From 7362ce52fc798a6d95f7e76f111ed9fbe200ff23 Mon Sep 17 00:00:00 2001
From: John Tordoff <>
Date: Thu, 25 Jul 2024 14:00:25 -0400
Subject: [PATCH] allow read permissions for non-public contributors
---
 api/base/permissions.py | 2 +-
 osf/models/preprint.py | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/api/base/permissions.py b/api/base/permissions.py
index 8b3c7247f7a..70663eba4f8 100644
--- a/api/base/permissions.py
+++ b/api/base/permissions.py
@@ -170,6 +170,6 @@ def has_object_permission(self, request, view, obj):
 resource = obj['self']
 if request.method in permissions.SAFE_METHODS:
- return resource.is_public or resource.can_view(auth)
+ return resource.is_public or resource.has_permission(auth.user, 'read') or resource.can_view(auth)
 else:
 return resource.can_edit(auth)
diff --git a/osf/models/preprint.py b/osf/models/preprint.py
index db7cc4c37d5..ff7a5f88c5e 100644
--- a/osf/models/preprint.py
+++ b/osf/models/preprint.py
@@ -893,7 +893,9 @@ def can_edit(self, auth=None, user=None):
 raise ValueError('Cannot pass both `auth` and `user`')
 user = user or auth.user
- return user and self.has_permission(user, WRITE)
+ return (
+ user and ((self.has_permission(user, WRITE) and self.has_submitted_preprint) or self.has_permission(user, ADMIN))
+ )
 def get_contributor_order(self):
 # Method needed for ContributorMixin
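Review bot: In has_object_permission the added `resource.has_permission(auth.user, 'read')` clause is evaluated before `resource.can_view(auth)`, so any state-based gating that can_view applies (not visible in this hunk) no longer affects a user who holds read permission. The class lives in api/base, so this presumably widens read access for every resource type it guards, not only preprints; if only preprints are meant, the rule probably belongs in the model's can_view. `auth.user` may be None for an anonymous request, so unless has_permission is known to accept that, the clause should read `(auth.user is not None and resource.has_permission(auth.user, 'read'))`. The literal `'read'` would also be better written as the project's permission constant, matching the WRITE and ADMIN names used in the preprint.py hunk. The function body starts outside the hunk.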
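Review bot: The new return expression in can_edit changes who may write (WRITE contributors only once `has_submitted_preprint` is true, ADMIN always), yet neither the hunk nor the commit subject states that rule; a comment above the return such as `# WRITE contributors may edit only after submission; ADMIN may always edit` would record it. `has_submitted_preprint` is read without a call, so it should be confirmed to be a property: if it were a method, the bound method would always be truthy and the submission check would never restrict anything. The expression still returns the falsy `user` value rather than `False` when no user is present, which wrapping it in `bool(...)` would normalise. can_edit's body starts outside the hunk.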