fix: fixes to editor assignment, permissions and form migration
Three fixes:
- Any logged in user could access any manuscript if they knew the URL, e.g.
http://localhost:4000/kotahi/versions/288d71a6-66c6-4524-9acb-f87ad86aaf3a/submit
. See #1501 (closed). Seems like this was a longstanding issue. I've tightened access restrictions so the manuscript data can only be retrieved if the manuscript is published, or if the user is an admin or group-manager or an author, editor, reviewer or invited reviewer of the manuscript. - Editor assignment wasn't working on the decision page, "Teams" tab (see #1321 (closed)). The three editor assignment controls were supposed to create a new editor/handlingEditor/seniorEditor team if one did not yet exist, but this step was erroneously being skipped, and the control was trying to add an editor to a non-existent team.
- A migration I recently added was losing form metadata such as
form.structure.name
while removing invalid/improperly-defined fields. The result was that forms containing undefined fields were losing their title, description and popup settings during the course of migration. I've fixed the migration, and also tweaked the dynamic forms code so it doesn't crash if for some reason it has to render a form with no title -- though that should hopefully never happen now.