ddr-models 2.4.15 → 2.4.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/ddr/auth.rb +5 -0
- data/lib/ddr/auth/ability.rb +3 -1
- data/lib/ddr/auth/ability_definitions/admin_set_ability_definitions.rb +9 -0
- data/lib/ddr/auth/ability_factory.rb +2 -25
- data/lib/ddr/auth/abstract_ability.rb +2 -1
- data/lib/ddr/auth/auth_context.rb +18 -0
- data/lib/ddr/auth/auth_context_factory.rb +0 -2
- data/lib/ddr/models/version.rb +1 -1
- data/spec/auth/ability_factory_spec.rb +18 -1
- data/spec/auth/ability_spec.rb +19 -0
- data/spec/support/shared_examples_for_auth_contexts.rb +33 -0
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f83d8acaf696ecb6e92b5958efd1d09c9727acf1
|
|
4
|
+
data.tar.gz: d6af219cbb3395901762d0eb5f4a1f60c6b2ce0e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 76e0f78041619d77258e3877f2dc587cb204e18c75b1be5e85ab7c883ac45ec5dec92cbfc2ab8d77306677d300bb831e2e1ce5dfa7e0e67a41d3f1adeb4a8963
|
|
7
|
+
data.tar.gz: 4f6c466ac5ed669cd23babebff7ef3b7cb2a0f62c957b02e6967121f6b75f950e62b77440994cfc7ffc942690be7b5558f0d119f9ffa0747404d5d72517479c3
|
data/lib/ddr/auth.rb
CHANGED
|
@@ -32,6 +32,7 @@ module Ddr
|
|
|
32
32
|
autoload :WebAuthContext
|
|
33
33
|
|
|
34
34
|
autoload_under 'ability_definitions' do
|
|
35
|
+
autoload :AdminSetAbilityDefinitions
|
|
35
36
|
autoload :AliasAbilityDefinitions
|
|
36
37
|
autoload :AttachmentAbilityDefinitions
|
|
37
38
|
autoload :CollectionAbilityDefinitions
|
|
@@ -108,6 +109,10 @@ module Ddr
|
|
|
108
109
|
"::Ability"
|
|
109
110
|
end
|
|
110
111
|
|
|
112
|
+
mattr_accessor :metadata_managers_group do
|
|
113
|
+
ENV["METADATA_MANAGERS_GROUP"]
|
|
114
|
+
end
|
|
115
|
+
|
|
111
116
|
def self.repository_group_filter
|
|
112
117
|
if filter = ENV["REPOSITORY_GROUP_FILTER"]
|
|
113
118
|
return filter
|
data/lib/ddr/auth/ability.rb
CHANGED
|
@@ -1,32 +1,9 @@
|
|
|
1
1
|
module Ddr::Auth
|
|
2
2
|
class AbilityFactory
|
|
3
3
|
|
|
4
|
-
private_class_method :new
|
|
5
|
-
|
|
6
4
|
def self.call(user = nil, env = nil)
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
attr_reader :auth_context
|
|
11
|
-
|
|
12
|
-
delegate :anonymous?, :superuser?, to: :auth_context
|
|
13
|
-
|
|
14
|
-
def initialize(user, env)
|
|
15
|
-
@auth_context = AuthContextFactory.call(user, env)
|
|
16
|
-
end
|
|
17
|
-
|
|
18
|
-
def call
|
|
19
|
-
if anonymous?
|
|
20
|
-
AnonymousAbility.new(auth_context)
|
|
21
|
-
elsif superuser?
|
|
22
|
-
SuperuserAbility.new(auth_context)
|
|
23
|
-
else
|
|
24
|
-
default_ability.new(auth_context)
|
|
25
|
-
end
|
|
26
|
-
end
|
|
27
|
-
|
|
28
|
-
def default_ability
|
|
29
|
-
Ddr::Auth::default_ability.constantize
|
|
5
|
+
auth_context = AuthContextFactory.call(user, env)
|
|
6
|
+
auth_context.ability
|
|
30
7
|
end
|
|
31
8
|
|
|
32
9
|
end
|
|
@@ -17,7 +17,8 @@ module Ddr::Auth
|
|
|
17
17
|
|
|
18
18
|
attr_reader :auth_context
|
|
19
19
|
|
|
20
|
-
delegate :anonymous?, :authenticated?, :
|
|
20
|
+
delegate :anonymous?, :authenticated?, :metadata_manager?,
|
|
21
|
+
:user, :groups, :agents, :member_of?,
|
|
21
22
|
:authorized_to_act_as_superuser?,
|
|
22
23
|
to: :auth_context
|
|
23
24
|
|
|
@@ -9,6 +9,20 @@ module Ddr::Auth
|
|
|
9
9
|
@env = env
|
|
10
10
|
end
|
|
11
11
|
|
|
12
|
+
def ability
|
|
13
|
+
if anonymous?
|
|
14
|
+
AnonymousAbility.new(self)
|
|
15
|
+
elsif superuser?
|
|
16
|
+
SuperuserAbility.new(self)
|
|
17
|
+
else
|
|
18
|
+
default_ability_class.new(self)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def default_ability_class
|
|
23
|
+
Ddr::Auth::default_ability.constantize
|
|
24
|
+
end
|
|
25
|
+
|
|
12
26
|
# Return whether a user is absent from the auth context.
|
|
13
27
|
# @return [Boolean]
|
|
14
28
|
def anonymous?
|
|
@@ -27,6 +41,10 @@ module Ddr::Auth
|
|
|
27
41
|
env && env.key?("warden") && env["warden"].authenticate?(scope: :superuser)
|
|
28
42
|
end
|
|
29
43
|
|
|
44
|
+
def metadata_manager?
|
|
45
|
+
member_of? Ddr::Auth.metadata_managers_group
|
|
46
|
+
end
|
|
47
|
+
|
|
30
48
|
# Return the user agent for this context.
|
|
31
49
|
# @return [String] or nil, if auth context is anonymous/
|
|
32
50
|
def agent
|
data/lib/ddr/models/version.rb
CHANGED
|
@@ -1,7 +1,24 @@
|
|
|
1
1
|
module Ddr::Auth
|
|
2
2
|
RSpec.describe AbilityFactory do
|
|
3
3
|
|
|
4
|
-
|
|
4
|
+
describe ".call" do
|
|
5
|
+
subject { described_class.call(user, env) }
|
|
6
|
+
|
|
7
|
+
describe "anonymous context" do
|
|
8
|
+
let(:user) { nil }
|
|
9
|
+
let(:env) { Hash.new }
|
|
10
|
+
it { is_expected.to be_a(AnonymousAbility) }
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
describe "superuser context" do
|
|
14
|
+
let(:user) { FactoryGirl.create(:user) }
|
|
15
|
+
let(:env) { Hash.new }
|
|
16
|
+
before {
|
|
17
|
+
allow_any_instance_of(AuthContext).to receive(:superuser?) { true }
|
|
18
|
+
}
|
|
19
|
+
it { is_expected.to be_a(SuperuserAbility) }
|
|
20
|
+
end
|
|
21
|
+
end
|
|
5
22
|
|
|
6
23
|
end
|
|
7
24
|
end
|
data/spec/auth/ability_spec.rb
CHANGED
|
@@ -56,6 +56,23 @@ module Ddr::Auth
|
|
|
56
56
|
end
|
|
57
57
|
end
|
|
58
58
|
|
|
59
|
+
describe "AdminSet abilities" do
|
|
60
|
+
describe "export" do
|
|
61
|
+
describe "when the user is a metadata manager" do
|
|
62
|
+
before {
|
|
63
|
+
allow(auth_context).to receive(:metadata_manager?) { true }
|
|
64
|
+
}
|
|
65
|
+
it { is_expected.to be_able_to(:export, Ddr::Models::AdminSet) }
|
|
66
|
+
end
|
|
67
|
+
describe "when the user is a metadata manager" do
|
|
68
|
+
before {
|
|
69
|
+
allow(auth_context).to receive(:metadata_manager?) { false }
|
|
70
|
+
}
|
|
71
|
+
it { is_expected.not_to be_able_to(:export, Ddr::Models::AdminSet) }
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
end
|
|
75
|
+
|
|
59
76
|
describe "Collection abilities" do
|
|
60
77
|
describe "create" do
|
|
61
78
|
before do
|
|
@@ -63,6 +80,7 @@ module Ddr::Auth
|
|
|
63
80
|
end
|
|
64
81
|
describe "when the user is a collection creator" do
|
|
65
82
|
before do
|
|
83
|
+
allow(auth_context).to receive(:member_of?) { false }
|
|
66
84
|
allow(auth_context).to receive(:member_of?).with("collection_creators") { true }
|
|
67
85
|
end
|
|
68
86
|
it { should be_able_to(:create, Collection) }
|
|
@@ -70,6 +88,7 @@ module Ddr::Auth
|
|
|
70
88
|
|
|
71
89
|
describe "when the user is not a collection creator" do
|
|
72
90
|
before do
|
|
91
|
+
allow(auth_context).to receive(:member_of?) { false }
|
|
73
92
|
allow(auth_context).to receive(:member_of?).with("collection_creators") { false }
|
|
74
93
|
end
|
|
75
94
|
it { should_not be_able_to(:create, Collection) }
|
|
@@ -23,6 +23,39 @@ module Ddr::Auth
|
|
|
23
23
|
end
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
+
describe "#metadata_manager?" do
|
|
27
|
+
describe "when a user is present" do
|
|
28
|
+
before { allow(subject).to receive(:user) { double(agent: "bob@example.com") } }
|
|
29
|
+
describe "and there is no metadata managers group" do
|
|
30
|
+
before {
|
|
31
|
+
allow(Ddr::Auth).to receive(:metadata_managers_group) { nil }
|
|
32
|
+
}
|
|
33
|
+
its(:metadata_manager?) { should be false }
|
|
34
|
+
end
|
|
35
|
+
describe "and there is a metadata managers group" do
|
|
36
|
+
before {
|
|
37
|
+
allow(Ddr::Auth).to receive(:metadata_managers_group) { "metadata_managers" }
|
|
38
|
+
}
|
|
39
|
+
describe "and the auth context is a member of the group" do
|
|
40
|
+
before {
|
|
41
|
+
allow(subject).to receive(:groups) { [ Group.new("metadata_managers") ] }
|
|
42
|
+
}
|
|
43
|
+
its(:metadata_manager?) { should be true }
|
|
44
|
+
end
|
|
45
|
+
describe "and the auth context is not a member of the group" do
|
|
46
|
+
before {
|
|
47
|
+
allow(subject).to receive(:groups) { [ Group.new("foo"), Group.new("bar") ] }
|
|
48
|
+
}
|
|
49
|
+
its(:metadata_manager?) { should be false }
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
describe "when no user is present" do
|
|
54
|
+
before { allow(subject).to receive(:user) { nil } }
|
|
55
|
+
its(:metadata_manager?) { should be false }
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
|
|
26
59
|
describe "#duke_agent?" do
|
|
27
60
|
describe "when the auth context is anonymous" do
|
|
28
61
|
before { allow(subject).to receive(:user) { nil } }
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ddr-models
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.4.
|
|
4
|
+
version: 2.4.16
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jim Coble
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2016-09-
|
|
12
|
+
date: 2016-09-26 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rails
|
|
@@ -404,6 +404,7 @@ files:
|
|
|
404
404
|
- lib/ddr/auth.rb
|
|
405
405
|
- lib/ddr/auth/ability.rb
|
|
406
406
|
- lib/ddr/auth/ability_definitions.rb
|
|
407
|
+
- lib/ddr/auth/ability_definitions/admin_set_ability_definitions.rb
|
|
407
408
|
- lib/ddr/auth/ability_definitions/alias_ability_definitions.rb
|
|
408
409
|
- lib/ddr/auth/ability_definitions/attachment_ability_definitions.rb
|
|
409
410
|
- lib/ddr/auth/ability_definitions/collection_ability_definitions.rb
|