blacklight-access_controls 0.5.1 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9848df97495a043646fee764f7dda99465041821
-  data.tar.gz: ba6e8f65ea7ed2c7968867b6b6e218b934e73379
+  metadata.gz: 1e7cd1735e1adbfc7b730e61d0b6deb065ef3d6c
+  data.tar.gz: d1d6ad746309d9c725eee9afee7a5d2000cfa262
 SHA512:
-  metadata.gz: c8530328e2494fc97e1646af356c6112437d192c2fcd7e7524cf728dc0442af1501dd06e5719a1a326d9fbc6bf92d74a57c798007418aaa944d229788270643a
-  data.tar.gz: 3979b92c05c708de3f47ab486abdeda3e383ad50369cdb3d04210c69e8bc701d328cc94ec042ecd409b4068828739a21c1d1affccf3f750beece6b552aa9b5a6
+  metadata.gz: 79b64f8758122bb057404ececc2322b8eb5b25511d96ad5a937234259860e1959dc45f79fbbef8c1f3ad4423e6fc81543363a78bf2ce780b8514d672d2e4fa64
+  data.tar.gz: 8b0e425f6f6f93e3087803a25b00212ece6dcb1d240cc5abd7d2004198f44183e3017c4b4702449fd56a15622327b0f92414349563344c960319579bbbdd6ae3

data/.gitignore

@@ -1,3 +1,4 @@
+.byebug_history
 .rvmrc
 Gemfile.lock
 

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,15 @@
+inherit_from: .rubocop_todo.yml
+require: rubocop-rspec
+
+AllCops:
+  DisplayCopNames: true
+  Include:
+    - '**/Rakefile'
+  Exclude:
+    - '.internal_test_app/**/*'
+
+Rails:
+  Enabled: true
+
+Metrics/LineLength:
+  Max: 185

data/.rubocop_todo.yml

@@ -0,0 +1,156 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2016-08-24 16:11:34 -0700 using RuboCop version 0.42.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Manually added to prevent `unrecognized cop` warnings during execution.
+require: rubocop-rspec
+
+# Offense count: 4
+Metrics/AbcSize:
+  Max: 18
+
+# Offense count: 1
+# Configuration parameters: CountComments.
+Metrics/ModuleLength:
+  Max: 120
+
+# Offense count: 7
+# Configuration parameters: SkipBlocks.
+RSpec/DescribedClass:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+
+# Offense count: 1
+# Configuration parameters: Max.
+RSpec/ExampleLength:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+
+# Offense count: 3
+# Configuration parameters: CustomTransform.
+RSpec/FilePath:
+  Exclude:
+    - 'spec/unit/catalog_spec.rb'
+    - 'spec/unit/config_spec.rb'
+    - 'spec/unit/enforcement_spec.rb'
+
+# Offense count: 17
+# Configuration parameters: AssignmentOnly.
+RSpec/InstanceVariable:
+  Exclude:
+    - 'spec/unit/enforcement_spec.rb'
+
+# Offense count: 23
+RSpec/LeadingSubject:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+    - 'spec/unit/enforcement_spec.rb'
+
+# Offense count: 7
+RSpec/MultipleExpectations:
+  Max: 6
+
+# Offense count: 24
+RSpec/NamedSubject:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+    - 'spec/unit/catalog_spec.rb'
+    - 'spec/unit/config_spec.rb'
+    - 'spec/unit/enforcement_spec.rb'
+
+# Offense count: 30
+# Configuration parameters: MaxNesting.
+RSpec/NestedGroups:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+    - 'spec/unit/catalog_spec.rb'
+    - 'spec/unit/enforcement_spec.rb'
+
+# Offense count: 2
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+# SupportedStyles: not_to, to_not
+RSpec/NotToNot:
+  Exclude:
+    - 'spec/unit/catalog_spec.rb'
+    - 'spec/unit/enforcement_spec.rb'
+
+# Offense count: 1
+# Configuration parameters: IgnoreSymbolicNames.
+RSpec/VerifiedDoubles:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+
+# Offense count: 5
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles, IndentationWidth.
+# SupportedStyles: with_first_parameter, with_fixed_indentation
+Style/AlignParameters:
+  Exclude:
+    - 'lib/generators/blacklight/access_controls_generator.rb'
+
+# Offense count: 6
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles, ProceduralMethods, FunctionalMethods, IgnoredMethods.
+# SupportedStyles: line_count_based, semantic, braces_for_chaining
+# ProceduralMethods: benchmark, bm, bmbm, create, each_with_object, measure, new, realtime, tap, with_object
+# FunctionalMethods: let, let!, subject, watch
+# IgnoredMethods: lambda, proc, it
+Style/BlockDelimiters:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+
+# Offense count: 3
+# Cop supports --auto-correct.
+Style/BlockEndNewline:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+
+# Offense count: 3
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+# SupportedStyles: nested, compact
+Style/ClassAndModuleChildren:
+  Exclude:
+    - 'lib/blacklight-access_controls.rb'
+    - 'lib/blacklight/access_controls/permissions_cache.rb'
+    - 'lib/blacklight/access_controls/permissions_query.rb'
+
+# Offense count: 12
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/blacklight-access_controls.rb'
+    - 'lib/blacklight/access_controls.rb'
+    - 'lib/blacklight/access_controls/ability.rb'
+    - 'lib/blacklight/access_controls/catalog.rb'
+    - 'lib/blacklight/access_controls/config.rb'
+    - 'lib/blacklight/access_controls/enforcement.rb'
+    - 'lib/blacklight/access_controls/permissions_cache.rb'
+    - 'lib/blacklight/access_controls/permissions_query.rb'
+    - 'lib/blacklight/access_controls/user.rb'
+    - 'lib/generators/blacklight/ability.rb'
+    - 'lib/generators/blacklight/access_controls_generator.rb'
+
+# Offense count: 1
+# Configuration parameters: ExpectMatchingDefinition, Regex, IgnoreExecutableScripts.
+Style/FileName:
+  Exclude:
+    - 'lib/blacklight-access_controls.rb'
+
+# Offense count: 3
+# Cop supports --auto-correct.
+Style/MultilineBlockLayout:
+  Exclude:
+    - 'spec/unit/ability_spec.rb'
+
+# Offense count: 6
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles, AllowInnerSlashes.
+# SupportedStyles: slashes, percent_r, mixed
+Style/RegexpLiteral:
+  Exclude:
+    - 'spec/unit/enforcement_spec.rb'

data/Rakefile

@@ -7,6 +7,7 @@ end
 
 Bundler::GemHelper.install_tasks
 
+require 'rubocop/rake_task'
 require 'solr_wrapper'
 require 'solr_wrapper/rake_task'
 require 'engine_cart/rake_task'
@@ -17,27 +18,33 @@ RSpec::Core::RakeTask.new(:spec)
 task default: 'ci'
 
 def solr_config_dir
-  File.join(File.expand_path(File.dirname(__FILE__)), "solr_conf", "conf")
+  File.join(File.expand_path(File.dirname(__FILE__)), 'solr_conf', 'conf')
 end
 
 namespace :solr do
   desc 'Configure solr cores'
   task :config do
     SolrWrapper.wrap do |solr|
-      core = solr.create(name: 'development', dir: solr_config_dir)
-      core = solr.create(name: 'test', dir: solr_config_dir)
+      solr.create(name: 'development', dir: solr_config_dir)
+      solr.create(name: 'test', dir: solr_config_dir)
     end
   end
 
-  desc "Run test suite (with solr wrapper)"
+  desc 'Run test suite (with solr wrapper)'
   task :spec do
     SolrWrapper.wrap do |solr|
-      solr.with_collection(name:'test', dir: solr_config_dir) do |collection_name|
+      solr.with_collection(name: 'test', dir: solr_config_dir) do # |collection_name|
         Rake::Task['spec'].invoke
       end
     end
   end
 end
 
-desc "Run CI build"
-task ci: ['engine_cart:generate', 'solr:spec']
+desc 'Run CI build'
+task ci: ['rubocop', 'engine_cart:generate', 'solr:spec']
+
+desc 'Run style checker'
+RuboCop::RakeTask.new(:rubocop) do |task|
+  task.requires << 'rubocop-rspec'
+  task.fail_on_error = true
+end

data/VERSION

@@ -1 +1 @@
-0.5.1
+0.6.0

data/blacklight-access_controls.gemspec

@@ -27,4 +27,6 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency "solr_wrapper"
   gem.add_development_dependency "factory_girl_rails", "~> 4.0"
   gem.add_development_dependency "database_cleaner"
+  gem.add_development_dependency 'rubocop'
+  gem.add_development_dependency 'rubocop-rspec'
 end

data/lib/blacklight/access_controls/ability.rb

@@ -17,7 +17,7 @@ module Blacklight
         self.ability_logic = [:discover_permissions, :read_permissions, :download_permissions]
       end
 
-      def initialize(user, options={})
+      def initialize(user, options = {})
         @current_user = user || guest_user
         @options = options
         @cache = Blacklight::AccessControls::PermissionsCache.new
@@ -36,8 +36,8 @@ module Blacklight
       end
 
       def grant_permissions
-        Rails.logger.debug("Usergroups are " + user_groups.inspect)
-        self.ability_logic.each do |method|
+        Rails.logger.debug('Usergroups are ' + user_groups.inspect)
+        ability_logic.each do |method|
           send(method)
         end
       end
@@ -161,7 +161,6 @@ module Blacklight
       end
 
       module ClassMethods
-
         def discover_group_field
           Blacklight::AccessControls.config.discover_group_field
         end
@@ -185,7 +184,6 @@ module Blacklight
         def download_user_field
           Blacklight::AccessControls.config.download_user_field
         end
-
       end
     end
   end

data/lib/blacklight/access_controls/catalog.rb

@@ -1,22 +1,19 @@
 # frozen_string_literal: true
-# This is behavior for the catalog controller.
-
 module Blacklight
   module AccessControls
+    # This is behavior for the catalog controller.
     module Catalog
       extend ActiveSupport::Concern
 
-      # Controller "before" filter for enforcing access controls
-      # on show actions.
-      # @param [Hash] opts (optional, not currently used)
-      def enforce_show_permissions(opts={})
+      # Controller "before" filter for enforcing access controls on show actions.
+      # @param [Hash] _opts (optional, not currently used)
+      def enforce_show_permissions(_opts = {})
         permissions = current_ability.permissions_doc(params[:id])
         unless can? :read, permissions
-          raise Blacklight::AccessControls::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
+          raise Blacklight::AccessControls::AccessDenied.new('You do not have sufficient access privileges to read this document, which has been marked private.', :read, params[:id])
         end
         permissions
       end
-
     end
   end
 end

data/lib/blacklight/access_controls/config.rb

@@ -2,7 +2,6 @@
 module Blacklight
   module AccessControls
     class Config
-
       def initialize
         @user_model = default_user_model
 
@@ -26,29 +25,28 @@ module Blacklight
       end
 
       def default_discover_group_field
-        "discover_access_group_ssim"
+        'discover_access_group_ssim'
       end
 
       def default_discover_user_field
-        "discover_access_person_ssim"
+        'discover_access_person_ssim'
       end
 
       def default_read_group_field
-        "read_access_group_ssim"
+        'read_access_group_ssim'
       end
 
       def default_read_user_field
-        "read_access_person_ssim"
+        'read_access_person_ssim'
       end
 
       def default_download_group_field
-        "download_access_group_ssim"
+        'download_access_group_ssim'
       end
 
       def default_download_user_field
-        "download_access_person_ssim"
+        'download_access_person_ssim'
       end
-
     end
   end
 end

data/lib/blacklight/access_controls/enforcement.rb

@@ -1,22 +1,26 @@
 # frozen_string_literal: true
 module Blacklight
   module AccessControls
+    # Attributes and methods used to restrict access via Solr.
+    #
+    # Note: solr_access_filters_logic is an Array of Symbols.
+    # It sets defaults. Each symbol identifies a _method_ that must be in
+    # this class, taking two parameters (permission_types, ability).
+    # Can be changed in local apps or by plugins, e.g.:
+    #   CatalogController.include ModuleDefiningNewMethod
+    #   CatalogController.solr_access_filters_logic += [:new_method]
+    #   CatalogController.solr_access_filters_logic.delete(:we_dont_want)
     module Enforcement
       extend ActiveSupport::Concern
 
       included do
         extend Deprecation
-        attr_writer :current_ability
+        attr_writer :current_ability, :discovery_permissions
         deprecation_deprecate :current_ability=
 
         class_attribute :solr_access_filters_logic
+        alias_method :add_access_controls_to_solr_params, :apply_gated_discovery
 
-        # Set defaults. Each symbol identifies a _method_ that must be in
-        # this class, taking one parameter (permission_types)
-        # Can be changed in local apps or by plugins, eg:
-        # CatalogController.include ModuleDefiningNewMethod
-        # CatalogController.solr_access_filters_logic += [:new_method]
-        # CatalogController.solr_access_filters_logic.delete(:we_dont_want)
         self.solr_access_filters_logic = [:apply_group_permissions, :apply_user_permissions]
 
         # Apply appropriate access controls to all solr queries
@@ -25,71 +29,61 @@ module Blacklight
 
       delegate :current_ability, to: :scope
 
-      protected
-
-      def gated_discovery_filters(permission_types = discovery_permissions, ability = current_ability)
-        user_access_filters = []
-
-        # Grant access based on user id & group
-        solr_access_filters_logic.each do |method_name|
-          user_access_filters += send(method_name, permission_types, ability)
-        end
-        user_access_filters
+      # Which permission levels (logical OR) will grant you the ability to discover documents in a search.
+      # Override this method if you want it to be something other than the default, or hit the setter
+      def discovery_permissions
+        @discovery_permissions ||= %w(discover read)
       end
 
-      #
-      # Solr query modifications
-      #
+      protected
 
-      # Set solr_parameters to enforce appropriate permissions
-      # * Applies a lucene query to the solr :q parameter for gated discovery
-      # * Uses public_qt search handler if user does not have "read" permissions
-      # @param solr_parameters the current solr parameters
-      def add_access_controls_to_solr_params(solr_parameters)
-        apply_gated_discovery(solr_parameters)
+      # Grant access based on user id & group
+      # @return [Array{Array{String}}]
+      def gated_discovery_filters(permission_types = discovery_permissions, ability = current_ability)
+        solr_access_filters_logic.map { |method| send(method, permission_types, ability).reject(&:blank?) }.reject(&:empty?)
       end
 
-      # Which permission levels (logical OR) will grant you the ability to discover documents in a search.
-      # Override this method if you want it to be something other than the default
-      def discovery_permissions
-        @discovery_permissions ||= ["discover","read"]
-      end
-      def discovery_permissions= (permissions)
-        @discovery_permissions = permissions
-      end
+      ### Solr query modifications
 
-      # Controller before filter that sets up access-controlled lucene query in order to provide gated discovery behavior
-      # @param solr_parameters the current solr parameters
+      # Controller before_filter that sets up access-controlled lucene query to provide gated discovery behavior.
+      # Set solr_parameters to enforce appropriate permissions.
+      # @param [Hash{Object}] solr_parameters the current solr parameters, to be modified herein!
+      # @note Applies a lucene filter query to the solr :fq parameter for gated discovery.
       def apply_gated_discovery(solr_parameters)
         solr_parameters[:fq] ||= []
-        solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
-        Rails.logger.debug("Solr parameters: #{ solr_parameters.inspect }")
+        solr_parameters[:fq] << gated_discovery_filters.reject(&:blank?).join(' OR ')
+        Rails.logger.debug("Solr parameters: #{solr_parameters.inspect}")
       end
 
+      # For groups
+      # @return [Array{String}] values are lucence syntax term queries suitable for :fq
+      # @example
+      #   [ "({!terms f=discover_access_group_ssim}public,faculty,africana-faculty,registered)",
+      #     "({!terms f=read_access_group_ssim}public,faculty,africana-faculty,registered)" ]
       def apply_group_permissions(permission_types, ability = current_ability)
-        # for groups
+        groups = ability.user_groups
+        return [] if groups.empty?
         permission_types.map do |type|
           field = solr_field_for(type, 'group')
-          groups = ability.user_groups
-          # The parens are required to properly OR the cases together.
-          "({!terms f=#{field}}#{groups.join(',')})"
+          "({!terms f=#{field}}#{groups.join(',')})" # parens required to properly OR the clauses together.
         end
       end
 
+      # For individual user access
+      # @return [Array{String}] values are lucence syntax term queries suitable for :fq
+      # @example ['discover_access_person_ssim:user_1@abc.com', 'read_access_person_ssim:user_1@abc.com']
       def apply_user_permissions(permission_types, ability = current_ability)
-        # for individual user access
-        user_access_filters = []
         user = ability.current_user
-        if user && user.user_key.present?
-          permission_types.each do |type|
-            user_access_filters << escape_filter(solr_field_for(type, 'user'), user.user_key)
-          end
+        return [] unless user && user.user_key.present?
+        permission_types.map do |type|
+          escape_filter(solr_field_for(type, 'user'), user.user_key)
         end
-        user_access_filters
       end
 
-      # Find the name of the solr field for this type of permission.
-      # e.g. "read_access_group_ssim" or "discover_access_person_ssim".
+      # @param [#to_s] permission_type a single value, e.g. "read" or "discover"
+      # @param [#to_s] permission_category a single value, e.g. "group" or "person"
+      # @return [String] name of the solr field for this type of permission
+      # @example return values: "read_access_group_ssim" or "discover_access_person_ssim"
       def solr_field_for(permission_type, permission_category)
         method_name = "#{permission_type}_#{permission_category}_field".to_sym
         Blacklight::AccessControls.config.send(method_name)

data/lib/blacklight/access_controls/permissions_cache.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 class Blacklight::AccessControls::PermissionsCache
-
   def initialize
-    clear 
+    clear
   end
 
   def get(pid)
@@ -10,11 +9,10 @@ class Blacklight::AccessControls::PermissionsCache
   end
 
   def put(pid, doc)
-    @cache[pid] = doc 
+    @cache[pid] = doc
   end
 
   def clear
     @cache = {}
   end
-
 end

data/lib/blacklight/access_controls/permissions_query.rb

@@ -23,13 +23,13 @@ module Blacklight::AccessControls
     # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
     # @param [String] id of the documetn to retrieve
     # @param [Hash] extra_controller_params (optional)
-    def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
-      raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
+    def get_permissions_solr_response_for_doc_id(id = nil, extra_controller_params = {})
+      raise Blacklight::Exceptions::InvalidSolrID, 'The application is trying to retrieve permissions without specifying an asset id' if id.nil?
       solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
-      response = Blacklight.default_index.connection.get('select', :params=> solr_opts)
+      response = Blacklight.default_index.connection.get('select', params: solr_opts)
       solr_response = Blacklight::Solr::Response.new(response, solr_opts)
 
-      raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
+      raise Blacklight::Exceptions::InvalidSolrID, "The solr permissions search handler didn't return anything for id \"#{id}\"" if solr_response.docs.empty?
       permissions_document_class.new(solr_response.docs.first, solr_response)
     end
 
@@ -42,13 +42,13 @@ module Blacklight::AccessControls
     # This method is primary called by the get_permissions_solr_response_for_doc_id method.
     # Modeled on Blacklight::SolrHelper.solr_doc_params
     # @param [String] id of the documetn to retrieve
-    def permissions_solr_doc_params(id=nil)
+    def permissions_solr_doc_params(id = nil)
       id ||= params[:id]
       # just to be consistent with the other solr param methods:
       {
-        :qt => :permissions,
-        :id => id # this assumes the document request handler will map the 'id' param to the unique key field
+        qt: :permissions,
+        id: id # this assumes the document request handler will map the 'id' param to the unique key field
       }
     end
-  end    
+  end
 end

data/lib/blacklight/access_controls/user.rb

@@ -18,7 +18,6 @@ module Blacklight
       def user_key
         send(Devise.authentication_keys.first)
       end
-
     end
   end
 end

data/lib/blacklight-access_controls.rb

@@ -13,12 +13,11 @@ module Blacklight::AccessControls
       yield @config if block_given?
       @config
     end
-    alias :config :configure
+    alias config configure
   end
 
   # This error is raised when a user isn't allowed to access a given controller action.
   # This usually happens within a call to Enforcement#enforce_access_controls but can be
   # raised manually.
   class AccessDenied < ::CanCan::AccessDenied; end
-
 end

data/lib/generators/blacklight/ability.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
 class Ability
-  include CanCan::Ability
   include Blacklight::AccessControls::Ability
 end

data/lib/generators/blacklight/access_controls_generator.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 module Blacklight
   class AccessControlsGenerator < Rails::Generators::Base
-
     desc "This generator makes the following changes to your application:
 
 1. Includes Blacklight::AccessControls::User in the User class.
@@ -9,21 +8,19 @@ module Blacklight
 3. Adds access controls to CatalogController.
 4. Adds Ability class."
 
-
-    source_root File.expand_path("..", __FILE__)
+    source_root File.expand_path('..', __FILE__)
 
     class_option :user_model, aliases: '-m',
-      type: :string, default: 'User',
-      desc: "What is your user model called?"
+                              type: :string, default: 'User',
+                              desc: 'What is your user model called?'
 
     class_option :search_builders, aliases: '-b', type: :array,
-      default: Array(File.join('app', 'models', 'search_builder.rb')),
-      desc: "The path(s) to your search builder model(s)"
-
+                                   default: Array(File.join('app', 'models', 'search_builder.rb')),
+                                   desc: 'The path(s) to your search builder model(s)'
 
     def add_access_controls_to_user
       say_status('status', 'ADDING ACCESS CONTROLS TO USER MODEL', :yellow)
-      insert_into_file File.join('app','models', "#{options[:user_model].underscore}.rb"),
+      insert_into_file File.join('app', 'models', "#{options[:user_model].underscore}.rb"),
         "  include Blacklight::AccessControls::User\n\n",
         after: "include Blacklight::User\n"
     end
@@ -44,7 +41,7 @@ module Blacklight
   include Blacklight::AccessControls::Catalog
 
   # Apply the blacklight-access_controls
-  before_filter :enforce_show_permissions, only: :show
+  before_action :enforce_show_permissions, only: :show
 
       EOS
 
@@ -61,6 +58,5 @@ module Blacklight
       say_status('status', 'ADDING BLACKLIGHT ACCESS CONTROLS CONFIGURATION', :yellow)
       copy_file 'blacklight_access_controls.rb', 'config/initializers/blacklight_access_controls.rb'
     end
-
   end
 end

data/lib/generators/blacklight/blacklight_access_controls.rb

@@ -13,4 +13,4 @@ Blacklight::AccessControls.configure do |config|
   #
   # specify the user model
   # config.user_model = 'User'
-end
+end

data/spec/support/solr_support.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 module SolrSupport
-
   def create_solr_doc(hash)
     doc = SolrDocument.new(hash)
     solr = Blacklight.default_index.connection
@@ -8,5 +7,4 @@ module SolrSupport
     solr.commit
     doc
   end
-
 end

data/spec/test_app_templates/lib/generators/test_app_generator.rb

@@ -2,7 +2,7 @@
 require 'rails/generators'
 
 class TestAppGenerator < Rails::Generators::Base
-  source_root File.expand_path("../../../../spec/test_app_templates", __FILE__)
+  source_root File.expand_path('../../../../spec/test_app_templates', __FILE__)
 
   # if you need to generate any additional configuration
   # into the test app, this generator will be run immediately
@@ -10,7 +10,7 @@ class TestAppGenerator < Rails::Generators::Base
 
   def generate_blacklight
     say_status('status', 'GENERATING BLACKLIGHT', :yellow)
-    generate "blacklight:install", "--devise"
+    generate 'blacklight:install', '--devise'
   end
 
   def configure_blacklight
@@ -22,5 +22,4 @@ class TestAppGenerator < Rails::Generators::Base
   def run_access_controls_generator
     generate 'blacklight:access_controls'
   end
-
 end

data/spec/unit/ability_spec.rb

@@ -1,11 +1,10 @@
 # frozen_string_literal: true
-require 'spec_helper'
 require 'cancan/matchers'
 
 describe Ability do
   let(:ability) { Ability.new(user) }
 
-  describe "class methods" do
+  describe 'class methods' do
     it 'has keys for access control fields' do
       expect(Ability.read_group_field).to eq 'read_access_group_ssim'
       expect(Ability.read_user_field).to eq 'read_access_person_ssim'
@@ -16,11 +15,11 @@ describe Ability do
     end
   end
 
-  describe "Given an asset that has been made publicly discoverable" do
+  describe 'Given an asset that has been made publicly discoverable' do
     let(:asset) { SolrDocument.new(id: 'public_discovery',
-                  discover_access_group_ssim: ['public']) }
+                                   discover_access_group_ssim: ['public']) }
 
-    context "Then a not-signed-in user" do
+    context 'Then a not-signed-in user' do
       let(:user) { nil }
       subject { ability }
 
@@ -29,7 +28,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then a registered user" do
+    context 'Then a registered user' do
       let(:user) { create(:user) }
       subject { ability }
 
@@ -54,11 +53,11 @@ describe Ability do
     end
   end
 
-  describe "Given an asset that has been made publicly readable" do
+  describe 'Given an asset that has been made publicly readable' do
     let(:asset) { SolrDocument.new(id: 'public_read',
-                  read_access_group_ssim: ['public']) }
+                                   read_access_group_ssim: ['public']) }
 
-    context "Then a not-signed-in user" do
+    context 'Then a not-signed-in user' do
       let(:user) { nil }
       subject { ability }
 
@@ -67,7 +66,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then a registered user" do
+    context 'Then a registered user' do
       let(:user) { create(:user) }
       subject { ability }
 
@@ -92,12 +91,12 @@ describe Ability do
     end
   end
 
-  describe "Given an asset that has been made publicly downloadable" do
+  describe 'Given an asset that has been made publicly downloadable' do
     let(:id) { 'public_download' }
     let(:asset) { SolrDocument.new(id: id,
-                    download_access_group_ssim: ['public']) }
+                                   download_access_group_ssim: ['public']) }
 
-    context "Then a not-signed-in user" do
+    context 'Then a not-signed-in user' do
       let(:user) { nil }
       subject { ability }
 
@@ -106,7 +105,7 @@ describe Ability do
       it { should be_able_to(:download, asset) }
     end
 
-    context "Then a registered user" do
+    context 'Then a registered user' do
       let(:user) { create(:user) }
       subject { ability }
 
@@ -131,12 +130,11 @@ describe Ability do
     end
   end
 
-
-  describe "Given an asset to which a specific user has discovery access" do
+  describe 'Given an asset to which a specific user has discovery access' do
     let(:user_with_access) { create(:user) }
     let(:asset) { SolrDocument.new(id: 'user_disco', discover_access_person_ssim: [user_with_access.email]) }
 
-    context "Then a not-signed-in user" do
+    context 'Then a not-signed-in user' do
       let(:user) { nil }
       subject { ability }
 
@@ -145,7 +143,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then a different registered user" do
+    context 'Then a different registered user' do
       let(:user) { create(:user) }
       subject { ability }
 
@@ -154,7 +152,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then that user" do
+    context 'Then that user' do
       let(:user) { user_with_access }
       subject { ability }
 
@@ -164,11 +162,11 @@ describe Ability do
     end
   end
 
-  describe "Given an asset to which a specific user has read access" do
+  describe 'Given an asset to which a specific user has read access' do
     let(:user_with_access) { create(:user) }
     let(:asset) { SolrDocument.new(id: 'user_read', read_access_person_ssim: [user_with_access.email]) }
 
-    context "Then a not-signed-in user" do
+    context 'Then a not-signed-in user' do
       let(:user) { nil }
       subject { ability }
 
@@ -177,7 +175,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then a different registered user" do
+    context 'Then a different registered user' do
       let(:user) { create(:user) }
       subject { ability }
 
@@ -186,7 +184,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then that user" do
+    context 'Then that user' do
       let(:user) { user_with_access }
       subject { ability }
 
@@ -196,11 +194,11 @@ describe Ability do
     end
   end
 
-  describe "Given an asset to which a specific user has download access" do
+  describe 'Given an asset to which a specific user has download access' do
     let(:user_with_access) { create(:user) }
     let(:asset) { SolrDocument.new(id: 'user_read', download_access_person_ssim: [user_with_access.email]) }
 
-    context "Then a not-signed-in user" do
+    context 'Then a not-signed-in user' do
       let(:user) { nil }
       subject { ability }
 
@@ -209,7 +207,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then a different registered user" do
+    context 'Then a different registered user' do
       let(:user) { create(:user) }
       subject { ability }
 
@@ -218,7 +216,7 @@ describe Ability do
       it { should_not be_able_to(:download, asset) }
     end
 
-    context "Then that user" do
+    context 'Then that user' do
       let(:user) { user_with_access }
       subject { ability }
 
@@ -228,7 +226,6 @@ describe Ability do
     end
   end
 
-
   describe '.user_class' do
     subject { Blacklight::AccessControls::Ability.user_class }
     it { is_expected.to eq User }
@@ -258,19 +255,19 @@ describe Ability do
     end
 
     context 'a user with groups' do
-      let(:user) { double(groups: ['group1', 'group2'], new_record?: false) }
+      let(:user) { double(groups: %w(group1 group2), new_record?: false) }
       it { is_expected.to include('group1', 'group2') }
     end
   end
 
-  describe "with a custom method" do
+  describe 'with a custom method' do
     let(:user) { create(:user) }
     subject { MyAbility.new(user) }
 
     before do
       class MyAbility
         include Blacklight::AccessControls::Ability
-        self.ability_logic +=[:setup_my_permissions]
+        self.ability_logic += [:setup_my_permissions]
 
         def setup_my_permissions
           can :accept, SolrDocument
@@ -285,5 +282,4 @@ describe Ability do
     # Make sure it called the custom method
     it { should be_able_to(:accept, SolrDocument) }
   end
-
 end

data/spec/unit/catalog_spec.rb

@@ -1,12 +1,10 @@
 # frozen_string_literal: true
-require 'spec_helper'
-
 describe Blacklight::AccessControls::Catalog do
   let(:controller) { CatalogController.new }
 
   describe '#enforce_show_permissions' do
     subject { controller.send(:enforce_show_permissions) }
-    let(:params) {{ id: doc.id }}
+    let(:params) { { id: doc.id } }
 
     before do
       allow(controller).to receive(:current_user).and_return(user)
@@ -38,5 +36,4 @@ describe Blacklight::AccessControls::Catalog do
       end
     end
   end
-
 end

data/spec/unit/config_spec.rb

@@ -1,6 +1,4 @@
 # frozen_string_literal: true
-require 'spec_helper'
-
 describe Blacklight::AccessControls::Config do
   let(:config) { described_class.new }
 
@@ -19,7 +17,7 @@ describe Blacklight::AccessControls::Config do
     subject { config.discover_group_field }
 
     it 'has a default value' do
-      expect(subject).to eq "discover_access_group_ssim"
+      expect(subject).to eq 'discover_access_group_ssim'
     end
 
     it 'can be set to a non-default value' do
@@ -32,7 +30,7 @@ describe Blacklight::AccessControls::Config do
     subject { config.discover_user_field }
 
     it 'has a default value' do
-      expect(subject).to eq "discover_access_person_ssim"
+      expect(subject).to eq 'discover_access_person_ssim'
     end
 
     it 'can be set to a non-default value' do
@@ -45,7 +43,7 @@ describe Blacklight::AccessControls::Config do
     subject { config.read_group_field }
 
     it 'has a default value' do
-      expect(subject).to eq "read_access_group_ssim"
+      expect(subject).to eq 'read_access_group_ssim'
     end
 
     it 'can be set to a non-default value' do
@@ -58,7 +56,7 @@ describe Blacklight::AccessControls::Config do
     subject { config.read_user_field }
 
     it 'has a default value' do
-      expect(subject).to eq "read_access_person_ssim"
+      expect(subject).to eq 'read_access_person_ssim'
     end
 
     it 'can be set to a non-default value' do
@@ -71,7 +69,7 @@ describe Blacklight::AccessControls::Config do
     subject { config.download_group_field }
 
     it 'has a default value' do
-      expect(subject).to eq "download_access_group_ssim"
+      expect(subject).to eq 'download_access_group_ssim'
     end
 
     it 'can be set to a non-default value' do
@@ -84,7 +82,7 @@ describe Blacklight::AccessControls::Config do
     subject { config.download_user_field }
 
     it 'has a default value' do
-      expect(subject).to eq "download_access_person_ssim"
+      expect(subject).to eq 'download_access_person_ssim'
     end
 
     it 'can be set to a non-default value' do
@@ -92,5 +90,4 @@ describe Blacklight::AccessControls::Config do
       expect(subject).to eq 'something else'
     end
   end
-
 end

data/spec/unit/enforcement_spec.rb

@@ -1,147 +1,121 @@
 # frozen_string_literal: true
-require 'spec_helper'
+class MyController # < ApplicationController
+  include Blacklight::AccessControls::Enforcement
+end
 
 describe Blacklight::AccessControls::Enforcement do
-  let(:controller) { CatalogController.new }
-  let(:search_builder) { SearchBuilder.new(method_chain, context) }
-  let(:method_chain) { SearchBuilder.default_processor_chain }
-  let(:context) { controller }
-
+  let(:controller) do
+    c = MyController.new
+    allow(c).to receive(:current_ability).and_return(ability)
+    c
+  end
   let(:user) { User.new }
   let(:ability) { Ability.new(user) }
+  subject { controller }
 
-  subject { search_builder }
+  describe '#discovery_permissions' do
+    it 'has defaults' do
+      expect(subject.discovery_permissions).to eq %w(discover read)
+    end
 
-  before do
-    allow(controller).to receive(:current_ability).and_return(ability)
+    it 'does getter/setter' do
+      subject.discovery_permissions = %w(discover read frobnicate)
+      expect(subject.discovery_permissions).to eq %w(discover read frobnicate)
+      subject.discovery_permissions << 'zazzo'
+      expect(subject.discovery_permissions).to eq %w(discover read frobnicate zazzo)
+    end
   end
 
-  describe "When I am searching for content" do
-    before do
-      @solr_parameters = {}
+  describe '#apply_gated_discovery' do
+    let(:fq_first) do
+      solr_parameters = {}
+      subject.send(:apply_gated_discovery, solr_parameters)
+      solr_parameters[:fq].first
     end
 
-    context "Given I am not logged in" do
-      before do
-        subject.send(:apply_gated_discovery, @solr_parameters)
+    # rubocop:disable RSpec/MessageExpectation
+    describe 'logger' do
+      # Expectation will be triggered by Ability class (that calls Rails.logger.debug earlier). So we double Ability to avoid false positive.
+      let(:ability) { instance_double(Ability, user_groups: [], current_user: user) }
+      it 'is called with debug' do
+        expect(Rails.logger).to receive(:debug).with(/^Solr parameters/)
+        controller.send(:apply_gated_discovery, {})
       end
+    end
 
+    context 'Given I am not logged in' do
       it "Then I should be treated as a member of the 'public' group" do
-        expect(@solr_parameters[:fq].first).to eq '({!terms f=discover_access_group_ssim}public) OR ({!terms f=read_access_group_ssim}public)'
+        expect(fq_first).to eq '({!terms f=discover_access_group_ssim}public) OR ({!terms f=read_access_group_ssim}public)'
       end
 
       it "Then I should not be treated as a member of the 'registered' group" do
-        expect(@solr_parameters[:fq].first).to_not match(/registered/)
+        expect(fq_first).to_not match(/registered/)
       end
     end
 
-    context "Given I am a registered user" do
+    context 'Given I am a registered user' do
+      let(:groups) { %w(faculty africana-faculty) }
       let(:user) do
         create(:user).tap do |u|
-          allow(u).to receive(:groups) { ["faculty", "africana-faculty"] }
+          allow(u).to receive(:groups) { groups }
         end
       end
 
-      before do
-        subject.send(:apply_gated_discovery, @solr_parameters)
-      end
-
-      it "searches for my groups" do
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=discover_access_group_ssim\}public,faculty,africana-faculty,registered})
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=read_access_group_ssim\}public,faculty,africana-faculty,registered})
+      it 'searches for my user key in discover and read fields' do
+        expect(fq_first).to match(/discover_access_person_ssim\:#{user.user_key}/)
+        expect(fq_first).to match(/read_access_person_ssim\:#{user.user_key}/)
       end
 
-      it "searches for my user key" do
-        ["discover","read"].each do |type|
-          expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{user.user_key}/)
-        end
-      end
-    end
-  end
-
-  describe "#except" do
-    let(:user) { build(:user) }
-    let(:ability) { Ability.new(user) }
-    subject { search_builder.except('foo') }
-
-    it "keeps the current_ability set" do
-      expect(subject.current_ability).to eq ability
-    end
-  end
-
-  describe "#append" do
-    let(:user) { build(:user) }
-    let(:ability) { Ability.new(user) }
-    subject { search_builder.append('foo') }
-
-    it "keeps the current_ability set" do
-      expect(subject.current_ability).to eq ability
-    end
-  end
-
-  describe "apply_gated_discovery" do
-    let(:user) do
-      create(:user).tap do |u|
-        allow(u).to receive(:groups) { groups }
+      it 'searches for my groups' do
+        expect(fq_first).to match(%r{\{!terms f=discover_access_group_ssim\}public,faculty,africana-faculty,registered})
+        expect(fq_first).to match(%r{\{!terms f=read_access_group_ssim\}public,faculty,africana-faculty,registered})
       end
-    end
-    let(:groups) { ["archivist","researcher"] }
-
-    before do
-      @solr_parameters = {}
-      subject.send(:apply_gated_discovery, @solr_parameters)
-    end
 
-    it "sets query fields for the user id checking against the discover, read fields" do
-      ["discover","read"].each do |type|
-        expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{user.user_key}/)
+      it 'does not build empty clauses' do
+        expect(controller).to receive(:apply_user_permissions).and_return(['({!terms f=discover_access_group_ssim}public,faculty,africana-faculty,registered)', '', nil])
+        expect(fq_first).not_to match(/ OR $/) # i.e. doesn't end w/ empty
       end
-    end
-
-    it "queries roles the user is a member of checking against the discover, read fields" do
-      expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=discover_access_group_ssim\}public,archivist,researcher,registered})
-      expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=read_access_group_ssim\}public,archivist,researcher,registered})
-    end
 
-    context 'slashes in the group names' do
-      let(:groups) { ["abc/123","cde/567"] }
+      context 'slashes in the group names' do
+        let(:groups) { ['abc/123', 'cde/567'] }
 
-      it "doesn't escape slashes" do
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=discover_access_group_ssim\}public,abc/123,cde/567,registered})
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=read_access_group_ssim\}public,abc/123,cde/567,registered})
+        it 'does not escape slashes' do
+          expect(fq_first).to match(%r{\{!terms f=discover_access_group_ssim\}public,abc/123,cde/567,registered})
+          expect(fq_first).to match(%r{\{!terms f=read_access_group_ssim\}public,abc/123,cde/567,registered})
+        end
       end
-    end
 
-    context 'spaces in the group names' do
-      let(:groups) { ["abc 123","cd/e 567"] }
+      context 'spaces in the group names' do
+        let(:groups) { ['abc 123', 'cd/e 567'] }
 
-      it "doesn't escape spaces in group names" do
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=discover_access_group_ssim\}public,abc 123,cd/e 567,registered})
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=read_access_group_ssim\}public,abc 123,cd/e 567,registered})
+        it 'does not escape spaces in group names' do
+          expect(fq_first).to match(%r{\{!terms f=discover_access_group_ssim\}public,abc 123,cd/e 567,registered})
+          expect(fq_first).to match(%r{\{!terms f=read_access_group_ssim\}public,abc 123,cd/e 567,registered})
+        end
       end
-    end
 
-    context 'colons in the groups names' do
-      let(:groups) { ["abc:123","cde:567"] }
+      context 'colons in the groups names' do
+        let(:groups) { ['abc:123', 'cde:567'] }
 
-      it "doesn't escape colons" do
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=discover_access_group_ssim\}public,abc:123,cde:567,registered})
-        expect(@solr_parameters[:fq].first).to match(%r{\{!terms f=read_access_group_ssim\}public,abc:123,cde:567,registered})
+        it 'does not escape colons' do
+          expect(fq_first).to match(%r{\{!terms f=discover_access_group_ssim\}public,abc:123,cde:567,registered})
+          expect(fq_first).to match(%r{\{!terms f=read_access_group_ssim\}public,abc:123,cde:567,registered})
+        end
       end
     end
   end
 
-  describe "apply_user_permissions" do
-    describe "when the user is a guest user (user key nil)" do
-      it "does not create filters" do
-        expect(subject.send(:apply_user_permissions, ["discover","read"])).to eq []
+  describe '#apply_user_permissions' do
+    describe 'when the user is a guest user (user key nil)' do
+      it 'does not create filters' do
+        expect(subject.send(:apply_user_permissions, %w(discover read))).to eq []
       end
     end
 
-    describe "when the user is a guest user (user key empty string)" do
+    describe 'when the user is a guest user (user key empty string)' do
       let(:user) { User.new(email: '') }
-      it "does not create filters" do
-        expect(subject.send(:apply_user_permissions, ["discover","read"])).to eq []
+      it 'does not create filters' do
+        expect(subject.send(:apply_user_permissions, %w(discover read))).to eq []
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: blacklight-access_controls
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Chris Beer
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-06-08 00:00:00.000000000 Z
+date: 2016-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cancancan
@@ -139,6 +139,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Access controls for blacklight-based applications
 email:
 - blacklight-development@googlegroups.com
@@ -147,6 +175,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".rubocop_todo.yml"
 - ".travis.yml"
 - Gemfile
 - README.textile