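/**
 * Constructor
 *
 * Builds the authorization tree for handler operations that act on a single
 * submission. The tree is: (1) a MonographRequiredPolicy, so the request must
 * carry a submission id; then (2) a "permit overrides" set with one branch per
 * role found in $roleAssignments. Every branch except the press manager's is
 * itself a "deny overrides" set, so the role/operation whitelist AND the
 * submission-scope check (series assignment, authorship, review assignment)
 * both have to succeed before that branch permits.
 *
 * @param $request PKPRequest
 * @param $args array request parameters
 * @param $roleAssignments array role id => whitelisted operations, handed
 *  through to RoleBasedHandlerOperationPolicy per role
 * @param $submissionParameterName string the request parameter we expect
 *  the submission id in.
 */
function OmpSubmissionAccessPolicy(&$request, $args, $roleAssignments, $submissionParameterName = 'monographId') {
	parent::PressPolicy($request);

	// We need a submission in the request.
	import('classes.security.authorization.internal.MonographRequiredPolicy');
	$this->addPolicy(new MonographRequiredPolicy($request, $args, $submissionParameterName));

	// Every role branch below instantiates RoleBasedHandlerOperationPolicy.
	// Import it here rather than relying on a caller having loaded it already;
	// OmpPressAccessPolicy in this file does the same.
	import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');

	// Authors, press managers and series editors potentially have access
	// to submissions. We'll have to define differentiated policies for those
	// roles in a policy set.
	$submissionAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);

	//
	// Managerial role
	//
	if (isset($roleAssignments[ROLE_ID_PRESS_MANAGER])) {
		// Press managers have access to all submissions, so the role/operation
		// whitelist is the only condition on this branch.
		$submissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_PRESS_MANAGER, $roleAssignments[ROLE_ID_PRESS_MANAGER]));
	}

	//
	// Series editor role
	//
	if (isset($roleAssignments[ROLE_ID_SERIES_EDITOR])) {
		// 1) Series editors can access all operations on submissions ...
		$seriesEditorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
		$seriesEditorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SERIES_EDITOR, $roleAssignments[ROLE_ID_SERIES_EDITOR]));

		// 2) ... but only if the requested submission is part of their series.
		import('classes.security.authorization.internal.SeriesAssignmentPolicy');
		$seriesEditorSubmissionAccessPolicy->addPolicy(new SeriesAssignmentPolicy($request));

		$submissionAccessPolicy->addPolicy($seriesEditorSubmissionAccessPolicy);
	}

	//
	// Author role
	//
	if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
		// 1) Author role user groups can access whitelisted operations ...
		$authorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
		$authorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));

		// 2) ... if the requested submission is their own ...
		import('classes.security.authorization.internal.MonographAuthorPolicy');
		$authorSubmissionAccessPolicy->addPolicy(new MonographAuthorPolicy($request));

		$submissionAccessPolicy->addPolicy($authorSubmissionAccessPolicy);
	}

	//
	// Reviewer role
	//
	if (isset($roleAssignments[ROLE_ID_REVIEWER])) {
		// 1) Reviewers can access whitelisted operations ...
		$reviewerSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
		$reviewerSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER]));

		// 2) ... but only if they have been assigned to the submission as reviewers.
		import('classes.security.authorization.internal.ReviewAssignmentAccessPolicy');
		$reviewerSubmissionAccessPolicy->addPolicy(new ReviewAssignmentAccessPolicy($request));

		$submissionAccessPolicy->addPolicy($reviewerSubmissionAccessPolicy);
	}

	// Attach the per-role set after the submission-required policy so the
	// role branches only run once a submission has been resolved.
	$this->addPolicy($submissionAccessPolicy);
}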
/**
 * Constructor
 *
 * Press-level access carries no per-role conditions beyond the role itself,
 * so every entry of $roleAssignments becomes one RoleBasedHandlerOperationPolicy
 * inside a single "permit overrides" set: one permitting role is enough.
 *
 * @param $request PKPRequest
 * @param $roleAssignments array role id => whitelisted operations
 */
function OmpPressAccessPolicy(&$request, $roleAssignments) {
	parent::PressPolicy($request);

	import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');

	// Any single role assignment that permits the operation is sufficient.
	$anyRolePermits = new PolicySet(COMBINING_PERMIT_OVERRIDES);

	$roleIds = array_keys($roleAssignments);
	foreach ($roleIds as $roleId) {
		$whitelistedOperations = $roleAssignments[$roleId];
		$rolePolicy = new RoleBasedHandlerOperationPolicy($request, $roleId, $whitelistedOperations);
		$anyRolePermits->addPolicy($rolePolicy);
	}

	$this->addPolicy($anyRolePermits);
}
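/**
 * Constructor
 *
 * Builds the authorization tree for a workflow-stage component. The request
 * must first satisfy SeriesEditorSubmissionRequiredPolicy; after that a
 * "permit overrides" set holds one branch per role in $roleAssignments. Every
 * branch except the press manager's is a "deny overrides" set, so the
 * role/operation whitelist and each stage/submission assignment check on that
 * branch all have to succeed before it permits.
 *
 * @param $request PKPRequest
 * @param $args array request arguments
 * @param $roleAssignments array role id => whitelisted operations, handed
 *  through to RoleBasedHandlerOperationPolicy per role
 * @param $submissionParameterName string the request parameter we expect
 *  the submission id in.
 * @param $stageId int|null the workflow stage the press-assistant and author
 *  branches are checked against; passed unchanged (including null) to
 *  WorkflowSubmissionAssignmentPolicy — how that policy treats null is not
 *  visible here.
 */
function OmpWorkflowStageAccessPolicy(&$request, &$args, $roleAssignments, $submissionParameterName = 'monographId', $stageId = null) {
	parent::PressPolicy($request);

	// A workflow stage component can only be called if there's a
	// valid series editor submission in the request.
	import('classes.security.authorization.internal.SeriesEditorSubmissionRequiredPolicy');
	$this->addPolicy(new SeriesEditorSubmissionRequiredPolicy($request, $args, $submissionParameterName));

	// Every role branch below instantiates RoleBasedHandlerOperationPolicy;
	// import it explicitly instead of relying on a caller having loaded it,
	// matching OmpPressAccessPolicy in this file.
	import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');

	// Create a "permit overrides" policy set that specifies
	// role-specific access to submission stage operations.
	$workflowStagePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);

	//
	// Managerial role
	//
	if (isset($roleAssignments[ROLE_ID_PRESS_MANAGER])) {
		// Press managers can access all whitelisted operations for all submissions and all workflow stages.
		$workflowStagePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_PRESS_MANAGER, $roleAssignments[ROLE_ID_PRESS_MANAGER]));
	}

	//
	// Series editor role
	//
	if (isset($roleAssignments[ROLE_ID_SERIES_EDITOR])) {
		// 1) Series editors can access whitelisted operations ...
		$seriesEditorWorkflowStagePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
		$seriesEditorWorkflowStagePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SERIES_EDITOR, $roleAssignments[ROLE_ID_SERIES_EDITOR]));

		// 2) ... if the requested workflow stage has been assigned to them in the press settings ...
		import('classes.security.authorization.internal.WorkflowSettingsAssignmentPolicy');
		$seriesEditorWorkflowStagePolicy->addPolicy(new WorkflowSettingsAssignmentPolicy($request));

		// 3) ... but only if the requested submission is part of their series.
		import('classes.security.authorization.internal.SeriesAssignmentPolicy');
		$seriesEditorWorkflowStagePolicy->addPolicy(new SeriesAssignmentPolicy($request));

		$workflowStagePolicy->addPolicy($seriesEditorWorkflowStagePolicy);
	}

	//
	// Press role
	//
	if (isset($roleAssignments[ROLE_ID_PRESS_ASSISTANT])) {
		// 1) Press role user groups can access whitelisted operations ...
		$pressRoleWorkflowStagePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
		$pressRoleWorkflowStagePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_PRESS_ASSISTANT, $roleAssignments[ROLE_ID_PRESS_ASSISTANT]));

		// 2) ... but only if the requested workflow stage has been assigned to them in the requested submission.
		import('classes.security.authorization.internal.WorkflowSubmissionAssignmentPolicy');
		$pressRoleWorkflowStagePolicy->addPolicy(new WorkflowSubmissionAssignmentPolicy($request, $stageId));

		$workflowStagePolicy->addPolicy($pressRoleWorkflowStagePolicy);
	}

	//
	// Author role
	//
	if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
		// 1) Author role user groups can access whitelisted operations ...
		$authorRoleWorkflowStagePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
		$authorRoleWorkflowStagePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));

		// 2) ... if the requested submission is their own ...
		import('classes.security.authorization.internal.MonographAuthorPolicy');
		$authorRoleWorkflowStagePolicy->addPolicy(new MonographAuthorPolicy($request));

		// 3) ... and only if the requested workflow stage has been assigned to them in the requested submission.
		import('classes.security.authorization.internal.WorkflowSubmissionAssignmentPolicy');
		$authorRoleWorkflowStagePolicy->addPolicy(new WorkflowSubmissionAssignmentPolicy($request, $stageId));

		$workflowStagePolicy->addPolicy($authorRoleWorkflowStagePolicy);
	}

	// Add the role-specific policies to this policy set.
	$this->addPolicy($workflowStagePolicy);
}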