diff --git a/scipost_django/journals/views.py b/scipost_django/journals/views.py index 1dc8ae0cb92921dc7a8cca7be7c241b5e81f04fe..3a59fef9f91db1b4c7a58950e3a9a105823653ad 100644 --- a/scipost_django/journals/views.py +++ b/scipost_django/journals/views.py @@ -304,6 +304,10 @@ def journal_detail(request, doi_label): or paginates its individual Publications. """ journal = get_object_or_404(Journal, doi_label=doi_label) + # Guard against inactive journals + if not (journal.active or request.user.is_staff): + raise PermissionDenied("Journal is not active") + accepted_submission_ids = [ sub.id for sub in Submission.objects.accepted() @@ -1010,7 +1014,9 @@ def _hx_citation_list_item_form(request, doi_label, index: int | None = None): else: index = len(publication.metadata["citation_list"]) form = CitationListItemForm( - request.POST or None, instance=publication, index=index, + request.POST or None, + instance=publication, + index=index, ) if request.method == "POST": diff --git a/scipost_django/stats/views.py b/scipost_django/stats/views.py index 6cf047d625edd6f56da86d8293b091e6f72ae088..e6aff044e0eb23f5ac34db6bb9f4a4a1368d39f4 100644 --- a/scipost_django/stats/views.py +++ b/scipost_django/stats/views.py @@ -5,6 +5,7 @@ __license__ = "AGPL v3" import datetime from django.contrib.auth.decorators import permission_required +from django.core.exceptions import PermissionDenied from django.shortcuts import get_object_or_404, render from django.utils import timezone @@ -66,6 +67,10 @@ def statistics( } if journal_doi_label: journal = get_object_or_404(Journal, doi_label=journal_doi_label) + # Guard against inactive journals + if not (journal.active or request.user.is_staff): + raise PermissionDenied("Journal is not active") + context["journal"] = journal if year: context["year"] = year 
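Review bot: In `journal_detail`, the new guard answers 403 with "Journal is not active", while an unknown `doi_label` gets 404 from `get_object_or_404`, so a non-staff visitor can tell that an inactive journal exists. If that is not intended, `raise Http404` in the guard keeps the two cases indistinguishable. The same three lines are repeated in `statistics` (stats/views.py) and in both submissions hunks, so a small shared helper, for instance `get_active_journal_or_404(request, doi_label)`, would keep the rule in one place and make it harder to leave a view unguarded. Only stats/views.py gains the `PermissionDenied` import in this commit; presumably journals/views.py and submissions/views/__init__.py already import it, but that is not visible here and is worth confirming. The body of `journal_detail` continues past the end of the hunk.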
diff --git a/scipost_django/submissions/views/__init__.py b/scipost_django/submissions/views/__init__.py index 3f9064b46d20808d72df9ffb7a496ee0fc83a8ea..96ce8591c3e9584d6994d53afc48604995d28b0e 100644 --- a/scipost_django/submissions/views/__init__.py +++ b/scipost_django/submissions/views/__init__.py @@ -221,6 +221,10 @@ def submit_choose_preprint_server(request, journal_doi_label): Choose a preprint server. If `thread_hash` is given as a GET parameter, this is a resubmission. """ journal = get_object_or_404(Journal, doi_label=journal_doi_label) + # Guard against inactive journals + if not (journal.active or request.user.is_staff): + raise PermissionDenied("Journal is not active") + preprint_servers = PreprintServer.objects.filter( acad_fields=journal.college.acad_field ) @@ -320,6 +324,11 @@ class RequestSubmissionView(LoginRequiredMixin, PermissionRequiredMixin, CreateV """ Redirect to `submit_choose_preprint_server` if preprint identifier is not known. """ + # Guard against inactive journals + journal = get_object_or_404(Journal, doi_label=journal_doi_label) + if not (journal.active or request.user.is_staff): + raise PermissionDenied("Journal is not active") + if self.prefill_form.is_valid(): if self.prefill_form.is_resubmission(): resubmessage = ( @@ -2715,6 +2724,7 @@ def _hx_submission_update_target_proceedings_form(request, identifier_w_vn_nr): context, ) + @permission_required("scipost.can_fix_College_decision") def _hx_submission_update_collections(request, identifier_w_vn_nr): submission = get_object_or_404( @@ -2728,6 +2738,7 @@ def _hx_submission_update_collections(request, identifier_w_vn_nr): }, ) + @permission_required("scipost.can_fix_College_decision") def _hx_submission_update_collections_form(request, identifier_w_vn_nr): submission = get_object_or_404(
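Review bot: In `RequestSubmissionView`, the guard sits in the method whose docstring describes the redirect to `submit_choose_preprint_server`, which looks like the GET handler, so a POST sent straight to the submission URL would presumably still create a submission for an inactive journal. Moving the check into `dispatch()` runs it for every HTTP method. The method signature is outside the hunk, so the sketch below assumes `journal_doi_label` arrives as a URL keyword argument. Because this `dispatch` is defined on the view itself, it runs before the login and permission mixins, so an anonymous request for an inactive journal gets the 403 rather than the login redirect.

```python
def dispatch(self, request, *args, **kwargs):
    # Enforced here so that get() and post() are both covered.
    journal = get_object_or_404(Journal, doi_label=kwargs["journal_doi_label"])
    if not (journal.active or request.user.is_staff):
        raise PermissionDenied("Journal is not active")
    return super().dispatch(request, *args, **kwargs)
```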