ddr-models 1.3.0 → 1.4.0

data/lib/ddr/auth/ability.rb~

@@ -1,204 +0,0 @@
-module Ddr
-  module Auth
-    class Ability
-
-      include Hydra::PolicyAwareAbility
-
-      def custom_permissions
-        action_aliases
-        discover_permissions
-        export_sets_permissions
-        events_permissions
-        batches_permissions
-        ingest_folders_permissions
-        metadata_files_permissions
-        attachment_permissions
-        children_permissions
-        upload_permissions
-      end
-
-      def action_aliases
-        # read aliases
-        alias_action :attachments, :collection_info, :components, :event, :events, :items, :targets, to: :read
-        # edit/update aliases
-        alias_action :permissions, :default_permissions, to: :update
-      end
-
-      def read_permissions
-        super
-        can :read, ActiveFedora::Datastream do |ds|
-          can? :read, ds.pid
-        end
-      end
-
-      def edit_permissions
-        super
-        can [:edit, :update, :destroy], ActiveFedora::Datastream do |action, ds|
-          can? action, ds.pid
-        end
-      end
-
-      def export_sets_permissions
-        can :create, ExportSet if authenticated_user?
-        can :manage, ExportSet, user: current_user
-      end
-
-      def events_permissions
-        can :read, Ddr::Events::Event, user: current_user
-        can :read, Ddr::Events::Event do |e|
-          can? :read, e.pid
-        end
-      end
-      
-      def batches_permissions
-        can :manage, DulHydra::Batch::Models::Batch, :user_id => current_user.id
-        can :manage, DulHydra::Batch::Models::BatchObject do |batch_object|
-          can? :manage, batch_object.batch
-        end
-      end
-
-      def ingest_folders_permissions
-        can :create, IngestFolder if IngestFolder.permitted_folders(current_user).present?
-        can [:show, :procezz], IngestFolder, user: current_user
-      end
-      
-      def metadata_files_permissions
-        can [:show, :procezz], MetadataFile, user: current_user
-      end
-      
-      def download_permissions
-        can :download, ActiveFedora::Base do |obj|
-          if obj.is_a? Component
-            can?(:edit, obj) || (can?(:read, obj) && current_user.has_role?(obj, :downloader))
-          else
-            can? :read, obj
-          end
-        end
-        can :download, SolrDocument do |doc|
-          if doc.active_fedora_model == "Component"
-            can?(:edit, doc) || (can?(:read, doc) && current_user.has_role?(doc, :downloader))
-          else
-            can? :read, doc
-          end
-        end
-        can :download, ActiveFedora::Datastream do |ds|
-          if ds.dsid == Ddr::Datastreams::CONTENT and ds.digital_object.original_class == Component
-            can?(:edit, ds.pid) || (can?(:read, ds.pid) && current_user.has_role?(solr_doc(ds.pid), :downloader))
-          else
-            can? :read, ds.pid
-          end
-        end
-      end
-
-      def upload_permissions
-        can :upload, Ddr::Models::HasContent do |obj|
-          can?(:edit, obj)
-        end
-      end
-
-      def children_permissions
-        can :add_children, Ddr::Models::HasChildren do |obj|
-          can?(:edit, obj)
-        end
-      end
-
-      # Mimics Hydra::Ability#read_permissions
-      def discover_permissions
-        can :discover, String do |pid|
-          test_discover(pid)
-        end
-
-        can :discover, ActiveFedora::Base do |obj|
-          test_discover(obj.pid)
-        end 
-        
-        can :discover, SolrDocument do |obj|
-          cache.put(obj.id, obj)
-          test_discover(obj.id)
-        end 
-      end
-
-      def attachment_permissions
-        can :add_attachment, Ddr::Models::HasAttachments do |obj|
-          can?(:edit, obj)
-        end
-      end
-
-      # Mimics Hydra::Ability#test_read + Hydra::PolicyAwareAbility#test_read in one method
-      def test_discover(pid)
-        Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-        group_intersection = user_groups & discover_groups(pid)
-        result = !group_intersection.empty? || discover_persons(pid).include?(current_user.user_key)
-        result || test_discover_from_policy(pid)
-      end 
-
-      # Mimics Hydra::PolicyAwareAbility#test_read_from_policy
-      def test_discover_from_policy(object_pid)
-        policy_pid = policy_pid_for(object_pid)
-        if policy_pid.nil?
-          return false
-        else
-          Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide DISCOVER permissions for #{current_user.user_key}?")
-          group_intersection = user_groups & discover_groups_from_policy(policy_pid)
-          result = !group_intersection.empty? || discover_persons_from_policy(policy_pid).include?(current_user.user_key)
-          Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
-          result
-        end
-      end 
-
-      # Mimics Hydra::Ability#read_groups
-      def discover_groups(pid)
-        doc = permissions_doc(pid)
-        return [] if doc.nil?
-        dg = edit_groups(pid) | read_groups(pid) | (doc[self.class.discover_group_field] || [])
-        Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}")
-        return dg
-      end
-
-      # Mimics Hydra::PolicyAwareAbility#read_groups_from_policy
-      def discover_groups_from_policy(policy_pid)
-        policy_permissions = policy_permissions_doc(policy_pid)
-        discover_group_field = Hydra.config[:permissions][:inheritable][:discover][:group]
-        dg = edit_groups_from_policy(policy_pid) | read_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_group_field, nil) == nil) ? [] : policy_permissions.fetch(discover_group_field, nil))
-        Rails.logger.debug("[CANCAN] -policy- discover_groups: #{dg.inspect}")
-        return dg
-      end
-
-      # Mimics Hydra::Ability#read_persons
-      def discover_persons(pid)
-        doc = permissions_doc(pid)
-        return [] if doc.nil?
-        dp = edit_persons(pid) | read_persons(pid) | (doc[self.class.discover_person_field] || [])
-        Rails.logger.debug("[CANCAN] discover_persons: #{dp.inspect}")
-        return dp
-      end
-
-      def discover_persons_from_policy(policy_pid)
-        policy_permissions = policy_permissions_doc(policy_pid)
-        discover_individual_field = Hydra.config[:permissions][:inheritable][:discover][:individual]
-        dp = edit_persons_from_policy(policy_pid) | read_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_individual_field, nil) == nil) ? [] : policy_permissions.fetch(discover_individual_field, nil))
-        Rails.logger.debug("[CANCAN] -policy- discover_persons: #{dp.inspect}")
-        return dp
-      end
-
-      def self.discover_person_field 
-        Hydra.config[:permissions][:discover][:individual]
-      end
-
-      def self.discover_group_field
-        Hydra.config[:permissions][:discover][:group]
-      end
-
-      private
-
-      def authenticated_user?
-        current_user.persisted?
-      end
-
-      def solr_doc(pid)
-        SolrDocument.new(ActiveFedora::SolrService.query("id:\"#{pid}\"", rows: 1).first)
-      end
-
-    end
-  end
-end

data/lib/ddr/auth/group_service.rb~

@@ -1,53 +0,0 @@
-module Ddr
-  module Auth
-    class GroupService
-
-      class_attribute :include_role_mapper_groups
-      self.include_role_mapper_groups = RoleMapper.role_names.present? rescue false
-
-      def role_mapper_user_groups(user)
-        RoleMapper.roles(user) rescue []
-      end
-
-      def role_mapper_groups
-        RoleMapper.role_names rescue []
-      end
-
-      def groups
-        default_groups | append_groups
-      end
-
-      def user_groups(user)
-        default_user_groups(user) | append_user_groups(user)
-      end
-
-      def superuser_group
-        Ddr::Auth.superuser_group
-      end
-
-      def append_groups
-        []
-      end
-
-      def append_user_groups(user)
-        []
-      end
-
-      def default_groups
-        dg = [Ddr::Auth.everyone_group, Ddr::Auth.authenticated_users_group]
-        dg += role_mapper_groups if include_role_mapper_groups
-        dg
-      end
-
-      def default_user_groups(user)
-        dug = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
-        if user && user.persisted?
-          dug << Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED
-          dug += role_mapper_user_groups(user) if include_role_mapper_groups
-        end
-        dug
-      end
-
-    end
-  end
-end

data/lib/ddr/auth/grouper_service.rb~

@@ -1,77 +0,0 @@
-require 'dul_hydra'
-require 'grouper-rest-client'
-
-module DulHydra
-  module Services
-    class GrouperService
-
-      class_attribute :config
-
-      def self.configured?
-        !config.nil?
-      end
-
-      # List of all grouper groups for the repository
-      def self.repository_groups
-        groups = []
-        begin
-          client do |c|
-            g = c.groups(DulHydra.remote_groups_name_filter)
-            groups = g if c.ok?
-          end
-        rescue Ddr::Models::Error
-        end
-        groups
-      end
-
-      def self.repository_group_names
-        repository_groups.collect { |g| g["name"] }
-      end
-
-      def self.user_groups(user)
-        groups = []
-        begin
-          client do |c|
-            request_body = { 
-              "WsRestGetGroupsRequest" => {
-                "subjectLookups" => [{"subjectIdentifier" => subject_id(user)}]
-              }
-            }
-            # Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
-            response = c.call("subjects", :post, request_body)
-            if c.ok?
-              result = response["WsGetGroupsResults"]["results"].first
-              # Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
-              if result && result["wsGroups"]
-                groups = result["wsGroups"].select { |g| g["name"] =~ /^#{DulHydra.remote_groups_name_filter}/ }
-              end
-            end
-          end
-        rescue StandardError => e
-          Rails.logger.error e
-        end
-        groups
-      end
-
-      def self.user_group_names(user)
-        user_groups(user).collect { |g| g["name"] }
-      end
-      
-      def self.subject_id(user)
-        user.user_key.split('@').first
-      end
-
-      private
-
-      def self.client
-        raise Ddr::Models::Error unless configured?
-        yield Grouper::Rest::Client::Resource.new(config["url"], 
-                                                  user: config["user"], 
-                                                  password: config["password"],
-                                                  timeout: config.fetch("timeout", 5).to_i
-                                                  )
-      end
-
-    end
-  end
-end

data/lib/ddr/auth/remote_group_service.rb~

@@ -1,35 +0,0 @@
-module DulHydra
-  module Services
-    class RemoteGroupService < GroupService
-
-      attr_reader :env
-
-      def initialize(env = nil)
-        @env = env
-      end
-
-      def append_groups
-        GrouperService.repository_group_names
-      end
-
-      def append_user_groups(user)
-        if env && env.key?(DulHydra.remote_groups_env_key)
-          remote_groups
-        else
-          GrouperService.user_group_names(user)
-        end
-      end
-
-      def remote_groups
-        # get the raw list of values
-        groups = env[DulHydra.remote_groups_env_key].split(DulHydra.remote_groups_env_value_delim)
-        # munge values to proper Grouper group names, if necessary
-        groups = groups.collect { |g| g.sub(*DulHydra.remote_groups_env_value_sub) } if DulHydra.remote_groups_env_value_sub
-        # filter group list as configured
-        groups = groups.select { |g| g =~ /^#{DulHydra.remote_groups_name_filter}/ } if DulHydra.remote_groups_name_filter
-        groups
-      end
-
-    end
-  end
-end

data/lib/ddr/auth/superuser.rb~

@@ -1,9 +0,0 @@
-class Superuser
-
-  include CanCan::Ability
-
-  def initialize
-    can :manage, :all
-  end
-
-end

data/lib/ddr/auth/user.rb~

@@ -1,65 +0,0 @@
-module Ddr
-  module Auth
-    module User
-      extend ActiveSupport::Concern
-
-      included do
-        include Blacklight::User
-        include Hydra::User
-
-        # has_many :batches, :inverse_of => :user, :class_name => DulHydra::Batch::Models::Batch
-        # has_many :ingest_folders, :inverse_of => :user
-        # has_many :metadata_files, :inverse_of => :user
-        # has_many :export_sets, :dependent => :destroy
-        has_many :events, inverse_of: :user, class_name: "Ddr::Events::Event"
-
-        delegate :can?, :cannot?, to: :ability
-
-        validates_uniqueness_of :username, :case_sensitive => false
-        validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/
-
-        # TODO Remove :trackable, :validatable
-        devise :remote_user_authenticatable, :database_authenticatable, :rememberable, :trackable, :validatable
-
-        attr_writer :group_service
-      end
-
-      def group_service
-        @group_service ||= Ddr::Auth::GroupService.new
-      end
-
-      def to_s
-        user_key
-      end
-
-      def ability
-        @ability ||= ::Ability.new(self)
-      end
-
-      def groups
-        @groups ||= group_service.user_groups(self)
-      end
-
-      def member_of?(group)
-        group ? self.groups.include?(group) : false
-      end
-      
-      def authorized_to_act_as_superuser?
-        member_of? group_service.superuser_group
-      end
-
-      def principal_name
-        user_key
-      end
-
-      def principals
-        groups.dup << principal_name
-      end
-
-      def has_role?(obj, role)
-        obj.principal_has_role?(principals, role)
-      end
-
-    end
-  end
-end