hydra-access-controls 0.0.2 → 0.0.3

data/spec/spec_helper.rb

@@ -1,3 +1,12 @@
+ENV["environment"] ||= "test"
+module Hydra
+  # Stubbing Hydra.config[:policy_aware] so Hydra::PolicyAwareAbility will be loaded for tests.
+  def self.config
+    {:permissions=>{:policy_aware => true}}
+  end
+end
+
+
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 
@@ -14,7 +23,26 @@ end
 require 'rspec/autorun'
 require 'hydra-access-controls'
 require 'support/mods_asset'
+require 'support/solr_document'
+require "support/user"
+require "factory_girl"
+require "factories"
+
+require 'support/blacklight'
+require 'support/rails'
+
 RSpec.configure do |config|
 
 end
 
+# Stubbing a deprecated class/method so it won't mess up tests.
+class Hydra::SuperuserAttributes
+ cattr_accessor :silenced
+end
+
+# Stubbing Devise
+class Devise
+  def self.authentication_keys
+    ["uid"]
+  end
+end

data/spec/support/blacklight.rb

@@ -0,0 +1,7 @@
+require 'blacklight'
+
+module Blacklight
+  def self.solr_file
+    File.expand_path(File.join(File.dirname(__FILE__), "config", "solr.yml"))
+  end
+end

data/spec/support/config/solr.yml

@@ -0,0 +1,4 @@
+development:
+  url: http://localhost:<%= ENV['TEST_JETTY_PORT'] || 8983 %>/solr/development
+test: 
+  url: http://localhost:<%= ENV['TEST_JETTY_PORT'] || 8983 %>/solr/test

data/spec/support/mods_asset.rb

@@ -2,5 +2,8 @@ require 'active-fedora'
 class ModsAsset < ActiveFedora::Base
   include Hydra::ModelMixins::RightsMetadata
   has_metadata :name => "rightsMetadata", :type => Hydra::Datastream::RightsMetadata
-
+  
+  # This is how we're associating admin policies with assets.  
+  # You can associate them however you want, just use the :is_governed_by relationship
+  belongs_to :admin_policy, :class_name=> "Hydra::AdminPolicy", :property=>:is_governed_by
 end

data/spec/support/rails.rb

@@ -0,0 +1,10 @@
+class Rails
+  def self.env
+    ENV['environment']
+  end
+
+  def self.version
+    "0.0.0"
+    #"hydra-access-controls mock rails"
+  end
+end

data/spec/support/solr_document.rb

@@ -0,0 +1,13 @@
+class SolrDocument
+  def initialize(source_doc={}, solr_response=nil)
+    @source_doc = source_doc
+  end
+  def fetch(field, default)
+    @source_doc[field]
+  end
+
+  def [](field)
+    @source_doc[field]
+  end
+end
+

data/spec/support/user.rb

@@ -0,0 +1,32 @@
+class User
+  
+  include Hydra::User
+
+  attr_accessor :uid, :email, :password, :roles, :new_record
+
+  def initialize(params={})
+    self.email = params[:email] if params[:email]
+  end
+  
+  def new_record?
+    new_record == true
+  end
+  
+  def is_being_superuser?(session)
+    # do nothing -- stubbing deprecated behavior
+  end
+  
+  def self.find_by_uid(uid)
+    nil
+  end
+  
+  def save
+    # do nothing!
+  end
+  
+  def save!
+    save
+    return self
+  end
+  
+end

data/spec/unit/ability_spec.rb

@@ -3,44 +3,25 @@ require 'spec_helper'
 describe Ability do
   before do
     class Rails; end
-    class User; end
-    class Devise; end
-    class SolrDocument
-      def initialize(one, two)
-        @one = one
-      end
-      def fetch(field, default)
-        @one[field]
-      end
-    end
-    class Hydra::SuperuserAttributes; end
-    module Blacklight
-      module Exceptions
-        class InvalidSolrID < StandardError
-          def initialize(opt)
-          end
-        end
-      end
-    end
-    Devise.stub(:authentication_keys).and_return(['email'])
-    # User.any_instance.stub(:email).and_return('archivist1@example.com')
-    # User.any_instance.stub(:new_record?).and_return(false)
-    # User.any_instance.stub(:is_being_superuser?).and_return(false)
-    Hydra::SuperuserAttributes.stub(:silenced)
-    Hydra::SuperuserAttributes.stub(:silenced=)
-    @solr_resp = stub("solr response")
-    Blacklight.stub(:solr).and_return(stub("solr", :find=>@solr_resp))
-    
     Rails.stub(:root).and_return('spec/support')
     Rails.stub(:env).and_return('test')
-
-    Hydra.stub(:config).and_return({:permissions=>{
-      :catchall => "access_t",
-      :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
-      :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
-      :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
-      :owner => "depositor_t",
-      :embargo_release_date => "embargo_release_date_dt"
+    Hydra.stub(:config).and_return({
+      :permissions=>{
+        :catchall => "access_t",
+        :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
+        :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
+        :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
+        :owner => "depositor_t",
+        :embargo_release_date => "embargo_release_date_dt",
+      
+        :inheritable => {
+          :catchall => "inheritable_access_t",
+          :discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
+          :read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
+          :edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
+          :owner => "inheritable_depositor_t",
+          :embargo_release_date => "inheritable_embargo_release_date_dt"
+        }
     }})
   end
 
@@ -55,34 +36,335 @@ describe Ability do
       Ability.any_instance.should_receive(:custom_permissions)
       subject.can?(:delete, 7)
     end
-    it "should be able to read objects that are public" do
-      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['public']}])
-      public_object = ModsAsset.new
-      subject.can?(:read, public_object).should be_true
-    end
-    it "should not be able to read objects that are registered" do
-      registered_object = ModsAsset.new
-      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['registered']}])
-      subject.can?(:read, registered_object).should_not be_true
-    end
     it "should not be able to create objects" do
       subject.can?(:create, :any).should be_false
     end
   end
   context "for a signed in user" do
-    subject { Ability.new(stub("user", :email=>'archivist1@example.com', :new_record? => false, :is_being_superuser? =>false)) }
-    it "should be able to read objects that are public" do
-      public_object = ModsAsset.new
-      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['public']}])
-      subject.can?(:read, public_object).should be_true
-    end
-    it "should be able to read objects that are registered" do
-      registered_object = ModsAsset.new
-      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['registered']}])
-      subject.can?(:read, registered_object).should be_true
+    before do
+      @user = FactoryGirl.build(:registered_user)
     end
+    subject { Ability.new(@user) }
     it "should be able to create objects" do
       subject.can?(:create, :any).should be_true
     end
   end
+
+
+# NOTES: 
+#   See spec/requests/... for test coverage describing WHAT should appear on a page based on access permissions
+#   Test coverage for discover permission is in spec/requests/gated_discovery_spec.rb
+  
+  describe "Given an asset that has been made publicly available (ie. open access)" do
+    before do
+      @asset = FactoryGirl.build(:open_access_asset)
+      @asset.save
+    end
+    context "Then a not-signed-in user" do
+      before do
+        @user = User.new
+        @user.new_record = true
+      end
+      subject { Ability.new(nil) }
+      it "should be able to view the asset" do
+        subject.can?(:read, @asset).should be_true
+      end
+      it "should not be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_false
+        subject.can?(:update, @asset).should be_false
+        subject.can?(:destroy, @asset).should be_false
+      end
+    end
+    context "Then a registered user" do
+      before do
+        @user = FactoryGirl.build(:registered_user)
+      end
+      subject { Ability.new(@user) }
+      it "should be able to view the asset" do
+        subject.can?(:read, @asset).should be_true
+      end
+      it "should not be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_false
+        subject.can?(:update, @asset).should be_false
+        subject.can?(:destroy, @asset).should be_false
+      end
+    end
+  end
+  
+  describe "Given an asset with no custom access set" do
+    before do
+      @asset = FactoryGirl.build(:default_access_asset)
+      @asset.save
+    end
+    context "Then a not-signed-in user" do
+      before do
+        @user = User.new
+        @user.new_record = true
+      end
+      subject { Ability.new(@user) }
+      it "should not be able to view the asset" do
+        subject.can?(:read, @asset).should be_false
+      end
+      it "should not be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_false
+        subject.can?(:update, @asset).should be_false
+        subject.can?(:destroy, @asset).should be_false
+      end
+    end
+    context "Then a registered user" do
+      before do
+        @user = FactoryGirl.build(:registered_user)
+      end
+      subject { Ability.new(@user) }
+      it "should not be able to view the asset" do
+        subject.can?(:read, @asset).should be_false
+      end
+      it "should not be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_false
+        subject.can?(:update, @asset).should be_false
+        subject.can?(:destroy, @asset).should be_false
+      end
+    end
+    context "Then the Creator" do
+      before do
+        @user = FactoryGirl.build(:joe_creator)
+      end
+      subject { Ability.new(@user) }
+
+      it "should be able to view the asset" do
+        subject.can?(:read, @asset).should be_true
+      end
+      it "should be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_true
+        subject.can?(:update, @asset).should be_true
+        subject.can?(:destroy, @asset).should be_true
+      end
+      it "should not be able to see the admin view of the asset" do
+        subject.can?(:admin, @asset).should be_false
+      end
+    end
+  end
+
+  describe "Given an asset which registered users have read access to" do
+    before do
+      @asset = FactoryGirl.build(:org_read_access_asset)
+      @asset.save
+    end
+    context "The a registered user" do
+      before do
+        @user = FactoryGirl.build(:registered_user)
+      end
+      subject { Ability.new(@user) }
+
+      it "should be able to view the asset" do
+        subject.can?(:read, @asset).should be_true
+      end
+      it "should not be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_false
+        subject.can?(:update, @asset).should be_false
+        subject.can?(:destroy, @asset).should be_false
+      end
+      it "should not be able to see the admin view of the asset" do
+        subject.can?(:admin, @asset).should be_false
+      end
+    end
+  end
+
+  describe "Given an asset with collaborator" do
+    before do
+      @asset = FactoryGirl.build(:org_read_access_asset)
+      @asset.save
+    end
+    context "Then a collaborator with edit access" do
+      before do
+        @user = FactoryGirl.build(:calvin_collaborator)
+      end
+      subject { Ability.new(@user) }
+
+      it "should be able to view the asset" do
+        subject.can?(:read, @asset).should be_true
+      end
+      it "should be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_true
+        subject.can?(:update, @asset).should be_true
+        subject.can?(:destroy, @asset).should be_true
+      end
+      it "should not be able to see the admin view of the asset" do
+        subject.can?(:admin, @asset).should be_false
+      end
+    end
+  end
+
+  describe "Given an asset where dept can read & registered users can discover" do
+    before do
+      @asset = FactoryGirl.build(:dept_access_asset)
+      @asset.save
+    end
+    context "Then a registered user" do
+      before do
+        @user = FactoryGirl.build(:registered_user)
+      end
+      subject { Ability.new(@user) }
+
+      it "should not be able to view the asset" do
+        subject.can?(:read, @asset).should be_false
+      end
+      it "should not be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_false
+        subject.can?(:update, @asset).should be_false
+        subject.can?(:destroy, @asset).should be_false
+      end
+      it "should not be able to see the admin view of the asset" do
+        subject.can?(:admin, @asset).should be_false
+      end
+    end
+    context "Then someone whose role/group has read access" do
+      before do
+        @user = FactoryGirl.build(:martia_morocco)
+        RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+      end
+      subject { Ability.new(@user) }
+
+      it "should be able to view the asset" do
+        subject.can?(:read, @asset).should be_true
+      end
+      it "should not be able to edit, update and destroy the asset" do
+        subject.can?(:edit, @asset).should be_false
+        subject.can?(:update, @asset).should be_false
+        subject.can?(:destroy, @asset).should be_false
+      end
+      it "should not be able to see the admin view of the asset" do
+        subject.can?(:admin, @asset).should be_false
+      end
+    end
+  end
+
+  describe "a user" do
+    before do
+      @user = FactoryGirl.create(:staff)
+    end
+    subject { Ability.new(@user) }
+
+    it "should be able to create admin policies" do
+      subject.can?(:create, Hydra::AdminPolicy).should be_true
+    end
+
+  end
+
+  #
+  # Policy-based Access Controls
+  #
+  describe "When accessing assets with Policies associated" do
+    before do
+      @user = FactoryGirl.build(:martia_morocco)
+      RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+    end
+    subject { Ability.new(@user) }
+    context "Given a policy grants read access to a group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.default_permissions = [{:type=>"group", :access=>"read", :name=>"africana-faculty"}]
+        @policy.save
+      end
+      after { @policy.delete }
+    	context "And a subscribing asset does not grant access" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should not be able to edit, update and destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+    end
+    context "Given a policy grants edit access to a group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.default_permissions = [{:type=>"group", :access=>"edit", :name=>"africana-faculty"}]
+        @policy.save
+      end
+      after { @policy.delete }
+    	context "And a subscribing asset does not grant access" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+    		it "Then I should be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_true
+          subject.can?(:update, @asset).should be_true
+          subject.can?(:destroy, @asset).should be_true
+        end
+  		end
+    	context "And a subscribing asset grants read access to me as an individual" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.read_users = [@user.uid]
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_true
+          subject.can?(:update, @asset).should be_true
+          subject.can?(:destroy, @asset).should be_true
+        end
+      end
+    end
+
+    context "Given a policy does not grant access to any group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.save
+      end
+      after { @policy.delete }
+      context "And a subscribing asset does not grant access" do
+        before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+  		  it "Then I should not be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_false
+  		  end
+        it "Then I should not be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+      context "And a subscribing asset grants read access to me as an individual" do
+        before do
+          @asset = ModsAsset.new()
+          @asset.read_users = [@user.uid]
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+  		  it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should not be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+    end
+  end
 end