From c811510119e71da4f26da3069809314f85c54b8c Mon Sep 17 00:00:00 2001
From: Taslan Graham
Date: Wed, 13 Nov 2024 12:31:31 -0500
Subject: [PATCH] pkp/pkp-lib#10571 add additional access checks

---
 classes/emailTemplate/DAO.php | 3 ---
 classes/emailTemplate/Repository.php | 3 +--
 controllers/grid/queries/form/QueryForm.php | 1 -
 .../form/AdvancedSearchReviewerForm.php | 25 +++++++++++--------
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/classes/emailTemplate/DAO.php b/classes/emailTemplate/DAO.php
index 9cececadc54..1763e6f7f7c 100644
--- a/classes/emailTemplate/DAO.php
+++ b/classes/emailTemplate/DAO.php
@@ -449,7 +449,4 @@ protected function getUniqueKey(EmailTemplate $emailTemplate): string
 return $key;
 }
-
-
-
 }
diff --git a/classes/emailTemplate/Repository.php b/classes/emailTemplate/Repository.php
index af416779309..3d1cb637a97 100644
--- a/classes/emailTemplate/Repository.php
+++ b/classes/emailTemplate/Repository.php
@@ -277,7 +277,7 @@ public function isTemplateAccessibleToUser(User $user, EmailTemplate $template,
 /**
 * Filters a list of EmailTemplates to return only those accessible by a specified user.
 *
- * @param Enumerable $templates List of EmailTemplate objects to filter.
+ * @param Enumerable $templates List of EmailTemplates to filter.
 * @param User $user The user whose access level is used for filtering.
 *
 * @return Collection Filtered list of EmailTemplate objects accessible to the user.
@@ -369,5 +369,4 @@ private function markTemplateAsUnrestricted(EmailTemplate $emailTemplate, bool $
 ->delete();
 }
 }
-
 }
diff --git a/controllers/grid/queries/form/QueryForm.php b/controllers/grid/queries/form/QueryForm.php
index cce3d2b1920..41881ae42a4 100644
--- a/controllers/grid/queries/form/QueryForm.php
+++ b/controllers/grid/queries/form/QueryForm.php
@@ -315,7 +315,6 @@ public function fetch($request, $template = null, $display = false, $actionArgs
 }
 }
- $templateMgr->assign('templates', $templateKeySubjectPairs);
 // Get currently selected participants in the query
diff --git a/controllers/grid/users/reviewer/form/AdvancedSearchReviewerForm.php b/controllers/grid/users/reviewer/form/AdvancedSearchReviewerForm.php
index 4e718773a4d..01fa561f784 100644
--- a/controllers/grid/users/reviewer/form/AdvancedSearchReviewerForm.php
+++ b/controllers/grid/users/reviewer/form/AdvancedSearchReviewerForm.php
@@ -77,7 +77,10 @@ public function initData()
 $templates = Repo::emailTemplate()->getCollector($context->getId())
 ->filterByKeys([ReviewRequest::getEmailTemplateKey(), ReviewRequestSubsequent::getEmailTemplateKey()])
- ->getMany()
+ ->getMany();
+
+ $templates = Repo::emailTemplate()
+ ->filterTemplatesByUserAccess($templates, $request->getUser(), $context->getId())
 ->mapWithKeys(function (EmailTemplate $item, int $key) use ($mailable) {
 return [$item->getData('key') => Mail::compileParams($item->getLocalizedData('body'), $mailable->viewData)];
 });
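Review bot: The new `filterTemplatesByUserAccess` call in initData() only narrows the set of templates rendered into the form; whether the template key the user later submits is re-checked against the same access rule before the review-request mail is composed is not visible in this hunk, and a list filtered at render time does not by itself stop a crafted POST that carries a restricted key. If the form's validation or execute path does not already re-run `Repo::emailTemplate()->isTemplateAccessibleToUser($request->getUser(), $selectedTemplate, $context->getId())` on the chosen key, that server-side check is the one that actually enforces the restriction and should be added there. Filtering for display is still worthwhile, but it should be documented as a UX measure rather than the access control itself. initData() begins before this hunk, so the source of `$request`, `$context` and `$mailable` is assumed from context.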
@@ -258,22 +261,24 @@ public function fetch($request, $template = null, $display = false)
 protected function getEmailTemplates(): array
 {
- $subsequentTemplate = Repo::emailTemplate()->getByKey(
- Application::get()->getRequest()->getContext()->getId(),
- ReviewRequestSubsequent::getEmailTemplateKey()
- );
+ $contextId = Application::get()->getRequest()->getContext()->getId();
+ $subsequentTemplate = Repo::emailTemplate()->getByKey($contextId, ReviewRequestSubsequent::getEmailTemplateKey());
 $alternateTemplates = Repo::emailTemplate()->getCollector(Application::get()->getRequest()->getContext()->getId())
 ->alternateTo([ReviewRequestSubsequent::getEmailTemplateKey()])
 ->getMany();
- $templateKeys = array_merge(
- parent::getEmailTemplates(),
- [ReviewRequestSubsequent::getEmailTemplateKey() => $subsequentTemplate->getLocalizedData('name')]
- );
+ $templateKeys = parent::getEmailTemplates();
+ $user = Application::get()->getRequest()->getUser();
+
+ if(Repo::emailTemplate()->isTemplateAccessibleToUser($user, $subsequentTemplate, $contextId)) {
+ $templateKeys[ReviewRequestSubsequent::getEmailTemplateKey()] = $subsequentTemplate->getLocalizedData('name');
+ }
 foreach ($alternateTemplates as $alternateTemplate) {
- $templateKeys[$alternateTemplate->getData('key')] = $alternateTemplate->getLocalizedData('name');
+ if (Repo::emailTemplate()->isTemplateAccessibleToUser($user, $subsequentTemplate, $contextId)) {
+ $templateKeys[$alternateTemplate->getData('key')] = $alternateTemplate->getLocalizedData('name');
+ }
 }
 return $templateKeys;
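Review bot: The access check inside the `foreach` in getEmailTemplates() tests `$subsequentTemplate` instead of the template being iterated, so each alternate template is offered or hidden according to the base subsequent-request template's accessibility rather than its own; the condition should read `if (Repo::emailTemplate()->isTemplateAccessibleToUser($user, $alternateTemplate, $contextId)) {`. As written, a restricted alternate is still listed whenever the base template is accessible to the user, and every accessible alternate disappears when it is not, which undoes the purpose of the added check for alternates. Two smaller points in the same method: the collector call still recomputes `Application::get()->getRequest()->getContext()->getId()` although `$contextId` now holds that value, and `if(` lacks the space the other conditions use. If `getByKey()` can return null for a context without that template, `$subsequentTemplate->getLocalizedData('name')` would also need a guard, but that depends on the repository contract not shown here.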