Don't allow submitters to review their own artwork

2025-07-13 01:52:02 -04:00 · 2024-01-13 16:33:57 -06:00 · 2024-01-13 16:33:57 -06:00 · f992da84ae
commit f992da84ae
parent 47973970b6
5 changed files with 53 additions and 33 deletions
--- a/config/sql/se/Benefits.sql
+++ b/config/sql/se/Benefits.sql
@ -1,10 +1,11 @@
 CREATE TABLE `Benefits` (
  `UserId` int(10) unsigned NOT NULL,
-  `CanAccessFeeds` tinyint(1) unsigned NOT NULL,
-  `CanVote` tinyint(1) unsigned NOT NULL,
-  `CanBulkDownload` tinyint(1) unsigned NOT NULL,
-  `CanUploadArtwork` tinyint(1) unsigned NOT NULL,
-  `CanReviewArtwork` tinyint(1) unsigned NOT NULL,
+  `CanAccessFeeds` tinyint(1) unsigned NOT NULL DEFAULT 0,
+  `CanVote` tinyint(1) unsigned NOT NULL DEFAULT 0,
+  `CanBulkDownload` tinyint(1) unsigned NOT NULL DEFAULT 0,
+  `CanUploadArtwork` tinyint(1) unsigned NOT NULL DEFAULT 0,
+  `CanReviewArtwork` tinyint(1) unsigned NOT NULL DEFAULT 0,
+  `CanReviewOwnArtwork` tinyint(1) unsigned NOT NULL DEFAULT 0,
  PRIMARY KEY (`UserId`),
  KEY `idxBenefits` (`CanAccessFeeds`,`CanVote`,`CanBulkDownload`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--- a/lib/Benefits.php
+++ b/lib/Benefits.php
@ -5,4 +5,5 @@ class Benefits{
 	public bool $CanBulkDownload = false;
 	public bool $CanUploadArtwork = false;
 	public bool $CanReviewArtwork = false;
+	public bool $CanReviewOwnArtwork = false;
 }
--- a/www/artworks/get.php
+++ b/www/artworks/get.php
@ -129,10 +129,11 @@ catch(Exceptions\ArtworkNotFoundException){
 		<? } ?>

 		<? if($isAdminView){ ?>
-			<h2>Reviewer options</h2>
+			<h2>Editor options</h2>
 			<p>Review the metadata and PD proof for this artwork submission. Approve to make it available for future producers.</p>
 			<form method="post" action="<?= $artwork->Url ?>">
 				<input type="hidden" name="_method" value="PATCH" />
+				<? if(($artwork->SubmitterUserId != $GLOBALS['User']->UserId) || $GLOBALS['User']->Benefits->CanReviewOwnArtwork){ ?>
 					<label class="select">
 						<span>Artwork approval status</span>
 						<span>
@ -144,6 +145,7 @@ catch(Exceptions\ArtworkNotFoundException){
 							</select>
 						</span>
 					</label>
+				<? } ?>
 				<label>
 					<span>In use by</span>
 					<span>Ebook file system slug, like <code>c-s-lewis_poetry</code>. If not in use, leave this blank.</span>
--- a/www/artworks/new.php
+++ b/www/artworks/new.php
@ -19,6 +19,8 @@ try{
 		throw new Exceptions\InvalidPermissionsException();
 	}

+	$isAdminView = $GLOBALS['User']->Benefits->CanReviewArtwork ?? false;
+
 	// We got here because an artwork was successfully submitted
 	if($created){
 		http_response_code(201);
@ -36,7 +38,7 @@ try{
 		$artwork = new Artwork();
 		$artwork->Artist = new Artist();

-		if($GLOBALS['User']->Benefits->CanReviewArtwork){
+		if($GLOBALS['User']->Benefits->CanReviewOwnArtwork){
 			$artwork->Status = COVER_ARTWORK_STATUS_APPROVED;
 		}
 	}
@ -231,9 +233,10 @@ catch(Exceptions\InvalidPermissionsException){
 					<textarea maxlength="1024" name="artwork-notes"><?= Formatter::ToPlainText($artwork->Notes) ?></textarea>
 				</label>
 			</fieldset>
-			<? if($GLOBALS['User']->Benefits->CanReviewArtwork){ ?>
+			<? if($isAdminView){ ?>
 			<fieldset>
-				<legend>Reviewer options</legend>
+				<legend>Editor options</legend>
+				<? if($GLOBALS['User']->Benefits->CanReviewOwnArtwork){ ?>
 					<label class="select">
 						<span>Artwork approval status</span>
 						<span>
@ -245,6 +248,7 @@ catch(Exceptions\InvalidPermissionsException){
 							</select>
 						</span>
 					</label>
+				<? } ?>
 				<label>
 					<span>In use by</span>
 					<span>Ebook file system slug, like <code>c-s-lewis_poetry</code>. If not in use, leave this blank.</span>
--- a/www/artworks/post.php
+++ b/www/artworks/post.php
@ -44,7 +44,8 @@ try{
 		$artwork->Notes = HttpInput::Str(POST, 'artwork-notes', false);

 		// Only approved reviewers can set the status to anything but unverified when uploading
-		if($artwork->Status != COVER_ARTWORK_STATUS_UNVERIFIED && !$GLOBALS['User']->Benefits->CanReviewArtwork){
+		// The submitter cannot review their own submissions unless they have special permission
+		if($artwork->Status != COVER_ARTWORK_STATUS_UNVERIFIED && !$GLOBALS['User']->Benefits->CanReviewOwnArtwork){
 			throw new Exceptions\InvalidPermissionsException();
 		}

@ -82,7 +83,6 @@ try{
 		$artwork->CompletedYear = HttpInput::Int(POST, 'artwork-year') ?? $artwork->CompletedYear;
 		$artwork->CompletedYearIsCirca = HttpInput::Bool(POST, 'artwork-year-is-circa', false) ?? $artwork->CompletedYearIsCirca;
 		$artwork->Tags = HttpInput::Str(POST, 'artwork-tags', false) ?? $artwork->Tags;
-		$artwork->Status = HttpInput::Str(POST, 'artwork-status', false) ?? $artwork->Status;
 		$artwork->EbookWwwFilesystemPath = HttpInput::Str(POST, 'artwork-ebook-www-filesystem-path', false) ?? $artwork->EbookWwwFilesystemPath;
 		$artwork->IsPublishedInUs = HttpInput::Bool(POST, 'artwork-is-published-in-us', false) ?? $artwork->IsPublishedInUs;
 		$artwork->PublicationYear = HttpInput::Int(POST, 'artwork-publication-year') ?? $artwork->PublicationYear;
@ -95,6 +95,18 @@ try{

 		$artwork->ReviewerUserId = $GLOBALS['User']->UserId;

+		$newStatus = HttpInput::Str(POST, 'artwork-status', false);
+		if($newStatus !== null){
+			if($artwork->Status != $newStatus){
+				// Is the user attempting to review their own artwork?
+				if($artwork->Status != COVER_ARTWORK_STATUS_UNVERIFIED && $GLOBALS['User']->UserId == $artwork->SubmitterUserId && !$GLOBALS['User']->Benefits->CanReviewOwnArtwork){
+					throw new Exceptions\InvalidPermissionsException();
+				}
+			}
+
+			$artwork->Status = $newStatus;
+		}
+
 		$artwork->Save();

 		$_SESSION['artwork'] = $artwork;