
Authorization improvements

Open NateWr opened this issue 5 years ago • 1 comment

The SubmissionFileAccessPolicy at https://github.com/pkp/texture/blob/master/TextureHandler.inc.php#L64 should use SUBMISSION_FILE_ACCESS_MODIFY instead of SUBMISSION_FILE_ACCESS_READ. This will prevent authors from making modifications which they are generally not allowed to do. If there is a need for author preview/editing, I guess we need to figure out what that looks like with the existing submission file access policies.

Wherever $request->getUserVar('submissionId') is used, use $submission = $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION); instead. For example here: https://github.com/pkp/texture/blob/master/TextureHandler.inc.php#L101. Generally the auth policies should prevent this code from being reached, but this ensures that if the code is fired we are using an authenticated object instead of the unauthorized data passed by the user. (It will also save some database hits.)

NateWr, Sep 23 '20 10:09

Thanks for the tip Nate. I have that in many places, will change accordingly and test it.

withanage, Sep 23 '20 18:09
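
An added sketch of the two suggestions in the issue above, written for this page and not taken from the Texture plugin or the PKP library: a policy checked with the MODIFY mode instead of READ, and a handler that takes the submission from the authorized context rather than from the request. Only the constant names and getAuthorizedContextObject come from the issue; the ModelHandler class, the role table, the submissionFileId parameter and all values are assumptions.

```php
<?php
// Simplified model of the pattern, NOT the PKP classes. All values are constructed.
const SUBMISSION_FILE_ACCESS_READ = 1;
const SUBMISSION_FILE_ACCESS_MODIFY = 2;
const ASSOC_TYPE_SUBMISSION = 'submission';

class ModelHandler {
    // Constructed sample data: file id => owning submission id.
    private array $files = [10 => 1, 20 => 2];
    // Assumed role table: authors may read files, only editors may modify them.
    private array $grants = [
        'author' => [SUBMISSION_FILE_ACCESS_READ],
        'editor' => [SUBMISSION_FILE_ACCESS_READ, SUBMISSION_FILE_ACCESS_MODIFY],
    ];
    private array $authorized = [];

    // Policy step: runs before any operation and records the object it vetted.
    public function authorize(array $userVars, string $role, int $mode): bool {
        $fileId = (int) ($userVars['submissionFileId'] ?? 0);
        if (!isset($this->files[$fileId]) || !in_array($mode, $this->grants[$role] ?? [], true)) {
            return false;
        }
        $this->authorized[ASSOC_TYPE_SUBMISSION] = $this->files[$fileId];
        return true;
    }

    public function getAuthorizedContextObject(string $assocType) {
        return $this->authorized[$assocType] ?? null;
    }

    // Save operation: uses the submission the policy vetted and ignores
    // $userVars['submissionId'], which the caller controls.
    public function save(array $userVars): ?int {
        return $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION);
    }
}

// Constructed request: file 10 belongs to submission 1, but the caller claims submission 2.
$vars = ['submissionFileId' => 10, 'submissionId' => 2];
$modes = [SUBMISSION_FILE_ACCESS_READ => 'READ', SUBMISSION_FILE_ACCESS_MODIFY => 'MODIFY'];
foreach ($modes as $mode => $name) {
    foreach (['author', 'editor'] as $role) {
        $h = new ModelHandler();
        $ok = $h->authorize($vars, $role, $mode);
        printf("%-6s policy, %-6s: %s\n", $name, $role,
            $ok ? 'allowed, saves to submission ' . $h->save($vars) : 'denied');
    }
}
```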