hydra-access-controls 0.0.1

data/lib/hydra/access_controls_evaluation.rb

@@ -0,0 +1,38 @@
+# will move to lib/hydra/access_control folder/namespace in release 5.x
+# Provides methods for determining permissions
+# If you include this into a Controller, it will also make a number of these methods available as view helpers.
+module Hydra::AccessControlsEvaluation
+  
+  def self.included(klass)
+    if klass.respond_to?(:helper_method)
+      klass.helper_method(:editor?)
+      klass.helper_method(:reader?)
+      klass.helper_method(:test_permission?)
+    end
+  end
+  
+  # Test the current user's permissions.  This method is used by the editor? and reader? methods
+  # @param [Symbol] permission_type valid options: :edit, :read
+  # This is available as a view helper method as well as within your controllers.
+  # @example
+  #   test_permission(:edit)
+  def test_permission(permission_type)    
+    ActiveSupport::Deprecation.warn("test_permission has been deprecated. Use can? instead") 
+    can? permission_type, @permissions_solr_document
+  end
+
+  # Test whether the the current user has edit permissions.  
+  # This is available as a view helper method as well as within your controllers.
+  def editor?
+    logger.warn("editor? has been deprecated. Use can? instead")
+    can? :edit, @permissions_solr_document
+  end
+  
+  # Test whether the the current user has read permissions.  
+  # This is available as a view helper method as well as within your controllers.
+  def reader?
+    logger.warn("reader? has been deprecated. Use can? instead")
+    can? :read, @permissions_solr_document
+  end
+
+end

data/lib/hydra/datastream.rb

@@ -0,0 +1,6 @@
+module Hydra
+  module Datastream
+    extend ActiveSupport::Autoload
+    autoload :RightsMetadata
+  end
+end

data/lib/hydra/datastream/rights_metadata.rb

@@ -0,0 +1,192 @@
+require 'active_support/core_ext/string'
+module Hydra
+  module Datastream
+    # Implements Hydra RightsMetadata XML terminology for asserting access permissions
+    class RightsMetadata < ActiveFedora::NokogiriDatastream       
+      
+      set_terminology do |t|
+        t.root(:path=>"rightsMetadata", :xmlns=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1", :schema=>"http://github.com/projecthydra/schemas/tree/v1/rightsMetadata.xsd") 
+        t.copyright {
+          t.machine {
+            t.uvalicense
+            t.cclicense   
+            t.license     
+          }
+          t.human_readable(:path=>"human")
+          t.license(:proxy=>[:machine, :license ])            
+          t.cclicense(:proxy=>[:machine, :cclicense ])                  
+        }
+        t.access {
+          t.human_readable(:path=>"human")
+          t.machine {
+            t.group
+            t.person
+          }
+          t.person(:proxy=>[:machine, :person])
+          t.group(:proxy=>[:machine, :group])
+          # accessor :access_person, :term=>[:access, :machine, :person]
+        }
+        t.discover_access(:ref=>[:access], :attributes=>{:type=>"discover"})
+        t.read_access(:ref=>[:access], :attributes=>{:type=>"read"})
+        t.edit_access(:ref=>[:access], :attributes=>{:type=>"edit"})
+        # A bug in OM prevnts us from declaring proxy terms at the root of a Terminology
+        # t.access_person(:proxy=>[:access,:machine,:person])
+        # t.access_group(:proxy=>[:access,:machine,:group])
+        
+        t.embargo {
+          t.human_readable(:path=>"human")
+          t.machine{
+            t.date(:type =>"release")
+          }
+          t.embargo_release_date(:proxy => [:machine, :date])
+        }    
+      end
+
+      # Generates an empty Mods Article (used when you call ModsArticle.new without passing in existing xml)
+      def self.xml_template
+        builder = Nokogiri::XML::Builder.new do |xml|
+          xml.rightsMetadata(:version=>"0.1", "xmlns"=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1") {
+            xml.copyright {
+              xml.human
+              xml.machine {
+                xml.uvalicense "no"
+              }
+            }
+            xml.access(:type=>"discover") {
+              xml.human
+              xml.machine
+            }
+            xml.access(:type=>"read") {
+              xml.human 
+              xml.machine
+            }
+            xml.access(:type=>"edit") {
+              xml.human
+              xml.machine
+            }
+            xml.embargo{
+              xml.human
+              xml.machine
+            }        
+          }
+        end
+        return builder.doc
+      end
+        
+      # Returns the permissions for the selected person/group
+      # If new_access_level is provided, updates the selected person/group access_level to the one specified 
+      # A new_access_level of "none" will remove all access_levels for the selected person/group
+      # @param [Hash] selector hash in format {type => identifier}
+      # @param new_access_level (default nil)
+      # @return Hash in format {type => access_level}.  
+      # 
+      # ie. 
+      # permissions({:person=>"person123"})
+      # => {"person123"=>"edit"}
+      # permissions({:person=>"person123"}, "read")
+      # => {"person123"=>"read"}
+      # permissions({:person=>"person123"})
+      # => {"person123"=>"read"}
+      def permissions(selector, new_access_level=nil)
+        type = selector.keys.first.to_sym
+        actor = selector.values.first
+        if new_access_level.nil?
+          xpath = self.class.terminology.xpath_for(:access, type, actor)
+          nodeset = self.find_by_terms(xpath)
+          if nodeset.empty?
+            return "none"
+          else
+            return nodeset.first.ancestors("access").first.attributes["type"].text
+          end
+        else
+          remove_all_permissions(selector)
+          unless new_access_level == "none" 
+            access_type_symbol = "#{new_access_level}_access".to_sym
+            result = self.update_values([access_type_symbol, type] => {"-1"=>actor})
+          end
+          self.dirty = true
+          return new_access_level
+        end
+          
+      end
+      
+      # Reports on which groups have which permissions
+      # @return Hash in format {group_name => group_permissions, group_name => group_permissions}
+      def groups
+        return quick_search_by_type(:group)
+      end
+      
+      # Reports on which groups have which permissions
+      # @return Hash in format {person_name => person_permissions, person_name => person_permissions}
+      def individuals
+        return quick_search_by_type(:person)
+      end
+      
+      # Updates permissions for all of the persons and groups in a hash
+      # @param params ex. {"group"=>{"group1"=>"discover","group2"=>"edit"}, "person"=>{"person1"=>"read","person2"=>"discover"}}
+      # Currently restricts actor type to group or person.  Any others will be ignored
+      def update_permissions(params)
+        params.fetch("group", {}).each_pair {|group_id, access_level| self.permissions({"group"=>group_id}, access_level)}
+        params.fetch("person", {}).each_pair {|group_id, access_level| self.permissions({"person"=>group_id}, access_level)}
+      end
+      
+      # @param [Symbol] type (either :group or :person)
+      # @return 
+      # This method limits the response to known access levels.  Probably runs a bit faster than .permissions().
+      def quick_search_by_type(type)
+        result = {}
+        [{:discover_access=>"discover"},{:read_access=>"read"},{:edit_access=>"edit"}].each do |access_levels_hash|
+          access_level = access_levels_hash.keys.first
+          access_level_name = access_levels_hash.values.first
+          self.find_by_terms(*[access_level, type]).each do |entry|
+            result[entry.text] = access_level_name
+          end
+        end
+        return result
+      end
+
+      attr_reader :embargo_release_date
+      def embargo_release_date=(release_date)
+        release_date = release_date.to_s if release_date.is_a? Date
+        begin
+          Date.parse(release_date)
+        rescue 
+          return "INVALID DATE"
+        end
+        self.update_values({[:embargo,:machine,:date]=>release_date})
+      end
+      def embargo_release_date(opts={})
+        embargo_release_date = self.find_by_terms(*[:embargo,:machine,:date]).first ? self.find_by_terms(*[:embargo,:machine,:date]).first.text : nil
+        if embargo_release_date.present? && opts[:format] && opts[:format] == :solr_date
+          embargo_release_date << "T23:59:59Z"
+        end
+        embargo_release_date
+      end
+      def under_embargo?
+        (embargo_release_date && Date.today < embargo_release_date.to_date) ? true : false
+      end
+
+      def to_solr(solr_doc=Hash.new)
+        super(solr_doc)
+        ::Solrizer::Extractor.insert_solr_field_value(solr_doc, "embargo_release_date_dt", embargo_release_date(:format=>:solr_date)) if embargo_release_date
+        solr_doc
+      end
+
+
+
+
+      
+      private
+      # Purge all access given group/person 
+      def remove_all_permissions(selector)
+        return unless ng_xml
+        type = selector.keys.first.to_sym
+        actor = selector.values.first
+        xpath = self.class.terminology.xpath_for(:access, type, actor)
+        nodes_to_purge = self.find_by_terms(xpath)
+        nodes_to_purge.each {|node| node.remove}
+      end
+      
+    end
+  end
+end

data/lib/hydra/model_mixins.rb

@@ -0,0 +1,7 @@
+module Hydra
+  module ModelMixins
+    extend ActiveSupport::Autoload
+    autoload :RightsMetadata
+  end
+end
+

data/lib/hydra/model_mixins/rights_metadata.rb

@@ -0,0 +1,357 @@
+module Hydra
+  module ModelMixins
+    module RightsMetadata
+
+
+      ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
+      # @example
+      #  obj.permissions= [{:name=>"group1", :access=>"discover", :type=>'group'},
+      #  {:name=>"group2", :access=>"discover", :type=>'group'}]
+      def permissions=(params)
+        perm_hash = {'person' => rightsMetadata.individuals, 'group'=> rightsMetadata.groups}
+
+        params.each do |row|
+          if row[:type] == 'user'
+            perm_hash['person'][row[:name]] = row[:access]
+          else
+            perm_hash['group'][row[:name]] = row[:access]
+          end
+        end
+        
+        rightsMetadata.update_permissions(perm_hash)
+      end
+
+
+      ## Returns a list with all the permissions on the object.
+      # @example
+      #  [{:name=>"group1", :access=>"discover", :type=>'group'},
+      #  {:name=>"group2", :access=>"discover", :type=>'group'},
+      #  {:name=>"user2", :access=>"read", :type=>'user'},
+      #  {:name=>"user1", :access=>"edit", :type=>'user'},
+      #  {:name=>"user3", :access=>"read", :type=>'user'}]
+      def permissions
+        (rightsMetadata.groups.map {|x| {:type=>'group', :access=>x[1], :name=>x[0] }} + 
+          rightsMetadata.individuals.map {|x| {:type=>'user', :access=>x[1], :name=>x[0]}})
+
+      end
+    
+      # Return a list of groups that have discover permission
+      def discover_groups
+        rightsMetadata.groups.map {|k, v| k if v == 'discover'}.compact
+      end
+
+      # Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
+      # @param[Array] groups a list of group names
+      # @example
+      #  r.discover_groups= ['one', 'two', 'three']
+      #  r.discover_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def discover_groups=(groups)
+        set_discover_groups(groups, discover_groups)
+      end
+
+      # Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
+      # @param[String] groups a list of group names
+      # @example
+      #  r.discover_groups_string= 'one, two, three'
+      #  r.discover_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def discover_groups_string=(groups)
+        self.discover_groups=groups.split(/[\s,]+/)
+      end
+
+      # Display the groups a comma delimeted string
+      def discover_groups_string
+        self.discover_groups.join(', ')
+      end
+
+      # Grant discover permissions to the groups specified. Revokes discover permission for
+      # any of the eligible_groups that are not in groups.
+      # This may be used when different users are responsible for setting different
+      # groups.  Supply the groups the current user is responsible for as the 
+      # 'eligible_groups'
+      # @param[Array] groups a list of groups
+      # @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked. 
+      # @example
+      #  r.discover_groups = ['one', 'two', 'three']
+      #  r.discover_groups 
+      #  => ['one', 'two', 'three']
+      #  r.set_discover_groups(['one'], ['three'])
+      #  r.discover_groups
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_discover_groups(groups, eligible_groups)
+        set_entities(:discover, :group, groups, eligible_groups)
+      end
+
+      def discover_users
+        rightsMetadata.individuals.map {|k, v| k if v == 'discover'}.compact
+      end
+
+      # Grant discover permissions to the users specified. Revokes discover permission for all other users.
+      # @param[Array] users a list of usernames
+      # @example
+      #  r.discover_users= ['one', 'two', 'three']
+      #  r.discover_users 
+      #  => ['one', 'two', 'three']
+      #
+      def discover_users=(users)
+        set_discover_users(users, discover_users)
+      end
+
+      # Grant discover permissions to the groups specified. Revokes discover permission for all other users.
+      # @param[String] users a list of usernames
+      # @example
+      #  r.discover_users_string= 'one, two, three'
+      #  r.discover_users 
+      #  => ['one', 'two', 'three']
+      #
+      def discover_users_string=(users)
+        self.discover_users=users.split(/[\s,]+/)
+      end
+
+      # Display the users as a comma delimeted string
+      def discover_users_string
+        self.discover_users.join(', ')
+      end
+
+      # Grant discover permissions to the users specified. Revokes discover permission for
+      # any of the eligible_users that are not in users.
+      # This may be used when different users are responsible for setting different
+      # users.  Supply the users the current user is responsible for as the 
+      # 'eligible_users'
+      # @param[Array] users a list of users
+      # @param[Array] eligible_users the users that are eligible to have their discover permssion revoked. 
+      # @example
+      #  r.discover_users = ['one', 'two', 'three']
+      #  r.discover_users 
+      #  => ['one', 'two', 'three']
+      #  r.set_discover_users(['one'], ['three'])
+      #  r.discover_users
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_discover_users(users, eligible_users)
+        set_entities(:discover, :person, users, eligible_users)
+      end
+
+      # Return a list of groups that have discover permission
+      def read_groups
+        rightsMetadata.groups.map {|k, v| k if v == 'read'}.compact
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for all other groups.
+      # @param[Array] groups a list of group names
+      # @example
+      #  r.read_groups= ['one', 'two', 'three']
+      #  r.read_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def read_groups=(groups)
+        set_read_groups(groups, read_groups)
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for all other groups.
+      # @param[String] groups a list of group names
+      # @example
+      #  r.read_groups_string= 'one, two, three'
+      #  r.read_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def read_groups_string=(groups)
+        self.read_groups=groups.split(/[\s,]+/)
+      end
+
+      # Display the groups a comma delimeted string
+      def read_groups_string
+        self.read_groups.join(', ')
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for
+      # any of the eligible_groups that are not in groups.
+      # This may be used when different users are responsible for setting different
+      # groups.  Supply the groups the current user is responsible for as the 
+      # 'eligible_groups'
+      # @param[Array] groups a list of groups
+      # @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked. 
+      # @example
+      #  r.read_groups = ['one', 'two', 'three']
+      #  r.read_groups 
+      #  => ['one', 'two', 'three']
+      #  r.set_read_groups(['one'], ['three'])
+      #  r.read_groups
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_read_groups(groups, eligible_groups)
+        set_entities(:read, :group, groups, eligible_groups)
+      end
+
+      def read_users
+        rightsMetadata.individuals.map {|k, v| k if v == 'read'}.compact
+      end
+
+      # Grant read permissions to the users specified. Revokes read permission for all other users.
+      # @param[Array] users a list of usernames
+      # @example
+      #  r.read_users= ['one', 'two', 'three']
+      #  r.read_users 
+      #  => ['one', 'two', 'three']
+      #
+      def read_users=(users)
+        set_read_users(users, read_users)
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for all other users.
+      # @param[String] users a list of usernames
+      # @example
+      #  r.read_users_string= 'one, two, three'
+      #  r.read_users 
+      #  => ['one', 'two', 'three']
+      #
+      def read_users_string=(users)
+        self.read_users=users.split(/[\s,]+/)
+      end
+
+      # Display the users as a comma delimeted string
+      def read_users_string
+        self.read_users.join(', ')
+      end
+
+      # Grant read permissions to the users specified. Revokes read permission for
+      # any of the eligible_users that are not in users.
+      # This may be used when different users are responsible for setting different
+      # users.  Supply the users the current user is responsible for as the 
+      # 'eligible_users'
+      # @param[Array] users a list of users
+      # @param[Array] eligible_users the users that are eligible to have their read permssion revoked. 
+      # @example
+      #  r.read_users = ['one', 'two', 'three']
+      #  r.read_users 
+      #  => ['one', 'two', 'three']
+      #  r.set_read_users(['one'], ['three'])
+      #  r.read_users
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_read_users(users, eligible_users)
+        set_entities(:read, :person, users, eligible_users)
+      end
+
+
+      # Return a list of groups that have edit permission
+      def edit_groups
+        rightsMetadata.groups.map {|k, v| k if v == 'edit'}.compact
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
+      # @param[Array] groups a list of group names
+      # @example
+      #  r.edit_groups= ['one', 'two', 'three']
+      #  r.edit_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def edit_groups=(groups)
+        set_edit_groups(groups, edit_groups)
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
+      # @param[String] groups a list of group names
+      # @example
+      #  r.edit_groups_string= 'one, two, three'
+      #  r.edit_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def edit_groups_string=(groups)
+        self.edit_groups=groups.split(/[\s,]+/)
+      end
+
+      # Display the groups a comma delimeted string
+      def edit_groups_string
+        self.edit_groups.join(', ')
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for
+      # any of the eligible_groups that are not in groups.
+      # This may be used when different users are responsible for setting different
+      # groups.  Supply the groups the current user is responsible for as the 
+      # 'eligible_groups'
+      # @param[Array] groups a list of groups
+      # @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked. 
+      # @example
+      #  r.edit_groups = ['one', 'two', 'three']
+      #  r.edit_groups 
+      #  => ['one', 'two', 'three']
+      #  r.set_edit_groups(['one'], ['three'])
+      #  r.edit_groups
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_edit_groups(groups, eligible_groups)
+        set_entities(:edit, :group, groups, eligible_groups)
+      end
+
+      def edit_users
+        rightsMetadata.individuals.map {|k, v| k if v == 'edit'}.compact
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
+      # @param[Array] users a list of usernames
+      # @example
+      #  r.edit_users= ['one', 'two', 'three']
+      #  r.edit_users 
+      #  => ['one', 'two', 'three']
+      #
+      def edit_users=(users)
+        set_edit_users(users, edit_users)
+      end
+
+      # Grant edit permissions to the users specified. Revokes edit permission for
+      # any of the eligible_users that are not in users.
+      # This may be used when different users are responsible for setting different
+      # users.  Supply the users the current user is responsible for as the 
+      # 'eligible_users'
+      # @param[Array] users a list of users
+      # @param[Array] eligible_users the users that are eligible to have their edit permssion revoked. 
+      # @example
+      #  r.edit_users = ['one', 'two', 'three']
+      #  r.edit_users 
+      #  => ['one', 'two', 'three']
+      #  r.set_edit_users(['one'], ['three'])
+      #  r.edit_users
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_edit_users(users, eligible_users)
+        set_entities(:edit, :person, users, eligible_users)
+      end
+
+
+      private 
+
+      # @param  permission either :discover, :read or :edit
+      # @param  type either :person or :group
+      # @param  values  Values to set
+      # @param  changeable Values we are allowed to change
+      def set_entities(permission, type, values, changeable)
+        g = preserved(type, permission)
+        (changeable - values).each do |entity|
+          #Strip permissions from users not provided
+          g[entity] = 'none'
+        end
+        values.each { |name| g[name] = permission.to_s}
+        rightsMetadata.update_permissions(type.to_s=>g)
+      end
+
+      ## Get those permissions we don't want to change
+      def preserved(type, permission)
+        case permission
+        when :edit
+          g = {}
+        when :read
+          Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'edit'}]
+        when :discover
+          Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'discover'}]
+        end
+      end
+
+    end
+  end
+end