CenterForOpenScience · brianjgeiger · Apr 24, 2025 · Apr 24, 2025
diff --git a/admin/preprints/views.py b/admin/preprints/views.py
@@ -23,6 +23,7 @@
 from api.preprints.serializers import PreprintSerializer
 
 from osf.exceptions import PreprintStateError
+from rest_framework.exceptions import PermissionDenied as DrfPermissionDenied
 
 from osf.management.commands.fix_preprints_has_data_links_and_why_no_data import process_wrong_why_not_data_preprints
 from osf.models import (
@@ -193,34 +194,37 @@ class PreprintReVersion(PreprintMixin, View):
     """
     permission_required = 'osf.change_node'
 
-    @transaction.atomic
     def post(self, request, *args, **kwargs):
         preprint = self.get_object()
 
         file_versions = request.POST.getlist('file_versions')
         if not file_versions:
             return HttpResponse('At least one file version should be attached.', status=400)
 
-        versions = preprint.get_preprint_versions()
-        for version in versions:
-            version.upgrade_version()
-
-        new_preprint, data_to_update = Preprint.create_version(
-            create_from_guid=preprint._id,
-            assign_version_number=1,
-            auth=request,
-            ignore_permission=True,
-        )
-        primary_file = copy_files(preprint.primary_file, target_node=new_preprint, identifier__in=file_versions)
-        data_to_update['primary_file'] = primary_file
-
-        # FIXME: currently it's not possible to ignore permission when update subjects
-        # via serializer, remove this logic if deprecated
-        subjects = data_to_update.pop('subjects', None)
-        if subjects:
-            new_preprint.set_subjects([subjects], auth=request, ignore_permission=True)
-
-        PreprintSerializer(new_preprint, context={'request': request, 'ignore_permission': True}).update(new_preprint, data_to_update)
+        try:
+            with transaction.atomic():
+                versions = preprint.get_preprint_versions()
+                for version in versions:
+                    version.upgrade_version()
+
+                new_preprint, data_to_update = Preprint.create_version(
+                    create_from_guid=preprint._id,
+                    assign_version_number=1,
+                    auth=request,
+                    ignore_permission=True,
+                )
+                primary_file = copy_files(preprint.primary_file, target_node=new_preprint, identifier__in=file_versions)
+                data_to_update['primary_file'] = primary_file
+
+                # FIXME: currently it's not possible to ignore permission when update subjects
+                # via serializer, remove this logic if deprecated
+                subjects = data_to_update.pop('subjects', None)
+                if subjects:
+                    new_preprint.set_subjects([subjects], auth=request, ignore_permission=True)
+
+                PreprintSerializer(new_preprint, context={'request': request, 'ignore_permission': True}).update(new_preprint, data_to_update)
+        except DrfPermissionDenied as exc:
+            return HttpResponse(f'Not enough permissions to perform this action : {str(exc)}', status=400)
 
         return JsonResponse({'redirect': self.get_success_url(new_preprint._id)})
 

diff --git a/api/preprints/serializers.py b/api/preprints/serializers.py
@@ -369,22 +369,17 @@ def update(self, preprint, validated_data):
 
             if 'prereg_link_info' in validated_data:
                 preprint.update_prereg_link_info(auth, validated_data['prereg_link_info'], ignore_permission=ignore_permission)
+
+            if 'data_links' in validated_data:
+                preprint.update_data_links(auth, validated_data['data_links'], ignore_permission=ignore_permission)
+            else:
+                if updated_has_data_links == 'no' and preprint.data_links:
+                    preprint.update_data_links(auth, [], ignore_permission=ignore_permission)
         except PreprintStateError as e:
             raise exceptions.ValidationError(detail=str(e))
         except PermissionsError:
             raise exceptions.PermissionDenied(detail='Must have admin permissions to update author assertion fields.')
 
-        if 'data_links' in validated_data:
-            try:
-                preprint.update_data_links(auth, validated_data['data_links'], ignore_permission=ignore_permission)
-            except PreprintStateError as e:
-                raise exceptions.ValidationError(detail=str(e))
-            except PermissionsError:
-                raise exceptions.PermissionDenied(detail='Must have admin permissions to update author assertion fields.')
-        else:
-            if updated_has_data_links == 'no' and preprint.data_links:
-                preprint.update_data_links(auth, [], ignore_permission=ignore_permission)
-
         published = validated_data.pop('is_published', None)
         if published and preprint.provider.is_reviewed:
             url = absolute_reverse(
@@ -440,7 +435,7 @@ def update(self, preprint, validated_data):
 
         if 'license_type' in validated_data or 'license' in validated_data:
             license_details = get_license_details(preprint, validated_data)
-            self.set_field(preprint.set_preprint_license, license_details, auth)
+            self.set_field(preprint.set_preprint_license, license_details, auth, ignore_permission=ignore_permission)
 
         if 'original_publication_date' in validated_data:
             preprint.original_publication_date = validated_data['original_publication_date'] or None
@@ -455,7 +450,7 @@ def update(self, preprint, validated_data):
                 )
             self.set_field(preprint.set_published, published, auth, ignore_permission=ignore_permission)
             recently_published = published
-            preprint.set_privacy('public', log=False, save=True)
+            preprint.set_privacy('public', log=False, save=True, ignore_permission=ignore_permission)
 
         try:
             preprint.full_clean()

diff --git a/osf/models/preprint.py b/osf/models/preprint.py
@@ -897,8 +897,9 @@ def set_published(self, published, auth, save=False, **kwargs):
         if save:
             self.save()
 
-    def set_preprint_license(self, license_detail, auth, save=False):
-        license_record, license_changed = set_license(self, license_detail, auth, node_type='preprint')
+    @require_permission([WRITE])
+    def set_preprint_license(self, license_detail, auth, save=False, **kwargs):
+        license_record, license_changed = set_license(self, license_detail, auth, node_type='preprint', **kwargs)
 
         if license_changed:
             self.add_log(

diff --git a/website/project/licenses/__init__.py b/website/project/licenses/__init__.py
@@ -6,7 +6,7 @@
 from osf.utils import permissions
 
 
-def set_license(node, license_detail, auth, node_type='node'):
+def set_license(node, license_detail, auth, node_type='node', ignore_permission=False):
     NodeLicense = apps.get_model('osf.NodeLicense')
     NodeLicenseRecord = apps.get_model('osf.NodeLicenseRecord')
 
@@ -26,7 +26,7 @@ def set_license(node, license_detail, auth, node_type='node'):
     ):
         return {}, False
 
-    if not node.has_permission(auth.user, permissions.WRITE):
+    if not ignore_permission and not node.has_permission(auth.user, permissions.WRITE):
         raise framework_exceptions.PermissionsError(f'You need admin or write permissions to change a {node_type}\'s license')
 
     try: