OJS 3 - The current role does not have access to this operation

ojs3
ojs

#1

Hi!

Wen a Reviewer try to open a file, the ojs displays a JSON response:

{
    "status": false,
    "content": "The current role does not have access to this operation.",
    "elementId": "0"
}

I’ve checked and the user has the Reviewer ROLE on the Journal.


#2

Hi @asmecher, can you help me with this?


#3

I think the problem is in:
/lib/pkp/classes/security/authorization/internal/SubmissionFileAssignedReviewerAccessPolicy.inc.php

doing some tests:

function effect() {
   $request = $this->getRequest();

   // Get the user
   $user = $request->getUser();
   if (!is_a($user, 'PKPUser')) return AUTHORIZATION_DENY;

   // Get the submission file
   $submissionFile = $this->getSubmissionFile($request);
   if (!is_a($submissionFile, 'SubmissionFile')) return AUTHORIZATION_DENY;

   $reviewAssignmentDao = DAORegistry::getDAO('ReviewAssignmentDAO');
   $reviewAssignments = $reviewAssignmentDao->getByUserId($user->getId());
   $reviewFilesDao = DAORegistry::getDAO('ReviewFilesDAO');
   foreach ($reviewAssignments as $reviewAssignment) {
      if (!$reviewAssignment->getDateConfirmed()) continue;
      echo("\nteste1 ");
      echo($submissionFile->getSubmissionId() == $reviewAssignment->getSubmissionId());
      echo("\nteste2 ");
      echo($submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE);
      echo("\nteste3 ");
      echo($submissionFile->getViewable());
      echo("\nteste4 ");
      echo($reviewFilesDao->check($reviewAssignment->getId(), $submissionFile->getFileId()));
      dump();
      if (
         $submissionFile->getSubmissionId() == $reviewAssignment->getSubmissionId() &&
         $submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE &&
         $submissionFile->getViewable() &&
         $reviewFilesDao->check($reviewAssignment->getId(), $submissionFile->getFileId())
      ) {
         return AUTHORIZATION_PERMIT;
      }
   }

   // If a pass condition wasn't found above, deny access.
   return AUTHORIZATION_DENY;
}

I’ve received the following output:

teste1 teste2 1 teste3 teste4 0


#4

I have also the same message from the reviewers:

{"status":false,"content":"The current role does not have access to this operation.","elementId":"0"}

and from Section editors accessing the files in review tab a similar one:

{"status":false,"content":"##user.authorization.seriesAssignment##","elementId":"0"}

Please help as our journal reviewer process is stopped now in this case? @rafaelmansilha did you solve the problem?


#5

Hi @vebaev,

While I wait for a patch, I made a change in the code that allowed them to download the file:

Location: lib/pkp/classes/security/authorization/internal/SubmissionFileAssignedReviewerAccessPolicy.inc.php

Comented:

if (
	$submissionFile->getSubmissionId() == $reviewAssignment->getSubmissionId() &&
	$submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE &&
	$submissionFile->getViewable() &&
	$reviewFilesDao->check($reviewAssignment->getId(), $submissionFile->getFileId())
) {

Replace the commented if with:

if($submissionFile->getFileStage() == SUBMISSION_FILE_REVIEW_FILE){`

This has allowed him to continue with the work, but I still do not know if this causes any complications in system security

Regards,
Rafael Mansilha.


#6

Hi @rafaelmansilha and @vebaev,

Could either of you make a copy of your database available for me to download? A reviewer name, submission ID, and file ID and revision number would be helpful in order to get quickly to the content you’re having trouble with.

Regards,
Alec Smecher
Public Knowledge Project Team


Section editors cannot download file submission and got error (OJS3)?
#7

I do not know how to make a copy of the DB but I also found a workaround - assigning an additional role of Journal Assistant to each of the Section Editosr solve the issue.


#8

@asmecher, All tables?


#9

Hi @rafaelmansilha,

Yes, please! Feel free to anonymize any content you like.

Regards,
Alec Smecher
Public Knowledge Project Team


#10

Hi @rafaelmansilha,

Did you manage to pass along a database dump? If so, please remind me when/where – it’s possible that you did and I lost it :wink:

Thanks,
Alec Smecher
Public Knowledge Project Team


#11

Hi @asmecher,

Sorry to take time to respond, I’m away on qualification, but on the Monday I’ll arrange, can I make it available through a link in Google Drive, or do you prefer otherwise?


#12

Hi @rafaelmansilha,

Yes, that would be fine!

Regards,
Alec Smecher
Public Knowledge Project Team


#13

Hmmm… I could reproduce it for the section editor, thus I can take a look what is going on there… but I couldn’t reproduce it for the reviewers :-\


#14

@asmecher, if a section editor is assigned to a submission, he/she can access the files only if he/she is also assigned to that section of the submission, s. https://github.com/pkp/pkp-lib/blob/master/classes/security/authorization/SubmissionFileAccessPolicy.inc.php#L178-L181 and https://github.com/pkp/pkp-lib/blob/master/classes/security/authorization/internal/SectionAssignmentPolicy.inc.php#L53-L58. Does this make sense? – This would mean that all section editors would have to be assigned to appropriate sections.
Maybe it would be more correct to check if the section editor is assigned to the submission i.e. a stage assignment exists for that submission and that section editor?
Also, would this way all section editors assigned to that section be able to access the submission? If so, is that correct?
THANKS!!!


#15

Hi @rafaelmansilha

It seems that your file for some reason is not viewable and the file submission ID seems not to mach the one for that review assignment (any review assignment for that logged in reviewer) :open_mouth: Could you please check it also in your DB? I.e. the column viewable in the submission_files table for that submission, as well as submission_id in the submission_files and review_assignments table. Could you also see if there is an entry in the DB table review_files for that review and file ID?

Thanks!
Bozana


#16

Hi @bozana,

Hmm, I think we might have two lines of thought happening at the same time –

  • Assignments of section editors to sections has an effect on permissions
  • Assignments of section editors to submissions has an effect on permissions

The approach we used in OJS 2.x was to use the section editor/section assignments to create automatic assignments to articles upon submission, and thereafter just consider section editor/article assignments.

Perhaps it makes sense to review the parts of the code that rely on the section editor/section association and pursue the same strategy we used in OJS 2.x – I suspect it wouldn’t be invasive, and would provide the most flexibility.

Regards,
Alec Smecher
Public Knowledge Project Team


#17

Hi @bozana, Sorry for the delay, I was on vacation.

submission_files
File: '13533', 
submission_id: '2574',
viewable: '0',

review_assignments
review_id: '2121', 
submission_id: '2574',

review_files
review_id: '2121', 
file_id: '13533'

@asmecher, Sorry for not sending the database yet, I was on vacation, and my coworkers started upgrading to version 3.0.1, when we finalize the tests of the update, I’ll send it.

Regards, Rafael Mansilha.


#18

Hi @rafaelmansilha

Yes, it seems there is a problem with the viewable values, s. https://github.com/pkp/pkp-lib/issues/2092. Thus, you could eventually just remove this condition from your if statement above for now: $submissionFile->getViewable()

Best,
Bozana


#19

Thanks @bozana, i’ve changed the code!

@asmecher, do you still need the database dump?

Regards,
Rafael Mansilha.


#20

Hi @rafaelmansilha,

Just to confirm, did that change resolve the problem for you?

Regards,
Alec Smecher
Public Knowledge Project Team