Merge pull request #11431 from Hafsa-Naeem/i10263-main-fix

#10263 Relax editing metadata on published/posted materials

Author: Hafsa-Naeem

api/v1/submissions/PKPSubmissionController.php

@@ -77,6 +77,9 @@
 use PKP\submission\reviewAssignment\ReviewAssignment;
 use PKP\submissionFile\SubmissionFile;
 use PKP\userGroup\UserGroup;
+use PKP\observers\events\MetadataChanged;
+use PKP\stageAssignment\StageAssignment;
+
 
 class PKPSubmissionController extends PKPBaseController
 {
@@ -1337,16 +1340,12 @@ public function editPublication(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_FORBIDDEN);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPPublication::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
-
-        // Prevent users from editing publications if they do not have permission. Except for admins.
+        // only proceed if user is allowed to edit publications
         $userRoles = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_USER_ROLES);
-        if (!in_array(Role::ROLE_ID_SITE_ADMIN, $userRoles) && !Repo::submission()->canEditPublication($submission->getId(), $currentUser->getId())) {
+        if (
+            !in_array(Role::ROLE_ID_SITE_ADMIN, $userRoles) &&
+            !Repo::submission()->canEditPublication($submission->getId(), $currentUser->getId())
+        ) {
             return response()->json([
                 'error' => __('api.submissions.403.userCantEdit'),
             ], Response::HTTP_FORBIDDEN);
@@ -1396,6 +1395,8 @@ public function editPublication(Request $illuminateRequest): JsonResponse
 
         Repo::publication()->edit($publication, $params);
         $publication = Repo::publication()->get($publication->getId());
+        event(new MetadataChanged($submission));
+
 
         $userGroups = UserGroup::withContextIds($submission->getData('contextId'))->cursor();
 
@@ -1455,6 +1456,17 @@ public function publishPublication(Request $illuminateRequest): JsonResponse
 
         Repo::publication()->publish($publication);
 
+        $stageAssignments = StageAssignment::withSubmissionIds([$submission->getId()])
+            ->get();
+
+        foreach ($stageAssignments as $stageAssignment) {
+            $userGroup = $stageAssignment->userGroup;
+            if ($userGroup && $userGroup->roleId === Role::ROLE_ID_AUTHOR){
+                $stageAssignment->canChangeMetadata = 0;
+                $stageAssignment->save();
+            }
+        }
+
         $publication = Repo::publication()->get($publication->getId());
 
         $userGroups = UserGroup::withContextIds($submission->getData('contextId'))->cursor();
@@ -1745,12 +1757,6 @@ public function deleteContributor(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_NOT_FOUND);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPPublication::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
 
         if ($submission->getId() !== $publication->getData('submissionId')) {
             return response()->json([
@@ -1807,13 +1813,6 @@ public function editContributor(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_FORBIDDEN);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPPublication::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
-
         $params = $this->convertStringsToSchema(PKPSchemaService::SCHEMA_AUTHOR, $illuminateRequest->input());
         $params['id'] = $author->getId();
 
@@ -1900,13 +1899,6 @@ public function saveContributorsOrder(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_FORBIDDEN);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPPublication::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
-
         if (!empty($params['sortedAuthors'])) {
             $authors = [];
             foreach ($params['sortedAuthors'] as $author) {

classes/author/Repository.php

@@ -138,8 +138,6 @@ public function validate($author, $props, Submission $submission, Context $conte
                 $publication = Repo::publication()->get($props['publicationId']);
                 if (!$publication) {
                     $validator->errors()->add('publicationId', __('author.publicationNotFound'));
-                } elseif ($publication->getData('status') === PKPPublication::STATUS_PUBLISHED) {
-                    $validator->errors()->add('publicationId', __('author.editPublishedDisabled'));
                 }
             }
             // userGroupId must be an Author group within the current context

classes/galley/Repository.php

@@ -153,8 +153,6 @@ public function validate(?Galley $object, array $props, array $allowedLocales, s
                 $publication = Repo::publication()->get($props['publicationId']);
                 if (!$publication) {
                     $validator->errors()->add('publicationId', __('galley.publicationNotFound'));
-                } elseif (in_array($publication->getData('status'), [Publication::STATUS_PUBLISHED, Publication::STATUS_SCHEDULED])) {
-                    $validator->errors()->add('publicationId', __('galley.editPublishedDisabled'));
                 }
             }
         });

classes/security/authorization/PublicationWritePolicy.php

@@ -37,9 +37,9 @@ public function __construct($request, &$args, $roleAssignments, $submissionIdPar
         // Can the user access this publication?
         $this->addPolicy(new PublicationAccessPolicy($request, $args, $roleAssignments, $submissionIdParameter, $publicationIdParameter));
 
-        // Is the user assigned to this submission in one of these roles, and does this role
-        // have access to the _current_ stage of the submission?
-        $this->addPolicy(new StageRolePolicy([Role::ROLE_ID_MANAGER, Role::ROLE_ID_SITE_ADMIN, Role::ROLE_ID_SUB_EDITOR, Role::ROLE_ID_ASSISTANT, Role::ROLE_ID_AUTHOR]));
+        // only require stage assignment for non-privileged roles.
+        // managers and Site Admins can edit without being participants.
+        $this->addPolicy(new StageRolePolicy([Role::ROLE_ID_SUB_EDITOR, Role::ROLE_ID_ASSISTANT, Role::ROLE_ID_AUTHOR]));
 
         // Can the user edit the publication?
         $this->addPolicy(new PublicationCanBeEditedPolicy($request, 'api.submissions.403.userCantEdit'));

classes/security/authorization/internal/RepresentationUploadAccessPolicy.php

@@ -90,12 +90,6 @@ public function dataObjectEffect()
             return AuthorizationPolicy::AUTHORIZATION_DENY;
         }
 
-        // Representations can not be modified on published publications
-        if ($publication->getData('status') === PKPPublication::STATUS_PUBLISHED) {
-            $this->setAdvice(AuthorizationPolicy::AUTHORIZATION_ADVICE_DENY_MESSAGE, 'galley.editPublishedDisabled');
-            return AuthorizationPolicy::AUTHORIZATION_DENY;
-        }
-
         $this->addAuthorizedContextObject(Application::ASSOC_TYPE_REPRESENTATION, $representation);
 
         return AuthorizationPolicy::AUTHORIZATION_PERMIT;

classes/submission/Repository.php

@@ -524,18 +524,39 @@ public function canCurrentUserDelete(Submission $submission): bool
      */
     public function canEditPublication(int $submissionId, int $userId): bool
     {
-        // Replaces StageAssignmentDAO::getBySubmissionAndUserIdAndStageId
-        $stageAssignments = StageAssignment::withSubmissionIds([$submissionId])
+        // block authors can never edit a published publication even if an editor granted them canChangeMetadata
+        $assignments = StageAssignment::withSubmissionIds([$submissionId])
             ->withUserId($userId)
             ->get();
 
-        // Check for permission from stage assignments
-        if ($stageAssignments->contains(fn ($stageAssignment) => $stageAssignment->canChangeMetadata)) {
+        $submission = $this->get($submissionId);
+
+        // if user has no stage assigments, check if user can edit anyway ie. is manager
+        $context = Application::get()->getRequest()->getContext();
+        if ($this->_canUserAccessUnassignedSubmissions($context->getId(), $userId)) {
+            return true;
+        }
+
+        // any published or scheduled then probe
+        $hasLockedPublication = $submission?->getData('publications')
+            ->contains(
+                fn (Publication $p) =>
+                    in_array(
+                        $p->getData('status'),
+                        [Submission::STATUS_PUBLISHED, Submission::STATUS_SCHEDULED]
+                    )
+            );
+
+        if ($hasLockedPublication && !$assignments->contains(fn (StageAssignment $sa) => $sa->userGroup && $sa->userGroup->roleId != Role::ROLE_ID_AUTHOR)) {
+            return false;
+        }
+
+        if ($assignments->contains(fn($sa) => $sa->canChangeMetadata)) {
             return true;
         }
         // If user has no stage assigments, check if user can edit anyway ie. is manager
         $context = Application::get()->getRequest()->getContext();
-        if ($stageAssignments->isEmpty() && $this->_canUserAccessUnassignedSubmissions($context->getId(), $userId)) {
+        if ($assignments->isEmpty() && $this->_canUserAccessUnassignedSubmissions($context->getId(), $userId)) {
             return true;
         }
         // Else deny access

classes/task/PublishSubmissions.php

@@ -20,6 +20,7 @@
 use APP\submission\Submission;
 use PKP\core\Core;
 use PKP\scheduledTask\ScheduledTask;
+use PKP\observers\events\MetadataChanged;
 
 class PublishSubmissions extends ScheduledTask
 {
@@ -50,6 +51,8 @@ public function executeActions(): bool
                 $datePublished = $submission->getCurrentPublication()->getData('datePublished');
                 if ($datePublished && strtotime($datePublished) <= strtotime(Core::getCurrentDate())) {
                     Repo::publication()->publish($submission->getCurrentPublication());
+                    // dispatch the MetadataChanged event after publishing
+                    event(new MetadataChanged($submission));
                 }
             }
         }

controllers/grid/users/author/AuthorGridHandler.php

@@ -276,9 +276,6 @@ public function canAdminister($user)
         $submission = $this->getSubmission();
         $userRoles = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_USER_ROLES);
 
-        if ($publication->getData('status') === PKPPublication::STATUS_PUBLISHED) {
-            return false;
-        }
 
         if (in_array(Role::ROLE_ID_SITE_ADMIN, $userRoles)) {
             return true;

locale/en/submission.po

@@ -39,6 +39,9 @@ msgstr "Please provide a ROR affiliation or at least one affiliation name."
 msgid "author.affiliationNamePrimaryLocaleMissing"
 msgstr "Please provide affiliation name in the submission primary locale."
 
+msgid "publication.editorEditWarning"
+msgstr "Warning: This version has been published. Editing it may impact the published content."
+
 msgid "ror.nameRequired"
 msgstr "A ROR name is required."