feat: ORCID deposition for codecheckers + CODECHECK form in reviewer tab (#16)#126
feat: ORCID deposition for codecheckers + CODECHECK form in reviewer tab (#16)#126subhanLabs wants to merge 3 commits into
Conversation
…tab (#16) - Full OAuth 2.0 flow for codechecker ORCID authorisation - ORCID Member API peer-review deposition on publish and manually - CODECHECK metadata form injected into reviewer tab 3 (Download & Review) - ORCID section shown in editor workflow CODECHECK tab - codecheck_orcid_tokens DB table for token/deposit tracking - Reviewer role added to API handler - All settings read from plugin configuration
|
Thanks! Can you please clarify re. "Editor opens the CODECHECK tab in the editorial workflow" > the codechecker needs to be the one that opens the tab and initiates the authentication with ORCID, right? It would be great, because this is a crucial feature, if you could add a couple of screenshots or maybe even a screencast to document the completed functionality. |
nuest
left a comment
nuest
left a comment
There was a problem hiding this comment.
General comments first, detailed line-by-line review later.
There was a problem hiding this comment.
Does this mean we store the token forever and can edit the profile with that token?
Is there a way for a codechecker to stop allowing us to add data to their profile?
There was a problem hiding this comment.
Token storage:
Yes we store the token, but the scope is limited to /activities/update, we can only add/update peer-review records, nothing else on their profile.
Revoking access:
The codechecker must authorise themselves, we match their ORCID ID against the authenticated token, so no one else can authorise on their behalf. To stop allowing deposits, they can revoke access directly from their ORCID account under "Trusted organizations" which immediately invalidates our stored token.
| 'review-group-id' => $groupId, | ||
| 'review-identifiers' => $this->buildReviewIdentifiers($certificateDoi), | ||
| 'convening-organization' => $this->buildConveningOrganization($journal), | ||
| 'subject-type' => 'journal-article', |
There was a problem hiding this comment.
What subject types does the ORCID API know? Could there be the need here to switch to something else, like a preprint?
There was a problem hiding this comment.
The ORCID peer-review API supports these subject types: book, book-chapter, book-review, dataset, edited-book, encyclopedia-entry, journal-article, journal-issue, magazine-article, manual, newsletter-article, newspaper-article, online-resource, other, preprint, report, research-tool, supervised-student-publication, test, translation, website, working-paper.
You raise a valid point, if the submission is a preprint rather than a published journal article, preprint would be more accurate.
We could either hardcode journal-article since CODECHECK is journal-focused, or make the subject type configurable or derived from the submission type. What would you recommend, should we keep it fixed or add flexibility here?
|
|
||
| $payload = [ | ||
| 'reviewer-role' => 'reviewer', | ||
| 'review-type' => 'review', |
There was a problem hiding this comment.
What review types does the ORCID API know?
There was a problem hiding this comment.
The ORCID peer-review API does not have a codechecker role. The available roles are chair, editor, member, organizer, reviewer, reviewer-external, and senior-editor. We used reviewer as the closest match, Happy to change this if you have a preference.
There was a problem hiding this comment.
Should this file be actually added here?
There was a problem hiding this comment.
Good catch, that file was accidentally included. I have removed it.
| /** | ||
| * Triggered when an editor publishes an article. | ||
| */ | ||
| public function onPublicationPublish(string $hookName, array $args): bool |
There was a problem hiding this comment.
This ssems to require that the ORCID credentials must be provided by codecheckers before the publication.
_Is it also possible that a CODECHECK goes to the OJS backend after the article is published and then triggers the deposition?
There was a problem hiding this comment.
Yes, absolutely. The automatic deposition on publication is just a convenience, if the codechecker has not authorised before publication, or if the deposit fails, editors can still trigger it manually at any time using the "Deposit to ORCID" button in the CODECHECK workflow tab. The button remains available after publication so codecheckers can authorise and deposit retroactively.
| $depositService = new OrcidDepositService($this); | ||
| $results = $depositService->depositForSubmission($submission->getId()); | ||
| foreach ($results as $result) { | ||
| if ($result['status'] === 'success') { |
There was a problem hiding this comment.
Please make a proposal how to include user facing messaging about the results and failures here.
If that means we need a database table to capture the deposition state, then that is fine.
There was a problem hiding this comment.
I already store the deposition state in the codecheck_orcid_tokens table, each row has a deposit_status column (pending, success, failed), a put_code for successful deposits, and an error_message for failures.
The results are surfaced to editors in the CODECHECK workflow tab via the ORCID Deposition section, which shows each codechecker's current status badge (NOT AUTHORISED / PENDING / DEPOSITED / FAILED) and displays the error message inline when a deposit fails. This is loaded via the orcid-status API endpoint on every page load so the state is always current.
- Fix ORCID iD mismatch check to validate against all codecheckers - Remove city as required field, only name and country needed - Bundle ORCID icon locally instead of loading from orcid.org - Restrict auth button to reviewer form, editors see status only - Add Test ORCID Setup button in plugin settings - Add ORCID settings section to settings form and template
|
@subhanLabs For the sake of documentation, can you please update local docs or the README file which field mentioned in https://support.orcid.org/hc/en-us/articles/360006971333-Peer-Reviews your code sets, and what values are put in there? Thanks! |
|
@subhanLabs For the sake of documentation, please post a screenshot of the ORCID Deposition section here. |
2 participants
Summary
This PR implements two major features for the CODECHECK plugin:
Changes
New Classes
classes/Orcid/OrcidApiClient.php— low-level ORCID API HTTP clientclasses/Orcid/OrcidAuthHandler.php— handles OAuth 2.0 authorisation flow (startAuth/callback)classes/Orcid/OrcidDepositService.php— builds and deposits peer-review records to ORCIDclasses/Orcid/OrcidTokenDAO.php— manages token storage incodecheck_orcid_tokenstableclasses/Orcid/PeerReviewPayloadBuilder.php— constructs ORCID peer-review XML payloadclasses/Log/CodecheckLogger.php— structured logger with debug/info/error levelsModified Files
CodecheckPlugin.php— ORCID hooks, reviewer data injection, publish handlerapi/v1/CodecheckApiHandler.php— addedorcid-statusandorcid-depositendpoints, reviewer roleapi/v1/JsonResponse.php— made constructor args optional, addedresponse()convenience methodclasses/Constants.php— added all ORCID and GitHub constantsclasses/migration/CodecheckSchemaMigration.php— addedcodecheck_orcid_tokenstablelocale/en/locale.po— added ORCID and missing locale keysregistry/uiLocaleKeysBackend.json— added ORCID locale keysresources/js/main.js— ORCID section in workflow, reviewer form injection via MutationObserverresources/js/Components/CodecheckOrcidSection.vue— Vue component for ORCID authorisation and deposit UIHow it works
ORCID OAuth flow
codecheck_orcid_tokensReviewer form
CodecheckMetadataFormand optionallyCodecheckOrcidSectionif ORCID is enabledNotes
error_log()calls replaced withCodecheckLogger(debug/info/error levels)Closes #16