hydra-access-controls 0.0.1

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.swp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in hydra-access-controls.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 TODO: Write your name
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Hydra::Access::Controls
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'hydra-access-controls'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install hydra-access-controls
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,16 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+desc 'Default: run specs.'
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new do |t|
+  # if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.8/
+  #   t.rcov = true
+  #   t.rcov_opts = %w{--exclude spec\/*,gems\/*,ruby\/* --aggregate coverage.data}
+  # end
+end
+
+

data/hydra-access-controls.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/hydra-access-controls/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Justin Coyne"]
+  gem.email         = ["justin.coyne@yourmediashelf.com"]
+  gem.description   = %q{Access controls for project hydra}
+  gem.summary       = %q{Access controls for project hydra}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "hydra-access-controls"
+  gem.require_paths = ["lib"]
+  gem.version       = Hydra::Access::Controls::VERSION
+
+  gem.add_dependency 'activesupport'
+  gem.add_dependency 'active-fedora'
+  gem.add_dependency 'cancan'
+  gem.add_dependency 'deprecation'
+
+  gem.add_development_dependency 'rspec'
+  
+end

data/lib/ability.rb

@@ -0,0 +1,6 @@
+# Allows you to use CanCan to control access to Models
+require 'cancan'
+class Ability
+  include CanCan::Ability
+  include Hydra::Ability
+end

data/lib/hydra-access-controls.rb

@@ -0,0 +1,17 @@
+require 'active_support'
+require 'active-fedora'
+require 'deprecation'
+require "hydra-access-controls/version"
+require 'hydra/model_mixins'
+require 'hydra/datastream'
+
+module Hydra
+  extend ActiveSupport::Autoload
+  autoload :AccessControlsEnforcement
+  autoload :AccessControlsEvaluation
+  autoload :Ability
+  autoload :RoleMapperBehavior
+end
+require 'ability'
+require 'role_mapper'
+

data/lib/hydra-access-controls/version.rb

@@ -0,0 +1,7 @@
+module Hydra
+  module Access
+    module Controls
+      VERSION = "0.0.1"
+    end
+  end
+end

data/lib/hydra/ability.rb

@@ -0,0 +1,137 @@
+# this code will move to lib/hydra/access_controls/ability.rb (with the appropriate namespace changes) in Hydra 5.0
+# Code for CanCan access to Hydra models
+module Hydra::Ability
+  include Hydra::AccessControlsEnforcement
+
+  def initialize(user, session=nil)
+    user ||= User.new # guest user (not logged in)
+    hydra_default_permissions(user, session)
+  end
+
+  ## You can override this method if you are using a different AuthZ (such as LDAP)
+  def user_groups(user, session)
+    return @user_groups if @user_groups
+    @user_groups = RoleMapper.roles(user_key(user)) + default_user_groups
+    @user_groups << 'registered' unless user.new_record?
+    @user_groups
+  end
+
+  def default_user_groups
+    # # everyone is automatically a member of the group 'public'
+    ['public']
+  end
+  
+
+  def hydra_default_permissions(user, session)
+    logger.debug("Usergroups are " + user_groups(user, session).inspect)
+    if Deprecation.silence(Hydra::SuperuserAttributes) { user.is_being_superuser?(session) }
+      can :manage, :all
+    else
+      edit_permissions(user, session)
+      read_permissions(user, session)
+      custom_permissions(user, session)
+    end
+  end
+
+  def edit_permissions(user, session)
+    can :edit, String do |pid|
+      test_edit(pid, user, session)
+    end 
+
+    can :edit, ActiveFedora::Base do |obj|
+      test_edit(obj.pid, user, session)
+    end
+ 
+    can :edit, SolrDocument do |obj|
+      @permissions_solr_document = obj
+      test_edit(obj.id, user, session)
+    end       
+
+  end
+
+  def read_permissions(user, session)
+    can :read, String do |pid|
+      test_read(pid, user, session)
+    end
+
+    can :read, ActiveFedora::Base do |obj|
+      test_read(obj.pid, user, session)
+    end 
+    
+    can :read, SolrDocument do |obj|
+      @permissions_solr_document = obj
+      test_read(obj.id, user, session)
+    end 
+  end
+
+
+  ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
+  def custom_permissions(user, session)
+  end
+  
+  protected
+
+  def permissions_doc(pid)
+    return @permissions_solr_document if @permissions_solr_document
+    response, @permissions_solr_document = get_permissions_solr_response_for_doc_id(pid)
+    @permissions_solr_document
+  end
+
+
+  def test_edit(pid, user, session)
+    permissions_doc(pid)
+    logger.debug("CANCAN Checking edit permissions for user: #{user}")
+    group_intersection = user_groups(user, session) & edit_groups
+    result = !group_intersection.empty? || edit_persons.include?(user_key(user))
+    logger.debug("CANCAN decision: #{result}")
+    result
+  end   
+  
+  def test_read(pid, user, session)
+    permissions_doc(pid)
+    logger.debug("CANCAN Checking edit permissions for user: #{user}")
+    group_intersection = user_groups(user, session) & read_groups
+    result = !group_intersection.empty? || read_persons.include?(user_key(user))
+    logger.debug("CANCAN decision: #{result}")
+    result
+  end 
+  
+  def edit_groups
+    edit_group_field = Hydra.config[:permissions][:edit][:group]
+    eg = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_group_field,nil))
+    logger.debug("edit_groups: #{eg.inspect}")
+    return eg
+  end
+
+  # edit implies read, so read_groups is the union of edit and read groups
+  def read_groups
+    read_group_field = Hydra.config[:permissions][:read][:group]
+    rg = edit_groups | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_group_field,nil))
+    logger.debug("read_groups: #{rg.inspect}")
+    return rg
+  end
+
+  def edit_persons
+    edit_person_field = Hydra.config[:permissions][:edit][:individual]
+    ep = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_person_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_person_field,nil))
+    logger.debug("edit_persons: #{ep.inspect}")
+    return ep
+  end
+
+  # edit implies read, so read_persons is the union of edit and read persons
+  def read_persons
+    read_individual_field = Hydra.config[:permissions][:read][:individual]
+    rp = edit_persons | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_individual_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_individual_field,nil))
+    logger.debug("read_persons: #{rp.inspect}")
+    return rp
+  end
+
+  
+  # get the currently configured user identifier.  Can be overridden to return whatever (ie. login, email, etc)
+  # defaults to using whatever you have set as the Devise authentication_key
+  def user_key(user)
+    user.send(Devise.authentication_keys.first)
+  end
+
+
+end

data/lib/hydra/access_controls_enforcement.rb

@@ -0,0 +1,234 @@
+# will move to lib/hydra/access_control folder/namespace in release 5.x
+module Hydra::AccessControlsEnforcement
+  
+  def self.included(klass)
+    klass.send(:include, Hydra::AccessControlsEvaluation)
+  end
+  
+  #
+  #   Access Controls Enforcement Filters
+  #
+  
+  # Controller "before" filter that delegates enforcement based on the controller action
+  # Action-specific implementations are enforce_index_permissions, enforce_show_permissions, etc.
+  # @param [Hash] opts (optional, not currently used)
+  #
+  # @example
+  #   class CatalogController < ApplicationController  
+  #     before_filter :enforce_access_controls
+  #   end
+  def enforce_access_controls(opts={})
+    controller_action = params[:action].to_s
+    controller_action = "edit" if params[:action] == "destroy" 
+    delegate_method = "enforce_#{controller_action}_permissions"
+    if self.respond_to?(delegate_method.to_sym, true)
+      self.send(delegate_method.to_sym)
+    else
+      true
+    end
+  end
+  
+  
+  #
+  #  Solr integration
+  #
+  
+  # returns a params hash with the permissions info for a single solr document 
+  # If the id arg is nil, then the value is fetched from params[:id]
+  # This method is primary called by the get_permissions_solr_response_for_doc_id method.
+  # Modeled on Blacklight::SolrHelper.solr_doc_params
+  # @param [String] id of the documetn to retrieve
+  def permissions_solr_doc_params(id=nil)
+    id ||= params[:id]
+    # just to be consistent with the other solr param methods:
+    {
+      :qt => :permissions,
+      :id => id # this assumes the document request handler will map the 'id' param to the unique key field
+    }
+  end
+  
+  # a solr query method
+  # retrieve a solr document, given the doc id
+  # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
+  # @param [String] id of the documetn to retrieve
+  # @param [Hash] extra_controller_params (optional)
+  def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
+    raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
+    solr_response = Blacklight.solr.find permissions_solr_doc_params(id).merge(extra_controller_params)
+    raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
+    document = SolrDocument.new(solr_response.docs.first, solr_response)
+    [solr_response, document]
+  end
+  
+  # Loads permissions info into @permissions_solr_response and @permissions_solr_document
+  def load_permissions_from_solr(id=params[:id], extra_controller_params={})
+    unless !@permissions_solr_document.nil? && !@permissions_solr_response.nil?
+      @permissions_solr_response, @permissions_solr_document = get_permissions_solr_response_for_doc_id(id, extra_controller_params)
+    end
+  end
+  
+  private
+
+  # If someone hits the show action while their session's viewing_context is in edit mode, 
+  # this will redirect them to the edit action.
+  # If they do not have sufficient privileges to edit documents, it will silently switch their session to browse mode.
+  def enforce_viewing_context_for_show_requests
+    if params[:viewing_context] == "browse"
+      session[:viewing_context] = params[:viewing_context]
+    elsif session[:viewing_context] == "edit"
+      if can? :edit, params[:id]
+        logger.debug("enforce_viewing_context_for_show_requests redirecting to edit")
+        if params[:files]
+          redirect_to :action=>:edit, :files=>true
+        else
+          redirect_to :action=>:edit
+        end
+      else
+        session[:viewing_context] = "browse"
+      end
+    end
+  end
+  
+  #
+  # Action-specific enforcement
+  #
+  
+  # Controller "before" filter for enforcing access controls on show actions
+  # @param [Hash] opts (optional, not currently used)
+  def enforce_show_permissions(opts={})
+    load_permissions_from_solr
+    unless @permissions_solr_document['access_t'] && (@permissions_solr_document['access_t'].first == "public" || @permissions_solr_document['access_t'].first == "Public")
+      if @permissions_solr_document["embargo_release_date_dt"] 
+        embargo_date = Date.parse(@permissions_solr_document["embargo_release_date_dt"].split(/T/)[0])
+        if embargo_date > Date.parse(Time.now.to_s)
+          ### Assuming we're using devise and have only one authentication key
+          unless current_user && can?(:edit, params[:id])
+            raise Hydra::AccessDenied.new("This item is under embargo.  You do not have sufficient access privileges to read this document.", :edit, params[:id])
+          end
+        end
+      end
+      unless can? :read, params[:id] 
+        raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
+      end
+    end
+  end
+  
+  # Controller "before" filter for enforcing access controls on edit actions
+  # @param [Hash] opts (optional, not currently used)
+  def enforce_edit_permissions(opts={})
+    logger.debug("Enforcing edit permissions")
+    load_permissions_from_solr
+    if !can? :edit, params[:id]
+      session[:viewing_context] = "browse"
+      raise Hydra::AccessDenied.new("You do not have sufficient privileges to edit this document. You have been redirected to the read-only view.", :edit, params[:id])
+    else
+      session[:viewing_context] = "edit"
+    end
+  end
+
+  ## proxies to enforce_edit_permssions.  This method is here for you to override
+  def enforce_update_permissions(opts={})
+    enforce_edit_permissions(opts)
+  end
+
+  ## proxies to enforce_edit_permssions.  This method is here for you to override
+  def enforce_delete_permissions(opts={})
+    enforce_edit_permissions(opts)
+  end
+
+  # Controller "before" filter for enforcing access controls on index actions
+  # Currently does nothing, instead relies on 
+  # @param [Hash] opts (optional, not currently used)
+  def enforce_index_permissions(opts={})
+    # Do nothing. Relies on enforce_search_permissions being included in the Controller's solr_search_params_logic
+    return true
+  end
+  
+  #
+  # Solr query modifications
+  #
+  
+  # Set solr_parameters to enforce appropriate permissions 
+  # * Applies a lucene query to the solr :q parameter for gated discovery
+  # * Uses public_qt search handler if user does not have "read" permissions
+  # @param solr_parameters the current solr parameters
+  # @param user_parameters the current user-subitted parameters
+  #
+  # @example This method should be added to your Catalog Controller's solr_search_params_logic
+  #   class CatalogController < ApplicationController 
+  #     include Hydra::Catalog
+  #     CatalogController.solr_search_params_logic << :add_access_controls_to_solr_params
+  #   end
+  def add_access_controls_to_solr_params(solr_parameters, user_parameters)
+    apply_gated_discovery(solr_parameters, user_parameters)
+  end
+
+  
+  # Which permission levels (logical OR) will grant you the ability to discover documents in a search.
+  # Override this method if you want it to be something other than the default
+  def discovery_permissions
+    ["edit","discover","read"]
+  end
+
+  # Contrller before filter that sets up access-controlled lucene query in order to provide gated discovery behavior
+  # @param solr_parameters the current solr parameters
+  # @param user_parameters the current user-subitted parameters
+  def apply_gated_discovery(solr_parameters, user_parameters)
+    solr_parameters[:fq] ||= []
+    # Grant access to public content
+    permission_types = discovery_permissions
+    user_access_filters = []
+    
+    permission_types.each do |type|
+      user_access_filters << "#{type}_access_group_t:public"
+    end
+    
+    # Grant access based on user id & role
+    unless current_user.nil?
+      # for roles
+      ::RoleMapper.roles(user_key).each_with_index do |role, i|
+        permission_types.each do |type|
+          user_access_filters << "#{type}_access_group_t:#{role}"
+        end
+      end
+      # for individual person access
+      permission_types.each do |type|
+        user_access_filters << "#{type}_access_person_t:#{user_key}"        
+      end
+      if Deprecation.silence(Hydra::SuperuserAttributes) { current_user.is_being_superuser?(session) }
+        permission_types.each do |type|
+          user_access_filters << "#{type}_access_person_t:[* TO *]"        
+        end
+      end
+      
+      # Enforcing Embargo at Query time has been disabled.  
+      # If you want to do this, set up your own solr_search_params before_filter that injects the appropriate :fq constraints for a field that expresses your objects' embargo status.
+      #
+      # include docs in results if the embargo date is NOT in the future OR if the current user is depositor
+      # embargo_query = "(NOT embargo_release_date_dt:[NOW TO *]) OR depositor_t:#{user_key}"
+      # embargo_query = "(NOT embargo_release_date_dt:[NOW TO *]) OR (embargo_release_date_dt:[NOW TO *] AND  depositor_t:#{user_key}) AND NOT (NOT depositor_t:#{user_key} AND embargo_release_date_dt:[NOW TO *])"
+      # solr_parameters[:fq] << embargo_query         
+    end
+    solr_parameters[:fq] << user_access_filters.join(" OR ")
+    logger.debug("Solr parameters: #{ solr_parameters.inspect }")
+  end
+  
+  
+  # proxy for {enforce_index_permissions}
+  def enforce_search_permissions
+    enforce_index_permissions
+  end
+
+  # proxy for {enforce_show_permissions}
+  def enforce_read_permissions
+    enforce_show_permissions
+  end
+  
+  # This filters out objects that you want to exclude from search results.  By default it only excludes FileAssets
+  # @param solr_parameters the current solr parameters
+  # @param user_parameters the current user-subitted parameters
+  def exclude_unwanted_models(solr_parameters, user_parameters)
+    solr_parameters[:fq] ||= []
+    solr_parameters[:fq] << "-has_model_s:\"info:fedora/afmodel:FileAsset\""
+  end
+end