blacklight-access_controls 0.6.2 → 0.7.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c08621f2787c992b840763f78bfbbd0da777c238
-  data.tar.gz: 9a0333f2b7a1f34835afeb65e24e08465b595845
+SHA256:
+  metadata.gz: ad6262064035e0af1ebfcae414a52f18073874ba0d4ef695fd01cf22e3ef2c06
+  data.tar.gz: 2f4f590ed542157b3d0e09335cb66a9ac90132908494a3d797ca041fb037ecb4
 SHA512:
-  metadata.gz: 894505d49a44f7dfa2ae0e993314f086da84add4dd7aa1bcb578fedd2333ee01c9a55f783b1a682cb840f1cb450a19e6ffffc03bfab4052f3c195471961a5d55
-  data.tar.gz: 5bbe9d38b52bf2d19e5da972a8a895bc985a2761ee1b263205198239d03c2294413e10b64d92b5978a14f3942b6f3ef553955911661ec36555d6611fb0b859fa
+  metadata.gz: bf9cd42d89e6315c6e8c65d46341f995e4d0d668a24fa62e98c06d5bcee80c45c49deb81a47a18625cae26574e3d0f6f0ee34b95278a6420a5b6f4b40b126a6a
+  data.tar.gz: 11de766eb48a9d94ed7aa6c1b8483a7e78d7bb4166ebbba8cf549b1b4b66171e633e418e3482b29e46245acb7c47b5db634e3b1520c0e29583128ea23bde75c5

data/.rubocop.yml

@@ -8,28 +8,29 @@ AllCops:
   Exclude:
     - '.internal_test_app/**/*'
 
+
 Bundler/DuplicatedGem:
   Enabled: false
 
-Style/FileName:
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*'
+
+Metrics/LineLength:
+  Max: 185
+
+Naming/FileName:
   Exclude:
     - 'Gemfile'
     - 'blacklight-access_controls.gemspec'
     - 'lib/blacklight-access_controls.rb'
 
-Style/MixinGrouping:
-  Enabled: false # pending fix of https://github.com/bbatsov/rubocop/issues/4172
-
 Rails:
   Enabled: true
 
-Metrics/BlockLength:
-  Exclude:
-    - 'spec/**/*'
-
-Metrics/LineLength:
-  Max: 185
-
 RSpec/MessageSpies:
   Enabled: false
-  
+
+RSpec/NestedGroups:
+  Exclude:
+   - 'spec/**/*_spec.rb'

data/.rubocop_todo.yml

@@ -1,28 +1,25 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2016-08-24 16:11:34 -0700 using RuboCop version 0.42.0.
+# on 2017-09-06 09:54:51 -0700 using RuboCop version 0.49.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Manually added to prevent `unrecognized cop` warnings during execution.
-require: rubocop-rspec
-
-# Offense count: 4
+# Offense count: 3
 Metrics/AbcSize:
-  Max: 18
+  Max: 16
 
 # Offense count: 1
 # Configuration parameters: CountComments.
 Metrics/ModuleLength:
   Max: 120
 
-# Offense count: 7
-# Configuration parameters: SkipBlocks.
-RSpec/DescribedClass:
+RSpec/ContextWording:
   Exclude:
     - 'spec/unit/ability_spec.rb'
+    - 'spec/unit/enforcement_spec.rb'
+    - 'spec/unit/blacklight/access_controls/search_builder_spec.rb'
 
 # Offense count: 1
 # Configuration parameters: Max.
@@ -31,26 +28,14 @@ RSpec/ExampleLength:
     - 'spec/unit/ability_spec.rb'
 
 # Offense count: 3
-# Configuration parameters: CustomTransform.
+# Configuration parameters: CustomTransform, IgnoreMethods.
 RSpec/FilePath:
   Exclude:
     - 'spec/unit/catalog_spec.rb'
     - 'spec/unit/config_spec.rb'
     - 'spec/unit/enforcement_spec.rb'
 
-# Offense count: 17
-# Configuration parameters: AssignmentOnly.
-RSpec/InstanceVariable:
-  Exclude:
-    - 'spec/unit/enforcement_spec.rb'
-
-# Offense count: 23
-RSpec/LeadingSubject:
-  Exclude:
-    - 'spec/unit/ability_spec.rb'
-    - 'spec/unit/enforcement_spec.rb'
-
-# Offense count: 7
+# Offense count: 15
 RSpec/MultipleExpectations:
   Max: 6
 
@@ -62,53 +47,12 @@ RSpec/NamedSubject:
     - 'spec/unit/config_spec.rb'
     - 'spec/unit/enforcement_spec.rb'
 
-# Offense count: 30
-# Configuration parameters: MaxNesting.
-RSpec/NestedGroups:
-  Exclude:
-    - 'spec/unit/ability_spec.rb'
-    - 'spec/unit/catalog_spec.rb'
-    - 'spec/unit/enforcement_spec.rb'
-
-# Offense count: 2
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-# SupportedStyles: not_to, to_not
-RSpec/NotToNot:
-  Exclude:
-    - 'spec/unit/catalog_spec.rb'
-    - 'spec/unit/enforcement_spec.rb'
-
 # Offense count: 1
 # Configuration parameters: IgnoreSymbolicNames.
 RSpec/VerifiedDoubles:
   Exclude:
     - 'spec/unit/ability_spec.rb'
 
-# Offense count: 5
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles, IndentationWidth.
-# SupportedStyles: with_first_parameter, with_fixed_indentation
-Style/AlignParameters:
-  Exclude:
-    - 'lib/generators/blacklight/access_controls_generator.rb'
-
-# Offense count: 6
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles, ProceduralMethods, FunctionalMethods, IgnoredMethods.
-# SupportedStyles: line_count_based, semantic, braces_for_chaining
-# ProceduralMethods: benchmark, bm, bmbm, create, each_with_object, measure, new, realtime, tap, with_object
-# FunctionalMethods: let, let!, subject, watch
-# IgnoredMethods: lambda, proc, it
-Style/BlockDelimiters:
-  Exclude:
-    - 'spec/unit/ability_spec.rb'
-
-# Offense count: 3
-# Cop supports --auto-correct.
-Style/BlockEndNewline:
-  Exclude:
-    - 'spec/unit/ability_spec.rb'
-
 # Offense count: 3
 # Configuration parameters: EnforcedStyle, SupportedStyles.
 # SupportedStyles: nested, compact
@@ -118,7 +62,7 @@ Style/ClassAndModuleChildren:
     - 'lib/blacklight/access_controls/permissions_cache.rb'
     - 'lib/blacklight/access_controls/permissions_query.rb'
 
-# Offense count: 12
+# Offense count: 10
 Style/Documentation:
   Exclude:
     - 'spec/**/*'
@@ -126,31 +70,9 @@ Style/Documentation:
     - 'lib/blacklight-access_controls.rb'
     - 'lib/blacklight/access_controls.rb'
     - 'lib/blacklight/access_controls/ability.rb'
-    - 'lib/blacklight/access_controls/catalog.rb'
     - 'lib/blacklight/access_controls/config.rb'
-    - 'lib/blacklight/access_controls/enforcement.rb'
     - 'lib/blacklight/access_controls/permissions_cache.rb'
     - 'lib/blacklight/access_controls/permissions_query.rb'
     - 'lib/blacklight/access_controls/user.rb'
     - 'lib/generators/blacklight/ability.rb'
     - 'lib/generators/blacklight/access_controls_generator.rb'
-
-# Offense count: 1
-# Configuration parameters: ExpectMatchingDefinition, Regex, IgnoreExecutableScripts.
-Style/FileName:
-  Exclude:
-    - 'lib/blacklight-access_controls.rb'
-
-# Offense count: 3
-# Cop supports --auto-correct.
-Style/MultilineBlockLayout:
-  Exclude:
-    - 'spec/unit/ability_spec.rb'
-
-# Offense count: 6
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles, AllowInnerSlashes.
-# SupportedStyles: slashes, percent_r, mixed
-Style/RegexpLiteral:
-  Exclude:
-    - 'spec/unit/enforcement_spec.rb'

data/.travis.yml

@@ -8,7 +8,6 @@ rvm:
   - 2.3.1
 
 env:
- - "RAILS_VERSION=4.2.7.1"
  - "RAILS_VERSION=5.0.0.1"
 
 global_env:

data/Rakefile

@@ -1,4 +1,3 @@
-#!/usr/bin/env rake
 begin
   require 'bundler/setup'
 rescue LoadError
@@ -18,7 +17,7 @@ RSpec::Core::RakeTask.new(:spec)
 task default: 'ci'
 
 def solr_config_dir
-  File.join(File.expand_path(File.dirname(__FILE__)), 'solr_conf', 'conf')
+  File.join(__dir__, 'solr_conf', 'conf')
 end
 
 namespace :solr do

data/VERSION

@@ -1 +1 @@
-0.6.2
+0.7.0.rc1

data/blacklight-access_controls.gemspec

@@ -15,18 +15,18 @@ Gem::Specification.new do |gem|
   gem.version       = version
   gem.license       = 'APACHE2'
 
-  gem.required_ruby_version = '>= 1.9.3'
+  gem.required_ruby_version = '>= 2.1.0'
 
-  gem.add_dependency 'cancancan', '~> 1.8'
   gem.add_dependency 'blacklight', '~> 6.0'
+  gem.add_dependency 'cancancan', '~> 1.8'
   gem.add_dependency 'deprecation', '~> 1.0'
 
-  gem.add_development_dependency 'rake', '~> 11.3'
-  gem.add_development_dependency 'rspec', '~> 3.1'
-  gem.add_development_dependency 'engine_cart', '~> 1.0'
-  gem.add_development_dependency 'solr_wrapper'
-  gem.add_development_dependency 'factory_girl_rails', '~> 4.0'
   gem.add_development_dependency 'database_cleaner'
-  gem.add_development_dependency 'rubocop'
+  gem.add_development_dependency 'engine_cart', '~> 1.0'
+  gem.add_development_dependency 'factory_bot_rails', '~> 4.8'
+  gem.add_development_dependency 'rake', '~> 12.3'
+  gem.add_development_dependency 'rspec', '~> 3.1'
+  gem.add_development_dependency 'rubocop', '~> 0.52.1'
   gem.add_development_dependency 'rubocop-rspec'
+  gem.add_development_dependency 'solr_wrapper'
 end

data/lib/blacklight/access_controls.rb

@@ -10,6 +10,7 @@ module Blacklight
     autoload :PermissionsCache
     autoload :Ability
     autoload :Enforcement
+    autoload :SearchBuilder
     autoload :Catalog
   end
 end

data/lib/blacklight/access_controls/ability.rb

@@ -15,7 +15,7 @@ module Blacklight
         # permission methods to ability_logic, like so:
         # self.ability_logic += [:setup_my_permissions]
         class_attribute :ability_logic
-        self.ability_logic = %i(discover_permissions read_permissions download_permissions)
+        self.ability_logic = %i[discover_permissions read_permissions download_permissions]
       end
 
       def initialize(user, options = {})
@@ -55,6 +55,7 @@ module Blacklight
       end
 
       def read_permissions
+        # Loading an object from your datastore might be slow (e.g. Fedora), so assume that if a string is passed, it's an object id
         can :read, String do |id|
           test_read(id)
         end

data/lib/blacklight/access_controls/catalog.rb

@@ -15,6 +15,11 @@ module Blacklight
         end
         permissions
       end
+
+      # This will work for BL 6, but will need to move to SearchService in BL 7
+      def search_builder
+        Blacklight::AccessControls::SearchBuilder.new(self, current_ability)
+      end
     end
   end
 end

data/lib/blacklight/access_controls/enforcement.rb

@@ -19,10 +19,11 @@ module Blacklight
         attr_writer :current_ability, :discovery_permissions
         deprecation_deprecate :current_ability=
 
+        Deprecation.warn(self, 'Blacklight::AccessControls::Enforcement is deprecated and will be removed in 1.0')
         class_attribute :solr_access_filters_logic
         alias_method :add_access_controls_to_solr_params, :apply_gated_discovery
 
-        self.solr_access_filters_logic = %i(apply_group_permissions apply_user_permissions)
+        self.solr_access_filters_logic = %i[apply_group_permissions apply_user_permissions]
 
         # Apply appropriate access controls to all solr queries
         self.default_processor_chain += [:add_access_controls_to_solr_params] if respond_to?(:default_processor_chain)
@@ -33,7 +34,7 @@ module Blacklight
       # Which permission levels (logical OR) will grant you the ability to discover documents in a search.
       # Override this method if you want it to be something other than the default, or hit the setter
       def discovery_permissions
-        @discovery_permissions ||= %w(discover read)
+        @discovery_permissions ||= %w[discover read]
       end
 
       protected

data/lib/blacklight/access_controls/search_builder.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+module Blacklight
+  module AccessControls
+    # SearchBuilder that restricts access via Solr.
+    #
+    # Note: solr_access_filters_logic is an Array of Symbols.
+    # It sets defaults. Each symbol identifies a _method_ that must be in
+    # this class, taking two parameters (permission_types, ability).
+    # Can be changed in local apps or by plugins, e.g.:
+    #   Blacklight::AccessControls::SearchBuilder.solr_access_filters_logic += [:new_method]
+    #   Blacklight::AccessControls::SearchBuilder.solr_access_filters_logic.delete(:we_dont_want)
+    class SearchBuilder < ::SearchBuilder
+      class_attribute :solr_access_filters_logic
+      self.solr_access_filters_logic = %i[apply_group_permissions apply_user_permissions]
+
+      # Apply appropriate access controls to all solr queries
+      self.default_processor_chain += [:apply_gated_discovery]
+
+      # @param scope [Object] typically the controller instance
+      # @param ability [Ability] the current user ability
+      # @param permission_types [Array<String>] Which permission levels (logical OR) will grant you the ability to discover documents in a search.
+      def initialize(scope, ability:, permission_types: default_permission_types)
+        if self.class.included_modules.include? Blacklight::AccessControls::Enforcement
+          raise 'You may not use Blacklight::AccessControls::SearchBuilder and ' \
+                'include Blacklight::AccessControls::Enforcement on SearchBuilder at the same time'
+        end
+        super(scope)
+        @ability = ability
+        @permission_types = permission_types
+      end
+
+      attr_reader :ability, :permission_types
+
+      def default_permission_types
+        %w[discover read]
+      end
+
+      private
+
+      # Grant access based on user id & group
+      # @return [Array{Array{String}}]
+      def gated_discovery_filters
+        solr_access_filters_logic.map { |method| send(method).reject(&:blank?) }.reject(&:empty?)
+      end
+
+      ### Solr query modifications
+
+      # Controller before_filter that sets up access-controlled lucene query to provide gated discovery behavior.
+      # Set solr_parameters to enforce appropriate permissions.
+      # @param [Hash{Object}] solr_parameters the current solr parameters, to be modified herein!
+      # @note Applies a lucene filter query to the solr :fq parameter for gated discovery.
+      def apply_gated_discovery(solr_parameters)
+        solr_parameters[:fq] ||= []
+        solr_parameters[:fq] << gated_discovery_filters.reject(&:blank?).join(' OR ')
+        Rails.logger.debug("Solr parameters: #{solr_parameters.inspect}")
+      end
+
+      # For groups
+      # @return [Array{String}] values are lucence syntax term queries suitable for :fq
+      # @example
+      #   [ "({!terms f=discover_access_group_ssim}public,faculty,africana-faculty,registered)",
+      #     "({!terms f=read_access_group_ssim}public,faculty,africana-faculty,registered)" ]
+      def apply_group_permissions
+        groups = ability.user_groups
+        return [] if groups.empty?
+        permission_types.map do |type|
+          field = solr_field_for(type, 'group')
+          "({!terms f=#{field}}#{groups.join(',')})" # parens required to properly OR the clauses together.
+        end
+      end
+
+      # For individual user access
+      # @return [Array{String}] values are lucence syntax term queries suitable for :fq
+      # @example ['discover_access_person_ssim:user_1@abc.com', 'read_access_person_ssim:user_1@abc.com']
+      def apply_user_permissions
+        user = ability.current_user
+        return [] unless user && user.user_key.present?
+        permission_types.map do |type|
+          escape_filter(solr_field_for(type, 'user'), user.user_key)
+        end
+      end
+
+      # @param [#to_s] permission_type a single value, e.g. "read" or "discover"
+      # @param [#to_s] permission_category a single value, e.g. "group" or "person"
+      # @return [String] name of the solr field for this type of permission
+      # @example return values: "read_access_group_ssim" or "discover_access_person_ssim"
+      def solr_field_for(permission_type, permission_category)
+        method_name = "#{permission_type}_#{permission_category}_field".to_sym
+        Blacklight::AccessControls.config.send(method_name)
+      end
+
+      def escape_filter(key, value)
+        [key, escape_value(value)].join(':')
+      end
+
+      def escape_value(value)
+        RSolr.solr_escape(value).gsub(/ /, '\ ')
+      end
+    end
+  end
+end

data/lib/generators/blacklight/access_controls_generator.rb

@@ -3,7 +3,6 @@
 module Blacklight
   class AccessControlsGenerator < Rails::Generators::Base
     desc "This generator makes the following changes to your application:
-
 1. Includes Blacklight::AccessControls::User in the User class.
 2. Includes Blacklight::AccessControls::Enforcement in the SearchBuilder class.
 3. Adds access controls to CatalogController.
@@ -22,32 +21,23 @@ module Blacklight
     def add_access_controls_to_user
       say_status('status', 'ADDING ACCESS CONTROLS TO USER MODEL', :yellow)
       insert_into_file File.join('app', 'models', "#{options[:user_model].underscore}.rb"),
-        "  include Blacklight::AccessControls::User\n\n",
-        after: "include Blacklight::User\n"
-    end
-
-    def add_access_controls_to_search_builder
-      say_status('status', 'ADDING ACCESS CONTROLS TO SEARCH BUILDERS', :yellow)
-      options[:search_builders].each do |file_path|
-        insert_into_file file_path,
-          "  include Blacklight::AccessControls::Enforcement\n\n",
-          after: "include Blacklight::Solr::SearchBuilderBehavior\n"
-      end
+                       "  include Blacklight::AccessControls::User\n\n",
+                       after: "include Blacklight::User\n"
     end
 
     def add_access_controls_to_catalog_controller
       say_status('status', 'ADDING ACCESS CONTROLS TO CATALOG CONTROLLER', :yellow)
 
-      string_to_insert = <<-EOS
+      string_to_insert = <<-ADDITIONS
   include Blacklight::AccessControls::Catalog
 
   # Apply the blacklight-access_controls
   before_action :enforce_show_permissions, only: :show
 
-      EOS
+      ADDITIONS
 
       insert_into_file 'app/controllers/catalog_controller.rb',
-        string_to_insert, after: "include Blacklight::Catalog\n"
+                       string_to_insert, after: "include Blacklight::Catalog\n"
     end
 
     def add_cancan_ability