Merge pull request #11225 from Hafsa-Naeem/i10263-stable_3_5_0-fix

Vitaliy-1 · web-flow · commit 4c1620f4d629 · 2025-05-01T14:23:49.000+03:00
#10263 Relax editing metadata on published/posted materials
diff --git a/api/v1/submissions/PKPSubmissionController.php b/api/v1/submissions/PKPSubmissionController.php
@@ -71,6 +71,9 @@
 use PKP\submission\reviewAssignment\ReviewAssignment;
 use PKP\submissionFile\SubmissionFile;
 use PKP\userGroup\UserGroup;
+use PKP\observers\events\MetadataChanged;
+use PKP\stageAssignment\StageAssignment;
+
 
 class PKPSubmissionController extends PKPBaseController
 {
@@ -1237,16 +1240,12 @@ public function editPublication(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_FORBIDDEN);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
-
-        // Prevent users from editing publications if they do not have permission. Except for admins.
+        // only proceed if user is allowed to edit publications
         $userRoles = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_USER_ROLES);
-        if (!in_array(Role::ROLE_ID_SITE_ADMIN, $userRoles) && !Repo::submission()->canEditPublication($submission->getId(), $currentUser->getId())) {
+        if (
+            !in_array(Role::ROLE_ID_SITE_ADMIN, $userRoles) &&
+            !Repo::submission()->canEditPublication($submission->getId(), $currentUser->getId())
+        ) {
             return response()->json([
                 'error' => __('api.submissions.403.userCantEdit'),
             ], Response::HTTP_FORBIDDEN);
@@ -1276,6 +1275,8 @@ public function editPublication(Request $illuminateRequest): JsonResponse
 
         Repo::publication()->edit($publication, $params);
         $publication = Repo::publication()->get($publication->getId());
+        event(new MetadataChanged($submission));
+
 
         $userGroups = UserGroup::withContextIds($submission->getData('contextId'))->cursor();
 
@@ -1335,6 +1336,17 @@ public function publishPublication(Request $illuminateRequest): JsonResponse
 
         Repo::publication()->publish($publication);
 
+        $stageAssignments = StageAssignment::withSubmissionIds([$submission->getId()])
+            ->get();
+
+        foreach ($stageAssignments as $stageAssignment) {
+            $userGroup = $stageAssignment->userGroup;
+            if ($userGroup && $userGroup->roleId === Role::ROLE_ID_AUTHOR){
+                $stageAssignment->canChangeMetadata = 0;
+                $stageAssignment->save();
+            }
+        }
+
         $publication = Repo::publication()->get($publication->getId());
 
         $userGroups = UserGroup::withContextIds($submission->getData('contextId'))->cursor();
@@ -1531,13 +1543,6 @@ public function addContributor(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_FORBIDDEN);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
-
         $params = $this->convertStringsToSchema(PKPSchemaService::SCHEMA_AUTHOR, $illuminateRequest->input());
         $params['publicationId'] = $publication->getId();
 
@@ -1603,12 +1608,6 @@ public function deleteContributor(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_NOT_FOUND);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
 
         if ($submission->getId() !== $publication->getData('submissionId')) {
             return response()->json([
@@ -1665,13 +1664,6 @@ public function editContributor(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_FORBIDDEN);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
-
         $params = $this->convertStringsToSchema(PKPSchemaService::SCHEMA_AUTHOR, $illuminateRequest->input());
         $params['id'] = $author->getId();
 
@@ -1758,13 +1750,6 @@ public function saveContributorsOrder(Request $illuminateRequest): JsonResponse
             ], Response::HTTP_FORBIDDEN);
         }
 
-        // Publications can not be edited when they are published
-        if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-            return response()->json([
-                'error' => __('api.publication.403.cantEditPublished'),
-            ], Response::HTTP_FORBIDDEN);
-        }
-
         if (!empty($params['sortedAuthors'])) {
             $authors = [];
             foreach ($params['sortedAuthors'] as $author) {
diff --git a/classes/author/Repository.php b/classes/author/Repository.php
@@ -130,8 +130,6 @@ public function validate($author, $props, Submission $submission, Context $conte
                 $publication = Repo::publication()->get($props['publicationId']);
                 if (!$publication) {
                     $validator->errors()->add('publicationId', __('author.publicationNotFound'));
-                } elseif ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-                    $validator->errors()->add('publicationId', __('author.editPublishedDisabled'));
                 }
             }
         });
diff --git a/classes/galley/Repository.php b/classes/galley/Repository.php
@@ -152,8 +152,6 @@ public function validate(?Galley $object, array $props, array $allowedLocales, s
                 $publication = Repo::publication()->get($props['publicationId']);
                 if (!$publication) {
                     $validator->errors()->add('publicationId', __('galley.publicationNotFound'));
-                } elseif (in_array($publication->getData('status'), [Submission::STATUS_PUBLISHED, Submission::STATUS_SCHEDULED])) {
-                    $validator->errors()->add('publicationId', __('galley.editPublishedDisabled'));
                 }
             }
         });
diff --git a/classes/security/authorization/internal/RepresentationUploadAccessPolicy.php b/classes/security/authorization/internal/RepresentationUploadAccessPolicy.php
@@ -89,10 +89,6 @@ public function dataObjectEffect()
         }
 
         // Representations can not be modified on published publications
-        if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-            $this->setAdvice(AuthorizationPolicy::AUTHORIZATION_ADVICE_DENY_MESSAGE, 'galley.editPublishedDisabled');
-            return AuthorizationPolicy::AUTHORIZATION_DENY;
-        }
 
         $this->addAuthorizedContextObject(Application::ASSOC_TYPE_REPRESENTATION, $representation);
 
diff --git a/classes/submission/Repository.php b/classes/submission/Repository.php
@@ -514,18 +514,32 @@ public function canCurrentUserDelete(Submission $submission): bool
      */
     public function canEditPublication(int $submissionId, int $userId): bool
     {
-        // Replaces StageAssignmentDAO::getBySubmissionAndUserIdAndStageId
-        $stageAssignments = StageAssignment::withSubmissionIds([$submissionId])
+        // block authors can never edit a published publication even if an editor granted them canChangeMetadata
+        $assignments = StageAssignment::withSubmissionIds([$submissionId])
             ->withUserId($userId)
             ->get();
 
-        // Check for permission from stage assignments
-        if ($stageAssignments->contains(fn ($stageAssignment) => $stageAssignment->canChangeMetadata)) {
+        $submission = $this->get($submissionId);
+        // any published or scheduled then probe
+        $hasLockedPublication = $submission
+            && $submission->getData('publications')
+                ->contains(fn($p) =>
+                    in_array(
+                        $p->getData('status'),
+                        [Submission::STATUS_PUBLISHED, Submission::STATUS_SCHEDULED]
+                    )
+                );
+
+        if ($hasLockedPublication && !$assignments->contains(fn($sa) => $sa->userGroup && $sa->userGroup->roleId !== Role::ROLE_ID_AUTHOR)) {
+            return false;
+        }
+
+        if ($assignments->contains(fn($sa) => $sa->canChangeMetadata)) {
             return true;
         }
         // If user has no stage assigments, check if user can edit anyway ie. is manager
         $context = Application::get()->getRequest()->getContext();
-        if ($stageAssignments->isEmpty() && $this->_canUserAccessUnassignedSubmissions($context->getId(), $userId)) {
+        if ($assignments->isEmpty() && $this->_canUserAccessUnassignedSubmissions($context->getId(), $userId)) {
             return true;
         }
         // Else deny access
diff --git a/classes/task/PublishSubmissions.php b/classes/task/PublishSubmissions.php
@@ -20,6 +20,8 @@
 use APP\submission\Submission;
 use PKP\core\Core;
 use PKP\scheduledTask\ScheduledTask;
+use PKP\observers\events\MetadataChanged;
+
 
 class PublishSubmissions extends ScheduledTask
 {
@@ -50,6 +52,8 @@ public function executeActions(): bool
                 $datePublished = $submission->getCurrentPublication()->getData('datePublished');
                 if ($datePublished && strtotime($datePublished) <= strtotime(Core::getCurrentDate())) {
                     Repo::publication()->publish($submission->getCurrentPublication());
+                    // dispatch the MetadataChanged event after publishing
+                    event(new MetadataChanged($submission));
                 }
             }
         }
diff --git a/controllers/grid/users/author/AuthorGridHandler.php b/controllers/grid/users/author/AuthorGridHandler.php
@@ -275,9 +275,6 @@ public function canAdminister($user)
         $submission = $this->getSubmission();
         $userRoles = $this->getAuthorizedContextObject(Application::ASSOC_TYPE_USER_ROLES);
 
-        if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {
-            return false;
-        }
 
         if (in_array(Role::ROLE_ID_SITE_ADMIN, $userRoles)) {
             return true;
diff --git a/locale/en/submission.po b/locale/en/submission.po
@@ -39,6 +39,9 @@ msgstr "Please provide a ROR affiliation or at least one affiliation name."
 msgid "author.affiliationNamePrimaryLocaleMissing"
 msgstr "Please provide affiliation name in the submission primary locale."
 
+msgid "publication.editorEditWarning"
+msgstr "Warning: This version has been published. Editing it may impact the published content."
+
 msgid "ror.nameRequired"
 msgstr "A ROR name is required."
 

Original file line number	Diff line number	Diff line change
`@@ -130,8 +130,6 @@ public function validate($author, $props, Submission $submission, Context $conte`
`130`	`130`	`$publication = Repo::publication()->get($props['publicationId']);`
`131`	`131`	`if (!$publication) {`
`132`	`132`	`$validator->errors()->add('publicationId', __('author.publicationNotFound'));`
`133`		`- } elseif ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {`
`134`		`- $validator->errors()->add('publicationId', __('author.editPublishedDisabled'));`
`135`	`133`	`}`
`136`	`134`	`}`
`137`	`135`	`});`
Original file line number	Diff line number	Diff line change
`@@ -152,8 +152,6 @@ public function validate(?Galley $object, array $props, array $allowedLocales, s`
`152`	`152`	`$publication = Repo::publication()->get($props['publicationId']);`
`153`	`153`	`if (!$publication) {`
`154`	`154`	`$validator->errors()->add('publicationId', __('galley.publicationNotFound'));`
`155`		`- } elseif (in_array($publication->getData('status'), [Submission::STATUS_PUBLISHED, Submission::STATUS_SCHEDULED])) {`
`156`		`- $validator->errors()->add('publicationId', __('galley.editPublishedDisabled'));`
`157`	`155`	`}`
`158`	`156`	`}`
`159`	`157`	`});`
Original file line number	Diff line number	Diff line change
`@@ -89,10 +89,6 @@ public function dataObjectEffect()`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`// Representations can not be modified on published publications`
`92`		`- if ($publication->getData('status') === PKPSubmission::STATUS_PUBLISHED) {`
`93`		`- $this->setAdvice(AuthorizationPolicy::AUTHORIZATION_ADVICE_DENY_MESSAGE, 'galley.editPublishedDisabled');`
`94`		`- return AuthorizationPolicy::AUTHORIZATION_DENY;`
`95`		`- }`
`96`	`92`
`97`	`93`	`$this->addAuthorizedContextObject(Application::ASSOC_TYPE_REPRESENTATION, $representation);`
`98`	`94`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@`
`20`	`20`	`use APP\submission\Submission;`
`21`	`21`	`use PKP\core\Core;`
`22`	`22`	`use PKP\scheduledTask\ScheduledTask;`
	`23`	`+use PKP\observers\events\MetadataChanged;`
	`24`	`+`
`23`	`25`
`24`	`26`	`class PublishSubmissions extends ScheduledTask`
`25`	`27`	`{`
`@@ -50,6 +52,8 @@ public function executeActions(): bool`
`50`	`52`	`$datePublished = $submission->getCurrentPublication()->getData('datePublished');`
`51`	`53`	`if ($datePublished && strtotime($datePublished) <= strtotime(Core::getCurrentDate())) {`
`52`	`54`	`Repo::publication()->publish($submission->getCurrentPublication());`
	`55`	`+ // dispatch the MetadataChanged event after publishing`
	`56`	`+ event(new MetadataChanged($submission));`
`53`	`57`	`}`
`54`	`58`	`}`
`55`	`59`	`}`