pkp#8887 Ensure review assignment belongs to the expected submission

ipula · Dec 4, 2023 · a67e500 · a67e500
1 parent fea5785
commit a67e500
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 9 deletions.
diff --git a/classes/security/authorization/ReviewAssignmentFileWritePolicy.php b/classes/security/authorization/ReviewAssignmentFileWritePolicy.php
@@ -66,7 +66,7 @@ public function effect()
             return AuthorizationPolicy::AUTHORIZATION_DENY;
         }
 
-        $reviewAssignment = Repo::reviewAssignment()->get($this->_reviewAssignmentId);
+        $reviewAssignment = Repo::reviewAssignment()->get($this->_reviewAssignmentId, $submission->getId());
 
         if (!($reviewAssignment instanceof ReviewAssignment)) {
             return AuthorizationPolicy::AUTHORIZATION_DENY;

diff --git a/classes/submission/reviewAssignment/DAO.php b/classes/submission/reviewAssignment/DAO.php
@@ -14,6 +14,7 @@
 namespace PKP\submission\reviewAssignment;
 
 use APP\facades\Repo;
+use Illuminate\Database\Query\Builder;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\LazyCollection;
 use PKP\core\EntityDAO;
@@ -76,21 +77,24 @@ public function newDataObject(): ReviewAssignment
     /**
      * Check if a review assignment exists
      */
-    public function exists(int $id): bool
+    public function exists(int $id, ?int $submissionId): bool
     {
         return DB::table($this->table)
-            ->where($this->primaryKeyColumn, '=', $id)
+            ->where($this->primaryKeyColumn, $id)
+            ->when($submissionId !== null, fn(Builder $query) => $query->where('submission_id', $submissionId))
             ->exists();
     }
 
     /**
      * Get a review assignment
      */
-    public function get(int $id): ?ReviewAssignment
+    public function get(int $id, ?int $submissionId = null): ?ReviewAssignment
     {
         $row = DB::table($this->table)
             ->where($this->primaryKeyColumn, $id)
+            ->when($submissionId !== null, fn(Builder $query) => $query->where('submission_id', $submissionId))
             ->first();
+
         return $row ? $this->fromRow($row) : null;
     }
 

diff --git a/classes/submission/reviewAssignment/Repository.php b/classes/submission/reviewAssignment/Repository.php
@@ -58,15 +58,15 @@ public function newDataObject(array $params = []): ReviewAssignment
     }
 
     /** @copydoc DAO::get() */
-    public function get(int $id): ?ReviewAssignment
+    public function get(int $id, ?int $submissionId = null): ?ReviewAssignment
     {
-        return $this->dao->get($id);
+        return $this->dao->get($id, $submissionId);
     }
 
     /** @copydoc DAO::exists() */
-    public function exists(int $id): bool
+    public function exists(int $id, ?int $submissionId = null): bool
     {
-        return $this->dao->exists($id);
+        return $this->dao->exists($id, $submissionId);
     }
 
     /** @copydoc DAO::getCollector() */

diff --git a/controllers/grid/files/attachment/ReviewerReviewAttachmentGridDataProvider.php b/controllers/grid/files/attachment/ReviewerReviewAttachmentGridDataProvider.php
@@ -109,7 +109,7 @@ public function loadData($filter = [])
     public function getAddFileAction($request)
     {
         $submission = $this->getSubmission();
-        $reviewAssignment = Repo::reviewAssignment()->get($this->_getReviewId());
+        $reviewAssignment = Repo::reviewAssignment()->get($this->_getReviewId(), $submission->getId());
 
         return new AddFileLinkAction(
             $request,