Authorization improvements #84
Description
The SubmissionFileAccessPolicy at https://github.com/pkp/texture/blob/master/TextureHandler.inc.php#L64 should use SUBMISSION_FILE_ACCESS_MODIFY instead of SUBMISSION_FILE_ACCESS_READ. This will prevent authors from making modifications which they are generally not allowed to do. If there is a need for author preview/editing, I guess we need to figure out what that looks like with the existing submission file access policies.
Wherever $request->getUserVar('submissionId') is used, use $submission = $this->getAuthorizedContextObject(ASSOC_TYPE_SUBMISSION); instead. For example here: https://github.com/pkp/texture/blob/master/TextureHandler.inc.php#L101. Generally the auth policies should prevent this code from being reached, but this ensures that if the code is fired we are using an authenticated object instead of the unauthorized data passed by the user. (It will also save some database hits.)