Problem
The function that processes tick marks on the prepublication checklist needs journal to be in the request, to pass security checks:
|
@require_POST |
|
@editor_user_required |
|
def publish_article_check(request, article_id): |
|
""" |
|
A POST only view that updates checklist items on the prepublication page. |
|
:param request: HttpRequest object |
|
:param article_id: Artcle object PK |
|
:return: HttpResponse object |
|
""" |
|
article = get_object_or_404( |
|
submission_models.Article, |
|
Q(stage=submission_models.STAGE_READY_FOR_PUBLICATION) | |
|
Q(stage=submission_models.STAGE_PUBLISHED), |
|
pk=article_id, |
|
journal=request.journal, |
|
) |
But the JavaScript that creates the URL only considers domain mode journals and hard-codes the POST url:
|
"url": "/publish/article/" + {{ article.pk }} + "/check/", |
As a result, the middleware does not know what the journal is, and adds no journal onto the request object. So when the user clicks a tick mark, nothing happens, and permission denied is logged unseen on the server.
Proposed solution
Use Django url to form the URL in the JS so it works for both path and domain mode.
Problem
The function that processes tick marks on the prepublication checklist needs
journalto be in the request, to pass security checks:janeway/src/journal/views.py
Lines 1266 to 1281 in 14ec665
But the JavaScript that creates the URL only considers domain mode journals and hard-codes the POST url:
janeway/src/templates/admin/journal/publish_article.html
Line 276 in 14ec665
As a result, the middleware does not know what the journal is, and adds no journal onto the request object. So when the user clicks a tick mark, nothing happens, and permission denied is logged unseen on the server.
Proposed solution
Use Django
urlto form the URL in the JS so it works for both path and domain mode.