#10263 Prevent authors from editing publication metadata even if granted permission by editor

Hafsa-Naeem · Hafsa-Naeem · commit d26aa0fc3b9e · 2025-04-30T23:10:36.000+05:00
diff --git a/classes/submission/Repository.php b/classes/submission/Repository.php
@@ -514,6 +514,25 @@ public function canCurrentUserDelete(Submission $submission): bool
      */
     public function canEditPublication(int $submissionId, int $userId): bool
     {
+        // block authors can never edit a published publication even if an editor granted them canChangeMetadata
+        $submission = $this->get($submissionId);
+        if ($submission) {
+            $currentPub = $submission->getCurrentPublication();
+            if (
+                $currentPub
+                && $currentPub->getData('status') === Submission::STATUS_PUBLISHED
+            ) {
+                // fetch this user’s stage assignments
+                $assignments = StageAssignment::withSubmissionIds([$submissionId])->withUserId($userId)->get();
+
+                // if all of their assignments are to an author group then block them
+                $hasNonAuthor = $assignments->contains(fn($sa) => $sa->userGroup && $sa->userGroup->roleId !== Role::ROLE_ID_AUTHOR);
+                if (!$hasNonAuthor) {
+                    return false;
+                }
+            }
+        }
+        
         // Replaces StageAssignmentDAO::getBySubmissionAndUserIdAndStageId
         $stageAssignments = StageAssignment::withSubmissionIds([$submissionId])
             ->withUserId($userId)
