fix: allow section editors to access typesetting/galley views for assigned articles

ajrbyers · mauromsl · commit 1ea697f4c40d · 2026-04-29T12:37:48.000+01:00
diff --git a/src/security/decorators.py b/src/security/decorators.py
@@ -507,15 +507,34 @@ def typesetting_user_or_production_user_or_editor_required(func):
 
     @base_check_required
     def wrapper(request, *args, **kwargs):
+        article_id = kwargs.get("article_id", None)
+        galley_id = kwargs.get("galley_id", None)
+
         if (
             request.user.is_typesetter(request)
             or request.user.is_production(request)
             or request.user.is_editor(request)
             or request.user.is_staff
         ):
             return func(request, *args, **kwargs)
-        else:
-            deny_access(request)
+
+        elif article_id:
+            article = get_object_or_404(
+                models.Article,
+                pk=article_id,
+                journal=request.journal,
+            )
+            if request.user in article.section_editors():
+                return func(request, *args, **kwargs)
+        elif galley_id:
+            galley = get_object_or_404(
+                core_models.Galley,
+                pk=galley_id,
+            )
+            if request.user in galley.article.section_editors():
+                return func(request, *args, **kwargs)
+
+        deny_access(request)
 
     return wrapper
 
diff --git a/src/security/test_security.py b/src/security/test_security.py
@@ -3851,6 +3851,117 @@ def test_section_editor_production_no_or_bad_article_id(self):
         with self.assertRaises(PermissionDenied):
             decorated_func(request, **bad_kwargs)
 
+    def test_typesetting_user_or_production_user_or_editor_required_section_editor_article_id(
+        self,
+    ):
+        func = Mock()
+        decorated_func = (
+            decorators.typesetting_user_or_production_user_or_editor_required(
+                func,
+            )
+        )
+        kwargs = {
+            "article_id": self.article_in_production.pk,
+        }
+
+        success_request = self.prepare_request_with_user(
+            self.section_editor,
+            self.journal_one,
+            self.press,
+        )
+
+        decorated_func(success_request, **kwargs)
+        self.assertTrue(
+            func.called,
+            "typesetting_user_or_production_user_or_editor_required wrongly "
+            "blocks a SE assigned to the article.",
+        )
+
+        fail_request = self.prepare_request_with_user(
+            self.second_section_editor,
+            self.journal_one,
+            self.press,
+        )
+
+        with self.assertRaises(PermissionDenied):
+            decorated_func(fail_request, **kwargs)
+
+    def test_typesetting_user_or_production_user_or_editor_required_section_editor_no_ids(
+        self,
+    ):
+        func = Mock()
+        decorated_func = (
+            decorators.typesetting_user_or_production_user_or_editor_required(
+                func,
+            )
+        )
+
+        request = self.prepare_request_with_user(
+            self.section_editor,
+            self.journal_one,
+            self.press,
+        )
+
+        with self.assertRaises(PermissionDenied):
+            decorated_func(request)
+
+    def test_typesetting_user_or_production_user_or_editor_required_section_editor_bad_article_id(
+        self,
+    ):
+        func = Mock()
+        decorated_func = (
+            decorators.typesetting_user_or_production_user_or_editor_required(
+                func,
+            )
+        )
+        kwargs = {
+            "article_id": self.article_unassigned.pk,
+        }
+
+        request = self.prepare_request_with_user(
+            self.section_editor,
+            self.journal_one,
+            self.press,
+        )
+
+        with self.assertRaises(PermissionDenied):
+            decorated_func(request, **kwargs)
+
+    def test_typesetting_user_or_production_user_or_editor_required_section_editor_galley_id(
+        self,
+    ):
+        func = Mock()
+        decorated_func = (
+            decorators.typesetting_user_or_production_user_or_editor_required(
+                func,
+            )
+        )
+        kwargs = {
+            "galley_id": self.article_in_production_galley.pk,
+        }
+
+        success_request = self.prepare_request_with_user(
+            self.section_editor,
+            self.journal_one,
+            self.press,
+        )
+
+        decorated_func(success_request, **kwargs)
+        self.assertTrue(
+            func.called,
+            "typesetting_user_or_production_user_or_editor_required wrongly "
+            "blocks a SE accessing a galley for their assigned article.",
+        )
+
+        fail_request = self.prepare_request_with_user(
+            self.second_section_editor,
+            self.journal_one,
+            self.press,
+        )
+
+        with self.assertRaises(PermissionDenied):
+            decorated_func(fail_request, **kwargs)
+
     def test_loading_keyword_page_fail(self):
         func = Mock()
         decorated_func = decorators.keyword_page_enabled(func)
@@ -5197,6 +5308,11 @@ def setUpTestData(self):
         )
         self.production_section_editor_assignment.save()
 
+        self.article_in_production_galley = helpers.create_galley(
+            article=self.article_in_production,
+            label="HTML",
+        )
+
         self.article_editor_copyediting = submission_models.Article(
             owner=self.regular_user,
             title="A Test Article",
