Skip to content

Add missing one-click login to OMP 3.4 #2291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ajnyga wants to merge 1 commit into
base: stable-3_4_0
Choose a base branch
from
+87 −7
Open

Add missing one-click login to OMP 3.4 #2291

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 87 additions & 7 deletions pages/reviewer/ReviewerHandler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@
/**
* @file pages/reviewer/ReviewerHandler.php
*
* Copyright (c) 2014-2021 Simon Fraser University
* Copyright (c) 2003-2021 John Willinsky
* Copyright (c) 2014-2026 Simon Fraser University
* Copyright (c) 2003-2026 John Willinsky
* Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
*
* @class ReviewerHandler
Expand All @@ -17,12 +17,30 @@
namespace APP\pages\reviewer;

use APP\core\Request;
use APP\facades\Repo;
use APP\submission\reviewer\form\ReviewerReviewStep3Form;
use APP\submission\Submission;
use PKP\core\PKPRequest;
use PKP\db\DAORegistry;
use PKP\pages\reviewer\PKPReviewerHandler;
use PKP\security\AccessKeyManager;
use PKP\security\authorization\SubmissionAccessPolicy;
use PKP\security\Role;
use PKP\security\Validation;
use PKP\session\SessionManager;
use PKP\submission\reviewAssignment\ReviewAssignment;
use PKP\submission\reviewAssignment\ReviewAssignmentDAO;
use PKP\user\User;

class ReviewerHandler extends PKPReviewerHandler
{

/** @var Submission */
public $submission;

/** @var User */
public $user;

/**
* Constructor
*/
Expand All @@ -39,20 +57,82 @@ public function __construct()
}

/**
* @see PKPHandler::authorize()
*
* @param Request $request
* @param array $args
* @param array $roleAssignments
* @copydoc PKPHandler::authorize()
*/
public function authorize($request, &$args, $roleAssignments)
{
$context = $request->getContext();
if ($context->getData('reviewerAccessKeysEnabled')) {
$this->_validateAccessKey($request);
}

$router = $request->getRouter();
$this->addPolicy(new SubmissionAccessPolicy(
$request,
$args,
$roleAssignments
));

return parent::authorize($request, $args, $roleAssignments);
}

/**
* Tests if the request contains a valid access token. If this is the case
* the regular login process will be skipped
*
* @param Request $request
*/
protected function _validateAccessKey($request)
{
$accessKeyCode = $request->getUserVar('key');
$reviewId = $request->getUserVar('reviewId');
if (!($accessKeyCode && $reviewId)) {
return;
}

// Check if the user is already logged in
$sessionManager = SessionManager::getManager();
$session = $sessionManager->getUserSession();
if ($session->getUserId()) {
return;
}

$reviewAssignmentDao = DAORegistry::getDAO('ReviewAssignmentDAO'); /** @var ReviewAssignmentDAO $reviewAssignmentDao */
$reviewAssignment = $reviewAssignmentDao->getById($reviewId);
if (!$reviewAssignment) {
return;
} // e.g. deleted review assignment

$reviewSubmission = Repo::submission()->get($reviewAssignment->getSubmissionId());
if (!$reviewSubmission || ($reviewSubmission->getId() != $reviewAssignment->getSubmissionId())) {

@asmecher asmecher Jun 10, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The $reviewSubmission->getId() != $reviewAssignment->getSubmissionId() will always be false here, since we're getting the submission from the review assignment.

However, there's no check to make sure that the review assignment and the review are from the current journal!

return;
} // e.g. deleted review assignment

// Validate the access key
$context = $request->getContext();
$accessKeyManager = new AccessKeyManager();
$accessKeyHash = $accessKeyManager->generateKeyHash($accessKeyCode);
$accessKey = $accessKeyManager->validateKey(
$context->getId(),
$reviewAssignment->getReviewerId(),
$accessKeyHash
);
if (!$accessKey) {
return;
}

// Get the reviewer user object
$user = Repo::user()->get($accessKey->getUserId());
if (!$user) {
return;
}

// Register the user object in the session
$reason = null;
if (Validation::registerUserSession($user, $reason)) {
$this->submission = $reviewSubmission;
$this->user = $user;
}
}

}
Loading