Open Monograph Press  3.3.0
SubmissionAccessPolicy.inc.php
1 <?php
16 import('lib.pkp.classes.security.authorization.internal.ContextPolicy');
17 import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
18 
19 class SubmissionAccessPolicy extends ContextPolicy {
20 
30  function __construct($request, $args, $roleAssignments, $submissionParameterName = 'submissionId', $permitDeclined = false) {
31  parent::__construct($request);
32 
33  // We need a submission in the request.
34  import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
35  $this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
36 
37  // Authors, managers and sub editors potentially have
38  // access to submissions. We'll have to define differentiated
39  // policies for those roles in a policy set.
40  $submissionAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
41 
42  //
43  // Managerial role
44  //
45  if (isset($roleAssignments[ROLE_ID_MANAGER])) {
46  // Managers have access to all submissions.
47  $submissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
48  }
49 
50  //
51  // Author role
52  //
53  if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
54  // 1) Author role user groups can access whitelisted operations ...
55  $authorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
56  $authorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR], 'user.authorization.authorRoleMissing'));
57 
58  // 2) ... if they meet one of the following requirements:
59  $authorSubmissionAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
60 
61  // 2a) ...the requested submission is their own ...
62  import('lib.pkp.classes.security.authorization.internal.SubmissionAuthorPolicy');
63  $authorSubmissionAccessOptionsPolicy->addPolicy(new SubmissionAuthorPolicy($request));
64 
65  // 2b) ...OR, at least one workflow stage has been assigned to them in the requested submission.
66  import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
67  $authorSubmissionAccessOptionsPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
68 
69  $authorSubmissionAccessPolicy->addPolicy($authorSubmissionAccessOptionsPolicy);
70  $submissionAccessPolicy->addPolicy($authorSubmissionAccessPolicy);
71  }
72 
73 
74  //
75  // Reviewer role
76  //
77  if (isset($roleAssignments[ROLE_ID_REVIEWER])) {
78  // 1) Reviewers can access whitelisted operations ...
79  $reviewerSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
80  $reviewerSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER]));
81 
82  // 2) ... but only if they have been assigned to the submission as reviewers.
83  import('lib.pkp.classes.security.authorization.internal.ReviewAssignmentAccessPolicy');
84  $reviewerSubmissionAccessPolicy->addPolicy(new ReviewAssignmentAccessPolicy($request, $permitDeclined));
85  $submissionAccessPolicy->addPolicy($reviewerSubmissionAccessPolicy);
86  }
87 
88  //
89  // Assistant role
90  //
91  if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
92  // 1) Assistants can access whitelisted operations ...
93  $contextSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
94  $contextSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
95 
96  // 2) ... but only if they have been assigned to the submission workflow.
97  import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
98  $contextSubmissionAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
99  $submissionAccessPolicy->addPolicy($contextSubmissionAccessPolicy);
100  }
101 
102  //
103  // Sub editor role
104  //
105  if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
106  // 1) Sub editors can access all operations on submissions ...
107  $subEditorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
108  $subEditorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
109 
110  // 2b) ... but only if they have been assigned to the requested submission.
111  import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
112  $subEditorSubmissionAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
113 
114  $submissionAccessPolicy->addPolicy($subEditorSubmissionAccessPolicy);
115  }
116 
117  $this->addPolicy($submissionAccessPolicy);
118 
119  return $submissionAccessPolicy;
120  }
121 }
122 
123 
UserAccessibleWorkflowStageRequiredPolicy
Policy to deny access if an user assigned workflow stage is not found.
Definition: UserAccessibleWorkflowStageRequiredPolicy.inc.php:19
SubmissionAccessPolicy\__construct
__construct($request, $args, $roleAssignments, $submissionParameterName='submissionId', $permitDeclined=false)
Definition: SubmissionAccessPolicy.inc.php:30
ContextPolicy
Basic policy that ensures availability of a context in the request context and a valid user group....
Definition: ContextPolicy.inc.php:19
SubmissionAuthorPolicy
Class to control access to a submission based on authorship.
Definition: SubmissionAuthorPolicy.inc.php:21
PolicySet\addPolicy
addPolicy($policyOrPolicySet, $addToTop=false)
Definition: PolicySet.inc.php:63
ReviewAssignmentAccessPolicy
Class to control access to a submission based on whether the user is an assigned reviewer.
Definition: ReviewAssignmentAccessPolicy.inc.php:20
SubmissionRequiredPolicy
Policy that ensures that the request contains a valid submission.
Definition: SubmissionRequiredPolicy.inc.php:17
RoleBasedHandlerOperationPolicy
Class to control access to handler operations via role based access control.
Definition: RoleBasedHandlerOperationPolicy.inc.php:18
SubmissionAccessPolicy
Base class to control (write) access to submissions and (read) access to submission details in OMP.
Definition: SubmissionAccessPolicy.inc.php:19
PolicySet
An ordered list of policies. Policy sets can be added to decision managers like policies....
Definition: PolicySet.inc.php:26