Open Journal Systems  3.3.0
SubmissionFileAccessPolicy.inc.php
1 <?php
16 import('lib.pkp.classes.security.authorization.internal.ContextPolicy');
17 import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
18 
19 // Define the bitfield for submission file access levels
20 define('SUBMISSION_FILE_ACCESS_READ', 1);
21 define('SUBMISSION_FILE_ACCESS_MODIFY', 2);
22 
23 class SubmissionFileAccessPolicy extends ContextPolicy {
24 
26  var $_baseFileAccessPolicy;
27 
38  function __construct($request, $args, $roleAssignments, $mode, $fileIdAndRevision = null, $submissionParameterName = 'submissionId') {
39  // TODO: Refine file access policies. Differentiate between
40  // read and modify access using bitfield:
41  // $mode & SUBMISSION_FILE_ACCESS_...
42 
43  parent::__construct($request);
44  $this->_baseFileAccessPolicy = $this->buildFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName);
45  }
46 
56  function buildFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName) {
57  // We need a submission matching the file in the request.
58  import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
59  $this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
60  import('lib.pkp.classes.security.authorization.internal.SubmissionFileMatchesSubmissionPolicy');
61  $this->addPolicy(new SubmissionFileMatchesSubmissionPolicy($request, $fileIdAndRevision));
62 
63  // Authors, managers and series editors potentially have
64  // access to submission files. We'll have to define
65  // differentiated policies for those roles in a policy set.
66  $fileAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
67 
68 
69  //
70  // Managerial role
71  //
72  if (isset($roleAssignments[ROLE_ID_MANAGER])) {
73  // Managers can access all submission files as long as the manager has not
74  // been assigned to a lesser role in the stage.
75  $managerFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
76  $managerFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
77  import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
78  $managerFileAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $request->getUserVar('stageId')));
79  import('lib.pkp.classes.security.authorization.AssignedStageRoleHandlerOperationPolicy');
80  $managerFileAccessPolicy->addPolicy(new AssignedStageRoleHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER], $request->getUserVar('stageId')));
81 
82  $fileAccessPolicy->addPolicy($managerFileAccessPolicy);
83  }
84 
85 
86  //
87  // Author role
88  //
89  if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
90  // 1) Author role user groups can access whitelisted operations ...
91  $authorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
92  $authorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));
93 
94  // 2) ...if they are assigned to the workflow stage as an author. Note: This loads the application-specific policy class.
95  import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
96  $authorFileAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $request->getUserVar('stageId')));
97  import('lib.pkp.classes.security.authorization.AssignedStageRoleHandlerOperationPolicy');
98  $authorFileAccessPolicy->addPolicy(new AssignedStageRoleHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR], $request->getUserVar('stageId')));
99 
100  // 3) ...and if they meet one of the following requirements:
101  $authorFileAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
102 
103  // 3a) If the file was uploaded by the current user, allow...
104  import('lib.pkp.classes.security.authorization.internal.SubmissionFileUploaderAccessPolicy');
105  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileUploaderAccessPolicy($request, $fileIdAndRevision));
106 
107  // 3b) ...or if the file is a file in a review round with requested revision decision, allow...
108  // Note: This loads the application-specific policy class
109  import('lib.pkp.classes.security.authorization.internal.SubmissionFileRequestedRevisionRequiredPolicy');
110  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileRequestedRevisionRequiredPolicy($request, $fileIdAndRevision));
111 
112  // ...or if we don't want to modify the file...
113  if (!($mode & SUBMISSION_FILE_ACCESS_MODIFY)) {
114  import('lib.pkp.classes.submission.SubmissionFile'); // for SUBMISSION_FILE_...
115 
116  // 3c) ...the file is at submission stage...
117  import('lib.pkp.classes.security.authorization.internal.SubmissionFileStageRequiredPolicy');
118  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileStageRequiredPolicy($request, $fileIdAndRevision, SUBMISSION_FILE_SUBMISSION));
119 
120  // 3d) ...or the file is a viewable reviewer response...
121  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileStageRequiredPolicy($request, $fileIdAndRevision, SUBMISSION_FILE_REVIEW_ATTACHMENT, true));
122 
123  // 3e) ...or if the file is part of a query assigned to the user...
124  import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedQueryAccessPolicy');
125  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedQueryAccessPolicy($request, $fileIdAndRevision));
126 
127  // 3f) ...or the file is at revision stage...
128  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileStageRequiredPolicy($request, $fileIdAndRevision, SUBMISSION_FILE_REVIEW_REVISION));
129 
130  // 3g) ...or the file is a copyedited file...
131  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileStageRequiredPolicy($request, $fileIdAndRevision, SUBMISSION_FILE_COPYEDIT));
132 
133  // 3h) ...or the file is a representation (galley/publication format)...
134  $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileStageRequiredPolicy($request, $fileIdAndRevision, SUBMISSION_FILE_PROOF));
135  }
136 
137  // Add the rules from 3)
138  $authorFileAccessPolicy->addPolicy($authorFileAccessOptionsPolicy);
139 
140  $fileAccessPolicy->addPolicy($authorFileAccessPolicy);
141  }
142 
143 
144  //
145  // Reviewer role
146  //
147  if (isset($roleAssignments[ROLE_ID_REVIEWER])) {
148  // 1) Reviewers can access whitelisted operations ...
149  $reviewerFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
150  $reviewerFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER]));
151 
152  // 2) ...if they meet one of the following requirements:
153  $reviewerFileAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
154 
155  // 2a) If the file was uploaded by the current user, allow.
156  import('lib.pkp.classes.security.authorization.internal.SubmissionFileUploaderAccessPolicy');
157  $reviewerFileAccessOptionsPolicy->addPolicy(new SubmissionFileUploaderAccessPolicy($request, $fileIdAndRevision));
158 
159  // 2b) If the file is part of an assigned review, and we're not
160  // trying to modify it, allow.
161  import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedReviewerAccessPolicy');
162  if (!($mode & SUBMISSION_FILE_ACCESS_MODIFY)) {
163  $reviewerFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedReviewerAccessPolicy($request, $fileIdAndRevision));
164  }
165 
166  // 2c) If the file is part of a query assigned to the user, allow.
167  import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedQueryAccessPolicy');
168  $reviewerFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedQueryAccessPolicy($request, $fileIdAndRevision));
169 
170  // Add the rules from 2)
171  $reviewerFileAccessPolicy->addPolicy($reviewerFileAccessOptionsPolicy);
172 
173  // Add this policy set
174  $fileAccessPolicy->addPolicy($reviewerFileAccessPolicy);
175  }
176 
177 
178  //
179  // Assistant role.
180  //
181  if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
182  // 1) Assistants can access whitelisted operations...
183  $contextAssistantFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
184  $contextAssistantFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
185 
186  // 2) ... but only if they have been assigned to the submission workflow as an assistant.
187  // Note: This loads the application-specific policy class
188  import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
189  $contextAssistantFileAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $request->getUserVar('stageId')));
190  import('lib.pkp.classes.security.authorization.AssignedStageRoleHandlerOperationPolicy');
191  $contextAssistantFileAccessPolicy->addPolicy(new AssignedStageRoleHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT], $request->getUserVar('stageId')));
192 
193  // 3) ...and if they meet one of the following requirements:
194  $contextAssistantFileAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
195 
196  // 3a) ...the file not part of a query...
197  import('lib.pkp.classes.security.authorization.internal.SubmissionFileNotQueryAccessPolicy');
198  $contextAssistantFileAccessOptionsPolicy->addPolicy(new SubmissionFileNotQueryAccessPolicy($request, $fileIdAndRevision));
199 
200  // 3b) ...or the file is part of a query they are assigned to...
201  import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedQueryAccessPolicy');
202  $contextAssistantFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedQueryAccessPolicy($request, $fileIdAndRevision));
203 
204  // Add the rules from 3
205  $contextAssistantFileAccessPolicy->addPolicy($contextAssistantFileAccessOptionsPolicy);
206 
207  $fileAccessPolicy->addPolicy($contextAssistantFileAccessPolicy);
208  }
209 
210  //
211  // Sub editor role
212  //
213  if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
214  // 1) Sub editors can access all operations on submissions ...
215  $subEditorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
216  $subEditorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
217 
218  // 2) ... but only if they have been assigned as a subeditor to the requested submission ...
219  import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
220  $subEditorFileAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
221  import('lib.pkp.classes.security.authorization.AssignedStageRoleHandlerOperationPolicy');
222  $subEditorFileAccessPolicy->addPolicy(new AssignedStageRoleHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR], $request->getUserVar('stageId')));
223 
224  // 3) ... and only if they are not also assigned as an author and this is not part of a blind review
225  import('lib.pkp.classes.security.authorization.internal.SubmissionFileAuthorEditorPolicy');
226  $subEditorFileAccessPolicy->addPolicy(new SubmissionFileAuthorEditorPolicy($request, $fileIdAndRevision));
227 
228  $fileAccessPolicy->addPolicy($subEditorFileAccessPolicy);
229  }
230 
231  $this->addPolicy($fileAccessPolicy);
232  return $fileAccessPolicy;
233  }
234 }
235 
236 
SubmissionFileAccessPolicy\__construct
__construct($request, $args, $roleAssignments, $mode, $fileIdAndRevision=null, $submissionParameterName='submissionId')
Definition: SubmissionFileAccessPolicy.inc.php:38
UserAccessibleWorkflowStageRequiredPolicy
Policy to deny access if an user assigned workflow stage is not found.
Definition: UserAccessibleWorkflowStageRequiredPolicy.inc.php:19
SubmissionFileAuthorEditorPolicy
Submission file policy to ensure that an editor is denied access to blind review files when they are ...
Definition: SubmissionFileAuthorEditorPolicy.inc.php:19
SubmissionFileNotQueryAccessPolicy
Submission file policy to check if the requested file is not attached to a query. This returns AUTHOR...
Definition: SubmissionFileNotQueryAccessPolicy.inc.php:19
SubmissionFileAssignedQueryAccessPolicy
Submission file policy to check if the current user is a participant in a query the file belongs to.
Definition: SubmissionFileAssignedQueryAccessPolicy.inc.php:19
SubmissionFileStageRequiredPolicy
Submission file policy to ensure that we have a file at a required stage.
Definition: SubmissionFileStageRequiredPolicy.inc.php:18
AssignedStageRoleHandlerOperationPolicy
Class to control access to handler operations based on assigned role(s) in a submission's workflow st...
Definition: AssignedStageRoleHandlerOperationPolicy.inc.php:18
ContextPolicy
Basic policy that ensures availability of a context in the request context and a valid user group....
Definition: ContextPolicy.inc.php:19
SubmissionFileRequestedRevisionRequiredPolicy
Base Submission file policy to ensure we have a viewable file that is part of a review round with the...
Definition: SubmissionFileRequestedRevisionRequiredPolicy.inc.php:19
SubmissionFileMatchesSubmissionPolicy
Submission file policy to check if the file belongs to the submission.
Definition: SubmissionFileMatchesSubmissionPolicy.inc.php:20
WorkflowStageAccessPolicy
Class to control access to OMP's submission workflow stage components.
Definition: WorkflowStageAccessPolicy.inc.php:19
PolicySet\addPolicy
addPolicy($policyOrPolicySet, $addToTop=false)
Definition: PolicySet.inc.php:63
SubmissionFileAccessPolicy
Base class to control (write) access to submissions and (read) access to submission files.
Definition: SubmissionFileAccessPolicy.inc.php:23
SubmissionFileAccessPolicy\$_baseFileAccessPolicy
$_baseFileAccessPolicy
Definition: SubmissionFileAccessPolicy.inc.php:26
SubmissionFileAssignedReviewerAccessPolicy
Submission file policy to check if the current user is an assigned reviewer of the file.
Definition: SubmissionFileAssignedReviewerAccessPolicy.inc.php:19
SubmissionFileUploaderAccessPolicy
Submission file policy to check if the current user is the uploader.
Definition: SubmissionFileUploaderAccessPolicy.inc.php:19
SubmissionRequiredPolicy
Policy that ensures that the request contains a valid submission.
Definition: SubmissionRequiredPolicy.inc.php:17
RoleBasedHandlerOperationPolicy
Class to control access to handler operations via role based access control.
Definition: RoleBasedHandlerOperationPolicy.inc.php:18
PolicySet
An ordered list of policies. Policy sets can be added to decision managers like policies....
Definition: PolicySet.inc.php:26
SubmissionFileAccessPolicy\buildFileAccessPolicy
buildFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName)
Definition: SubmissionFileAccessPolicy.inc.php:56