*5540* Implement validation (authorization) - fixed a few authorizati…
…on bugs in FilterGridHandler and CitationGridHandler
fgrandel committed Jul 14, 2010
1 parent 353142e commit 53eab3d
Showing 5 changed files with 16 additions and 14 deletions.
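--- a/classes/controllers/grid/filter/FilterGridHandler.inc.php
+++ b/classes/controllers/grid/filter/FilterGridHandler.inc.php
@@ -39,8 +39,7 @@ function FilterGridHandler() {
 function authorize(&$request, &$args, $roleAssignments) {
 // Make sure the user can change the journal setup.
 import('classes.security.authorization.OjsJournalSetupPolicy');
-$this->addPolicy(new OjsJournalSetupPolicy($request));
-
+$this->addPolicy(new OjsJournalSetupPolicy($request, $roleAssignments));
 return parent::authorize($request, $args, $roleAssignments);
 }
 }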
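--- a/classes/security/authorization/OjsJournalSetupPolicy.inc.php
+++ b/classes/security/authorization/OjsJournalSetupPolicy.inc.php
@@ -11,19 +11,20 @@
 * @brief Class to control access to OJS' journal setup components
 */
 
-import('lib.pkp.classes.security.authorization.OjsJournalPolicy');
+import('classes.security.authorization.OjsJournalPolicy');
 
 class OjsJournalSetupPolicy extends OjsJournalPolicy {
 /**
 * Constructor
 * @param $request PKPRequest
+* @param $roleAssignments array
 */
-function OjsJournalSetupPolicy(&$request) {
+function OjsJournalSetupPolicy(&$request, $roleAssignments) {
 parent::OjsJournalPolicy($request);
 
 // Only journal managers may access setup pages.
 import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
-$this->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_JOURNAL_MANAGER, 'You are not a journal manager!'));
+$this->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_JOURNAL_MANAGER, $roleAssignments[ROLE_ID_JOURNAL_MANAGER], 'You are not a journal manager!'));
 }
 }
 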
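Review bot: `$roleAssignments[ROLE_ID_JOURNAL_MANAGER]` on the new addPolicy line is read without checking that the key exists, so a handler that passes a map without that role hands RoleBasedHandlerOperationPolicy an undefined-index null instead of its operation argument, and whether the policy then denies or allows is not visible here. Since this constructor is the gate on journal setup it should fail closed rather than depend on the caller's map shape: add `assert(isset($roleAssignments[ROLE_ID_JOURNAL_MANAGER]));` before the addPolicy call, or an explicit abort if assertions may be inactive in production. The new `@param $roleAssignments array` line would help callers such as FilterGridHandler::authorize() if it stated which role IDs must be present and what each value holds. The same unchecked lookups appear in OjsSubmissionEditingPolicy on the `ROLE_ID_EDITOR` and `ROLE_ID_SECTION_EDITOR` addPolicy lines.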
Expand Up @@ -18,8 +18,11 @@ class OjsSubmissionEditingPolicy extends OjsJournalPolicy {
/**
* Constructor
* @param $request PKPRequest
* @param $args array
* @param $roleAssignments array
* @param $submissionParameterName string
*/
function OjsSubmissionEditingPolicy(&$request, &$args, $submissionParameterName = 'articleId') {
function OjsSubmissionEditingPolicy(&$request, &$args, $roleAssignments, $submissionParameterName = 'articleId') {
parent::OjsJournalPolicy($request);

// Editorial components can only be called if there's a
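Review bot: The new required `$roleAssignments` parameter is inserted ahead of the optional `$submissionParameterName`, so a caller still passing `($request, $args, 'assocId')` binds the string `'assocId'` to `$roleAssignments` without any PHP error and the later `$roleAssignments[ROLE_ID_EDITOR]` lookups are applied to a string rather than a map. The commit updates CitationGridHandler::authorize(), but other callers are not in this diff and should be checked. A cheap guard at the top of the constructor, `assert(is_array($roleAssignments));`, catches a stale call during development, and the docblock could state the requirement, e.g. `@param $roleAssignments array must contain an entry for every role ID this policy checks`. The constructor body continues past the end of this hunk.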
Expand All @@ -35,16 +38,16 @@ function OjsSubmissionEditingPolicy(&$request, &$args, $submissionParameterName
//
// Editor role
//
// Editors can access all operations for all submissions.
$editorialRolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_EDITOR));
// Editors can access all remote operations for all submissions.
$editorialRolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_EDITOR, $roleAssignments[ROLE_ID_EDITOR]));


//
// Section editor role
//
// 1) Series editors can access all operations ...
// 1) Series editors can access all remote operations ...
$sectionEditorPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$sectionEditorPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SECTION_EDITOR));
$sectionEditorPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SECTION_EDITOR, $roleAssignments[ROLE_ID_SECTION_EDITOR]));

// 2) ... but only if the requested submission has been explicitly assigned to them.
import('classes.security.authorization.SectionSubmissionAssignmentPolicy');
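--- a/controllers/grid/citation/CitationGridHandler.inc.php
+++ b/controllers/grid/citation/CitationGridHandler.inc.php
@@ -39,8 +39,7 @@ function CitationGridHandler() {
 function authorize(&$request, &$args, $roleAssignments) {
 // Make sure the user can edit the submission in the request.
 import('classes.security.authorization.OjsSubmissionEditingPolicy');
-$this->addPolicy(new OjsSubmissionEditingPolicy($request, $args, 'assocId'));
-
+$this->addPolicy(new OjsSubmissionEditingPolicy($request, $args, $roleAssignments, 'assocId'));
 return parent::authorize($request, $args, $roleAssignments);
 }
 
@@ -51,7 +50,7 @@ function authorize(&$request, &$args, $roleAssignments) {
 function initialize(&$request) {
 // Associate the citation editor with the authorized article.
 $this->setAssocType(ASSOC_TYPE_ARTICLE);
-$article =& $this->getAuthorizationContextObject(ASSOC_TYPE_ARTICLE);
+$article =& $this->getAuthorizedContextObject(ASSOC_TYPE_ARTICLE);
 assert(is_a($article, 'Article'));
 $this->setAssocObject($article);
 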
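Review bot: The article fetched from the authorized context on the new `getAuthorizedContextObject()` line is validated only by `assert(is_a($article, 'Article'))`; with assertions inactive the method continues and `setAssocObject()` receives whatever came back, including null. Because this object is what scopes every citation-grid operation to a submission, the check should fail closed regardless of assert configuration, e.g. `if (!is_a($article, 'Article')) fatalError('No authorized article in context.');`. initialize() continues past the end of this hunk.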
2 changes: 1 addition & 1 deletion lib/pkp
Submodule pkp updated 76 files
+1 −2 classes/citation/output/abnt/NlmCitationSchemaAbntFilter.inc.php
+28 −24 classes/citation/output/abnt/nlm-citation.tpl
+1 −1 classes/citation/output/apa/NlmCitationSchemaApaFilter.inc.php
+2 −1 classes/citation/output/apa/nlm-citation.tpl
+57 −0 classes/citation/output/mla/NlmCitationSchemaMlaFilter.inc.php
+16 −0 classes/citation/output/mla/locale/en_US/locale.xml
+31 −0 classes/citation/output/mla/nlm-citation-persons.tpl
+46 −0 classes/citation/output/mla/nlm-citation.tpl
+57 −0 classes/citation/output/vancouver/NlmCitationSchemaVancouverFilter.inc.php
+16 −0 classes/citation/output/vancouver/locale/en_US/locale.xml
+20 −0 classes/citation/output/vancouver/nlm-citation-persons.tpl
+45 −0 classes/citation/output/vancouver/nlm-citation.tpl
+3 −12 classes/controllers/grid/CategoryGridHandler.inc.php
+1 −1 classes/controllers/grid/GridCellProvider.inc.php
+5 −9 classes/controllers/grid/GridHandler.inc.php
+2 −2 classes/controllers/grid/GridRow.inc.php
+9 −37 classes/controllers/grid/citation/PKPCitationGridHandler.inc.php
+6 −6 classes/controllers/grid/citation/PKPCitationGridRow.inc.php
+3 −3 classes/controllers/grid/citation/form/CitationForm.inc.php
+3 −26 classes/controllers/grid/filter/PKPFilterGridHandler.inc.php
+6 −6 classes/controllers/grid/filter/PKPFilterGridRow.inc.php
+3 −7 classes/controllers/listbuilder/ListbuilderHandler.inc.php
+7 −0 classes/core/DataObject.inc.php
+4 −0 classes/core/PKPApplication.inc.php
+2 −20 classes/core/PKPComponentRouter.inc.php
+11 −2 classes/core/PKPPageRouter.inc.php
+80 −2 classes/core/PKPRouter.inc.php
+127 −58 classes/form/Form.inc.php
+183 −45 classes/handler/PKPHandler.inc.php
+5 −2 classes/handler/validation/HandlerValidator.inc.php
+47 −0 classes/handler/validation/HandlerValidatorPolicy.inc.php
+7 −60 classes/handler/validation/HandlerValidatorRoles.inc.php
+20 −22 classes/linkAction/LinkAction.inc.php
+233 −0 classes/security/authorization/AuthorizationDecisionManager.inc.php
+186 −0 classes/security/authorization/AuthorizationPolicy.inc.php
+46 −0 classes/security/authorization/ContextRequiredPolicy.inc.php
+81 −0 classes/security/authorization/HandlerOperationPolicy.inc.php
+57 −0 classes/security/authorization/HttpsPolicy.inc.php
+129 −0 classes/security/authorization/LoggedInWithValidUserGroupPolicy.inc.php
+97 −0 classes/security/authorization/PolicySet.inc.php
+45 −0 classes/security/authorization/PublicHandlerOperationPolicy.inc.php
+73 −0 classes/security/authorization/RestrictedSiteAccessPolicy.inc.php
+196 −0 classes/security/authorization/RoleBasedHandlerOperationPolicy.inc.php
+104 −0 classes/security/authorization/SubmissionRequiredPolicy.inc.php
+2 −2 classes/site/VersionDAO.inc.php
+13 −4 classes/submission/PKPAuthor.inc.php
+27 −2 classes/submission/PKPAuthorDAO.inc.php
+41 −1 classes/submission/Submission.inc.php
+3 −3 classes/submission/reviewAssignment/PKPReviewAssignment.inc.php
+90 −1 classes/template/PKPTemplateManager.inc.php
+16 −7 classes/user/PKPUser.inc.php
+3 −7 classes/user/PKPUserDAO.inc.php
+31 −21 controllers/api/user/RoleApiHandler.inc.php
+8 −1 controllers/grid/filter/LookupFilterGridHandler.inc.php
+8 −1 controllers/grid/filter/ParserFilterGridHandler.inc.php
+41 −43 js/tablednd.js
+4 −11 pages/manager/PKPAnnouncementHandler.inc.php
+36 −0 styles/content.css
+1 −1 templates/controllers/grid/citation/form/citationForm.tpl
+4 −4 templates/controllers/grid/grid.tpl
+1 −1 templates/controllers/grid/gridCategoryRow.tpl
+1 −1 templates/controllers/grid/gridCell.tpl
+1 −1 templates/controllers/grid/gridRowWithActions.tpl
+1 −0 templates/controllers/listbuilder/listbuilderGridRow.tpl
+1 −1 templates/form/button.tpl
+10 −0 templates/form/link.tpl
+5 −5 templates/linkAction/linkAction.tpl
+70 −9 tests/classes/citation/output/NlmCitationSchemaCitationOutputFormatFilterTest.inc.php
+7 −4 tests/classes/citation/output/abnt/NlmCitationSchemaAbntFilterTest.inc.php
+11 −7 tests/classes/citation/output/apa/NlmCitationSchemaApaFilterTest.inc.php
+13 −0 tests/classes/citation/output/mla/MockLocale.inc.php
+59 −0 tests/classes/citation/output/mla/NlmCitationSchemaMlaFilterTest.inc.php
+13 −0 tests/classes/citation/output/vancouver/MockLocale.inc.php
+59 −0 tests/classes/citation/output/vancouver/NlmCitationSchemaVancouverFilterTest.inc.php
+3 −4 tests/classes/core/MockCitationGridHandler.inc.php
+27 −14 tests/classes/handler/validation/HandlerValidatorRolesTest.inc.php
