QueryRequiredPolicy.inc.php

<?php
import('lib.pkp.classes.security.authorization.DataObjectRequiredPolicy');
 
class QueryRequiredPolicy extends DataObjectRequiredPolicy {
   function __construct($request, &$args, $parameterName = 'queryId', $operations = null) {
      parent::__construct($request, $args, $parameterName, 'user.authorization.invalidQuery', $operations);
   }
 
   //
   // Implement template methods from AuthorizationPolicy
   //
   function dataObjectEffect() {
      $queryId = (int)$this->getDataObjectId();
      if (!$queryId) return AUTHORIZATION_DENY;
 
      // Make sure the query belongs to the submission.
      $queryDao = DAORegistry::getDAO('QueryDAO'); /* @var $queryDao QueryDAO */
      $query = $queryDao->getById($queryId);
      if (!is_a($query, 'Query')) return AUTHORIZATION_DENY;
      switch ($query->getAssocType()) {
         case ASSOC_TYPE_SUBMISSION:
            $submission = $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION);
            if (!is_a($submission, 'Submission')) return AUTHORIZATION_DENY;
            if ($query->getAssocId() != $submission->getId()) return AUTHORIZATION_DENY;
            break;
         default:
            return AUTHORIZATION_DENY;
      }
 
      // Save the query to the authorization context.
      $this->addAuthorizedContextObject(ASSOC_TYPE_QUERY, $query);
      return AUTHORIZATION_PERMIT;
   }
}