ddr-models 1.3.0 → 1.4.0
- checksums.yaml +4 -4
- data/README.md +20 -3
- data/lib/ddr/models/has_content.rb +1 -3
- data/lib/ddr/models/version.rb +1 -1
- data/{app → spec/dummy/app}/models/solr_document.rb +1 -1
- data/spec/dummy/db/development.sqlite3 +0 -0
- data/spec/dummy/log/development.log +2449 -1445
- data/spec/dummy/log/test.log +58622 -52811
- data/spec/models/attachment_spec.rb +0 -6
- data/spec/spec_helper.rb +9 -2
- data/spec/support/shared_examples_for_has_content.rb +0 -7
- metadata +4 -24
- data/config/initializers/devise.rb~ +0 -245
- data/db/migrate/20141104181418_create_users.rb~ +0 -6
- data/lib/ddr/auth.rb~ +0 -47
- data/lib/ddr/auth/ability.rb~ +0 -204
- data/lib/ddr/auth/group_service.rb~ +0 -53
- data/lib/ddr/auth/grouper_service.rb~ +0 -77
- data/lib/ddr/auth/remote_group_service.rb~ +0 -35
- data/lib/ddr/auth/superuser.rb~ +0 -9
- data/lib/ddr/auth/user.rb~ +0 -65
- data/spec/factories/user_factories.rb~ +0 -7
- data/spec/features/grouper_integration_spec.rb~ +0 -21
- data/spec/models/ability_spec.rb~ +0 -245
- data/spec/models/superuser_spec.rb~ +0 -13
- data/spec/models/user_spec.rb~ +0 -56
- data/spec/services/group_service_spec.rb~ +0 -71
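--- a/data/lib/ddr/auth/ability.rb~
+++ /dev/null
@@ -1,204 +0,0 @@
-module Ddr
-module Auth
-class Ability
-
-include Hydra::PolicyAwareAbility
-
-def custom_permissions
-action_aliases
-discover_permissions
-export_sets_permissions
-events_permissions
-batches_permissions
-ingest_folders_permissions
-metadata_files_permissions
-attachment_permissions
-children_permissions
-upload_permissions
-end
-
-def action_aliases
-# read aliases
-alias_action :attachments, :collection_info, :components, :event, :events, :items, :targets, to: :read
-# edit/update aliases
-alias_action :permissions, :default_permissions, to: :update
-end
-
-def read_permissions
-super
-can :read, ActiveFedora::Datastream do |ds|
-can? :read, ds.pid
-end
-end
-
-def edit_permissions
-super
-can [:edit, :update, :destroy], ActiveFedora::Datastream do |action, ds|
-can? action, ds.pid
-end
-end
-
-def export_sets_permissions
-can :create, ExportSet if authenticated_user?
-can :manage, ExportSet, user: current_user
-end
-
-def events_permissions
-can :read, Ddr::Events::Event, user: current_user
-can :read, Ddr::Events::Event do |e|
-can? :read, e.pid
-end
-end
-
-def batches_permissions
-can :manage, DulHydra::Batch::Models::Batch, :user_id => current_user.id
-can :manage, DulHydra::Batch::Models::BatchObject do |batch_object|
-can? :manage, batch_object.batch
-end
-end
-
-def ingest_folders_permissions
-can :create, IngestFolder if IngestFolder.permitted_folders(current_user).present?
-can [:show, :procezz], IngestFolder, user: current_user
-end
-
-def metadata_files_permissions
-can [:show, :procezz], MetadataFile, user: current_user
-end
-
-def download_permissions
-can :download, ActiveFedora::Base do |obj|
-if obj.is_a? Component
-can?(:edit, obj) || (can?(:read, obj) && current_user.has_role?(obj, :downloader))
-else
-can? :read, obj
-end
-end
-can :download, SolrDocument do |doc|
-if doc.active_fedora_model == "Component"
-can?(:edit, doc) || (can?(:read, doc) && current_user.has_role?(doc, :downloader))
-else
-can? :read, doc
-end
-end
-can :download, ActiveFedora::Datastream do |ds|
-if ds.dsid == Ddr::Datastreams::CONTENT and ds.digital_object.original_class == Component
-can?(:edit, ds.pid) || (can?(:read, ds.pid) && current_user.has_role?(solr_doc(ds.pid), :downloader))
-else
-can? :read, ds.pid
-end
-end
-end
-
-def upload_permissions
-can :upload, Ddr::Models::HasContent do |obj|
-can?(:edit, obj)
-end
-end
-
-def children_permissions
-can :add_children, Ddr::Models::HasChildren do |obj|
-can?(:edit, obj)
-end
-end
-
-# Mimics Hydra::Ability#read_permissions
-def discover_permissions
-can :discover, String do |pid|
-test_discover(pid)
-end
-
-can :discover, ActiveFedora::Base do |obj|
-test_discover(obj.pid)
-end
-
-can :discover, SolrDocument do |obj|
-cache.put(obj.id, obj)
-test_discover(obj.id)
-end
-end
-
-def attachment_permissions
-can :add_attachment, Ddr::Models::HasAttachments do |obj|
-can?(:edit, obj)
-end
-end
-
-# Mimics Hydra::Ability#test_read + Hydra::PolicyAwareAbility#test_read in one method
-def test_discover(pid)
-Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-group_intersection = user_groups & discover_groups(pid)
-result = !group_intersection.empty? || discover_persons(pid).include?(current_user.user_key)
-result || test_discover_from_policy(pid)
-end
-
-# Mimics Hydra::PolicyAwareAbility#test_read_from_policy
-def test_discover_from_policy(object_pid)
-policy_pid = policy_pid_for(object_pid)
-if policy_pid.nil?
-return false
-else
-Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide DISCOVER permissions for #{current_user.user_key}?")
-group_intersection = user_groups & discover_groups_from_policy(policy_pid)
-result = !group_intersection.empty? || discover_persons_from_policy(policy_pid).include?(current_user.user_key)
-Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
-result
-end
-end
-
-# Mimics Hydra::Ability#read_groups
-def discover_groups(pid)
-doc = permissions_doc(pid)
-return [] if doc.nil?
-dg = edit_groups(pid) | read_groups(pid) | (doc[self.class.discover_group_field] || [])
-Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}")
-return dg
-end
-
-# Mimics Hydra::PolicyAwareAbility#read_groups_from_policy
-def discover_groups_from_policy(policy_pid)
-policy_permissions = policy_permissions_doc(policy_pid)
-discover_group_field = Hydra.config[:permissions][:inheritable][:discover][:group]
-dg = edit_groups_from_policy(policy_pid) | read_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_group_field, nil) == nil) ? [] : policy_permissions.fetch(discover_group_field, nil))
-Rails.logger.debug("[CANCAN] -policy- discover_groups: #{dg.inspect}")
-return dg
-end
-
-# Mimics Hydra::Ability#read_persons
-def discover_persons(pid)
-doc = permissions_doc(pid)
-return [] if doc.nil?
-dp = edit_persons(pid) | read_persons(pid) | (doc[self.class.discover_person_field] || [])
-Rails.logger.debug("[CANCAN] discover_persons: #{dp.inspect}")
-return dp
-end
-
-def discover_persons_from_policy(policy_pid)
-policy_permissions = policy_permissions_doc(policy_pid)
-discover_individual_field = Hydra.config[:permissions][:inheritable][:discover][:individual]
-dp = edit_persons_from_policy(policy_pid) | read_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_individual_field, nil) == nil) ? [] : policy_permissions.fetch(discover_individual_field, nil))
-Rails.logger.debug("[CANCAN] -policy- discover_persons: #{dp.inspect}")
-return dp
-end
-
-def self.discover_person_field
-Hydra.config[:permissions][:discover][:individual]
-end
-
-def self.discover_group_field
-Hydra.config[:permissions][:discover][:group]
-end
-
-private
-
-def authenticated_user?
-current_user.persisted?
-end
-
-def solr_doc(pid)
-SolrDocument.new(ActiveFedora::SolrService.query("id:\"#{pid}\"", rows: 1).first)
-end
-
-end
-end
-end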
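--- a/data/lib/ddr/auth/group_service.rb~
+++ /dev/null
@@ -1,53 +0,0 @@
-module Ddr
-module Auth
-class GroupService
-
-class_attribute :include_role_mapper_groups
-self.include_role_mapper_groups = RoleMapper.role_names.present? rescue false
-
-def role_mapper_user_groups(user)
-RoleMapper.roles(user) rescue []
-end
-
-def role_mapper_groups
-RoleMapper.role_names rescue []
-end
-
-def groups
-default_groups | append_groups
-end
-
-def user_groups(user)
-default_user_groups(user) | append_user_groups(user)
-end
-
-def superuser_group
-Ddr::Auth.superuser_group
-end
-
-def append_groups
-[]
-end
-
-def append_user_groups(user)
-[]
-end
-
-def default_groups
-dg = [Ddr::Auth.everyone_group, Ddr::Auth.authenticated_users_group]
-dg += role_mapper_groups if include_role_mapper_groups
-dg
-end
-
-def default_user_groups(user)
-dug = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
-if user && user.persisted?
-dug << Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED
-dug += role_mapper_user_groups(user) if include_role_mapper_groups
-end
-dug
-end
-
-end
-end
-end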
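--- a/data/lib/ddr/auth/grouper_service.rb~
+++ /dev/null
@@ -1,77 +0,0 @@
-require 'dul_hydra'
-require 'grouper-rest-client'
-
-module DulHydra
-module Services
-class GrouperService
-
-class_attribute :config
-
-def self.configured?
-!config.nil?
-end
-
-# List of all grouper groups for the repository
-def self.repository_groups
-groups = []
-begin
-client do |c|
-g = c.groups(DulHydra.remote_groups_name_filter)
-groups = g if c.ok?
-end
-rescue Ddr::Models::Error
-end
-groups
-end
-
-def self.repository_group_names
-repository_groups.collect { |g| g["name"] }
-end
-
-def self.user_groups(user)
-groups = []
-begin
-client do |c|
-request_body = {
-"WsRestGetGroupsRequest" => {
-"subjectLookups" => [{"subjectIdentifier" => subject_id(user)}]
-}
-}
-# Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
-response = c.call("subjects", :post, request_body)
-if c.ok?
-result = response["WsGetGroupsResults"]["results"].first
-# Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
-if result && result["wsGroups"]
-groups = result["wsGroups"].select { |g| g["name"] =~ /^#{DulHydra.remote_groups_name_filter}/ }
-end
-end
-end
-rescue StandardError => e
-Rails.logger.error e
-end
-groups
-end
-
-def self.user_group_names(user)
-user_groups(user).collect { |g| g["name"] }
-end
-
-def self.subject_id(user)
-user.user_key.split('@').first
-end
-
-private
-
-def self.client
-raise Ddr::Models::Error unless configured?
-yield Grouper::Rest::Client::Resource.new(config["url"],
-user: config["user"],
-password: config["password"],
-timeout: config.fetch("timeout", 5).to_i
-)
-end
-
-end
-end
-end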
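--- a/data/lib/ddr/auth/remote_group_service.rb~
+++ /dev/null
@@ -1,35 +0,0 @@
-module DulHydra
-module Services
-class RemoteGroupService < GroupService
-
-attr_reader :env
-
-def initialize(env = nil)
-@env = env
-end
-
-def append_groups
-GrouperService.repository_group_names
-end
-
-def append_user_groups(user)
-if env && env.key?(DulHydra.remote_groups_env_key)
-remote_groups
-else
-GrouperService.user_group_names(user)
-end
-end
-
-def remote_groups
-# get the raw list of values
-groups = env[DulHydra.remote_groups_env_key].split(DulHydra.remote_groups_env_value_delim)
-# munge values to proper Grouper group names, if necessary
-groups = groups.collect { |g| g.sub(*DulHydra.remote_groups_env_value_sub) } if DulHydra.remote_groups_env_value_sub
-# filter group list as configured
-groups = groups.select { |g| g =~ /^#{DulHydra.remote_groups_name_filter}/ } if DulHydra.remote_groups_name_filter
-groups
-end
-
-end
-end
-end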
data/lib/ddr/auth/superuser.rb~
DELETED
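--- a/data/lib/ddr/auth/user.rb~
+++ /dev/null
@@ -1,65 +0,0 @@
-module Ddr
-module Auth
-module User
-extend ActiveSupport::Concern
-
-included do
-include Blacklight::User
-include Hydra::User
-
-# has_many :batches, :inverse_of => :user, :class_name => DulHydra::Batch::Models::Batch
-# has_many :ingest_folders, :inverse_of => :user
-# has_many :metadata_files, :inverse_of => :user
-# has_many :export_sets, :dependent => :destroy
-has_many :events, inverse_of: :user, class_name: "Ddr::Events::Event"
-
-delegate :can?, :cannot?, to: :ability
-
-validates_uniqueness_of :username, :case_sensitive => false
-validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/
-
-# TODO Remove :trackable, :validatable
-devise :remote_user_authenticatable, :database_authenticatable, :rememberable, :trackable, :validatable
-
-attr_writer :group_service
-end
-
-def group_service
-@group_service ||= Ddr::Auth::GroupService.new
-end
-
-def to_s
-user_key
-end
-
-def ability
-@ability ||= ::Ability.new(self)
-end
-
-def groups
-@groups ||= group_service.user_groups(self)
-end
-
-def member_of?(group)
-group ? self.groups.include?(group) : false
-end
-
-def authorized_to_act_as_superuser?
-member_of? group_service.superuser_group
-end
-
-def principal_name
-user_key
-end
-
-def principals
-groups.dup << principal_name
-end
-
-def has_role?(obj, role)
-obj.principal_has_role?(principals, role)
-end
-
-end
-end
-end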