Users can access pages of a manuscript, without being assigned a role
Expected behaviour
A user (without the admin or group manager role) should only be able to see manuscripts on which they are an author, reviewer or editor. Those same manuscripts should be the ones listed on the user's main dashboard under their submissions / to review / editor of sections.
Current behaviour
A user can access any manuscript page if given its URL, even without any role assigned on that manuscript.
Steps to reproduce
- Log in as an admin (any other user would also be valid for this test case).
- Create a new manuscript.
- The URL of the new manuscript will look like this: https://nbdt.cloud68.co/kotahi/versions/05634472-c8c9-45a9-b201-d5a8ce4b8a5b/submit. Copy it.
- In a new browser, log in as a normal user.
- Paste the URL from step 3 into that browser.
- You can access the submission page; by changing the final path segment from /submit to /decision or /review you can also access the decision and review pages.
This was tested on the nbdt test site and also on the aperture test site. The only difference is that on aperture the /decision page can't be accessed.
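A server-side sketch of the check the expected behaviour above describes, added here as an example (this is not Kotahi's own code): one authorization rule, keyed on per-manuscript team membership, that both guards the /submit, /review and /decision pages and produces the dashboard lists, so the page guard and the dashboard can never disagree. The data shape, the role names, the page-to-role table, the URL pattern and the admin/group-manager bypass are assumptions for illustration; the manuscripts and users are constructed sample data.

```javascript
// Added example, not Kotahi's code. Assumed data shapes and role names.

// Constructed sample data: each manuscript carries its own team lists.
const manuscripts = [
  { id: 'm-1', teams: { author: ['alice'], reviewer: ['bob'], editor: ['erin'] } },
  { id: 'm-2', teams: { author: ['carol'], reviewer: [], editor: ['erin'] } },
];

// Which manuscript-level roles may open which page (last URL segment).
// Assumed mapping; a real deployment would tune this.
const PAGE_ROLES = {
  submit: ['author', 'editor'],
  review: ['reviewer', 'editor'],
  decision: ['editor'],
};

// Global roles that are allowed to see every manuscript.
const GLOBAL_BYPASS = new Set(['admin', 'groupManager']);

// Roles the user holds on one manuscript, derived from its teams.
function rolesOn(manuscript, userId) {
  return Object.entries(manuscript.teams)
    .filter(([, members]) => members.includes(userId))
    .map(([role]) => role);
}

// Single authorization decision for a page request.
// user = { id, globalRoles: [...] }
function canOpen(user, manuscript, page) {
  if (!manuscript) return false; // unknown id: deny, and do not reveal existence
  if (user.globalRoles.some(r => GLOBAL_BYPASS.has(r))) return true;
  const allowed = PAGE_ROLES[page];
  if (!allowed) return false; // unknown page: deny by default
  return rolesOn(manuscript, user.id).some(r => allowed.includes(r));
}

// Dashboard lists, built from the same membership data the guard uses.
function dashboardFor(user) {
  const out = { submissions: [], toReview: [], editorOf: [] };
  for (const m of manuscripts) {
    const roles = rolesOn(m, user.id);
    if (roles.includes('author')) out.submissions.push(m.id);
    if (roles.includes('reviewer')) out.toReview.push(m.id);
    if (roles.includes('editor')) out.editorOf.push(m.id);
  }
  return out;
}

// Route guard: parse ".../versions/<id>/<page>" and return an HTTP status.
// Both "no such manuscript" and "no role" yield 403, so a probe learns nothing.
function guardRequest(user, path) {
  const m = path.match(/\/versions\/([^/]+)\/([^/]+)$/);
  if (!m) return 404;
  const manuscript = manuscripts.find(x => x.id === m[1]);
  return canOpen(user, manuscript, m[2]) ? 200 : 403;
}

// Stand-alone demo: a user with no role on m-1 is refused every page.
const dave = { id: 'dave', globalRoles: [] };
for (const page of ['submit', 'review', 'decision']) {
  console.log(page, guardRequest(dave, `/kotahi/versions/m-1/${page}`));
}
```

The design point is that the guard runs on every request for a manuscript page, not only when rendering links, and that the dashboard query is just another view of the same team data rather than a separate permission list that can drift out of sync.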
Environment
Firefox and Brave browsers.