One of our editors pointed out another possible bug in the latest release (22.214.171.124). In the emails the system sends out to the reviewers after a review is submitted, there’s a direct login link back to their review. It’s in the form (after the journal URL):
This takes the reviewer straight back to their review and handles the login for them. Unfortunately (I think), anyone with that link is given login access to that reviewer’s area of the site. I realize the risk is small, but it is there - particularly if a reviewer also happens to be a journal manager!
In this case, it came to light because the reviewer replied to an email so the editor saw the link and tried it. It works even in browsers that haven’t accessed OJS before.
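An added sketch, not part of the original post and not OJS code, of one way to limit what an emailed one-click link grants: the token is random, stored only as a hash, expires, works once, and yields access to a single review rather than a full login for the account. The function names, the in-memory store, the 7-day lifetime and the single-use policy are all assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# Hypothetical in-memory store: sha256(token) -> record. Only the hash is kept,
# so a leaked table does not reveal usable links.
_KEYS = {}


def issue_review_link_token(user_id, review_id, ttl_seconds=7 * 24 * 3600, now=None):
    """Create a random token bound to one user and one review assignment."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _KEYS[digest] = {
        "user_id": user_id,
        "review_id": review_id,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return token  # placed in the emailed link; never stored in clear


def redeem_review_link_token(token, requested_review_id, now=None):
    """Return a grant limited to one review, or None if the token is rejected."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _KEYS.get(digest)
    if record is None:
        return None  # unknown or forged token
    if record["used"] or now > record["expires"]:
        return None  # forwarded or quoted links stop working after first use or expiry
    if record["review_id"] != requested_review_id:
        return None  # token cannot be pointed at a different review
    record["used"] = True
    # The grant names one review only. It is not a session for the account, so
    # other roles held by the same user (such as journal manager) still need a
    # normal login.
    return {"user_id": record["user_id"], "scope": "review:%d" % requested_review_id}
```

With this shape, a link that surfaces in a quoted email reply has usually already been spent by the reviewer, and even an unspent one opens only that review.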