Reviewer's link allowing open access

One of our editors pointed out another possible bug in the latest release (3.1.0.0). In the emails the system sends out to the reviewers after a review is submitted, there’s a direct login link back to their review. It’s in the form (after the journal URL):

…/reviewer/submission?submissionId=101&reviewId=98&key=V2D7r49V

This takes the reviewer straight back to their review and handles the login for them. Unfortunately (I think), anyone with that link is given login access to that reviewer’s area of the site. I realize the risk is small, but it is there - particularly if a reviewer also happens to be a journal manager!

In this case, it came to light because the reviewer replied to an email so the editor saw the link and tried it. It works even in browsers that haven’t accessed OJS before.

Any ideas?

You can disable it. See Settings > Workflow > Review. There is a setting called One Click Reviewer Access.

But basically, if someone can access the reviewer's email, they can also change the password and log in.

Aaaa, thanks! Much appreciated!

Not a big problem… we’re not talking about huge security issues here.

Regards…