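_request = $request;
        $this->_reviewAssignmentId = $reviewAssignmentId;
    }

    //
    // Implement template methods from AuthorizationPolicy
    //
    /**
     * Decide whether the current user may write files to a review assignment.
     *
     * PERMIT (and expose the ReviewAssignment in the authorized context under
     * Application::ASSOC_TYPE_REVIEW_ASSIGNMENT) when, in this order:
     *  1. the user holds a manager or site-admin role and has no stage
     *     assignments on this submission at all;
     *  2. the user is assigned to the review round's stage as manager,
     *     sub-editor or assistant (this branch does not check the reviewer
     *     id, i.e. it covers every assignment of the round);
     *  3. the user is the reviewer of this assignment and the assignment is
     *     not declined, complete, thanked or cancelled.
     * DENY otherwise, including when the assignment id does not belong to the
     * review round / submission pair that earlier policies authorized.
     *
     * Preconditions: the authorized context holds the review round and the
     * submission (set by earlier policies in the chain); the accessible
     * workflow stages and user roles are read from the context too, but a
     * missing entry is treated as "none" rather than as a fatal error.
     *
     * @return int AuthorizationPolicy::AUTHORIZATION_PERMIT or AUTHORIZATION_DENY
     *
     * @see AuthorizationPolicy::effect()
     */
    public function effect()
    {
        if (!$this->_reviewAssignmentId) {
            return AuthorizationPolicy::AUTHORIZATION_DENY;
        }

        $reviewRound = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_REVIEW_ROUND);
        $submission = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_SUBMISSION);
        // Normalise "not in context" to an empty array so the array_intersect()
        // calls below cannot throw a TypeError on null under PHP 8.
        $assignedStages = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_ACCESSIBLE_WORKFLOW_STAGES) ?? [];
        $userRoles = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_USER_ROLES) ?? [];

        if (!$reviewRound || !$submission) {
            return AuthorizationPolicy::AUTHORIZATION_DENY;
        }

        /** @var ReviewAssignmentDAO */
        $reviewAssignmentDao = DAORegistry::getDAO('ReviewAssignmentDAO');
        $reviewAssignment = $reviewAssignmentDao->getById($this->_reviewAssignmentId);
        if (!($reviewAssignment instanceof ReviewAssignment)) {
            return AuthorizationPolicy::AUTHORIZATION_DENY;
        }

        // The request-supplied assignment id must belong to the review round and
        // submission that earlier policies authorized; otherwise a caller could
        // point this policy at an assignment of a different submission. Both
        // sides are cast to int so the comparison is strict regardless of
        // whether the DAO hands back ints or numeric strings.
        if ((int) $reviewAssignment->getReviewRoundId() !== (int) $reviewRound->getId()
            || (int) $reviewRound->getSubmissionId() !== (int) $submission->getId()) {
            return AuthorizationPolicy::AUTHORIZATION_DENY;
        }

        // Managers / site admins with no stage assignment on this submission act
        // in their global capacity. A manager who *is* assigned to the
        // submission in some stage is deliberately restricted to the
        // stage-based rule below, so this branch is skipped for them.
        if (empty($assignedStages) && array_intersect([Role::ROLE_ID_MANAGER, Role::ROLE_ID_SITE_ADMIN], $userRoles)) {
            $this->addAuthorizedContextObject(Application::ASSOC_TYPE_REVIEW_ASSIGNMENT, $reviewAssignment);
            return AuthorizationPolicy::AUTHORIZATION_PERMIT;
        }

        // Managers, sub-editors and assistants assigned to the round's stage.
        $stageRoles = $assignedStages[$reviewRound->getStageId()] ?? [];
        if (!empty($stageRoles)) {
            $allowedRoles = [Role::ROLE_ID_MANAGER, Role::ROLE_ID_SUB_EDITOR, Role::ROLE_ID_ASSISTANT];
            if (array_intersect($allowedRoles, $stageRoles)) {
                $this->addAuthorizedContextObject(Application::ASSOC_TYPE_REVIEW_ASSIGNMENT, $reviewAssignment);
                return AuthorizationPolicy::AUTHORIZATION_PERMIT;
            }
        }

        // Reviewers may write only to their own, still-open assignment.
        // Deny explicitly when there is no logged-in user instead of fatalling
        // on getUser()->getId(); an anonymous request must never reach PERMIT.
        $user = $this->_request->getUser();
        if ($user && (int) $reviewAssignment->getReviewerId() === (int) $user->getId()) {
            $closedStatuses = [
                ReviewAssignment::REVIEW_ASSIGNMENT_STATUS_DECLINED,
                ReviewAssignment::REVIEW_ASSIGNMENT_STATUS_COMPLETE,
                ReviewAssignment::REVIEW_ASSIGNMENT_STATUS_THANKED,
                ReviewAssignment::REVIEW_ASSIGNMENT_STATUS_CANCELLED,
            ];
            // Loose in_array() kept on purpose: getStatus()'s return type is not
            // visible here and may be a numeric string from the DB.
            if (!in_array($reviewAssignment->getStatus(), $closedStatuses)) {
                $this->addAuthorizedContextObject(Application::ASSOC_TYPE_REVIEW_ASSIGNMENT, $reviewAssignment);
                return AuthorizationPolicy::AUTHORIZATION_PERMIT;
            }
        }

        return AuthorizationPolicy::AUTHORIZATION_DENY;
    }
}

if (!PKP_STRICT_MODE) {
    class_alias('\PKP\security\authorization\ReviewAssignmentFileWritePolicy', '\ReviewAssignmentFileWritePolicy');
}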