pkp/pkp-lib#8307 Validate author_id (stable-3_3_0)

classes/services/PKPAuthorService.inc.php

@@ -29,9 +29,9 @@ class PKPAuthorService implements EntityReadInterface, EntityWriteInterface, Ent
 	/**
 	 * @copydoc \PKP\Services\interfaces\EntityReadInterface::get()
 	 */
-	public function get($authorId) {
+	public function get($authorId, $publicationId = null) {
 		$authorDao = DAORegistry::getDAO('AuthorDAO'); /* @var $authorDao AuthorDAO */
-		return $authorDao->getById($authorId);
+		return $authorDao->getById($authorId, $publicationId);
 	}
 
 	/**

classes/submission/PKPAuthorDAO.inc.php

@@ -50,12 +50,15 @@ function newDataObject() {
 
 	/**
 	 * @copydoc SchemaDAO::getById()
-	 * Overrides the parent implementation to add the submission_locale column
+	 * Overrides the parent implementation to add the submission_locale column and validate publication_id
 	 */
-	public function getById($objectId) {
+	public function getById($objectId, $publicationId = null) {
+		$params = [(int) $objectId];
+		if ($publicationId !== null) $params[] = (int) $publicationId;
 		$result = $this->retrieve(
-			'SELECT a.*, s.locale AS submission_locale FROM authors a JOIN publications p ON (a.publication_id = p.publication_id) JOIN submissions s ON (s.submission_id = p.submission_id) WHERE author_id = ?',
-			[(int) $objectId]
+			'SELECT a.*, s.locale AS submission_locale FROM authors a JOIN publications p ON (a.publication_id = p.publication_id) JOIN submissions s ON (s.submission_id = p.submission_id) WHERE author_id = ?'
+			. ($publicationId !== null ? ' AND p.publication_id = ?' : ''),
+			$params
 		);
 		$row = $result->current();
 		return $row ? $this->_fromRow((array) $row) : null;

controllers/grid/users/author/AuthorGridHandler.inc.php

@@ -207,7 +207,7 @@ function getDataElementSequence($gridDataElement) {
 	function setDataElementSequence($request, $rowId, $gridDataElement, $newSequence) {
 		if (!$this->canAdminister($request->getUser())) return;
 		$authorDao = DAORegistry::getDAO('AuthorDAO'); /* @var $authorDao AuthorDAO */
-		$author = $authorDao->getById($rowId);
+		$author = $authorDao->getById($rowId, $this->getPublication()->getId());
 		$author->setSequence($newSequence);
 		$authorDao->updateObject($author);
 	}
@@ -299,7 +299,7 @@ function editAuthor($args, $request) {
 		$authorId = (int) $request->getUserVar('authorId');
 
 		$authorDao = DAORegistry::getDAO('AuthorDAO'); /* @var $authorDao AuthorDAO */
-		$author = $authorDao->getById($authorId);
+		$author = $authorDao->getById($authorId, $this->getPublication()->getId());
 
 		// Form handling
 		import('controllers.grid.users.author.form.AuthorForm');
@@ -326,7 +326,7 @@ function updateAuthor($args, $request) {
 		$authorId = (int) $request->getUserVar('authorId');
 		$publication = $this->getPublication();
 
-		$author = Services::get('author')->get($authorId);
+		$author = Services::get('author')->get($authorId, $publication->getId());
 
 		// Form handling
 		import('controllers.grid.users.author.form.AuthorForm');
@@ -408,7 +408,7 @@ function addUser($args, $request) {
 
 		$authorDao = DAORegistry::getDAO('AuthorDAO'); /* @var $authorDao AuthorDAO */
 		$userDao = DAORegistry::getDAO('UserDAO'); /* @var $userDao UserDAO */
-		$author = $authorDao->getById($authorId);
+		$author = $authorDao->getById($authorId, $this->getPublication()->getId());
 
 		if ($author !== null && $userDao->userExistsByEmail($author->getEmail())) {
 			// We don't have administrative rights over this user.

controllers/grid/users/author/AuthorGridRow.inc.php

@@ -90,7 +90,7 @@ function initialize($request, $template = null) {
 
 				$authorDao = DAORegistry::getDAO('AuthorDAO'); /* @var $authorDao AuthorDAO */
 				$userDao = DAORegistry::getDAO('UserDAO'); /* @var $userDao UserDAO */
-				$author = $authorDao->getById($rowId);
+				$author = $authorDao->getById($rowId, $this->getPublication()->getId());
 
 				if ($author && !$userDao->userExistsByEmail($author->getEmail())) {
 					$this->addAction(