From 699cdaa35886da360080a3b85d7396fe9db60f46 Mon Sep 17 00:00:00 2001
From: Jorran de Wit <jorrandewit@outlook.com>
Date: Fri, 12 May 2017 23:26:03 +0200
Subject: [PATCH] Return Author check on Submission submit

---
 submissions/forms.py | 12 +++++++++++-
 submissions/views.py | 32 ++++++++++----------------------
 2 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/submissions/forms.py b/submissions/forms.py
index 19cf53bb2..064196bd5 100644
--- a/submissions/forms.py
+++ b/submissions/forms.py
@@ -2,7 +2,7 @@ from django import forms
 from django.core.validators import RegexValidator
 
 from .constants import ASSIGNMENT_BOOL, ASSIGNMENT_REFUSAL_REASONS,\
-                       REPORT_ACTION_CHOICES, REPORT_REFUSAL_CHOICES, SUBMISSION_CYCLES
+                       REPORT_ACTION_CHOICES, REPORT_REFUSAL_CHOICES
 from .models import Submission, RefereeInvitation, Report, EICRecommendation
 
 from scipost.constants import SCIPOST_SUBJECT_AREAS
@@ -77,6 +77,16 @@ class SubmissionForm(forms.ModelForm):
             'placeholder': 'Optional: names of referees whose reports should be treated with caution (+ short reason)',
             'rows': 3})
 
+    def check_user_may_submit(self, current_user):
+        """
+        Important check!
+
+        The submitting user must be an author of the submission.
+        Also possibly may be extended to check permissions and give ultimate submission
+        power to certain user groups.
+        """
+        return current_user.last_name in self.cleaned_data['author_list']
+
     def update_submission_data(self):
         """
         Some fields should not be accessible in the HTML form by the user and should be
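Review bot: `check_user_may_submit` decides authorship with a case-sensitive `in` test of `current_user.last_name` against `cleaned_data['author_list']`, which is too loose for an authorization gate. If `author_list` is a free-text string (its type is not visible in this hunk), this is a substring match: an empty `last_name` passes for every submission, and a short name matches inside any longer author name. The list also comes from the submitted form, so unless it is fixed elsewhere the user being checked supplies the value they are checked against. At minimum, reject blank names and normalise case, e.g. `name = current_user.last_name.strip().lower()` followed by `return bool(name) and name in self.cleaned_data['author_list'].lower()`. The docstring should also say this is a name heuristic, not proof of identity.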
diff --git a/submissions/views.py b/submissions/views.py
index ce94d8f6c..712898a51 100644
--- a/submissions/views.py
+++ b/submissions/views.py
@@ -109,28 +109,7 @@ class PrefillUsingIdentifierView(PermissionRequiredMixin, FormView):
 
 class SubmissionCreateView(PermissionRequiredMixin, CreateView):
     model = Submission
-    fields = [
-        'is_resubmission',
-        'discipline',
-        'submitted_to_journal',
-        'submission_type',
-        'domain',
-        'subject_area',
-        'secondary_areas',
-        'title',
-        'author_list',
-        'abstract',
-        'arxiv_identifier_w_vn_nr',
-        'arxiv_identifier_wo_vn_nr',
-        'arxiv_vn_nr',
-        'arxiv_link',
-        'metadata',
-        'author_comments',
-        'list_of_changes',
-        'remarks_for_editors',
-        'referees_suggested',
-        'referees_flagged'
-    ]
+    form_class = SubmissionForm
 
     template_name = 'submissions/new_submission.html'
     permission_required = 'scipost.can_submit_manuscript'
@@ -148,6 +127,15 @@ class SubmissionCreateView(PermissionRequiredMixin, CreateView):
         submitted_by = Contributor.objects.get(user=self.request.user)
         form.instance.submitted_by = submitted_by
 
+        # Temporary until moved to new Arxiv Caller
+        # Check submitting user for authorship !
+        # With the new Arxiv caller, this message should already be given in the prefil form!
+        if not form.check_user_may_submit(self.request.user):
+            msg = ('Your name does not match that of any of the authors. '
+                   'You are not authorized to submit this preprint.')
+            messages.error(self.request, msg)
+            return redirect('submissions:prefill_using_identifier')
+
         # Save all the information contained in the form
         submission = form.save()
 
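Review bot: The authorship check is enforced only here in the view, after the form has already validated, so any other code path that validates and saves a `SubmissionForm` skips it. Running it from the form's `clean()`, with the requesting user passed to the form, would make `is_valid()` fail instead. The rejection is also never recorded, so repeated attempts to submit someone else's preprint leave only a flash message; assuming a module-level logger is added, a line such as `logger.warning('Submission rejected, user %s not in author list', self.request.user.pk)` before the redirect would make them visible. The enclosing method starts and ends outside this hunk, and the imports of `messages` and `redirect` are not shown, so confirm both are present in views.py.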
-- 
GitLab