ddr-core 0.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/LICENSE.txt +12 -0
- data/README.md +27 -0
- data/Rakefile +30 -0
- data/app/assets/config/ddr_core_manifest.js +0 -0
- data/app/controllers/users/omniauth_callbacks_controller.rb +11 -0
- data/app/controllers/users/sessions_controller.rb +15 -0
- data/app/models/concerns/ddr/captionable.rb +25 -0
- data/app/models/concerns/ddr/describable.rb +108 -0
- data/app/models/concerns/ddr/governable.rb +25 -0
- data/app/models/concerns/ddr/has_admin_metadata.rb +141 -0
- data/app/models/concerns/ddr/has_attachments.rb +10 -0
- data/app/models/concerns/ddr/has_children.rb +10 -0
- data/app/models/concerns/ddr/has_content.rb +132 -0
- data/app/models/concerns/ddr/has_extracted_text.rb +10 -0
- data/app/models/concerns/ddr/has_intermediate_file.rb +25 -0
- data/app/models/concerns/ddr/has_multires_image.rb +14 -0
- data/app/models/concerns/ddr/has_parent.rb +18 -0
- data/app/models/concerns/ddr/has_struct_metadata.rb +21 -0
- data/app/models/concerns/ddr/has_thumbnail.rb +33 -0
- data/app/models/concerns/ddr/solr_document_behavior.rb +429 -0
- data/app/models/concerns/ddr/streamable.rb +25 -0
- data/app/models/ddr/admin_set.rb +28 -0
- data/app/models/ddr/attachment.rb +14 -0
- data/app/models/ddr/collection.rb +28 -0
- data/app/models/ddr/component.rb +31 -0
- data/app/models/ddr/contact.rb +23 -0
- data/app/models/ddr/digest.rb +8 -0
- data/app/models/ddr/file.rb +40 -0
- data/app/models/ddr/item.rb +36 -0
- data/app/models/ddr/language.rb +31 -0
- data/app/models/ddr/media_type.rb +22 -0
- data/app/models/ddr/resource.rb +94 -0
- data/app/models/ddr/rights_statement.rb +25 -0
- data/app/models/ddr/target.rb +17 -0
- data/config/initializers/devise.rb +262 -0
- data/config/locales/ddr-core.en.yml +85 -0
- data/config/routes.rb +3 -0
- data/db/migrate/20141104181418_create_users.rb +34 -0
- data/db/migrate/20141107124012_add_columns_to_user.rb +46 -0
- data/lib/ddr-core.rb +1 -0
- data/lib/ddr/auth.rb +80 -0
- data/lib/ddr/auth/ability.rb +18 -0
- data/lib/ddr/auth/ability_definitions.rb +26 -0
- data/lib/ddr/auth/ability_definitions/admin_set_ability_definitions.rb +9 -0
- data/lib/ddr/auth/ability_definitions/alias_ability_definitions.rb +23 -0
- data/lib/ddr/auth/ability_definitions/attachment_ability_definitions.rb +13 -0
- data/lib/ddr/auth/ability_definitions/collection_ability_definitions.rb +28 -0
- data/lib/ddr/auth/ability_definitions/component_ability_definitions.rb +13 -0
- data/lib/ddr/auth/ability_definitions/item_ability_definitions.rb +13 -0
- data/lib/ddr/auth/ability_definitions/lock_ability_definitions.rb +13 -0
- data/lib/ddr/auth/ability_definitions/publication_ability_definitions.rb +16 -0
- data/lib/ddr/auth/ability_definitions/role_based_ability_definitions.rb +39 -0
- data/lib/ddr/auth/ability_definitions/superuser_ability_definitions.rb +9 -0
- data/lib/ddr/auth/ability_factory.rb +10 -0
- data/lib/ddr/auth/abstract_ability.rb +48 -0
- data/lib/ddr/auth/affiliation.rb +14 -0
- data/lib/ddr/auth/affiliation_groups.rb +20 -0
- data/lib/ddr/auth/anonymous_ability.rb +7 -0
- data/lib/ddr/auth/auth_context.rb +109 -0
- data/lib/ddr/auth/auth_context_factory.rb +13 -0
- data/lib/ddr/auth/detached_auth_context.rb +19 -0
- data/lib/ddr/auth/dynamic_groups.rb +13 -0
- data/lib/ddr/auth/effective_permissions.rb +12 -0
- data/lib/ddr/auth/effective_roles.rb +9 -0
- data/lib/ddr/auth/failure_app.rb +16 -0
- data/lib/ddr/auth/group.rb +40 -0
- data/lib/ddr/auth/grouper_gateway.rb +70 -0
- data/lib/ddr/auth/groups.rb +32 -0
- data/lib/ddr/auth/ldap_gateway.rb +74 -0
- data/lib/ddr/auth/permissions.rb +18 -0
- data/lib/ddr/auth/remote_groups.rb +14 -0
- data/lib/ddr/auth/role_based_access_controls_enforcement.rb +56 -0
- data/lib/ddr/auth/roles.rb +28 -0
- data/lib/ddr/auth/roles/role.rb +121 -0
- data/lib/ddr/auth/roles/role_type.rb +23 -0
- data/lib/ddr/auth/roles/role_types.rb +52 -0
- data/lib/ddr/auth/superuser_ability.rb +7 -0
- data/lib/ddr/auth/test_helpers.rb +22 -0
- data/lib/ddr/auth/user.rb +54 -0
- data/lib/ddr/auth/web_auth_context.rb +29 -0
- data/lib/ddr/core.rb +110 -0
- data/lib/ddr/core/engine.rb +8 -0
- data/lib/ddr/core/version.rb +5 -0
- data/lib/ddr/error.rb +16 -0
- data/lib/ddr/files.rb +13 -0
- data/lib/ddr/fits.rb +189 -0
- data/lib/ddr/index.rb +29 -0
- data/lib/ddr/index/abstract_query_result.rb +22 -0
- data/lib/ddr/index/connection.rb +38 -0
- data/lib/ddr/index/csv_query_result.rb +84 -0
- data/lib/ddr/index/document_builder.rb +9 -0
- data/lib/ddr/index/field.rb +35 -0
- data/lib/ddr/index/field_attribute.rb +22 -0
- data/lib/ddr/index/fields.rb +154 -0
- data/lib/ddr/index/filter.rb +139 -0
- data/lib/ddr/index/query.rb +82 -0
- data/lib/ddr/index/query_builder.rb +185 -0
- data/lib/ddr/index/query_clause.rb +112 -0
- data/lib/ddr/index/query_params.rb +40 -0
- data/lib/ddr/index/query_result.rb +102 -0
- data/lib/ddr/index/response.rb +30 -0
- data/lib/ddr/index/sort_order.rb +28 -0
- data/lib/ddr/index/unique_key_field.rb +12 -0
- data/lib/ddr/managers.rb +9 -0
- data/lib/ddr/managers/manager.rb +13 -0
- data/lib/ddr/managers/technical_metadata_manager.rb +141 -0
- data/lib/ddr/structure.rb +188 -0
- data/lib/ddr/structures/agent.rb +49 -0
- data/lib/ddr/structures/component_type_term.rb +29 -0
- data/lib/ddr/structures/div.rb +64 -0
- data/lib/ddr/structures/f_locat.rb +54 -0
- data/lib/ddr/structures/file.rb +52 -0
- data/lib/ddr/structures/file_grp.rb +35 -0
- data/lib/ddr/structures/file_sec.rb +22 -0
- data/lib/ddr/structures/fptr.rb +31 -0
- data/lib/ddr/structures/mets_hdr.rb +37 -0
- data/lib/ddr/structures/mptr.rb +49 -0
- data/lib/ddr/structures/struct_map.rb +40 -0
- data/lib/ddr/utils.rb +185 -0
- data/lib/ddr/vocab.rb +22 -0
- data/lib/ddr/vocab/asset.rb +51 -0
- data/lib/ddr/vocab/contact.rb +9 -0
- data/lib/ddr/vocab/display.rb +9 -0
- data/lib/ddr/vocab/duke_terms.rb +13 -0
- data/lib/ddr/vocab/rdf_vocabulary_parser.rb +43 -0
- data/lib/ddr/vocab/roles.rb +25 -0
- data/lib/ddr/vocab/sources/duketerms.rdf +870 -0
- data/lib/ddr/vocab/vocabulary.rb +37 -0
- data/lib/ddr/workflow.rb +8 -0
- data/lib/tasks/ddr/core_tasks.rake +4 -0
- metadata +428 -0
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
en:
|
|
2
|
+
ddr:
|
|
3
|
+
core:
|
|
4
|
+
errors:
|
|
5
|
+
incorrect_resource_class: "%{subject} must be a %{resource_class}"
|
|
6
|
+
index:
|
|
7
|
+
fields:
|
|
8
|
+
aleph_id:
|
|
9
|
+
label: "Aleph ID"
|
|
10
|
+
aspace_id:
|
|
11
|
+
label: "ArchivesSpace ID"
|
|
12
|
+
common_model_name:
|
|
13
|
+
label: "Common Model Name"
|
|
14
|
+
doi:
|
|
15
|
+
label: DOI
|
|
16
|
+
ead_id:
|
|
17
|
+
label: "EAD ID"
|
|
18
|
+
id:
|
|
19
|
+
label: ID
|
|
20
|
+
heading: id
|
|
21
|
+
local_id:
|
|
22
|
+
label: "Local ID"
|
|
23
|
+
permanent_id:
|
|
24
|
+
label: "Permanent ID"
|
|
25
|
+
permanent_url:
|
|
26
|
+
label: "Permanent URL"
|
|
27
|
+
resource_model:
|
|
28
|
+
label: Model
|
|
29
|
+
heading: model
|
|
30
|
+
streamable_media_url:
|
|
31
|
+
label: "Streamable Media URL"
|
|
32
|
+
created_at:
|
|
33
|
+
label: "Creation Date"
|
|
34
|
+
heading: creation_date
|
|
35
|
+
updated_at:
|
|
36
|
+
label: "Modification Date"
|
|
37
|
+
heading: modification_date
|
|
38
|
+
techmd_color_space:
|
|
39
|
+
label: "Color Space"
|
|
40
|
+
heading: color_space
|
|
41
|
+
techmd_creating_application:
|
|
42
|
+
label: "Creating Application"
|
|
43
|
+
heading: creating_application
|
|
44
|
+
techmd_creation_time:
|
|
45
|
+
label: "Creation Time"
|
|
46
|
+
heading: creation_time
|
|
47
|
+
techmd_file_size:
|
|
48
|
+
label: "File Size"
|
|
49
|
+
heading: "file_size"
|
|
50
|
+
techmd_fits_version:
|
|
51
|
+
label: "FITS Version"
|
|
52
|
+
heading: fits_version
|
|
53
|
+
techmd_fits_datetime:
|
|
54
|
+
label: "FITS Run At"
|
|
55
|
+
heading: fits_datetime
|
|
56
|
+
techmd_format_label:
|
|
57
|
+
label: "Format Label"
|
|
58
|
+
heading: format_label
|
|
59
|
+
techmd_format_version:
|
|
60
|
+
label: "Format Version"
|
|
61
|
+
heading: format_version
|
|
62
|
+
techmd_image_height:
|
|
63
|
+
label: "Image Height"
|
|
64
|
+
heading: image_height
|
|
65
|
+
techmd_image_width:
|
|
66
|
+
label: "Image Width"
|
|
67
|
+
heading: image_width
|
|
68
|
+
techmd_md5:
|
|
69
|
+
label: MD5
|
|
70
|
+
heading: md5
|
|
71
|
+
techmd_media_type:
|
|
72
|
+
label: "Media Type"
|
|
73
|
+
heading: media_type
|
|
74
|
+
techmd_modification_time:
|
|
75
|
+
label: "Modification Time"
|
|
76
|
+
heading: modification_time
|
|
77
|
+
techmd_pronom_identifier:
|
|
78
|
+
label: "PRONOM Unique ID"
|
|
79
|
+
heading: "pronom_uid"
|
|
80
|
+
techmd_valid:
|
|
81
|
+
label: Valid
|
|
82
|
+
heading: valid
|
|
83
|
+
techmd_well_formed:
|
|
84
|
+
label: "Well-formed"
|
|
85
|
+
heading: well_formed
|
data/config/routes.rb
ADDED
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
class CreateUsers < ActiveRecord::Migration[4.2]
|
|
2
|
+
def up
|
|
3
|
+
unless table_exists?("users")
|
|
4
|
+
create_table "users" do |t|
|
|
5
|
+
t.string "email", default: "", null: false
|
|
6
|
+
t.string "encrypted_password", default: "", null: false
|
|
7
|
+
t.string "reset_password_token"
|
|
8
|
+
t.datetime "reset_password_sent_at"
|
|
9
|
+
t.datetime "remember_created_at"
|
|
10
|
+
t.integer "sign_in_count", default: 0
|
|
11
|
+
t.datetime "current_sign_in_at"
|
|
12
|
+
t.datetime "last_sign_in_at"
|
|
13
|
+
t.string "current_sign_in_ip"
|
|
14
|
+
t.string "last_sign_in_ip"
|
|
15
|
+
t.datetime "created_at", null: false
|
|
16
|
+
t.datetime "updated_at", null: false
|
|
17
|
+
t.string "username", default: "", null: false
|
|
18
|
+
t.string "first_name"
|
|
19
|
+
t.string "middle_name"
|
|
20
|
+
t.string "nickname"
|
|
21
|
+
t.string "last_name"
|
|
22
|
+
t.string "display_name"
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
add_index "users", ["email"], name: "index_users_on_email"
|
|
26
|
+
add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
|
|
27
|
+
add_index "users", ["username"], name: "index_users_on_username", unique: true
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def down
|
|
32
|
+
raise ActiveRecord::IrreversibleMigration
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
class AddColumnsToUser < ActiveRecord::Migration[4.2]
|
|
2
|
+
def up
|
|
3
|
+
if table_exists?("users")
|
|
4
|
+
unless column_exists?("users", "username")
|
|
5
|
+
add_column "users", "username", :string, default: "", null: false
|
|
6
|
+
end
|
|
7
|
+
unless column_exists?("users", "first_name")
|
|
8
|
+
add_column "users", "first_name", :string
|
|
9
|
+
end
|
|
10
|
+
unless column_exists?("users", "middle_name")
|
|
11
|
+
add_column "users", "middle_name", :string
|
|
12
|
+
end
|
|
13
|
+
unless column_exists?("users", "nickname")
|
|
14
|
+
add_column "users", "nickname", :string
|
|
15
|
+
end
|
|
16
|
+
unless column_exists?("users", "last_name")
|
|
17
|
+
add_column "users", "last_name", :string
|
|
18
|
+
end
|
|
19
|
+
unless column_exists?("users", "display_name")
|
|
20
|
+
add_column "users", "display_name", :string
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
# If the email index exists and is set such that email must be unique (which is the initial
|
|
24
|
+
# setting typically set by Devise(?)), remove and we'll re-add it as non-unique below.
|
|
25
|
+
if index_exists?("users", ["email"])
|
|
26
|
+
if index_exists?("users", ["email"], unique: true)
|
|
27
|
+
remove_index "users", ["email"]
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
# Either the email index didn't exist when we started or, more likely, we removed above
|
|
32
|
+
# because it existed but required email to be unique.
|
|
33
|
+
unless index_exists?("users", ["email"])
|
|
34
|
+
add_index "users", ["email"], name: "index_users_on_email"
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
unless index_exists?("users", ["username"])
|
|
38
|
+
add_index "users", ["username"], name: "index_users_on_username", unique: true
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def down
|
|
44
|
+
raise ActiveRecord::IrreversibleMigration
|
|
45
|
+
end
|
|
46
|
+
end
|
data/lib/ddr-core.rb
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
require 'ddr/core'
|
data/lib/ddr/auth.rb
ADDED
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
module Ddr
|
|
2
|
+
module Auth
|
|
3
|
+
extend ActiveSupport::Autoload
|
|
4
|
+
|
|
5
|
+
autoload :Ability
|
|
6
|
+
autoload :AbilityDefinitions
|
|
7
|
+
autoload :AbilityFactory
|
|
8
|
+
autoload :AbstractAbility
|
|
9
|
+
autoload :Affiliation
|
|
10
|
+
autoload :AffiliationGroups
|
|
11
|
+
autoload :AnonymousAbility
|
|
12
|
+
autoload :AuthContext
|
|
13
|
+
autoload :AuthContextFactory
|
|
14
|
+
autoload :DetachedAuthContext
|
|
15
|
+
autoload :DynamicGroups
|
|
16
|
+
autoload :EffectivePermissions
|
|
17
|
+
autoload :EffectiveRoles
|
|
18
|
+
autoload :FailureApp
|
|
19
|
+
autoload :Group
|
|
20
|
+
autoload :GrouperGateway
|
|
21
|
+
autoload :Groups
|
|
22
|
+
autoload :LdapGateway
|
|
23
|
+
autoload :Permissions
|
|
24
|
+
autoload :RemoteGroups
|
|
25
|
+
autoload :RoleBasedAccessControlsEnforcement
|
|
26
|
+
autoload :Roles
|
|
27
|
+
autoload :SuperuserAbility
|
|
28
|
+
autoload :User
|
|
29
|
+
autoload :WebAuthContext
|
|
30
|
+
|
|
31
|
+
autoload_under 'ability_definitions' do
|
|
32
|
+
autoload :AdminSetAbilityDefinitions
|
|
33
|
+
autoload :AliasAbilityDefinitions
|
|
34
|
+
autoload :AttachmentAbilityDefinitions
|
|
35
|
+
autoload :CollectionAbilityDefinitions
|
|
36
|
+
autoload :ComponentAbilityDefinitions
|
|
37
|
+
autoload :ItemAbilityDefinitions
|
|
38
|
+
autoload :PublicationAbilityDefinitions
|
|
39
|
+
autoload :LockAbilityDefinitions
|
|
40
|
+
autoload :RoleBasedAbilityDefinitions
|
|
41
|
+
autoload :SuperuserAbilityDefinitions
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
# Name of group whose members are authorized to act as superuser
|
|
45
|
+
mattr_accessor :superuser_group
|
|
46
|
+
|
|
47
|
+
# Name of group whose members are authorized to create Collections
|
|
48
|
+
mattr_accessor :collection_creators_group
|
|
49
|
+
|
|
50
|
+
# Name of group whose members are authorized to act as a metadata manager
|
|
51
|
+
mattr_accessor :metadata_managers_group
|
|
52
|
+
|
|
53
|
+
# Whether to require Shibboleth authentication
|
|
54
|
+
mattr_accessor :require_shib_user_authn do
|
|
55
|
+
false
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
# Grouper gateway implementation
|
|
59
|
+
mattr_accessor :grouper_gateway do
|
|
60
|
+
GrouperGateway
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
# LDAP gateway implementation
|
|
64
|
+
mattr_accessor :ldap_gateway do
|
|
65
|
+
LdapGateway
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
mattr_accessor :default_ability do
|
|
69
|
+
"::Ability"
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def self.repository_group_filter
|
|
73
|
+
if filter = ENV["REPOSITORY_GROUP_FILTER"]
|
|
74
|
+
return filter
|
|
75
|
+
end
|
|
76
|
+
raise Ddr::Error, "The \"REPOSITORY_GROUP_FILTER\" environment variable is not set."
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
end
|
|
80
|
+
end
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
module Ddr
|
|
2
|
+
module Auth
|
|
3
|
+
class Ability < AbstractAbility
|
|
4
|
+
|
|
5
|
+
self.ability_definitions = [ AliasAbilityDefinitions,
|
|
6
|
+
CollectionAbilityDefinitions,
|
|
7
|
+
ItemAbilityDefinitions,
|
|
8
|
+
ComponentAbilityDefinitions,
|
|
9
|
+
AttachmentAbilityDefinitions,
|
|
10
|
+
RoleBasedAbilityDefinitions,
|
|
11
|
+
PublicationAbilityDefinitions,
|
|
12
|
+
LockAbilityDefinitions,
|
|
13
|
+
AdminSetAbilityDefinitions,
|
|
14
|
+
]
|
|
15
|
+
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
require "delegate"
|
|
2
|
+
|
|
3
|
+
module Ddr
|
|
4
|
+
module Auth
|
|
5
|
+
#
|
|
6
|
+
# A class which applies ability definitions to the delegated ability class
|
|
7
|
+
# when `#call` is invoked.
|
|
8
|
+
#
|
|
9
|
+
# @abstract
|
|
10
|
+
#
|
|
11
|
+
class AbilityDefinitions < SimpleDelegator
|
|
12
|
+
|
|
13
|
+
# Applies ability definitions to the ability and return it
|
|
14
|
+
def self.call(ability)
|
|
15
|
+
new(ability).call
|
|
16
|
+
ability
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
# Applies abilities definitions with `can` and `cannot`.
|
|
20
|
+
def call
|
|
21
|
+
raise NotImplementedError, "Subclasses must implement `#call`."
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
module Ddr
|
|
2
|
+
module Auth
|
|
3
|
+
class AliasAbilityDefinitions < AbilityDefinitions
|
|
4
|
+
|
|
5
|
+
FILE_REQUIRES_DOWNLOAD = %i( content extracted_text )
|
|
6
|
+
DEFAULT_FILE_PERMISSION = :read
|
|
7
|
+
|
|
8
|
+
DOWNLOAD_ALIASES = Ddr::Resource::FILE_FIELDS.each_with_object({}) do |field, memo|
|
|
9
|
+
action = [ :download, field ].join('_').to_sym # e.g., :download_content
|
|
10
|
+
memo[action] = FILE_REQUIRES_DOWNLOAD.include?(field) ? :download : DEFAULT_FILE_PERMISSION
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def call
|
|
14
|
+
alias_action :upload, to: :replace
|
|
15
|
+
alias_action :add_attachment, to: :add_children
|
|
16
|
+
DOWNLOAD_ALIASES.each do |action, permission|
|
|
17
|
+
alias_action action, to: permission
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
module Ddr
|
|
2
|
+
module Auth
|
|
3
|
+
class CollectionAbilityDefinitions < AbilityDefinitions
|
|
4
|
+
|
|
5
|
+
def call
|
|
6
|
+
if member_of? Ddr::Auth.collection_creators_group
|
|
7
|
+
can :create, Ddr::Collection
|
|
8
|
+
end
|
|
9
|
+
can :export, Ddr::Collection do |obj|
|
|
10
|
+
has_policy_permission?(obj, Permissions::READ)
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
private
|
|
15
|
+
|
|
16
|
+
def policy_permissions(obj)
|
|
17
|
+
obj.policy_roles
|
|
18
|
+
.select { |r| agents.include?(r.agent) }
|
|
19
|
+
.map(&:permissions).flatten.uniq
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def has_policy_permission?(obj, perm)
|
|
23
|
+
policy_permissions(obj).include?(perm)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
module Ddr
|
|
2
|
+
module Auth
|
|
3
|
+
class LockAbilityDefinitions < AbilityDefinitions
|
|
4
|
+
|
|
5
|
+
DENIED_WHEN_LOCKED = [ :add_children, :update, :replace, :arrange, :grant ]
|
|
6
|
+
|
|
7
|
+
def call
|
|
8
|
+
cannot DENIED_WHEN_LOCKED, Ddr::Resource, :locked? => true
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
end
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
module Ddr
|
|
2
|
+
module Auth
|
|
3
|
+
class PublicationAbilityDefinitions < AbilityDefinitions
|
|
4
|
+
|
|
5
|
+
def call
|
|
6
|
+
cannot :publish, Ddr::Resource do |obj|
|
|
7
|
+
obj.published? || !obj.publishable?
|
|
8
|
+
end
|
|
9
|
+
cannot :unpublish, Ddr::Resource do |obj|
|
|
10
|
+
!obj.published?
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module Ddr
|
|
2
|
+
module Auth
|
|
3
|
+
class RoleBasedAbilityDefinitions < AbilityDefinitions
|
|
4
|
+
|
|
5
|
+
def call
|
|
6
|
+
Permissions::ALL.each do |permission|
|
|
7
|
+
can permission, [ Ddr::Resource, ::SolrDocument, String ] do |obj|
|
|
8
|
+
has_permission? permission, obj
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
private
|
|
14
|
+
|
|
15
|
+
def has_permission?(permission, object_or_id)
|
|
16
|
+
permissions(object_or_id).include? permission
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def permissions(object_or_id)
|
|
20
|
+
case object_or_id
|
|
21
|
+
when Ddr::Resource, ::SolrDocument
|
|
22
|
+
cached_permissions(object_or_id.id) do
|
|
23
|
+
object_or_id.effective_permissions(agents)
|
|
24
|
+
end
|
|
25
|
+
when String
|
|
26
|
+
cached_permissions(object_or_id) do
|
|
27
|
+
doc = ::SolrDocument.find(object_or_id) # raises SolrDocument::NotFound
|
|
28
|
+
doc.effective_permissions(agents)
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def cached_permissions(pid, &block)
|
|
34
|
+
cache[pid] ||= block.call
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|