StageRolePolicy.inc.php

<?php
import('lib.pkp.classes.security.authorization.AuthorizationPolicy');
 
class StageRolePolicy extends AuthorizationPolicy {
   private $_roleIds;
 
   private $_stageId;
 
   private $_allowRecommendOnly;
 
   function __construct($roleIds, $stageId = null, $allowRecommendOnly = true) {
      AppLocale::requireComponents(LOCALE_COMPONENT_PKP_USER);
      parent::__construct('user.authorization.accessibleWorkflowStage');
      $this->_roleIds = $roleIds;
      $this->_stageId = $stageId;
      $this->_allowRecommendOnly = $allowRecommendOnly;
   }
 
   //
   // Implement template methods from AuthorizationPolicy
   //
   function effect() {
 
      // Use the submission's current stage id if none is specified in policy
      if (!$this->_stageId) {
         $this->_stageId = $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION)->getData('stageId');
      }
 
      // Check whether the user has one of the allowed roles assigned in the correct stage
      $userAccessibleStages = (array) $this->getAuthorizedContextObject(ASSOC_TYPE_ACCESSIBLE_WORKFLOW_STAGES);
 
      if (array_key_exists($this->_stageId, $userAccessibleStages) && array_intersect($this->_roleIds, $userAccessibleStages[$this->_stageId])) {
         if ($this->_allowRecommendOnly) {
            return AUTHORIZATION_PERMIT;
         }
         $stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */
         $result = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId(
            $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION)->getId(),
            Application::get()->getRequest()->getUser()->getId(),
            $this->_stageId
         );
         while (!$result->eof()) {
            $stageAssignment = $result->next();
            $userGroupDao = DAORegistry::getDAO('UserGroupDAO'); /* @var $userGroupDao UserGroupDAO */
            $userGroup = $userGroupDao->getById($stageAssignment->getUserGroupId());
            if (in_array($userGroup->getRoleId(), $this->_roleIds) && !$stageAssignment->getRecommendOnly()) {
               return AUTHORIZATION_PERMIT;
            }
         }
      }
 
      // A manager is granted access when they are not assigned in any other role
      if (empty($userAccessibleStages) && in_array(ROLE_ID_MANAGER, $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES))) {
         if ($this->_allowRecommendOnly) {
            return AUTHORIZATION_PERMIT;
         }
         // Managers may have a stage assignment but no $userAccessibleStages, so they will
         // not be caught by the earlier code that checks stage assignments.
         $stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */
         $result = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId(
            $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION)->getId(),
            Application::get()->getRequest()->getUser()->getId(),
            $this->_stageId
         );
         if ($result->wasEmpty()) {
            return AUTHORIZATION_PERMIT;
         }
         while (!$result->eof()) {
            $stageAssignment = $result->next();
            $userGroupDao = DAORegistry::getDAO('UserGroupDAO'); /* @var $userGroupDao UserGroupDAO */
            $userGroup = $userGroupDao->getById($stageAssignment->getUserGroupId());
            if ($userGroup->getRoleId() == ROLE_ID_MANAGER && !$stageAssignment->getRecommendOnly()) {
               return AUTHORIZATION_PERMIT;
            }
         }
      }
 
      return AUTHORIZATION_DENY;
   }
}