
 		}
 

pages/workflow/PKPWorkflowHandler.inc.php

@@ -145,7 +145,7 @@ function index($args, $request) {
 		$currentStageId = $submission->getStageId();
 		$accessibleWorkflowStages = $this->getAuthorizedContextObject(ASSOC_TYPE_ACCESSIBLE_WORKFLOW_STAGES);
 		$canAccessPublication = false; // View title, metadata, etc.
-		$canEditPublication = Services::get('submission')->canEditPublication($submission->getId(), $request->getUser()->getId());
+		$canEditPublication = Services::get('submission')->canEditPublication($submission, $request->getUser()->getId());
 		$canAccessProduction = false; // Access to galleys and issue entry
 		$canPublish = false; // Ability to publish, unpublish and create versions
 		$canAccessEditorialHistory = false; // Access to activity log