blacklight-access_controls 0.1.0

data/solr_conf/conf/xslt/updateXml.xsl

@@ -0,0 +1,70 @@
+<!-- 
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<!--
+  Simple transform of Solr query response into Solr Update XML compliant XML.
+  When used in the xslt response writer you will get UpdaateXML as output.
+  But you can also store a query response XML to disk and feed this XML to
+  the XSLTUpdateRequestHandler to index the content. Provided as example only.
+  See http://wiki.apache.org/solr/XsltUpdateRequestHandler for more info
+ -->
+<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
+  <xsl:output media-type="text/xml" method="xml" indent="yes"/>
+
+  <xsl:template match='/'>
+    <add>
+        <xsl:apply-templates select="response/result/doc"/>
+    </add>
+  </xsl:template>
+  
+  <!-- Ignore score (makes no sense to index) -->
+  <xsl:template match="doc/*[@name='score']" priority="100">
+  </xsl:template>
+
+  <xsl:template match="doc">
+    <xsl:variable name="pos" select="position()"/>
+    <doc>
+        <xsl:apply-templates>
+          <xsl:with-param name="pos"><xsl:value-of select="$pos"/></xsl:with-param>
+        </xsl:apply-templates>
+    </doc>
+  </xsl:template>
+
+  <!-- Flatten arrays to duplicate field lines -->
+  <xsl:template match="doc/arr" priority="100">
+      <xsl:variable name="fn" select="@name"/>
+      
+      <xsl:for-each select="*">
+		<xsl:element name="field">
+		    <xsl:attribute name="name"><xsl:value-of select="$fn"/></xsl:attribute>
+	        <xsl:value-of select="."/>
+		</xsl:element>
+      </xsl:for-each>
+  </xsl:template>
+
+
+  <xsl:template match="doc/*">
+      <xsl:variable name="fn" select="@name"/>
+
+	<xsl:element name="field">
+	    <xsl:attribute name="name"><xsl:value-of select="$fn"/></xsl:attribute>
+        <xsl:value-of select="."/>
+	</xsl:element>
+  </xsl:template>
+
+  <xsl:template match="*"/>
+</xsl:stylesheet>

data/spec/factories/user.rb

@@ -0,0 +1,6 @@
+FactoryGirl.define do
+  factory :user do
+    sequence(:email) { |n| "user_#{n}@example.com" }
+    password 'password'
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,29 @@
+ENV['RAILS_ENV'] ||= 'test'
+
+require 'engine_cart'
+EngineCart.load_application!
+
+require 'blacklight-access_controls'
+require 'factory_girl_rails'
+require 'database_cleaner'
+
+Dir['./spec/support/**/*.rb'].sort.each { |f| require f }
+
+RSpec.configure do |config|
+  config.include FactoryGirl::Syntax::Methods
+
+  config.include SolrSupport
+
+  config.before(:suite) do
+    DatabaseCleaner.clean_with :truncation
+  end
+
+  config.before(:each) do
+    DatabaseCleaner.strategy = :transaction
+    DatabaseCleaner.start
+  end
+
+  config.after(:each) do
+    DatabaseCleaner.clean
+  end
+end

data/spec/support/solr_support.rb

@@ -0,0 +1,11 @@
+module SolrSupport
+
+  def create_solr_doc(hash)
+    doc = SolrDocument.new(hash)
+    solr = Blacklight.default_index.connection
+    solr.add(doc)
+    solr.commit
+    doc
+  end
+
+end

data/spec/test_app_templates/blacklight.yml

@@ -0,0 +1,18 @@
+# = jetty_path key
+# each environment can have a jetty_path with absolute or relative
+# (to app root) path to a jetty/solr install. This is used
+# by the rake tasks that start up solr automatically for testing
+# and by rake solr:marc:index.  
+#
+# jetty_path is not used by a running Blacklight application
+# at all. In general you do NOT need to deploy solr in Jetty, you can deploy it
+# however you want.  
+# jetty_path is only required for rake tasks that need to know
+# how to start up solr, generally for automated testing. 
+
+development:
+  adapter: solr
+  url: <%= ENV['SOLR_URL'] || "http://127.0.0.1:8983/solr/development" %>
+test: &test
+  adapter: solr
+  url: <%= ENV['SOLR_URL'] || "http://127.0.0.1:8983/solr/test" %>

data/spec/test_app_templates/lib/generators/test_app_generator.rb

@@ -0,0 +1,25 @@
+require 'rails/generators'
+
+class TestAppGenerator < Rails::Generators::Base
+  source_root File.expand_path("../../../../spec/test_app_templates", __FILE__)
+
+  # if you need to generate any additional configuration
+  # into the test app, this generator will be run immediately
+  # after setting up the application
+
+  def generate_blacklight
+    say_status('status', 'GENERATING BLACKLIGHT', :yellow)
+    generate "blacklight:install", "--devise"
+  end
+
+  def configure_blacklight
+    say_status('status', 'CONFIGURING BLACKLIGHT', :yellow)
+    remove_file 'config/blacklight.yml'
+    copy_file 'blacklight.yml', 'config/blacklight.yml'
+  end
+
+  def run_access_controls_generator
+    generate 'blacklight:access_controls'
+  end
+
+end

data/spec/unit/ability_spec.rb

@@ -0,0 +1,202 @@
+require 'spec_helper'
+require 'cancan/matchers'
+
+describe Ability do
+  let(:ability) { Ability.new(user) }
+
+  describe "class methods" do
+    it 'has keys for access control fields' do
+      expect(Ability.read_group_field).to eq 'read_access_group_ssim'
+      expect(Ability.read_user_field).to eq 'read_access_person_ssim'
+      expect(Ability.discover_group_field).to eq 'discover_access_group_ssim'
+      expect(Ability.discover_user_field).to eq 'discover_access_person_ssim'
+    end
+  end
+
+  describe "Given an asset that has been made publicly discoverable" do
+    let(:asset) { SolrDocument.new(id: 'public_discovery',
+                  discover_access_group_ssim: ['public']) }
+
+    context "Then a not-signed-in user" do
+      let(:user) { nil }
+      subject { ability }
+
+      it { should     be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+    end
+
+    context "Then a registered user" do
+      let(:user) { create(:user) }
+      subject { ability }
+
+      it { should     be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+    end
+
+    context 'With an ID instead of a SolrDocument' do
+      let(:user) { create(:user) }
+      subject { ability }
+
+      let(:asset) {
+        create_solr_doc(id: 'public_discovery',
+                        discover_access_group_ssim: ['public'])
+      }
+
+      # It should still work, even if we just pass in an ID
+      it { should     be_able_to(:discover, asset.id) }
+      it { should_not be_able_to(:read, asset.id) }
+    end
+  end
+
+  describe "Given an asset that has been made publicly readable" do
+    let(:asset) { SolrDocument.new(id: 'public_read',
+                  read_access_group_ssim: ['public']) }
+
+    context "Then a not-signed-in user" do
+      let(:user) { nil }
+      subject { ability }
+
+      it { should be_able_to(:discover, asset) }
+      it { should be_able_to(:read, asset) }
+    end
+
+    context "Then a registered user" do
+      let(:user) { create(:user) }
+      subject { ability }
+
+      it { should be_able_to(:discover, asset) }
+      it { should be_able_to(:read, asset) }
+    end
+
+    context 'With an ID instead of a SolrDocument' do
+      let(:user) { create(:user) }
+      subject { ability }
+
+      let(:asset) {
+        create_solr_doc(id: 'public_read',
+                        read_access_group_ssim: ['public'])
+      }
+
+      # It should still work, even if we just pass in an ID
+      it { should be_able_to(:discover, asset.id) }
+      it { should be_able_to(:read, asset.id) }
+    end
+  end
+
+  describe "Given an asset to which a specific user has discovery access" do
+    let(:user_with_access) { create(:user) }
+    let(:asset) { SolrDocument.new(id: 'user_disco', discover_access_person_ssim: [user_with_access.email]) }
+
+    context "Then a not-signed-in user" do
+      let(:user) { nil }
+      subject { ability }
+
+      it { should_not be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+    end
+
+    context "Then a different registered user" do
+      let(:user) { create(:user) }
+      subject { ability }
+
+      it { should_not be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+    end
+
+    context "Then that user" do
+      let(:user) { user_with_access }
+      subject { ability }
+
+      it { should     be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+    end
+  end
+
+  describe "Given an asset to which a specific user has read access" do
+    let(:user_with_access) { create(:user) }
+    let(:asset) { SolrDocument.new(id: 'user_read', read_access_person_ssim: [user_with_access.email]) }
+
+    context "Then a not-signed-in user" do
+      let(:user) { nil }
+      subject { ability }
+
+      it { should_not be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+    end
+
+    context "Then a different registered user" do
+      let(:user) { create(:user) }
+      subject { ability }
+
+      it { should_not be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+    end
+
+    context "Then that user" do
+      let(:user) { user_with_access }
+      subject { ability }
+
+      it { should be_able_to(:discover, asset) }
+      it { should be_able_to(:read, asset) }
+    end
+  end
+
+
+  describe '.user_class' do
+    subject { Blacklight::AccessControls::Ability.user_class }
+    it { is_expected.to eq User }
+  end
+
+  describe '#guest_user' do
+    let(:user) { nil }
+    subject { ability.guest_user }
+
+    it 'is a new user' do
+      expect(subject).to be_a User
+      expect(subject.new_record?).to be_truthy
+    end
+  end
+
+  describe '#user_groups' do
+    subject { ability.user_groups }
+
+    context 'an unregistered user' do
+      let(:user) { build(:user) }
+      it { is_expected.to contain_exactly('public') }
+    end
+
+    context 'a registered user' do
+      let(:user) { create(:user) }
+      it { is_expected.to contain_exactly('registered', 'public') }
+    end
+
+    context 'a user with groups' do
+      let(:user) { double(groups: ['group1', 'group2'], new_record?: false) }
+      it { is_expected.to include('group1', 'group2') }
+    end
+  end
+
+  describe "with a custom method" do
+    let(:user) { create(:user) }
+    subject { MyAbility.new(user) }
+
+    before do
+      class MyAbility
+        include Blacklight::AccessControls::Ability
+        self.ability_logic +=[:setup_my_permissions]
+
+        def setup_my_permissions
+          can :accept, SolrDocument
+        end
+      end
+    end
+
+    after do
+      Object.send(:remove_const, :MyAbility)
+    end
+
+    # Make sure it called the custom method
+    it { should be_able_to(:accept, SolrDocument) }
+  end
+
+end

data/spec/unit/catalog_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe Blacklight::AccessControls::Catalog do
+  let(:controller) { CatalogController.new }
+
+  describe '#enforce_show_permissions' do
+    subject { controller.send(:enforce_show_permissions) }
+    let(:params) {{ id: doc.id }}
+
+    before do
+      allow(controller).to receive(:current_user).and_return(user)
+      allow(controller).to receive(:params).and_return(params)
+    end
+
+    context 'when user is not logged in' do
+      let(:doc) { create_solr_doc(id: '123') }
+      let(:user) { User.new }
+
+      it 'denies access' do
+        expect { subject }.to raise_error(Blacklight::AccessControls::AccessDenied)
+      end
+    end
+
+    context 'when user has access' do
+      let(:doc) { create_solr_doc(id: '123', read_access_person_ssim: user.email) }
+      let(:user) { build(:user) }
+
+      it 'allows access' do
+        expect { subject }.to_not raise_error
+      end
+
+      # So that you can override enforce_show_permissions
+      # to call "super" and then add more permissions checks
+      # after that without having to re-fetch the document.
+      it 'returns the permissions doc' do
+        expect(subject).to be_a(Blacklight::AccessControls::PermissionsSolrDocument)
+      end
+    end
+  end
+
+end

data/spec/unit/config_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+describe Blacklight::AccessControls::Config do
+  let(:config) { described_class.new }
+
+  describe '#user_model' do
+    it 'has a default value' do
+      expect(config.user_model).to eq 'User'
+    end
+
+    it 'can be set to a non-default value' do
+      config.user_model = 'Student'
+      expect(config.user_model).to eq 'Student'
+    end
+  end
+
+  describe '#discover_group_field' do
+    subject { config.discover_group_field }
+
+    it 'has a default value' do
+      expect(subject).to eq "discover_access_group_ssim"
+    end
+
+    it 'can be set to a non-default value' do
+      config.discover_group_field = 'something else'
+      expect(subject).to eq 'something else'
+    end
+  end
+
+  describe '#discover_user_field' do
+    subject { config.discover_user_field }
+
+    it 'has a default value' do
+      expect(subject).to eq "discover_access_person_ssim"
+    end
+
+    it 'can be set to a non-default value' do
+      config.discover_user_field = 'something else'
+      expect(subject).to eq 'something else'
+    end
+  end
+
+  describe '#read_group_field' do
+    subject { config.read_group_field }
+
+    it 'has a default value' do
+      expect(subject).to eq "read_access_group_ssim"
+    end
+
+    it 'can be set to a non-default value' do
+      config.read_group_field = 'something else'
+      expect(subject).to eq 'something else'
+    end
+  end
+
+  describe '#read_user_field' do
+    subject { config.read_user_field }
+
+    it 'has a default value' do
+      expect(subject).to eq "read_access_person_ssim"
+    end
+
+    it 'can be set to a non-default value' do
+      config.read_user_field = 'something else'
+      expect(subject).to eq 'something else'
+    end
+  end
+
+end