diff --git a/pages/reviewer/ReviewerHandler.php b/pages/reviewer/ReviewerHandler.php index 89dbae0eb0d..6c2aafb0f19 100644 --- a/pages/reviewer/ReviewerHandler.php +++ b/pages/reviewer/ReviewerHandler.php @@ -3,8 +3,8 @@ /** * @file pages/reviewer/ReviewerHandler.php * - * Copyright (c) 2014-2021 Simon Fraser University - * Copyright (c) 2003-2021 John Willinsky + * Copyright (c) 2014-2026 Simon Fraser University + * Copyright (c) 2003-2026 John Willinsky * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING. * * @class ReviewerHandler @@ -17,12 +17,30 @@ namespace APP\pages\reviewer; use APP\core\Request; +use APP\facades\Repo; +use APP\submission\reviewer\form\ReviewerReviewStep3Form; +use APP\submission\Submission; +use PKP\core\PKPRequest; +use PKP\db\DAORegistry; use PKP\pages\reviewer\PKPReviewerHandler; +use PKP\security\AccessKeyManager; use PKP\security\authorization\SubmissionAccessPolicy; use PKP\security\Role; +use PKP\security\Validation; +use PKP\session\SessionManager; +use PKP\submission\reviewAssignment\ReviewAssignment; +use PKP\submission\reviewAssignment\ReviewAssignmentDAO; +use PKP\user\User; class ReviewerHandler extends PKPReviewerHandler { + + /** @var Submission */ + public $submission; + + /** @var User */ + public $user; + /** * Constructor */ @@ -39,20 +57,82 @@ public function __construct() } /** - * @see PKPHandler::authorize() - * - * @param Request $request - * @param array $args - * @param array $roleAssignments + * @copydoc PKPHandler::authorize() */ public function authorize($request, &$args, $roleAssignments) { + $context = $request->getContext(); + if ($context->getData('reviewerAccessKeysEnabled')) { + $this->_validateAccessKey($request); + } + $router = $request->getRouter(); $this->addPolicy(new SubmissionAccessPolicy( $request, $args, $roleAssignments )); + return parent::authorize($request, $args, $roleAssignments); } + + /** + * Tests if the request contains a valid access token. If this is the case + * the regular login process will be skipped + * + * @param Request $request + */ + protected function _validateAccessKey($request) + { + $accessKeyCode = $request->getUserVar('key'); + $reviewId = $request->getUserVar('reviewId'); + if (!($accessKeyCode && $reviewId)) { + return; + } + + // Check if the user is already logged in + $sessionManager = SessionManager::getManager(); + $session = $sessionManager->getUserSession(); + if ($session->getUserId()) { + return; + } + + $reviewAssignmentDao = DAORegistry::getDAO('ReviewAssignmentDAO'); /** @var ReviewAssignmentDAO $reviewAssignmentDao */ + $reviewAssignment = $reviewAssignmentDao->getById($reviewId); + if (!$reviewAssignment) { + return; + } // e.g. deleted review assignment + + $reviewSubmission = Repo::submission()->get($reviewAssignment->getSubmissionId()); + if (!$reviewSubmission || ($reviewSubmission->getId() != $reviewAssignment->getSubmissionId())) { + return; + } // e.g. deleted review assignment + + // Validate the access key + $context = $request->getContext(); + $accessKeyManager = new AccessKeyManager(); + $accessKeyHash = $accessKeyManager->generateKeyHash($accessKeyCode); + $accessKey = $accessKeyManager->validateKey( + $context->getId(), + $reviewAssignment->getReviewerId(), + $accessKeyHash + ); + if (!$accessKey) { + return; + } + + // Get the reviewer user object + $user = Repo::user()->get($accessKey->getUserId()); + if (!$user) { + return; + } + + // Register the user object in the session + $reason = null; + if (Validation::registerUserSession($user, $reason)) { + $this->submission = $reviewSubmission; + $this->user = $user; + } + } + }