Authorization improvements #84

Open
NateWr opened this issue Sep 23, 2020 · 1 comment

NateWr commented Sep 23, 2020

The `SubmissionFileAccessPolicy` at https://github.com/pkp/texture/blob/master/TextureHandler.inc.php#L64 should use `SUBMISSION_FILE_ACCESS_MODIFY` instead of `SUBMISSION_FILE_ACCESS_READ`. This will prevent authors from making modifications which they are generally not allowed to do. If there is a need for author preview/editing, I guess we need to figure out what that looks like with the existing submission file access policies.

Wherever `$request->getUserVar('submissionId')` is used, use `$submission = $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION);` instead. For example here: https://github.com/pkp/texture/blob/master/TextureHandler.inc.php#L101. Generally the auth policies should prevent this code from being reached, but this ensures that if the code is fired we are using an authenticated object instead of the unauthorized data passed by the user. (It will also save some database hits.)
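
The two changes requested above, modelled as an added example that is not part of the original issue and is not PKP or Texture code. `DemoHandler`, its methods, the `submissionFileId` parameter and all ids and grants are hypothetical stand-ins constructed to show how the access mode and the source of the submission id interact.

```php
<?php
// Stand-in classes for illustration; this is not PKP or Texture code.
const ACCESS_READ = 1;   // stands in for SUBMISSION_FILE_ACCESS_READ
const ACCESS_MODIFY = 2; // stands in for SUBMISSION_FILE_ACCESS_MODIFY
// Constructed data: file id => owning submission id, and per-user access modes.
const FILES = [501 => 10, 502 => 11];
const GRANTS = [
    'author' => [501 => ACCESS_READ],
    'editor' => [501 => ACCESS_READ | ACCESS_MODIFY, 502 => ACCESS_READ | ACCESS_MODIFY],
];

class DemoHandler {
    private ?int $authorizedSubmissionId = null; // set only by authorize()

    public function __construct(private string $user, private array $userVars) {}

    // Policy step: vet the requested file against the required mode, then keep
    // the submission it belongs to (the model's "authorized context object").
    public function authorize(int $requiredMode): bool {
        $this->authorizedSubmissionId = null;
        $fileId = (int) ($this->userVars['submissionFileId'] ?? 0);
        $granted = GRANTS[$this->user][$fileId] ?? 0;
        if (($granted & $requiredMode) !== $requiredMode) {
            return false;
        }
        $this->authorizedSubmissionId = FILES[$fileId];
        return true;
    }

    // Before: the operation trusts a second request parameter that no policy vetted.
    public function targetFromRequest(): int {
        return (int) ($this->userVars['submissionId'] ?? 0);
    }

    // After: the operation can only see what the policy authorized.
    public function targetFromAuthorizedObject(): int {
        if ($this->authorizedSubmissionId === null) {
            throw new RuntimeException('No authorized submission for this request');
        }
        return $this->authorizedSubmissionId;
    }
}

// Constructed request: the author names a file they may read plus another submission's id.
$h = new DemoHandler('author', ['submissionFileId' => 501, 'submissionId' => 11]);
var_dump($h->authorize(ACCESS_READ));        // READ policy in front of a write operation
var_dump($h->targetFromRequest());           // id taken from the request
var_dump($h->targetFromAuthorizedObject());  // id taken from the vetted object
var_dump($h->authorize(ACCESS_MODIFY));      // MODIFY policy for the same author
```

Run with PHP 8: under the READ policy the author gets through and the request-derived id points at a submission the policy never checked, while the authorized object stays on the vetted one. Under the MODIFY policy the same author is rejected before any operation runs.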

@withanage withanage self-assigned this Sep 23, 2020
@withanage
Member

Thanks for the tip Nate. I have that in many places, will change accordingly and test it.
