OJS 3 - The current role does not have access to this operation

Hi!

When a Reviewer tries to open a file, OJS displays a JSON response:

{
    "status": false,
    "content": "The current role does not have access to this operation.",
    "elementId": "0"
}

I’ve checked and the user has the Reviewer ROLE on the Journal.

Hi @asmecher, can you help me with this?

I think the problem is in:
/lib/pkp/classes/security/authorization/internal/SubmissionFileAssignedReviewerAccessPolicy.inc.php

doing some tests:

function effect() {
   $request = $this->getRequest();

   // Get the user
   $user = $request->getUser();
   if (!is_a($user, 'PKPUser')) return AUTHORIZATION_DENY;

   // Get the submission file
   $submissionFile = $this->getSubmissionFile($request);
   if (!is_a($submissionFile, 'SubmissionFile')) return AUTHORIZATION_DENY;

   $reviewAssignmentDao = DAORegistry::getDAO('ReviewAssignmentDAO');
   $reviewAssignments = $reviewAssignmentDao->getByUserId($user->getId());
   $reviewFilesDao = DAORegistry::getDAO('ReviewFilesDAO');
   foreach ($reviewAssignments as $reviewAssignment) {
      if (!$reviewAssignment->getDateConfirmed()) continue;
      echo("\nteste1 ");
      echo($submissionFile->getSubmissionId() == $reviewAssignment->getSubmissionId());
      echo("\nteste2 ");
      echo($submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE);
      echo("\nteste3 ");
      echo($submissionFile->getViewable());
      echo("\nteste4 ");
      echo($reviewFilesDao->check($reviewAssignment->getId(), $submissionFile->getFileId()));
      dump();
      if (
         $submissionFile->getSubmissionId() == $reviewAssignment->getSubmissionId() &&
         $submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE &&
         $submissionFile->getViewable() &&
         $reviewFilesDao->check($reviewAssignment->getId(), $submissionFile->getFileId())
      ) {
         return AUTHORIZATION_PERMIT;
      }
   }

   // If a pass condition wasn't found above, deny access.
   return AUTHORIZATION_DENY;
}

I’ve received the following output:

teste1 teste2 1 teste3 teste4 0

I also have the same message from the reviewers:

{"status":false,"content":"The current role does not have access to this operation.","elementId":"0"}

and from Section editors accessing the files in review tab a similar one:

{"status":false,"content":"##user.authorization.seriesAssignment##","elementId":"0"}

Please help as our journal reviewer process is stopped now in this case? @rafaelmansilha did you solve the problem?

Hi @vebaev,

While I wait for a patch, I made a change in the code that allowed them to download the file:

Location: lib/pkp/classes/security/authorization/internal/SubmissionFileAssignedReviewerAccessPolicy.inc.php

Commented:

if (
	$submissionFile->getSubmissionId() == $reviewAssignment->getSubmissionId() &&
	$submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE &&
	$submissionFile->getViewable() &&
	$reviewFilesDao->check($reviewAssignment->getId(), $submissionFile->getFileId())
) {

Replace the commented if with:

if($submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE){

This has allowed him to continue with the work, but I still do not know if this causes any complications in system security.

Regards,
Rafael Mansilha.

Hi @rafaelmansilha and @vebaev,

Could either of you make a copy of your database available for me to download? A reviewer name, submission ID, and file ID and revision number would be helpful in order to get quickly to the content you’re having trouble with.

Regards,
Alec Smecher
Public Knowledge Project Team

I do not know how to make a copy of the DB but I also found a workaround - assigning an additional role of Journal Assistant to each of the Section Editors solves the issue.

@asmecher, All tables?

Hi @rafaelmansilha,

Yes, please! Feel free to anonymize any content you like.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @rafaelmansilha,

Did you manage to pass along a database dump? If so, please remind me when/where – it’s possible that you did and I lost it :wink:

Thanks,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Sorry to take time to respond, I’m away on qualification, but on the Monday I’ll arrange, can I make it available through a link in Google Drive, or do you prefer otherwise?

Hi @rafaelmansilha,

Yes, that would be fine!

Regards,
Alec Smecher
Public Knowledge Project Team

Hmmm… I could reproduce it for the section editor, thus I can take a look what is going on there… but I couldn’t reproduce it for the reviewers :-\

@asmecher, if a section editor is assigned to a submission, he/she can access the files only if he/she is also assigned to that section of the submission, s. https://github.com/pkp/pkp-lib/blob/master/classes/security/authorization/SubmissionFileAccessPolicy.inc.php#L178-L181 and https://github.com/pkp/pkp-lib/blob/master/classes/security/authorization/internal/SectionAssignmentPolicy.inc.php#L53-L58. Does this make sense? – This would mean that all section editors would have to be assigned to appropriate sections.
Maybe it would be more correct to check if the section editor is assigned to the submission i.e. a stage assignment exists for that submission and that section editor?
Also, would this way all section editors assigned to that section be able to access the submission? If so, is that correct?
THANKS!!!

Hi @rafaelmansilha

It seems that your file for some reason is not viewable and the file submission ID seems not to match the one for that review assignment (any review assignment for that logged in reviewer) :open_mouth: Could you please check it also in your DB? I.e. the column viewable in the submission_files table for that submission, as well as submission_id in the submission_files and review_assignments table. Could you also see if there is an entry in the DB table review_files for that review and file ID?

Thanks!
Bozana

Hi @bozana,

Hmm, I think we might have two lines of thought happening at the same time –

  • Assignments of section editors to sections has an effect on permissions
  • Assignments of section editors to submissions has an effect on permissions

The approach we used in OJS 2.x was to use the section editor/section assignments to create automatic assignments to articles upon submission, and thereafter just consider section editor/article assignments.

Perhaps it makes sense to review the parts of the code that rely on the section editor/section association and pursue the same strategy we used in OJS 2.x – I suspect it wouldn’t be invasive, and would provide the most flexibility.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @bozana, Sorry for the delay, I was on vacation.

submission_files
File: '13533', 
submission_id: '2574',
viewable: '0',

review_assignments
review_id: '2121', 
submission_id: '2574',

review_files
review_id: '2121', 
file_id: '13533'

@asmecher, Sorry for not sending the database yet, I was on vacation, and my coworkers started upgrading to version 3.0.1, when we finalize the tests of the update, I’ll send it.

Regards, Rafael Mansilha.

Hi @rafaelmansilha

Yes, it seems there is a problem with the viewable values, s. [OJS] Reviewer doesn't have adequate permission to download review file · Issue #2092 · pkp/pkp-lib · GitHub. Thus, you could eventually just remove this condition from your if statement above for now: $submissionFile->getViewable()

Best,
Bozana
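
The difference between the two workarounds in this thread, as an added example (not OJS code and not written by any participant): a stand-alone PHP model that evaluates the original condition, the stage-only replacement, and the condition with only getViewable() removed, against the rows posted above plus one constructed file from a different submission. The array layout, the function name and the REVIEW_FILE_STAGE constant are assumptions made for illustration.

```php
<?php
// Stand-alone model of the checks discussed in this thread; it does not load OJS.
const REVIEW_FILE_STAGE = 'review_file'; // stand-in for SUBMISSION_FILE_REVIEW_FILE

// Rows as posted in the thread (file 13533, submission 2574, review 2121).
$assignment  = ['review_id' => 2121, 'submission_id' => 2574];
$reviewFiles = [[2121, 13533]]; // review_files as (review_id, file_id) pairs
$files = [
    'assigned file 13533' => ['file_id' => 13533, 'submission_id' => 2574,
                              'stage' => REVIEW_FILE_STAGE, 'viewable' => 0],
    // Constructed row: review-stage file of another submission, absent from review_files.
    'unrelated file 99001' => ['file_id' => 99001, 'submission_id' => 9999,
                               'stage' => REVIEW_FILE_STAGE, 'viewable' => 1],
];

function inReviewFiles(array $rf, int $reviewId, int $fileId): bool {
    return in_array([$reviewId, $fileId], $rf, true);
}

$policies = [
    // All four conditions of the original if statement.
    'original' => fn($f, $a, $rf) =>
        $f['submission_id'] == $a['submission_id'] && $f['stage'] == REVIEW_FILE_STAGE
        && $f['viewable'] && inReviewFiles($rf, $a['review_id'], $f['file_id']),
    // Replacement that keeps only the file-stage test.
    'stage only' => fn($f, $a, $rf) => $f['stage'] == REVIEW_FILE_STAGE,
    // Original with only the getViewable() condition removed.
    'without viewable' => fn($f, $a, $rf) =>
        $f['submission_id'] == $a['submission_id'] && $f['stage'] == REVIEW_FILE_STAGE
        && inReviewFiles($rf, $a['review_id'], $f['file_id']),
];

foreach ($policies as $name => $permits) {
    foreach ($files as $label => $file) {
        $result = $permits($file, $assignment, $reviewFiles) ? 'PERMIT' : 'DENY';
        printf("%-17s %-21s %s\n", $name, $label, $result);
    }
}
```

Only the variant that keeps the submission and review_files checks still denies the file that was never attached to this review assignment; the stage-only variant permits both files.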

Thanks @bozana, I’ve changed the code!

@asmecher, do you still need the database dump?

Regards,
Rafael Mansilha.

Hi @rafaelmansilha,

Just to confirm, did that change resolve the problem for you?

Regards,
Alec Smecher
Public Knowledge Project Team