feat #5053 Use a form and POST for more security

joemull · joemull · commit c7411a13c12e · 2025-12-08T13:31:16.000Z
diff --git a/src/submission/forms.py b/src/submission/forms.py
@@ -569,3 +569,15 @@ def save(self, commit=True):
         if commit:
             affiliation.save()
         return affiliation
+
+
+class FrozenAuthorAccountForm(forms.ModelForm):
+    """
+    A form to power the view that lets users link an existing
+    author record to an existing account record.
+    Not intended for use entering a new author record.
+    """
+
+    class Meta:
+        model = models.FrozenAuthor
+        fields = ("author",)
diff --git a/src/submission/logic.py b/src/submission/logic.py
@@ -634,7 +634,8 @@ def get_current_authors(article, request):
         if author.email and not author.author:
             try:
                 unlinked_account = core_models.Account.objects.get(
-                    email__iexact=author.email
+                    email__iexact=author.email,
+                    accountrole__role__slug="author",
                 )
             except (
                 core_models.Account.DoesNotExist,
diff --git a/src/submission/tests/test_views.py b/src/submission/tests/test_views.py
@@ -354,15 +354,15 @@ def test_edit_author_save_author(self):
     def test_link_author_to_account(self):
         self.client.force_login(self.kathleen)
 
-        # Create unlinked author record with same email as existing user
+        email = "cwexmgdydil9hbgiw99l@example.org"
+        # Create an unlinked author record
         frozen_author, _created = models.FrozenAuthor.objects.get_or_create(
             article=self.article,
-            first_name="T.",
-            middle_name="S.",
-            last_name="Eliot",
-            frozen_email=self.eliot.email,
+            frozen_email=email,
         )
-        self.client.get(
+        # Create an account with the same email
+        account = helpers.create_user(email, ["author"], self.journal_one)
+        self.client.post(
             reverse(
                 "submission_link_author_to_account",
                 kwargs={
@@ -375,5 +375,5 @@ def test_link_author_to_account(self):
         frozen_author.refresh_from_db()
         self.assertEqual(
             frozen_author.author,
-            self.eliot,
+            account,
         )
diff --git a/src/submission/views.py b/src/submission/views.py
@@ -1024,21 +1024,32 @@ def order_authors(request, article_id):
     return HttpResponse("Thanks")
 
 
-@login_required
+@require_POST
 @user_can_edit_article
 def link_author_to_account(request, article_id, author_id):
     next_url = request.GET.get("next", "")
+
     article = get_object_or_404(models.Article, pk=article_id, journal=request.journal)
     author = get_object_or_404(models.FrozenAuthor, pk=author_id, article=article)
-    account = get_object_or_404(core_models.Account, email__iexact=author.email)
-    author.author = account
-    author.save()
-    messages.add_message(
-        request,
-        messages.SUCCESS,
-        "%(author_name)s (%(email)s) is now linked to a user account."
-        % {"author_name": author.full_name(), "email": author.email},
+    account = get_object_or_404(
+        core_models.Account,
+        email__iexact=author.email,
+        accountrole__role__slug="author",
     )
+
+    author_account_form = forms.FrozenAuthorAccountForm(
+        {"author": account.pk},
+        instance=author,
+    )
+    if author_account_form.is_valid():
+        author_account_form.save()
+        messages.add_message(
+            request,
+            messages.SUCCESS,
+            "%(author_name)s (%(email)s) is now linked to a user account."
+            % {"author_name": author.full_name(), "email": author.email},
+        )
+
     if next_url:
         return redirect(next_url)
     else:
diff --git a/src/templates/admin/elements/current_authors_inner.html b/src/templates/admin/elements/current_authors_inner.html
@@ -43,9 +43,17 @@ <h2>{% trans "Current authors" %}</h2>
                         this author ({{ unlinked_account.email }}), but they are not linked yet.
                         Would you like to link the author to the account?
                       </p>
-                      {% url_with_return "submission_link_author_to_account" article.pk author.pk as href %}
-                      {% trans "Link Account" as link_account %}
-                      {% include "elements/a_create.html" with href=href label=link_account %}
+                      <form
+                        method="POST"
+                        action="{% url_with_return "submission_link_author_to_account" article.pk author.pk %}">
+                        {% csrf_token %}
+                        <div class="button-group no-bottom-margin">
+                          <button class="button hollow secondary">
+                            <span class="fa fa-plus"></span>
+                            {% trans "Link Account" %}
+                          </button>
+                        </div>
+                      </form>
                     </div>
                   {% endif %}
                   <div class="flex gap-2 direction-column-small">
