/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $mode int bitfield SUBMISSION_FILE_ACCESS_...
* @param $fileIdAndRevision string
* @param $submissionParameterName string the request parameter we expect
* the submission id in.
*/
function PKPSubmissionFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision = null, $submissionParameterName = 'submissionId')
{
// TODO: Refine file access policies. Differentiate between
// read and modify access using bitfield:
// $mode & SUBMISSION_FILE_ACCESS_...
parent::ContextPolicy($request);
$this->_baseFileAccessPolicy = $this->buildFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
* @param $submissionParameterName string
* @param $stageId integer One of the WORKFLOW_STAGE_ID_* constants.
*/
function OmpEditorDecisionAccessPolicy($request, &$args, $roleAssignments, $submissionParameterName = 'submissionId', $stageId)
{
parent::ContextPolicy($request);
// A decision can only be made if there is a valid workflow stage
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$this->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, $submissionParameterName, $stageId));
// An editor decision can only be made if there is a press editor assigned to the stage
import('lib.pkp.classes.security.authorization.internal.ManagerRequiredPolicy');
$this->addPolicy(new ManagerRequiredPolicy($request));
}
/**
* Constructor
* @param $request PKPRequest
* @param $roleAssignments array
*/
function PkpContextAccessPolicy($request, $roleAssignments)
{
parent::ContextPolicy($request);
// On context level we don't have role-specific conditions
// so we can simply add all role assignments. It's ok if
// any of these role conditions permits access.
$contextRolePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
foreach ($roleAssignments as $role => $operations) {
$contextRolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $role, $operations));
}
$this->addPolicy($contextRolePolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
*/
function OjsAuthorDashboardAccessPolicy($request, &$args, $roleAssignments)
{
parent::ContextPolicy($request);
$authorDashboardPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
// AuthorDashboard requires a valid monograph in request.
import('classes.security.authorization.SubmissionAccessPolicy');
$authorDashboardPolicy->addPolicy(new SubmissionAccessPolicy($request, $args, $roleAssignments), true);
// Check if the user has an stage assignment with the monograph in request.
// Any workflow stage assignment is suficient to access the author dashboard.
import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$authorDashboardPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$this->addPolicy($authorDashboardPolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $submissionParameterName string the request parameter we
* expect the submission id in.
*/
function OmpPublishedMonographAccessPolicy($request, $args, $roleAssignments, $submissionParameterName = 'submissionId')
{
parent::ContextPolicy($request);
// Access may be made either as a member of the public, or
// via pre-publication access to editorial users.
$monographAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// Published monograph access for the public
$publishedMonographAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
$publishedMonographAccessPolicy->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
import('classes.security.authorization.internal.MonographPublishedPolicy');
$publishedMonographAccessPolicy->addPolicy(new MonographPublishedPolicy($request));
$monographAccessPolicy->addPolicy($publishedMonographAccessPolicy);
// Pre-publication access for editorial roles
import('classes.security.authorization.SubmissionAccessPolicy');
$monographAccessPolicy->addPolicy(new SubmissionAccessPolicy($request, $args, array_intersect_key($roleAssignments, array(ROLE_ID_MANAGER, ROLE_ID_SUB_EDITOR)), $submissionParameterName));
$this->addPolicy($monographAccessPolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
* @param $submissionParameterName string
* @param $stageId integer One of the WORKFLOW_STAGE_ID_* constants.
*/
function ReviewStageAccessPolicy($request, &$args, $roleAssignments, $submissionParameterName = 'submissionId', $stageId)
{
parent::ContextPolicy($request);
// Create a "permit overrides" policy set that specifies
// role-specific access to submission stage operations.
$workflowStagePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// Add the workflow policy, for editorial / press roles
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$workflowStagePolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, $submissionParameterName, $stageId));
if ($stageId == WORKFLOW_STAGE_ID_INTERNAL_REVIEW || $stageId == WORKFLOW_STAGE_ID_EXTERNAL_REVIEW) {
// Add the submission policy, for reviewer roles
import('lib.pkp.classes.security.authorization.SubmissionAccessPolicy');
$submissionPolicy = new SubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName);
$submissionPolicy->addPolicy(new WorkflowStageRequiredPolicy($stageId));
$workflowStagePolicy->addPolicy($submissionPolicy);
}
// Add the role-specific policies to this policy set.
$this->addPolicy($workflowStagePolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
* @param $submissionParameterName string
* @param $stageId integer One of the WORKFLOW_STAGE_ID_* constants.
*/
function PKPWorkflowStageAccessPolicy($request, &$args, $roleAssignments, $submissionParameterName = 'submissionId', $stageId)
{
parent::ContextPolicy($request);
// A workflow stage component requires a valid workflow stage.
import('lib.pkp.classes.security.authorization.internal.WorkflowStageRequiredPolicy');
$this->addPolicy(new WorkflowStageRequiredPolicy($stageId));
// A workflow stage component can only be called if there's a
// valid submission in the request.
import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
$this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
$this->_addUserAccessibleWorkflowStageRequiredPolicy($request);
// Users can access all whitelisted operations for submissions and workflow stages...
$roleBasedPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
foreach ($roleAssignments as $roleId => $operations) {
$roleBasedPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $roleId, $operations));
}
$this->addPolicy($roleBasedPolicy);
// ... if they can access the requested workflow stage.
import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStagePolicy');
$this->addPolicy(new UserAccessibleWorkflowStagePolicy($stageId));
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $stageId int
*/
function __construct($request, $args, $roleAssignments, $stageId)
{
parent::__construct($request);
// We need a valid workflow stage.
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$this->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
// We need a query matching the submission in the request.
import('lib.pkp.classes.security.authorization.internal.QueryRequiredPolicy');
$this->addPolicy(new QueryRequiredPolicy($request, $args));
// Authors, context managers and sub editors potentially have
// access to queries. We'll have to define
// differentiated policies for those roles in a policy set.
$queryAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
// Managers have all access to all queries.
$queryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
}
//
// Assistants
//
if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
// 1) Assistants can access all operations on queries...
$assistantQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$assistantQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
// 2) ... but only if they have access to the workflow stage.
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
// pulled from context-specific class path.
$assistantQueryAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
// 3) ... and the assistant is assigned to the query.
import('lib.pkp.classes.security.authorization.internal.QueryAssignedToUserAccessPolicy');
$assistantQueryAccessPolicy->addPolicy(new QueryAssignedToUserAccessPolicy($request));
$queryAccessPolicy->addPolicy($assistantQueryAccessPolicy);
}
//
// Authors
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
// 1) Authors can access read operations on queries...
$authorQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));
// 2) ... but only if they are assigned to the workflow stage as an stage participant...
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$authorQueryAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
// 3) ... and the author is assigned to the query.
import('lib.pkp.classes.security.authorization.internal.QueryAssignedToUserAccessPolicy');
$authorQueryAccessPolicy->addPolicy(new QueryAssignedToUserAccessPolicy($request));
$queryAccessPolicy->addPolicy($authorQueryAccessPolicy);
}
//
// Sub editor role
//
if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
// 1) Sub editors can access all operations on submissions ...
$subEditorQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$subEditorQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
// 2) ... but only if they have been assigned to the requested submission.
import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$subEditorQueryAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$queryAccessPolicy->addPolicy($subEditorQueryAccessPolicy);
}
$this->addPolicy($queryAccessPolicy);
return $queryAccessPolicy;
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $submissionParameterName string the request parameter we
* expect the submission id in.
*/
function PKPSubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName = 'submissionId')
{
parent::ContextPolicy($request);
$this->_baseSubmissionAccessPolicy = $this->buildSubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $mode int bitfield SIGNOFF_ACCESS_...
* @param $stageId int
*/
function SignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId)
{
parent::ContextPolicy($request);
// We need a submission matching the file in the request.
import('lib.pkp.classes.security.authorization.internal.SignoffExistsAccessPolicy');
$this->addPolicy(new SignoffExistsAccessPolicy($request, $args));
// We need a valid workflow stage.
import('lib.pkp.classes.security.authorization.internal.WorkflowStageRequiredPolicy');
$this->addPolicy(new WorkflowStageRequiredPolicy($stageId));
// Authors, context managers and sub editors potentially have
// access to signoffs. We'll have to define
// differentiated policies for those roles in a policy set.
$signoffAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
// Managers have all access to all signoffs.
$signoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
}
//
// Assistants
//
if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
// 1) Assistants can access all operations on signoffs...
$assistantSignoffAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$assistantSignoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
// 2) ... but only if they have access to the workflow stage.
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
// pulled from context-specific class path.
$assistantSignoffAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
$signoffAccessPolicy->addPolicy($assistantSignoffAccessPolicy);
}
//
// Authors
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
if ($mode & SIGNOFF_ACCESS_READ) {
// 1) Authors can access read operations on signoffs...
$authorSignoffAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorSignoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));
// 2) ... but only if they are assigned to the workflow stage as an stage participant.
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$authorSignoffAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
$signoffAccessPolicy->addPolicy($authorSignoffAccessPolicy);
}
}
//
// Sub editor role
//
if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
// 1) Section editors can access all operations on signoffs ...
$sectionEditorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$sectionEditorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
// 2) ... but only if the requested signoff submission is part of their section.
import('lib.pkp.classes.security.authorization.internal.SectionAssignmentPolicy');
$sectionEditorFileAccessPolicy->addPolicy(new SectionAssignmentPolicy($request));
$signoffAccessPolicy->addPolicy($sectionEditorFileAccessPolicy);
}
//
// User owns the signoff (all roles): permit
//
import('lib.pkp.classes.security.authorization.internal.SignoffAssignedToUserAccessPolicy');
$userOwnsSignoffPolicy = new SignoffAssignedToUserAccessPolicy($request);
$signoffAccessPolicy->addPolicy($userOwnsSignoffPolicy);
$this->addPolicy($signoffAccessPolicy);
return $signoffAccessPolicy;
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $submissionParameterName string the request parameter we
* expect the submission id in.
*/
function SubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName = 'submissionId')
{
parent::ContextPolicy($request);
// We need a submission in the request.
import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
$this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
// Authors, managers and sub editors potentially have
// access to submissions. We'll have to define differentiated
// policies for those roles in a policy set.
$submissionAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
// Managers have access to all submissions.
$submissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
}
//
// Author role
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
// 1) Author role user groups can access whitelisted operations ...
$authorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR], 'user.authorization.authorRoleMissing'));
// 2) ... if they meet one of the following requirements:
$authorSubmissionAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// 2a) ...the requested submission is their own ...
import('lib.pkp.classes.security.authorization.internal.SubmissionAuthorPolicy');
$authorSubmissionAccessOptionsPolicy->addPolicy(new SubmissionAuthorPolicy($request));
// 2b) ...OR, at least one workflow stage has been assigned to them in the requested submission.
import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$authorSubmissionAccessOptionsPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$authorSubmissionAccessPolicy->addPolicy($authorSubmissionAccessOptionsPolicy);
$submissionAccessPolicy->addPolicy($authorSubmissionAccessPolicy);
}
//
// Reviewer role
//
if (isset($roleAssignments[ROLE_ID_REVIEWER])) {
// 1) Reviewers can access whitelisted operations ...
$reviewerSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$reviewerSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER]));
// 2) ... but only if they have been assigned to the submission as reviewers.
import('lib.pkp.classes.security.authorization.internal.ReviewAssignmentAccessPolicy');
$reviewerSubmissionAccessPolicy->addPolicy(new ReviewAssignmentAccessPolicy($request));
$submissionAccessPolicy->addPolicy($reviewerSubmissionAccessPolicy);
}
//
// Assistant role
//
if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
// 1) Assistants can access whitelisted operations ...
$contextSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$contextSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
// 2) ... but only if they have been assigned to the submission workflow.
import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$contextSubmissionAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$submissionAccessPolicy->addPolicy($contextSubmissionAccessPolicy);
}
//
// Sub editor role
//
if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
// 1) Sub editors can access all operations on submissions ...
$subEditorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$subEditorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
// 2) ... but only if the requested submission is part of their series/section.
// but only if ...
$subEditorAssignmentOrSectionPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// 2a) ... the requested submission is part of their series/sectoin...
import('lib.pkp.classes.security.authorization.internal.SectionAssignmentPolicy');
$subEditorAssignmentOrSectionPolicy->addPolicy(new SectionAssignmentPolicy($request));
// 2b) ... or they have been assigned to the requested submission.
import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$subEditorAssignmentOrSectionPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$subEditorSubmissionAccessPolicy->addPolicy($subEditorAssignmentOrSectionPolicy);
$submissionAccessPolicy->addPolicy($subEditorSubmissionAccessPolicy);
}
$this->addPolicy($submissionAccessPolicy);
return $submissionAccessPolicy;
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $mode int bitfield SIGNOFF_ACCESS_...
* @param $stageId int
*/
function PKPSignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId)
{
parent::ContextPolicy($request);
$this->_baseSignoffAccessPolicy = $this->buildSignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId);
}
