pkp/pkp-lib#10486 adds validation to prevent an author of a rejected submission from editing metadata in the submission.

api/v1/submissions/PKPSubmissionHandler.inc.php

@@ -698,7 +698,7 @@ public function editPublication($slimRequest, $response, $args) {
 
 		// Prevent users from editing publications if they do not have permission. Except for admins.
 		$userRoles = $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES);
-		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission->getId(), $currentUser->getId())) {
+		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission, $currentUser->getId())) {
 			return $response->withStatus(403)->withJsonError('api.submissions.403.userCantEdit');
 		}
 

classes/security/authorization/internal/PublicationCanBeEditedPolicy.inc.php

@@ -37,7 +37,7 @@ public function effect()
 
 		// Prevent users from editing publications if they do not have permission. Except for admins.
 		$userRoles = $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES);
-		if (in_array(ROLE_ID_SITE_ADMIN, $userRoles) || Services::get('submission')->canEditPublication($submission->getId(), $this->_currentUser->getId())) {
+		if (in_array(ROLE_ID_SITE_ADMIN, $userRoles) || Services::get('submission')->canEditPublication($submission, $this->_currentUser->getId())) {
 			return AUTHORIZATION_PERMIT;
 		}
 

classes/services/PKPSubmissionService.inc.php

@@ -176,7 +176,7 @@ public function getProperties($submission, $props, $args = null) {
 
 		// Retrieve the submission's context for properties that require it
 		if (array_intersect(['_href', 'urlAuthorWorkflow', 'urlEditorialWorkflow'], $props)) {
-			$submissionContext = $request->getContext();
+                        $submissionContext = $request->getContext();
 			if (!$submissionContext || $submissionContext->getId() != $submission->getData('contextId')) {
 				$submissionContext = Services::get('context')->get($submission->getData('contextId'));
 			}
@@ -251,7 +251,7 @@ function($publication) use ($args, $submission, $submissionContext) {
 			}
 		}
 
-		$values = Services::get('schema')->addMissingMultilingualValues(SCHEMA_SUBMISSION, $values, $request->getContext()->getSupportedSubmissionLocales());
+		$values = Services::get('schema')->addMissingMultilingualValues(SCHEMA_SUBMISSION, $values, $submissionContext);
 
 		\HookRegistry::call('Submission::getProperties::values', array(&$values, $submission, $props, $args));
 
@@ -317,7 +317,7 @@ public function getPropertyReviewAssignments($submission) {
 
 			$request = \Application::get()->getRequest();
 			$currentUser = $request->getUser();
-			$context = $request->getContext();
+			$context = Services::get('context')->get($submission->getData('contextId'));
 			$dateFormatShort = $context->getLocalizedDateFormatShort();
 			$due = is_null($reviewAssignment->getDateDue()) ? null : strftime($dateFormatShort, strtotime($reviewAssignment->getDateDue()));
 			$responseDue = is_null($reviewAssignment->getDateResponseDue()) ? null : strftime($dateFormatShort, strtotime($reviewAssignment->getDateResponseDue()));
@@ -396,7 +396,7 @@ public function getPropertyStages($submission, $stageIds = null) {
 		}
 
 		$currentUser = \Application::get()->getRequest()->getUser();
-		$context = \Application::get()->getRequest()->getContext();
+		$context = Services::get('context')->get($submission->getData('contextId'));
 		$contextId = $context ? $context->getId() : CONTEXT_ID_NONE;
 
 		$stages = array();
@@ -550,11 +550,7 @@ public function getWorkflowUrlByUserRoles($submission, $userId = null) {
 			return false;
 		}
 
-		$submissionContext = $request->getContext();
-
-		if (!$submissionContext || $submissionContext->getId() != $submission->getData('contextId')) {
-			$submissionContext = Services::get('context')->get($submission->getData('contextId'));
-		}
+		$submissionContext = Services::get('context')->get($submission->getData('contextId'));
 
 		$dispatcher = $request->getDispatcher();
 
@@ -788,22 +784,38 @@ public function delete($submission) {
 	/**
 	 * Check if a user can edit a publications metadata
 	 *
-	 * @param int $submissionId
+	 * @param Submission $submission
 	 * @param int $userId
 	 * @return boolean
 	 */
-	public function canEditPublication($submissionId, $userId) {
+	public function canEditPublication($submission, $userId) {
+                $contextId = $submission->getData('contextId');
 		$stageAssignmentDao = DAORegistry::getDAO('StageAssignmentDAO'); /* @var $stageAssignmentDao StageAssignmentDAO */
-		$stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submissionId, $userId, null)->toArray();
+		$stageAssignments = $stageAssignmentDao->getBySubmissionAndUserIdAndStageId($submission->getId(), $userId, null)->toArray();
+                $userIsAuthor = !empty($stageAssignmentDao->getBySubmissionAndRoleId($submission->getId(), ROLE_ID_AUTHOR, null, $userId)->toArray());
+                // If the submission is rejected and the user's only role is an author
+                if ($submission->getStatus() == STATUS_DECLINED && $userIsAuthor) {
+                        $userIsOnlyAuthorOrReader = true;
+                        $roleDao = DAORegistry::getDAO('RoleDAO'); /* @var $roleDao RoleDAO */
+                        $roles = $roleDao->getByUserId($userId, $contextId);
+                        foreach ($roles as $role) {
+                                if ($role->getRoleId() != ROLE_ID_AUTHOR && $role->getRoleId() != ROLE_ID_READER) {
+                                        $userIsOnlyAuthorOrReader = false;
+					break;
+                                }
+                        }
+                        if ($userIsOnlyAuthorOrReader) {
+				return false;
+			}
+                }
 		// Check for permission from stage assignments
 		foreach ($stageAssignments as $stageAssignment) {
 			if ($stageAssignment->getCanChangeMetadata()) {
 				return true;
 			}
 		}
 		// If user has no stage assigments, check if user can edit anyway ie. is manager
-		$context = Application::get()->getRequest()->getContext();
-		if (count($stageAssignments) == 0 && $this->_canUserAccessUnassignedSubmissions($context->getId(), $userId)) {
+		if (count($stageAssignments) == 0 && $this->_canUserAccessUnassignedSubmissions($contextId, $userId)) {
 			return true;
 		}
 		// Else deny access

controllers/grid/users/author/AuthorGridHandler.inc.php

@@ -256,7 +256,7 @@ function canAdminister($user) {
 		if ($submission->getDateSubmitted() == null) return true;
 
 		// The user may not be allowed to edit the metadata
-		if (Services::get('submission')->canEditPublication($submission->getId(), $user->getId())) {
+		if (Services::get('submission')->canEditPublication($submission, $user->getId())) {
 			return true;
 		}
 

pages/authorDashboard/PKPAuthorDashboardHandler.inc.php

@@ -287,7 +287,7 @@ function setupTemplate($request) {
 		// Check if current author can edit metadata
 		$userRoles = $this->getAuthorizedContextObject(ASSOC_TYPE_USER_ROLES);
 		$canEditPublication = true;
-		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission->getId(), $user->getId())) {
+		if (!in_array(ROLE_ID_SITE_ADMIN, $userRoles) && !Services::get('submission')->canEditPublication($submission, $user->getId())) {
 			$canEditPublication =  false;
 		}
 

pages/workflow/PKPWorkflowHandler.inc.php

@@ -145,7 +145,7 @@ function index($args, $request) {
 		$currentStageId = $submission->getStageId();
 		$accessibleWorkflowStages = $this->getAuthorizedContextObject(ASSOC_TYPE_ACCESSIBLE_WORKFLOW_STAGES);
 		$canAccessPublication = false; // View title, metadata, etc.
-		$canEditPublication = Services::get('submission')->canEditPublication($submission->getId(), $request->getUser()->getId());
+		$canEditPublication = Services::get('submission')->canEditPublication($submission, $request->getUser()->getId());
 		$canAccessProduction = false; // Access to galleys and issue entry
 		$canPublish = false; // Ability to publish, unpublish and create versions
 		$canAccessEditorialHistory = false; // Access to activity log