ddr-models 1.2.1 → 1.3.0

data/spec/factories/attachment_factories.rb

@@ -6,10 +6,6 @@ FactoryGirl.define do
     after(:build) do |a|
       a.upload File.new(File.join(Ddr::Models::Engine.root.to_s, 'spec', 'fixtures', 'sample.docx'))
     end
-  
-    trait :attached do
-      association :attached_to, :factory => :test_model_omnibus
-    end
   end
   
 end

data/spec/factories/collection_factories.rb

@@ -3,14 +3,6 @@ FactoryGirl.define do
   factory :collection do
     title [ "Test Collection" ]
     sequence(:identifier) { |n| [ "coll%05d" % n ] }
-
-    trait :has_item do
-      children { [ FactoryGirl.create(:item) ] }
-    end
-    
-    trait :has_target do
-      targets { [ FactoryGirl.create(:target) ] }
-    end
   end
 
 end

data/spec/factories/component_factories.rb

@@ -5,11 +5,6 @@ FactoryGirl.define do
     sequence(:identifier) { |n| [ "cmp%05d" % n ] }
     after(:build) do |c|
       c.upload File.new(File.join(Ddr::Models::Engine.root.to_s, "spec", "fixtures", "library-devil.tiff"))
-    end
-        
-    trait :has_parent do
-      item
-    end
-    
+    end    
   end
 end

data/spec/factories/item_factories.rb

@@ -3,14 +3,6 @@ FactoryGirl.define do
   factory :item do
     title [ "Test Item" ]
     sequence(:identifier) { |n| [ "item%05d" % n ] }
-
-    trait :member_of_collection do
-      collection
-    end
-    
-    trait :has_part do
-      children { [ FactoryGirl.create(:component) ] }
-    end
   end
 
 end

data/spec/factories/user_factories.rb~

@@ -0,0 +1,7 @@
+FactoryGirl.define do
+  factory :user, class: Ddr::Auth::User do
+    sequence(:username) { |n| "person#{n}" }
+    email { |u| "#{u.username}@example.com" }
+    password "secret"
+  end
+end

data/spec/features/grouper_integration_spec.rb~

@@ -0,0 +1,21 @@
+require 'spec_helper'
+require 'dul_hydra'
+
+describe "Grouper integration", :type => :feature do
+  let(:user) { FactoryGirl.create(:user) }
+  let(:object) { FactoryGirl.create(:collection) }
+  before do
+    object.title = [ "Grouper Works!" ]
+    object.read_groups = ["duke:library:repository:ddr:foo:bar"]
+    object.save!
+    Warden.on_next_request do |proxy|
+      proxy.env[DulHydra.remote_groups_env_key] = "urn:mace:duke.edu:groups:library:repository:ddr:foo:bar"
+      proxy.set_user user
+    end
+  end
+  it "should honor Grouper group access control" do
+    visit url_for(object)
+    expect(page).to have_content("Grouper Works!")
+  end
+  
+end

data/spec/models/ability_spec.rb

@@ -8,6 +8,17 @@ module Ddr
       subject { described_class.new(user) }
       let(:user) { FactoryGirl.create(:user) }
 
+      describe "collection permissions" do
+        before { allow(Ddr::Auth).to receive(:collection_creators_group) { "Collection Creators" } }
+        context "user is a collection creator" do
+          before { allow(user).to receive(:groups) { ["Collection Creators"] } }
+          it { is_expected.to be_able_to(:create, Collection) }
+        end
+        context "user is not a collection creator" do
+          it { is_expected.not_to be_able_to(:create, Collection) }
+        end
+      end
+
       describe "#upload_permissions", uploads: true do
         let(:resource) { FactoryGirl.build(:component) }
         context "user has edit permission" do
@@ -181,30 +192,6 @@ module Ddr
         end
       end
 
-      # describe "#export_sets_permissions", export_sets: true do
-      #   let(:resource) { ExportSet.new(user: user) }
-      #   context "associated user" do
-      #     it { is_expected.to be_able_to(:manage, resource) }
-      #   end
-      #   context "other user" do
-      #     subject { described_class.new(other_user) }
-      #     let(:other_user) { FactoryGirl.create(:user) }
-      #     it { is_expected.not_to be_able_to(:read, resource) }
-      #   end
-      # end
-      
-      # describe "#ingest_folders_permissions", ingest_folders: true do
-      #   let(:resource) { IngestFolder }
-      #   context "user has no permitted ingest folders" do
-      #     before { allow(resource).to receive(:permitted_folders).with(user).and_return([]) }
-      #     it { is_expected.not_to be_able_to(:create, resource) }
-      #   end
-      #   context "user has at least one permitted ingest folder" do
-      #     before { allow(resource).to receive(:permitted_folders).with(user).and_return(['dir']) }
-      #     it { is_expected.to be_able_to(:create, resource) }
-      #   end
-      # end
-
       describe "#attachment_permissions", attachments: true do
         context "object can have attachments" do
           let(:resource) { FactoryGirl.build(:test_model_omnibus) }

data/spec/models/ability_spec.rb~

@@ -0,0 +1,245 @@
+require 'spec_helper'
+require 'dul_hydra'
+require 'cancan/matchers'
+
+describe Ability, type: :model, abilities: true do
+
+  subject { described_class.new(user) }
+  let(:user) { FactoryGirl.create(:user) }
+
+  describe "#upload_permissions", uploads: true do
+    let(:resource) { FactoryGirl.build(:component) }
+    context "user has edit permission" do
+      before { subject.can(:edit, resource) }
+      it { is_expected.to be_able_to(:upload, resource) }
+    end
+    context "user does not have edit permission" do
+      before { subject.cannot(:edit, resource) }
+      it { is_expected.not_to be_able_to(:upload, resource) }
+    end
+  end
+
+  describe "#download_permissions", downloads: true do
+    context "on an object" do
+      context "which is a Component", components: true do
+        let!(:resource) { FactoryGirl.create(:component) }
+        context "and user does NOT have the downloader role" do
+          context "and user has edit permission" do
+            before do
+              resource.edit_users = [user.user_key]
+              resource.save
+            end
+            it { is_expected.to be_able_to(:download, resource) }
+          end
+          context "and user has read permission" do
+            before do
+              resource.read_users = [user.user_key]
+              resource.save
+            end
+            it { is_expected.not_to be_able_to(:download, resource) }
+          end
+          context "and user lacks read permission" do
+            it { is_expected.not_to be_able_to(:download, resource) }
+          end
+        end
+
+        context "and user has the downloader role", roles: true do
+          before do
+            resource.roleAssignments.downloader << user.principal_name
+            resource.save
+          end
+          context "and user has edit permission" do
+            before do
+              resource.edit_users = [user.user_key]
+              resource.save
+            end
+            it { is_expected.to be_able_to(:download, resource) }
+          end
+          context "and user has read permission" do
+            before do
+              resource.read_users = [user.user_key]
+              resource.save
+            end
+            it { is_expected.to be_able_to(:download, resource) }
+          end
+          context "and user lacks read permission" do
+            it { is_expected.not_to be_able_to(:download, resource) }
+          end          
+        end
+      end
+
+      context "which is not a Component" do
+        let(:resource) { FactoryGirl.create(:test_content) }
+        context "and user has read permission" do
+          before do
+            resource.read_users = [user.user_key]
+            resource.save
+          end
+          it { is_expected.to be_able_to(:download, resource) }
+        end
+        context "and user lacks read permission" do
+          it { is_expected.not_to be_able_to(:download, resource) }
+        end                  
+      end
+    end
+
+    context "on a datastream", datastreams: true do
+
+      context "named 'content'", content: true do
+        let(:resource) { obj.content }
+        context "and object is a Component", components: true do
+          let(:obj) { FactoryGirl.create(:component) }
+          context "and user does not have the downloader role" do
+            context "and user has read permission on the object" do
+              before do
+                obj.read_users = [user.user_key]
+                obj.save
+              end
+              it { is_expected.not_to be_able_to(:download, resource) }
+            end
+            context "and user lacks read permission on the object" do
+              it { is_expected.not_to be_able_to(:download, resource) }
+            end
+          end
+
+          context "and user has the downloader role", roles: true do
+            before do
+              obj.roleAssignments.downloader << user.principal_name
+              obj.save
+            end
+            context "and user has read permission on the object" do
+              before do
+                obj.read_users = [user.user_key]
+                obj.save
+              end
+              it { is_expected.to be_able_to(:download, resource) }
+            end
+            context "and user lacks read permission on the object" do
+              it { is_expected.not_to be_able_to(:download, resource) }
+            end          
+          end
+        end
+
+        context "and object is not a Component" do
+          let(:obj) { FactoryGirl.create(:test_content) }
+          context "and user has read permission on the object" do
+            before do
+              obj.read_users = [user.user_key]
+              obj.save
+            end
+            it { is_expected.to be_able_to(:download, resource) }
+          end
+          context "and user lacks read permission on the object" do
+            it { is_expected.not_to be_able_to(:download, resource) }
+          end                  
+        end
+
+      end
+
+      context "not named 'content'" do
+        let(:obj) { FactoryGirl.create(:test_model) }
+        let(:resource) { obj.descMetadata }
+        context "and user has read permission on the object" do
+          before do
+            obj.read_users = [user.user_key]
+            obj.save
+          end
+          it { is_expected.to be_able_to(:download, resource) }
+        end
+        context "and user lacks read permission on the object" do
+          it { is_expected.not_to be_able_to(:download, resource) }
+        end        
+      end
+
+    end
+
+  end # download_permissions
+
+  describe "#discover_permissions" do
+    # TODO
+  end
+
+  describe "#events_permissions", events: true do
+    let(:object) { FactoryGirl.create(:test_model) }
+    let(:resource) { Ddr::Events::Event.new(pid: object.pid) }
+    context "event is associated with a user" do
+      before { resource.user = user }
+      it { is_expected.to be_able_to(:read, resource) }
+    end
+    context "event is not associated with a user" do      
+      context "and can read object" do
+        before do
+          object.read_users = [user.user_key]
+          object.save!
+        end
+        it { is_expected.to be_able_to(:read, resource) }
+      end
+      context "and cannot read object" do
+        it { is_expected.not_to be_able_to(:read, resource) }
+      end
+    end
+  end
+
+  describe "#export_sets_permissions", export_sets: true do
+    let(:resource) { ExportSet.new(user: user) }
+    context "associated user" do
+      it { is_expected.to be_able_to(:manage, resource) }
+    end
+    context "other user" do
+      subject { described_class.new(other_user) }
+      let(:other_user) { FactoryGirl.create(:user) }
+      it { is_expected.not_to be_able_to(:read, resource) }
+    end
+  end
+  
+  describe "#ingest_folders_permissions", ingest_folders: true do
+    let(:resource) { IngestFolder }
+    context "user has no permitted ingest folders" do
+      before { allow(resource).to receive(:permitted_folders).with(user).and_return([]) }
+      it { is_expected.not_to be_able_to(:create, resource) }
+    end
+    context "user has at least one permitted ingest folder" do
+      before { allow(resource).to receive(:permitted_folders).with(user).and_return(['dir']) }
+      it { is_expected.to be_able_to(:create, resource) }
+    end
+  end
+
+  describe "#attachment_permissions", attachments: true do
+    context "object can have attachments" do
+      let(:resource) { FactoryGirl.build(:test_model_omnibus) }
+      context "and user lacks edit rights" do
+        before { subject.cannot(:edit, resource) }
+        it { is_expected.not_to be_able_to(:add_attachment, resource) }
+      end
+      context "and user has edit rights" do
+        before { subject.can(:edit, resource) }
+        it { is_expected.to be_able_to(:add_attachment, resource) }
+      end
+    end
+    context "object cannot have attachments" do
+      let(:resource) { FactoryGirl.build(:test_model) }
+      before { subject.can(:edit, resource) }
+      it { is_expected.not_to be_able_to(:add_attachment, resource) }
+    end
+  end
+
+  describe "#children_permissions", children: true do
+    context "user has edit rights on object" do
+      before { subject.can(:edit, resource) }
+      context "and object can have children" do
+        let(:resource) { FactoryGirl.build(:collection) }
+        it { is_expected.to be_able_to(:add_children, resource) }
+      end
+      context "but object cannot have children" do
+        let(:resource) { FactoryGirl.build(:component) }
+        it { is_expected.not_to be_able_to(:add_children, resource) }
+      end
+    end
+    context "user lacks edit rights on attached_to object" do
+      let(:resource) { FactoryGirl.build(:collection) }
+      before { subject.cannot(:edit, resource) }
+      it { is_expected.not_to be_able_to(:add_children, resource) }
+    end    
+  end
+
+end

data/spec/models/superuser_spec.rb~

@@ -0,0 +1,13 @@
+require 'spec_helper'
+require 'cancan/matchers'
+
+module Ddr
+  module Auth
+    describe Superuser, type: :model, abilities: true do
+      subject { described_class.new }
+      it "should be able to manage all" do
+        expect(subject).to be_able_to(:manage, :all)
+      end
+    end
+  end
+end

data/spec/models/user_spec.rb~

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe User, :type => :model do
+
+  subject { FactoryGirl.build(:user) }
+
+  describe "#member_of?" do
+    it "should return true if the user is a member of the group" do
+      allow(subject).to receive(:groups).and_return(["foo", "bar"])
+      expect(subject).to be_member_of("foo")
+    end
+    it "should return false if the user is not a member of the group" do
+      allow(subject).to receive(:groups).and_return(["foo", "bar"])
+      expect(subject).not_to be_member_of("baz")
+    end
+  end
+
+  describe "#authorized_to_act_as_superuser?" do
+    it "should return false if the superuser group is not defined (nil)" do
+      DulHydra.superuser_group = nil
+      expect(subject).not_to be_authorized_to_act_as_superuser
+    end
+    it "should return false if the user is not a member of the superuser group" do
+      DulHydra.superuser_group = "superusers"
+      allow(subject).to receive(:groups).and_return(["normal"])
+      expect(subject).not_to be_authorized_to_act_as_superuser
+    end
+    it "should return true if the user is a member of the superuser group" do
+      DulHydra.superuser_group = "superusers"
+      allow(subject).to receive(:groups).and_return(["superusers"])
+      expect(subject).to be_authorized_to_act_as_superuser
+    end
+  end
+
+  describe "#principal_name" do
+    it "should return the principal name for the user" do
+      expect(subject.principal_name).to eq subject.user_key
+    end
+  end
+
+  describe "#principals" do
+    it "should be a list of the user's groups + the user's principal_name" do
+      allow(subject).to receive(:groups) { ["foo", "bar"] }
+      expect(subject.principals).to match_array ["foo", "bar", subject.principal_name]
+    end
+  end
+
+  describe "#has_role?" do
+    let(:obj) { double }
+    it "should send :principal_has_role? to the object with the user's principals" do
+      expect(obj).to receive(:principal_has_role?).with(subject.principals, :administrator)
+      subject.has_role?(obj, :administrator)
+    end
+  end
+
+end