11 changes: 11 additions & 0 deletions api/v1/_i18n/I18nController.php
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
use Illuminate\Http\Response;
use Illuminate\Support\Facades\Route;
use PKP\core\PKPBaseController;
use PKP\core\PKPRequest;
use PKP\facades\Locale;

class I18nController extends PKPBaseController
Expand Down Expand Up @@ -49,6 +50,16 @@ public function getGroupRoutes(): void
Route::get('ui.js', $this->getTranslations(...))->name('_i18n.getTranslations');
}


/**
* @copydoc \PKP\core\PKPBaseController::authorize()
*/
public function authorize(PKPRequest $request, array &$args, array $roleAssignments): bool
{
// No authorization required for publicly accessible endpoint
Member

This will bypass e.g. HttpsPolicy, which should apply. Could you see if there's another way that doesn't require short-cutting the authorize function? I worry this will have other knock-on effects.

Contributor Author

@asmecher
Maybe something like the following would suffice.

    // api/v1/_i18n/I18nController.php::authorize()
    public function authorize(PKPRequest $request, array &$args, array $roleAssignments): bool
    {
        $this->addPolicy(new class extends \PKP\security\authorization\AuthorizationPolicy {
            public function effect(): int {
                return self::AUTHORIZATION_PERMIT;
            }
        });
        return parent::authorize($request, $args, $roleAssignments);
    }

This adds an anonymous policy class which grants access to the endpoints, but still allows the authorization checks in the base PKPBaseController class to take effect. What do you think?

If we go with this approach then that anonymous policy could be moved to an actual policy class.

Member

@taslangraham, that looks promising, but before you go that route -- can you check whether a call to markRoleAssignmentsChecked would be enough? If I remember correctly, the auth code doesn't like it when code is run without a role-checking auth policy, because there's a risk that someone will forget to add the auth policy. This function will let the auth code know that it's not a mistake, we actually do want to run without a policy added.

Contributor Author

@asmecher

I checked, and the markRoleAssignmentsChecked method alone isn't enough. Based on what you described though, if we go the route I suggested above, then it likely should be updated to also call markRoleAssignmentsChecked.

return true;
}

/**
* Provides javascript file which includes all translations used in Vue.js UI.
*/
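Review bot: The authorize() override ends in `return true;` and never calls parent::authorize($request, $args, $roleAssignments), so whatever the base controller does in its own authorize() is skipped for this route, which is the HttpsPolicy concern raised in the thread. Keep the endpoint public by registering an explicit permit policy and then returning the parent's result, so the override relaxes only the role check instead of replacing the whole authorization step. The `@copydoc` docblock also hides that this method deliberately differs from the base behaviour; state that in the docblock rather than only in the inline comment.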
11 changes: 11 additions & 0 deletions api/v1/invitations/InvitationController.php
Expand Up @@ -41,6 +41,13 @@ class InvitationController extends PKPBaseController
public const PARAM_ID = 'invitationId';
public const PARAM_KEY = 'key';

public array $publicActions = [
'receive',
'finalize',
'refine',
'decline',
];

public $actionsInvite = [
'get',
'populate',
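Review bot: `public array $publicActions` is a public, mutable property, yet the authorize() change in this same file uses it to decide which actions get restricted-site enforcement switched off. Declare the list as a class constant (or at least make it private) and add a short docblock saying why receive, finalize, refine and decline must be reachable without login. The neighbouring `public $actionsInvite` is untyped while the new property is typed; pick one style for these lists.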
Expand Down Expand Up @@ -184,6 +191,10 @@ public function authorize(PKPRequest $request, array &$args, array $roleAssignme
$invitationId = (int) $this->getParameter(self::PARAM_ID);
$invitationKey = $this->getParameter(self::PARAM_KEY);

if(in_array($actionName, $this->publicActions)){
$this->setEnforceRestrictedSite(false);
}

if (in_array($actionName, $this->requiresType)) {
if (!isset($invitationType)) {
throw new Exception("Parameter with the name '" . self::PARAM_TYPE . "' needs to be declared");
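Review bot: The new `if(in_array($actionName, $this->publicActions)){` block turns off restricted-site enforcement on the action name alone, before any visible check on `$invitationId` or `$invitationKey`. Confirm that each of the four public actions still validates the invitation key later in this method or in its handler, and say so in a comment here so a reader can see what protects these routes once login enforcement is off. Use `in_array($actionName, $this->publicActions, true)` for a strict comparison, and match the spacing of the following `if (in_array(...)) {` line.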
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ public function effect(): int
*/
private function _getLoginExemptions(): array
{
$exemptions = ['user', 'login', 'help', 'header', 'sidebar', 'payment'];
$exemptions = ['user', 'login', 'help', 'header', 'sidebar', 'payment', 'invitation'];
Hook::call('RestrictedSiteAccessPolicy::_getLoginExemptions', [[&$exemptions]]);
return $exemptions;
}
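Review bot: Adding 'invitation' to `$exemptions` exempts by a single name, while InvitationController limits its own relaxation to four named actions; check that this entry does not open more of the invitation pages than receive, finalize, refine and decline need. If the exemption has to stay this broad, explain why in the docblock of `_getLoginExemptions()` and add a test that exercises an invitation link on a restricted site, both for an exempted action and for one that should still require login.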