Bug 8332 - Authors can always list (but not download) reviewer's attachments
Authors can always list (but not download) reviewer's attachments
Status: RESOLVED FIXED
Product: OMP
Classification: Unclassified
Component: Reviewers
1.1
All All
: P3 normal
Assigned To: PKP Support
Depends on: 8314
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-24 16:00 PDT by James MacGregor
Modified: 2013-11-22 09:43 PST (History)
1 user (show)

See Also:
Version Reported In:
Also Affects:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description James MacGregor 2013-07-24 16:00:23 PDT
Regarding the Reviewer's Attachments that reviewers can upload as part of the review process: when an editor makes an accept/decline/resubmit decision, they have the option to check off whether authors have access to these files or not. Regardless of what they choose, authors *always* have access. Replicated in stable; haven't tested in master, but happy to.
Comment 1 James MacGregor 2013-07-24 16:17:14 PDT
It also appears that authors can access reviewer attachments from the author dashboard basically as soon as they are uploaded -- that is, access isn't triggered by a submission action. This should be fixed as well.
Comment 2 James MacGregor 2013-09-30 16:37:15 PDT
This isn't entirely true: the reviewer files are listed in the "Reviewer's Attachments" grid, but can't actually be downloaded -- when clicking on one, I get a pop-up message saying "The current role does not have access to this operation."; and am then redirected to a page 

http://localhost:8888/omp/index.php/demo/$$$call$$$/api/file/file-api/download-file?fileId=31&revision=1&monographId=4&stageId=2

... with nothing but the following text: 

{"status":false,"content":"The current role does not have access to this operation.","elementId":"0"}
Comment 3 Alec Smecher 2013-09-30 16:53:15 PDT
James, can you send me a DB dump, username and submission ID?
Comment 4 Alec Smecher 2013-10-18 15:40:17 PDT
(This may be a caching issue.)
Comment 5 Alec Smecher 2013-10-21 11:05:15 PDT
Prevent listing of non-viewable review materials
https://github.com/pkp/omp/commit/671b94c4f56db66b9030f3c1f205943e66f99d91
Comment 6 Alec Smecher 2013-10-21 11:05:29 PDT
Found it. Thanks, James.
Comment 7 Alec Smecher 2013-10-21 11:06:02 PDT
Prevent listing of non-viewable review materials (OMP master branch for release in 1.1)
https://github.com/pkp/pkp-lib/commit/d57ee6d48422c77f75fd497fa749ba7c466703e1
Comment 8 Alec Smecher 2013-10-21 12:04:02 PDT
Prevent listing of non-viewable review materials (OMP master branch for release in 1.1)
https://github.com/pkp/pkp-lib/commit/86c217a77d440ab97301919b78447d6a3136f0e7