From 9e6f8fde667353649ee7d18ad892341e6adbe1f9 Mon Sep 17 00:00:00 2001
From: Vlad0n20
Date: Thu, 28 Aug 2025 16:20:27 +0300
Subject: [PATCH] Update permissions for write preprint contributors
---
 api/actions/permissions.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/api/actions/permissions.py b/api/actions/permissions.py
index dec41f32c3b..a10108e7b28 100644
--- a/api/actions/permissions.py
+++ b/api/actions/permissions.py
@@ -46,7 +46,19 @@ def has_object_permission(self, request, view, obj):
 else:
 # Moderators and node admins can trigger state changes.
 is_node_admin = target is not None and target.has_permission(auth.user, osf_permissions.ADMIN)
- if not (is_node_admin or auth.user.has_perm('view_submissions', provider)):
+ is_write_contributor = target is not None and target.has_permission(auth.user, osf_permissions.WRITE)
+
+ provisional_write_allowed = False
+ if is_write_contributor:
+ try:
+ serializer = view.get_serializer(data=request.data)
+ serializer.is_valid(raise_exception=True)
+ trigger = serializer.validated_data.get('trigger')
+ provisional_write_allowed = trigger == ReviewTriggers.SUBMIT.value
+ except Exception:
+ provisional_write_allowed = False
+
+ if not (is_node_admin or auth.user.has_perm('view_submissions', provider) or provisional_write_allowed):
 return False
 # User can trigger state changes on this reviewable, but can they use this trigger in particular?
@@ -54,4 +66,6 @@ def has_object_permission(self, request, view, obj):
 serializer.is_valid(raise_exception=True)
 trigger = serializer.validated_data.get('trigger')
 permission = TRIGGER_PERMISSIONS[trigger]
+ if permission is None and is_write_contributor and trigger == ReviewTriggers.SUBMIT.value:
+ return True
 return permission is None or request.user.has_perm(permission, target.provider)
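Review bot: The `except Exception:` around the write-contributor probe in the first hunk turns every failure into a silent denial, including a programming error such as an unresolved name, so a broken SUBMIT path for write contributors would look like an ordinary permission refusal. Catching only the serializer's validation error, `except ValidationError:` (from rest_framework.exceptions, if it is or can be imported in this file), keeps the fail-closed result for bad payloads and lets real faults surface. The same request body is validated a second time just below the gate; validating once before the gate and reusing `trigger` would leave a single parsing path feeding the authorization decision. has_object_permission starts and ends outside this hunk, and the import of `ReviewTriggers` is not visible here.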
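Review bot: The added `if permission is None and is_write_contributor and trigger == ReviewTriggers.SUBMIT.value: return True` in the second hunk cannot change the outcome, because the following `return permission is None or ...` already returns True whenever `permission` is None. Dropping the branch keeps the trigger-level decision in one expression. If the intent was to let write contributors submit even when SUBMIT maps to a non-None permission, the condition should not require `permission is None`, and that wider grant would need a comment stating it. Either way, a test asserting that a write contributor sending any trigger other than SUBMIT is refused would pin the boundary this commit moves.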