ddr-models 1.3.0 → 1.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +20 -3
- data/lib/ddr/models/has_content.rb +1 -3
- data/lib/ddr/models/version.rb +1 -1
- data/{app → spec/dummy/app}/models/solr_document.rb +1 -1
- data/spec/dummy/db/development.sqlite3 +0 -0
- data/spec/dummy/log/development.log +2449 -1445
- data/spec/dummy/log/test.log +58622 -52811
- data/spec/models/attachment_spec.rb +0 -6
- data/spec/spec_helper.rb +9 -2
- data/spec/support/shared_examples_for_has_content.rb +0 -7
- metadata +4 -24
- data/config/initializers/devise.rb~ +0 -245
- data/db/migrate/20141104181418_create_users.rb~ +0 -6
- data/lib/ddr/auth.rb~ +0 -47
- data/lib/ddr/auth/ability.rb~ +0 -204
- data/lib/ddr/auth/group_service.rb~ +0 -53
- data/lib/ddr/auth/grouper_service.rb~ +0 -77
- data/lib/ddr/auth/remote_group_service.rb~ +0 -35
- data/lib/ddr/auth/superuser.rb~ +0 -9
- data/lib/ddr/auth/user.rb~ +0 -65
- data/spec/factories/user_factories.rb~ +0 -7
- data/spec/features/grouper_integration_spec.rb~ +0 -21
- data/spec/models/ability_spec.rb~ +0 -245
- data/spec/models/superuser_spec.rb~ +0 -13
- data/spec/models/user_spec.rb~ +0 -56
- data/spec/services/group_service_spec.rb~ +0 -71
data/lib/ddr/auth/ability.rb~
DELETED
@@ -1,204 +0,0 @@
|
|
1
|
-
module Ddr
|
2
|
-
module Auth
|
3
|
-
class Ability
|
4
|
-
|
5
|
-
include Hydra::PolicyAwareAbility
|
6
|
-
|
7
|
-
def custom_permissions
|
8
|
-
action_aliases
|
9
|
-
discover_permissions
|
10
|
-
export_sets_permissions
|
11
|
-
events_permissions
|
12
|
-
batches_permissions
|
13
|
-
ingest_folders_permissions
|
14
|
-
metadata_files_permissions
|
15
|
-
attachment_permissions
|
16
|
-
children_permissions
|
17
|
-
upload_permissions
|
18
|
-
end
|
19
|
-
|
20
|
-
def action_aliases
|
21
|
-
# read aliases
|
22
|
-
alias_action :attachments, :collection_info, :components, :event, :events, :items, :targets, to: :read
|
23
|
-
# edit/update aliases
|
24
|
-
alias_action :permissions, :default_permissions, to: :update
|
25
|
-
end
|
26
|
-
|
27
|
-
def read_permissions
|
28
|
-
super
|
29
|
-
can :read, ActiveFedora::Datastream do |ds|
|
30
|
-
can? :read, ds.pid
|
31
|
-
end
|
32
|
-
end
|
33
|
-
|
34
|
-
def edit_permissions
|
35
|
-
super
|
36
|
-
can [:edit, :update, :destroy], ActiveFedora::Datastream do |action, ds|
|
37
|
-
can? action, ds.pid
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
|
-
def export_sets_permissions
|
42
|
-
can :create, ExportSet if authenticated_user?
|
43
|
-
can :manage, ExportSet, user: current_user
|
44
|
-
end
|
45
|
-
|
46
|
-
def events_permissions
|
47
|
-
can :read, Ddr::Events::Event, user: current_user
|
48
|
-
can :read, Ddr::Events::Event do |e|
|
49
|
-
can? :read, e.pid
|
50
|
-
end
|
51
|
-
end
|
52
|
-
|
53
|
-
def batches_permissions
|
54
|
-
can :manage, DulHydra::Batch::Models::Batch, :user_id => current_user.id
|
55
|
-
can :manage, DulHydra::Batch::Models::BatchObject do |batch_object|
|
56
|
-
can? :manage, batch_object.batch
|
57
|
-
end
|
58
|
-
end
|
59
|
-
|
60
|
-
def ingest_folders_permissions
|
61
|
-
can :create, IngestFolder if IngestFolder.permitted_folders(current_user).present?
|
62
|
-
can [:show, :procezz], IngestFolder, user: current_user
|
63
|
-
end
|
64
|
-
|
65
|
-
def metadata_files_permissions
|
66
|
-
can [:show, :procezz], MetadataFile, user: current_user
|
67
|
-
end
|
68
|
-
|
69
|
-
def download_permissions
|
70
|
-
can :download, ActiveFedora::Base do |obj|
|
71
|
-
if obj.is_a? Component
|
72
|
-
can?(:edit, obj) || (can?(:read, obj) && current_user.has_role?(obj, :downloader))
|
73
|
-
else
|
74
|
-
can? :read, obj
|
75
|
-
end
|
76
|
-
end
|
77
|
-
can :download, SolrDocument do |doc|
|
78
|
-
if doc.active_fedora_model == "Component"
|
79
|
-
can?(:edit, doc) || (can?(:read, doc) && current_user.has_role?(doc, :downloader))
|
80
|
-
else
|
81
|
-
can? :read, doc
|
82
|
-
end
|
83
|
-
end
|
84
|
-
can :download, ActiveFedora::Datastream do |ds|
|
85
|
-
if ds.dsid == Ddr::Datastreams::CONTENT and ds.digital_object.original_class == Component
|
86
|
-
can?(:edit, ds.pid) || (can?(:read, ds.pid) && current_user.has_role?(solr_doc(ds.pid), :downloader))
|
87
|
-
else
|
88
|
-
can? :read, ds.pid
|
89
|
-
end
|
90
|
-
end
|
91
|
-
end
|
92
|
-
|
93
|
-
def upload_permissions
|
94
|
-
can :upload, Ddr::Models::HasContent do |obj|
|
95
|
-
can?(:edit, obj)
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
def children_permissions
|
100
|
-
can :add_children, Ddr::Models::HasChildren do |obj|
|
101
|
-
can?(:edit, obj)
|
102
|
-
end
|
103
|
-
end
|
104
|
-
|
105
|
-
# Mimics Hydra::Ability#read_permissions
|
106
|
-
def discover_permissions
|
107
|
-
can :discover, String do |pid|
|
108
|
-
test_discover(pid)
|
109
|
-
end
|
110
|
-
|
111
|
-
can :discover, ActiveFedora::Base do |obj|
|
112
|
-
test_discover(obj.pid)
|
113
|
-
end
|
114
|
-
|
115
|
-
can :discover, SolrDocument do |obj|
|
116
|
-
cache.put(obj.id, obj)
|
117
|
-
test_discover(obj.id)
|
118
|
-
end
|
119
|
-
end
|
120
|
-
|
121
|
-
def attachment_permissions
|
122
|
-
can :add_attachment, Ddr::Models::HasAttachments do |obj|
|
123
|
-
can?(:edit, obj)
|
124
|
-
end
|
125
|
-
end
|
126
|
-
|
127
|
-
# Mimics Hydra::Ability#test_read + Hydra::PolicyAwareAbility#test_read in one method
|
128
|
-
def test_discover(pid)
|
129
|
-
Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
|
130
|
-
group_intersection = user_groups & discover_groups(pid)
|
131
|
-
result = !group_intersection.empty? || discover_persons(pid).include?(current_user.user_key)
|
132
|
-
result || test_discover_from_policy(pid)
|
133
|
-
end
|
134
|
-
|
135
|
-
# Mimics Hydra::PolicyAwareAbility#test_read_from_policy
|
136
|
-
def test_discover_from_policy(object_pid)
|
137
|
-
policy_pid = policy_pid_for(object_pid)
|
138
|
-
if policy_pid.nil?
|
139
|
-
return false
|
140
|
-
else
|
141
|
-
Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide DISCOVER permissions for #{current_user.user_key}?")
|
142
|
-
group_intersection = user_groups & discover_groups_from_policy(policy_pid)
|
143
|
-
result = !group_intersection.empty? || discover_persons_from_policy(policy_pid).include?(current_user.user_key)
|
144
|
-
Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
|
145
|
-
result
|
146
|
-
end
|
147
|
-
end
|
148
|
-
|
149
|
-
# Mimics Hydra::Ability#read_groups
|
150
|
-
def discover_groups(pid)
|
151
|
-
doc = permissions_doc(pid)
|
152
|
-
return [] if doc.nil?
|
153
|
-
dg = edit_groups(pid) | read_groups(pid) | (doc[self.class.discover_group_field] || [])
|
154
|
-
Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}")
|
155
|
-
return dg
|
156
|
-
end
|
157
|
-
|
158
|
-
# Mimics Hydra::PolicyAwareAbility#read_groups_from_policy
|
159
|
-
def discover_groups_from_policy(policy_pid)
|
160
|
-
policy_permissions = policy_permissions_doc(policy_pid)
|
161
|
-
discover_group_field = Hydra.config[:permissions][:inheritable][:discover][:group]
|
162
|
-
dg = edit_groups_from_policy(policy_pid) | read_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_group_field, nil) == nil) ? [] : policy_permissions.fetch(discover_group_field, nil))
|
163
|
-
Rails.logger.debug("[CANCAN] -policy- discover_groups: #{dg.inspect}")
|
164
|
-
return dg
|
165
|
-
end
|
166
|
-
|
167
|
-
# Mimics Hydra::Ability#read_persons
|
168
|
-
def discover_persons(pid)
|
169
|
-
doc = permissions_doc(pid)
|
170
|
-
return [] if doc.nil?
|
171
|
-
dp = edit_persons(pid) | read_persons(pid) | (doc[self.class.discover_person_field] || [])
|
172
|
-
Rails.logger.debug("[CANCAN] discover_persons: #{dp.inspect}")
|
173
|
-
return dp
|
174
|
-
end
|
175
|
-
|
176
|
-
def discover_persons_from_policy(policy_pid)
|
177
|
-
policy_permissions = policy_permissions_doc(policy_pid)
|
178
|
-
discover_individual_field = Hydra.config[:permissions][:inheritable][:discover][:individual]
|
179
|
-
dp = edit_persons_from_policy(policy_pid) | read_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_individual_field, nil) == nil) ? [] : policy_permissions.fetch(discover_individual_field, nil))
|
180
|
-
Rails.logger.debug("[CANCAN] -policy- discover_persons: #{dp.inspect}")
|
181
|
-
return dp
|
182
|
-
end
|
183
|
-
|
184
|
-
def self.discover_person_field
|
185
|
-
Hydra.config[:permissions][:discover][:individual]
|
186
|
-
end
|
187
|
-
|
188
|
-
def self.discover_group_field
|
189
|
-
Hydra.config[:permissions][:discover][:group]
|
190
|
-
end
|
191
|
-
|
192
|
-
private
|
193
|
-
|
194
|
-
def authenticated_user?
|
195
|
-
current_user.persisted?
|
196
|
-
end
|
197
|
-
|
198
|
-
def solr_doc(pid)
|
199
|
-
SolrDocument.new(ActiveFedora::SolrService.query("id:\"#{pid}\"", rows: 1).first)
|
200
|
-
end
|
201
|
-
|
202
|
-
end
|
203
|
-
end
|
204
|
-
end
|
@@ -1,53 +0,0 @@
|
|
1
|
-
module Ddr
|
2
|
-
module Auth
|
3
|
-
class GroupService
|
4
|
-
|
5
|
-
class_attribute :include_role_mapper_groups
|
6
|
-
self.include_role_mapper_groups = RoleMapper.role_names.present? rescue false
|
7
|
-
|
8
|
-
def role_mapper_user_groups(user)
|
9
|
-
RoleMapper.roles(user) rescue []
|
10
|
-
end
|
11
|
-
|
12
|
-
def role_mapper_groups
|
13
|
-
RoleMapper.role_names rescue []
|
14
|
-
end
|
15
|
-
|
16
|
-
def groups
|
17
|
-
default_groups | append_groups
|
18
|
-
end
|
19
|
-
|
20
|
-
def user_groups(user)
|
21
|
-
default_user_groups(user) | append_user_groups(user)
|
22
|
-
end
|
23
|
-
|
24
|
-
def superuser_group
|
25
|
-
Ddr::Auth.superuser_group
|
26
|
-
end
|
27
|
-
|
28
|
-
def append_groups
|
29
|
-
[]
|
30
|
-
end
|
31
|
-
|
32
|
-
def append_user_groups(user)
|
33
|
-
[]
|
34
|
-
end
|
35
|
-
|
36
|
-
def default_groups
|
37
|
-
dg = [Ddr::Auth.everyone_group, Ddr::Auth.authenticated_users_group]
|
38
|
-
dg += role_mapper_groups if include_role_mapper_groups
|
39
|
-
dg
|
40
|
-
end
|
41
|
-
|
42
|
-
def default_user_groups(user)
|
43
|
-
dug = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
|
44
|
-
if user && user.persisted?
|
45
|
-
dug << Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED
|
46
|
-
dug += role_mapper_user_groups(user) if include_role_mapper_groups
|
47
|
-
end
|
48
|
-
dug
|
49
|
-
end
|
50
|
-
|
51
|
-
end
|
52
|
-
end
|
53
|
-
end
|
@@ -1,77 +0,0 @@
|
|
1
|
-
require 'dul_hydra'
|
2
|
-
require 'grouper-rest-client'
|
3
|
-
|
4
|
-
module DulHydra
|
5
|
-
module Services
|
6
|
-
class GrouperService
|
7
|
-
|
8
|
-
class_attribute :config
|
9
|
-
|
10
|
-
def self.configured?
|
11
|
-
!config.nil?
|
12
|
-
end
|
13
|
-
|
14
|
-
# List of all grouper groups for the repository
|
15
|
-
def self.repository_groups
|
16
|
-
groups = []
|
17
|
-
begin
|
18
|
-
client do |c|
|
19
|
-
g = c.groups(DulHydra.remote_groups_name_filter)
|
20
|
-
groups = g if c.ok?
|
21
|
-
end
|
22
|
-
rescue Ddr::Models::Error
|
23
|
-
end
|
24
|
-
groups
|
25
|
-
end
|
26
|
-
|
27
|
-
def self.repository_group_names
|
28
|
-
repository_groups.collect { |g| g["name"] }
|
29
|
-
end
|
30
|
-
|
31
|
-
def self.user_groups(user)
|
32
|
-
groups = []
|
33
|
-
begin
|
34
|
-
client do |c|
|
35
|
-
request_body = {
|
36
|
-
"WsRestGetGroupsRequest" => {
|
37
|
-
"subjectLookups" => [{"subjectIdentifier" => subject_id(user)}]
|
38
|
-
}
|
39
|
-
}
|
40
|
-
# Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
|
41
|
-
response = c.call("subjects", :post, request_body)
|
42
|
-
if c.ok?
|
43
|
-
result = response["WsGetGroupsResults"]["results"].first
|
44
|
-
# Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
|
45
|
-
if result && result["wsGroups"]
|
46
|
-
groups = result["wsGroups"].select { |g| g["name"] =~ /^#{DulHydra.remote_groups_name_filter}/ }
|
47
|
-
end
|
48
|
-
end
|
49
|
-
end
|
50
|
-
rescue StandardError => e
|
51
|
-
Rails.logger.error e
|
52
|
-
end
|
53
|
-
groups
|
54
|
-
end
|
55
|
-
|
56
|
-
def self.user_group_names(user)
|
57
|
-
user_groups(user).collect { |g| g["name"] }
|
58
|
-
end
|
59
|
-
|
60
|
-
def self.subject_id(user)
|
61
|
-
user.user_key.split('@').first
|
62
|
-
end
|
63
|
-
|
64
|
-
private
|
65
|
-
|
66
|
-
def self.client
|
67
|
-
raise Ddr::Models::Error unless configured?
|
68
|
-
yield Grouper::Rest::Client::Resource.new(config["url"],
|
69
|
-
user: config["user"],
|
70
|
-
password: config["password"],
|
71
|
-
timeout: config.fetch("timeout", 5).to_i
|
72
|
-
)
|
73
|
-
end
|
74
|
-
|
75
|
-
end
|
76
|
-
end
|
77
|
-
end
|
@@ -1,35 +0,0 @@
|
|
1
|
-
module DulHydra
|
2
|
-
module Services
|
3
|
-
class RemoteGroupService < GroupService
|
4
|
-
|
5
|
-
attr_reader :env
|
6
|
-
|
7
|
-
def initialize(env = nil)
|
8
|
-
@env = env
|
9
|
-
end
|
10
|
-
|
11
|
-
def append_groups
|
12
|
-
GrouperService.repository_group_names
|
13
|
-
end
|
14
|
-
|
15
|
-
def append_user_groups(user)
|
16
|
-
if env && env.key?(DulHydra.remote_groups_env_key)
|
17
|
-
remote_groups
|
18
|
-
else
|
19
|
-
GrouperService.user_group_names(user)
|
20
|
-
end
|
21
|
-
end
|
22
|
-
|
23
|
-
def remote_groups
|
24
|
-
# get the raw list of values
|
25
|
-
groups = env[DulHydra.remote_groups_env_key].split(DulHydra.remote_groups_env_value_delim)
|
26
|
-
# munge values to proper Grouper group names, if necessary
|
27
|
-
groups = groups.collect { |g| g.sub(*DulHydra.remote_groups_env_value_sub) } if DulHydra.remote_groups_env_value_sub
|
28
|
-
# filter group list as configured
|
29
|
-
groups = groups.select { |g| g =~ /^#{DulHydra.remote_groups_name_filter}/ } if DulHydra.remote_groups_name_filter
|
30
|
-
groups
|
31
|
-
end
|
32
|
-
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|
data/lib/ddr/auth/superuser.rb~
DELETED
data/lib/ddr/auth/user.rb~
DELETED
@@ -1,65 +0,0 @@
|
|
1
|
-
module Ddr
|
2
|
-
module Auth
|
3
|
-
module User
|
4
|
-
extend ActiveSupport::Concern
|
5
|
-
|
6
|
-
included do
|
7
|
-
include Blacklight::User
|
8
|
-
include Hydra::User
|
9
|
-
|
10
|
-
# has_many :batches, :inverse_of => :user, :class_name => DulHydra::Batch::Models::Batch
|
11
|
-
# has_many :ingest_folders, :inverse_of => :user
|
12
|
-
# has_many :metadata_files, :inverse_of => :user
|
13
|
-
# has_many :export_sets, :dependent => :destroy
|
14
|
-
has_many :events, inverse_of: :user, class_name: "Ddr::Events::Event"
|
15
|
-
|
16
|
-
delegate :can?, :cannot?, to: :ability
|
17
|
-
|
18
|
-
validates_uniqueness_of :username, :case_sensitive => false
|
19
|
-
validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/
|
20
|
-
|
21
|
-
# TODO Remove :trackable, :validatable
|
22
|
-
devise :remote_user_authenticatable, :database_authenticatable, :rememberable, :trackable, :validatable
|
23
|
-
|
24
|
-
attr_writer :group_service
|
25
|
-
end
|
26
|
-
|
27
|
-
def group_service
|
28
|
-
@group_service ||= Ddr::Auth::GroupService.new
|
29
|
-
end
|
30
|
-
|
31
|
-
def to_s
|
32
|
-
user_key
|
33
|
-
end
|
34
|
-
|
35
|
-
def ability
|
36
|
-
@ability ||= ::Ability.new(self)
|
37
|
-
end
|
38
|
-
|
39
|
-
def groups
|
40
|
-
@groups ||= group_service.user_groups(self)
|
41
|
-
end
|
42
|
-
|
43
|
-
def member_of?(group)
|
44
|
-
group ? self.groups.include?(group) : false
|
45
|
-
end
|
46
|
-
|
47
|
-
def authorized_to_act_as_superuser?
|
48
|
-
member_of? group_service.superuser_group
|
49
|
-
end
|
50
|
-
|
51
|
-
def principal_name
|
52
|
-
user_key
|
53
|
-
end
|
54
|
-
|
55
|
-
def principals
|
56
|
-
groups.dup << principal_name
|
57
|
-
end
|
58
|
-
|
59
|
-
def has_role?(obj, role)
|
60
|
-
obj.principal_has_role?(principals, role)
|
61
|
-
end
|
62
|
-
|
63
|
-
end
|
64
|
-
end
|
65
|
-
end
|