hydra-access-controls 0.0.2 → 0.0.3

Files changed (43)
  1. data/.gitignore +1 -0
  2. data/.gitmodules +3 -0
  3. data/.rspec +2 -0
  4. data/Gemfile +6 -0
  5. data/README.textile +100 -0
  6. data/Rakefile +6 -3
  7. data/config/fedora.yml +8 -0
  8. data/config/jetty.yml +5 -0
  9. data/config/solr.yml +6 -0
  10. data/hydra-access-controls.gemspec +3 -2
  11. data/lib/ability.rb +1 -0
  12. data/lib/hydra-access-controls.rb +10 -0
  13. data/lib/hydra-access-controls/version.rb +1 -1
  14. data/lib/hydra/ability.rb +14 -13
  15. data/lib/hydra/access_controls_enforcement.rb +27 -16
  16. data/lib/hydra/admin_policy.rb +81 -0
  17. data/lib/hydra/datastream.rb +1 -0
  18. data/lib/hydra/datastream/inheritable_rights_metadata.rb +22 -0
  19. data/lib/hydra/policy_aware_ability.rb +128 -0
  20. data/lib/hydra/policy_aware_access_controls_enforcement.rb +70 -0
  21. data/lib/hydra/role_mapper_behavior.rb +16 -2
  22. data/lib/hydra/user.rb +42 -0
  23. data/lib/tasks/hydra-access-controls.rake +18 -0
  24. data/lib/tasks/hydra_jetty.rake +55 -0
  25. data/solr_conf/conf/schema.xml +124 -0
  26. data/solr_conf/conf/solrconfig.xml +329 -0
  27. data/solr_conf/solr.xml +35 -0
  28. data/spec/factories.rb +101 -0
  29. data/spec/spec_helper.rb +28 -0
  30. data/spec/support/blacklight.rb +7 -0
  31. data/spec/support/config/solr.yml +4 -0
  32. data/spec/support/mods_asset.rb +4 -1
  33. data/spec/support/rails.rb +10 -0
  34. data/spec/support/solr_document.rb +13 -0
  35. data/spec/support/user.rb +32 -0
  36. data/spec/unit/ability_spec.rb +338 -56
  37. data/spec/unit/access_controls_enforcement_spec.rb +180 -0
  38. data/spec/unit/admin_policy_spec.rb +89 -0
  39. data/spec/unit/inheritable_rights_metadata_spec.rb +66 -0
  40. data/spec/unit/policy_aware_ability_spec.rb +92 -0
  41. data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +109 -0
  42. metadata +59 -4
  43. data/README.md +0 -29
@@ -0,0 +1,180 @@
1
+ require 'spec_helper'
2
+ # Need way to find way to stub current_user and RoleMapper in order to run these tests
3
+
4
+ describe Hydra::AccessControlsEnforcement do
5
+ before do
6
+ class Rails; end
7
+ Rails.stub(:root).and_return('spec/support')
8
+ Rails.stub(:env).and_return('test')
9
+ end
10
+ before(:all) do
11
+ class MockController
12
+ include Hydra::AccessControlsEnforcement
13
+ attr_accessor :params
14
+
15
+ def user_key
16
+ current_user.user_key
17
+ end
18
+
19
+ def session
20
+ end
21
+ end
22
+ end
23
+ subject { MockController.new }
24
+
25
+ describe "When I am searching for content" do
26
+ before do
27
+ @solr_parameters = {}
28
+ @user_parameters = {}
29
+ end
30
+ context "Given I am not logged in" do
31
+ before do
32
+ subject.stub(:current_user).and_return(User.new)
33
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
34
+ end
35
+ it "Then I should be treated as a member of the 'public' group" do
36
+ ["discover","edit","read"].each do |type|
37
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:public/)
38
+ end
39
+ end
40
+ it "Then I should not be treated as a member of the 'registered' group" do
41
+ @solr_parameters[:fq].first.should_not match(/registered/)
42
+ end
43
+ it "Then I should not have individual or group permissions"
44
+ end
45
+ context "Given I am a registered user" do
46
+ before do
47
+ @user = FactoryGirl.build(:martia_morocco)
48
+ @user.new_record = false
49
+ User.stub(:find_by_user_key).and_return(@user)
50
+ # This is a pretty fragile way to stub it...
51
+ RoleMapper.stub(:byname).and_return(@user.user_key=>["faculty", "africana-faculty"])
52
+ subject.stub(:current_user).and_return(@user)
53
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
54
+ end
55
+ it "Then I should be treated as a member of the 'public' and 'registered' groups" do
56
+ ["discover","edit","read"].each do |type|
57
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:public/)
58
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:registered/)
59
+ end
60
+ end
61
+ it "Then I should see assets that I have discover, read, or edit access to" do
62
+ ["discover","edit","read"].each do |type|
63
+ @solr_parameters[:fq].first.should match(/#{type}_access_person_t\:#{@user.user_key}/)
64
+ end
65
+ end
66
+ it "Then I should see assets that my groups have discover, read, or edit access to" do
67
+ ["faculty", "africana-faculty"].each do |group_id|
68
+ ["discover","edit","read"].each do |type|
69
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:#{group_id}/)
70
+ end
71
+ end
72
+ end
73
+ end
74
+ end
75
+
76
+ describe "enforce_access_controls" do
77
+ describe "when the method exists" do
78
+ it "should call the method" do
79
+ subject.params = {:action => :index}
80
+ subject.enforce_access_controls.should be_true
81
+ end
82
+ end
83
+ describe "when the method doesn't exist" do
84
+ it "should not call the method, but should return true" do
85
+ subject.params = {:action => :facet}
86
+ subject.enforce_access_controls.should be_true
87
+ end
88
+ end
89
+ end
90
+ describe "enforce_show_permissions" do
91
+ it "should allow a user w/ edit permissions to view an embargoed object" do
92
+ user = User.new :uid=>'testuser@example.com'
93
+ user.stub(:is_being_superuser?).and_return false
94
+ RoleMapper.stub(:roles).with(user.user_key).and_return(["archivist"])
95
+ subject.stub(:current_user).and_return(user)
96
+ subject.should_receive(:can?).with(:edit, nil).and_return(true)
97
+ subject.stub(:can?).with(:read, nil).and_return(true)
98
+ subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_t"=>["testuser@example.com"], "embargo_release_date_dt"=>(Date.parse(Time.now.to_s)+2).to_s})
99
+
100
+ subject.params = {}
101
+ subject.should_receive(:load_permissions_from_solr) #This is what normally sets @permissions_solr_document
102
+ lambda {subject.send(:enforce_show_permissions, {}) }.should_not raise_error Hydra::AccessDenied
103
+ end
104
+ it "should prevent a user w/o edit permissions from viewing an embargoed object" do
105
+ user = User.new :uid=>'testuser@example.com'
106
+ user.stub(:is_being_superuser?).and_return false
107
+ RoleMapper.stub(:roles).with(user.user_key).and_return([])
108
+ subject.stub(:current_user).and_return(user)
109
+ subject.should_receive(:can?).with(:edit, nil).and_return(false)
110
+ subject.stub(:can?).with(:read, nil).and_return(true)
111
+ subject.params = {}
112
+ subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_t"=>["testuser@example.com"], "embargo_release_date_dt"=>(Date.parse(Time.now.to_s)+2).to_s})
113
+ subject.should_receive(:load_permissions_from_solr) #This is what normally sets @permissions_solr_document
114
+ lambda {subject.send(:enforce_show_permissions, {})}.should raise_error Hydra::AccessDenied, "This item is under embargo. You do not have sufficient access privileges to read this document."
115
+ end
116
+ end
117
+ describe "apply_gated_discovery" do
118
+ before(:each) do
119
+ @stub_user = User.new :uid=>'archivist1@example.com'
120
+ @stub_user.stub(:is_being_superuser?).and_return false
121
+ RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["archivist","researcher"])
122
+ subject.stub(:current_user).and_return(@stub_user)
123
+ @solr_parameters = {}
124
+ @user_parameters = {}
125
+ end
126
+ it "should set query fields for the user id checking against the discover, access, read fields" do
127
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
128
+ ["discover","edit","read"].each do |type|
129
+ @solr_parameters[:fq].first.should match(/#{type}_access_person_t\:#{@stub_user.user_key}/)
130
+ end
131
+ end
132
+ it "should set query fields for all roles the user is a member of checking against the discover, access, read fields" do
133
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
134
+ ["discover","edit","read"].each do |type|
135
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:archivist/)
136
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:researcher/)
137
+ end
138
+ end
139
+
140
+ describe "(DEPRECATED) for superusers" do
141
+ it "should return superuser access level" do
142
+ stub_user = User.new(:uid=>'suzie@example.com')
143
+ stub_user.stub(:is_being_superuser?).and_return true
144
+ RoleMapper.stub(:roles).with(stub_user.user_key).and_return(["archivist","researcher"])
145
+ subject.stub(:current_user).and_return(stub_user)
146
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
147
+ ["discover","edit","read"].each do |type|
148
+ @solr_parameters[:fq].first.should match(/#{type}_access_person_t\:\[\* TO \*\]/)
149
+ end
150
+ end
151
+ it "should not return superuser access to non-superusers" do
152
+ stub_user = User.new(:uid=>'suzie@example.com')
153
+ stub_user.stub(:is_being_superuser?).and_return false
154
+ RoleMapper.stub(:roles).with(stub_user.user_key).and_return(["archivist","researcher"])
155
+ subject.stub(:current_user).and_return(stub_user)
156
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
157
+ ["discover","edit","read"].each do |type|
158
+ @solr_parameters[:fq].should_not include("#{type}_access_person_t\:\[\* TO \*\]")
159
+ end
160
+ end
161
+ end
162
+
163
+ end
164
+
165
+ describe "exclude_unwanted_models" do
166
+ before(:each) do
167
+ stub_user = User.new :uid=>'archivist1@example.com'
168
+ stub_user.stub(:is_being_superuser?).and_return false
169
+ subject.stub(:current_user).and_return(stub_user)
170
+ @solr_parameters = {}
171
+ @user_parameters = {}
172
+ end
173
+ it "should set solr query parameters to filter out FileAssets" do
174
+ subject.send(:exclude_unwanted_models, @solr_parameters, @user_parameters)
175
+ @solr_parameters[:fq].should include("-has_model_s:\"info:fedora/afmodel:FileAsset\"")
176
+ end
177
+ end
178
+ end
179
+
180
+
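Review bot: The example "should not return superuser access to non-superusers" can never fail as written: it calls `should_not include(...)` on the `:fq` array with a plain string, so it only checks that no whole element equals `discover_access_person_t:[* TO *]`, whereas the positive example just above matches a regex against `@solr_parameters[:fq].first`. If the wildcard clause were wrongly emitted inside the first filter string for a non-superuser, this example would still pass. Use the same form as the positive case: `@solr_parameters[:fq].first.should_not match(/#{type}_access_person_t\:\[\* TO \*\]/)`. In the first embargo example, `should_not raise_error Hydra::AccessDenied` also passes when any other exception is raised, so a bare `should_not raise_error` is the safer assertion. The anonymous-user example "Then I should not have individual or group permissions" is still pending, which leaves that case unasserted.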
@@ -0,0 +1,89 @@
1
+ require 'spec_helper'
2
+
3
+ describe Hydra::AdminPolicy do
4
+ before do
5
+ Hydra.stub(:config).and_return({:permissions=>{
6
+ :catchall => "access_t",
7
+ :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
8
+ :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
9
+ :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
10
+ :owner => "depositor_t",
11
+ :embargo_release_date => "embargo_release_date_dt",
12
+
13
+ :inheritable => {
14
+ :catchall => "inheritable_access_t",
15
+ :discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
16
+ :read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
17
+ :edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
18
+ :owner => "inheritable_depositor_t",
19
+ :embargo_release_date => "inheritable_embargo_release_date_dt"
20
+ }
21
+ }})
22
+ end
23
+ its(:defaultRights) { should be_kind_of Hydra::Datastream::InheritableRightsMetadata}
24
+ its(:rightsMetadata) { should be_kind_of Hydra::Datastream::RightsMetadata}
25
+ its(:descMetadata) { should be_kind_of ActiveFedora::QualifiedDublinCoreDatastream}
26
+
27
+ describe "when setting attributes" do
28
+ before do
29
+ subject.title = "My title"
30
+ subject.description = "My description"
31
+ subject.license_title = "My license"
32
+ subject.license_description = "My license desc"
33
+ subject.license_url = "My url"
34
+ end
35
+ its(:title) { should == "My title"}
36
+ its(:description) { should == "My description"}
37
+ its(:license_title) { should == "My license"}
38
+ its(:license_description) { should == "My license desc"}
39
+ its(:license_url) { should == "My url"}
40
+ end
41
+
42
+
43
+ describe "to_solr" do
44
+ subject { Hydra::AdminPolicy.new(:title=>"Foobar").to_solr }
45
+ it "should have title_t" do
46
+ subject["title_t"].should == ['Foobar']
47
+ end
48
+ it "should have title_display" do
49
+ subject["title_display"].should == 'Foobar'
50
+ end
51
+ end
52
+
53
+ describe "Inheritable rights" do
54
+ before do
55
+ @policy = Hydra::AdminPolicy.new
56
+ @policy.default_permissions = [{:name=>"africana-faculty", :access=>"edit", :type=>"group"}, {:name=>"cool-kids", :access=>"edit", :type=>"group"}, {:name=>"julius_caesar", :access=>"edit", :type=>"user"}]
57
+ @policy.default_permissions = [{:name=>"slightlycoolkids", :access=>"read", :type=>"group"}, {:name=>"nero", :access=>"read", :type=>"user"}]
58
+ @policy.default_permissions = [{:name=>"posers", :access=>"discover", :type=>"group"}, {:name=>"constantine", :access=>"discover", :type=>"user"}]
59
+ @policy.defaultRights.embargo_release_date = "2102-10-01"
60
+ end
61
+
62
+ describe "to_solr" do
63
+ subject {@policy.to_solr}
64
+ it "should not affect normal solr permissions fields" do
65
+ subject.should_not have_key( Hydra.config[:permissions][:catchall] )
66
+ subject.should_not have_key( Hydra.config[:permissions][:discover][:group] )
67
+ subject.should_not have_key( Hydra.config[:permissions][:discover][:individual] )
68
+ subject.should_not have_key( Hydra.config[:permissions][:read][:group] )
69
+ subject.should_not have_key( Hydra.config[:permissions][:read][:individual] )
70
+ subject.should_not have_key( Hydra.config[:permissions][:edit][:group] )
71
+ subject.should_not have_key( Hydra.config[:permissions][:edit][:individual] )
72
+ subject.should_not have_key( Hydra.config[:permissions][:embargo_release_date] )
73
+ end
74
+ it "should provide prefixed/inherited solr permissions fields" do
75
+ subject[Hydra.config[:permissions][:inheritable][:catchall] ].should == ["posers", "slightlycoolkids", "africana-faculty", "cool-kids", "constantine", "nero", "julius_caesar"]
76
+ subject[Hydra.config[:permissions][:inheritable][:discover][:group] ].should == ["posers"]
77
+ subject[Hydra.config[:permissions][:inheritable][:discover][:individual] ].should == ["constantine"]
78
+ subject[Hydra.config[:permissions][:inheritable][:read][:group] ].should == ["slightlycoolkids"]
79
+ subject[Hydra.config[:permissions][:inheritable][:read][:individual] ].should == ["nero"]
80
+ subject[Hydra.config[:permissions][:inheritable][:edit][:group] ].should == ["africana-faculty", "cool-kids"]
81
+ subject[Hydra.config[:permissions][:inheritable][:edit][:individual] ].should == ["julius_caesar"]
82
+ subject[Hydra.config[:permissions][:inheritable][:embargo_release_date] ].should == "2102-10-01"
83
+ end
84
+ end
85
+
86
+ end
87
+
88
+
89
+ end
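Review bot: The "Inheritable rights" setup assigns `@policy.default_permissions =` three times, and the `to_solr` example then expects grantees from all three assignments, so the spec pins the setter as merging rather than replacing. For an access-control API that reads like plain assignment, state this in a comment above the `before` block, e.g. `# default_permissions= merges into the existing grants; it does not replace them`. No example here shows how a grant is lowered or revoked. The stubbed `Hydra.config` permissions hash is repeated in the InheritableRightsMetadata and PolicyAwareAbility specs further down; moving it into one shared helper under spec/support would keep the copies from drifting apart.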
@@ -0,0 +1,66 @@
1
+ require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
2
+ require "nokogiri"
3
+
4
+ describe Hydra::Datastream::InheritableRightsMetadata do
5
+ before do
6
+ Hydra.stub(:config).and_return({:permissions=>{
7
+ :catchall => "access_t",
8
+ :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
9
+ :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
10
+ :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
11
+ :owner => "depositor_t",
12
+ :embargo_release_date => "embargo_release_date_dt",
13
+
14
+ :inheritable => {
15
+ :catchall => "inheritable_access_t",
16
+ :discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
17
+ :read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
18
+ :edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
19
+ :owner => "inheritable_depositor_t",
20
+ :embargo_release_date => "inheritable_embargo_release_date_dt"
21
+ }
22
+ }})
23
+ end
24
+
25
+ before(:each) do
26
+ # The way RubyDora loads objects prevents us from stubbing the fedora connection :(
27
+ # ActiveFedora::RubydoraConnection.stubs(:instance).returns(stub_everything())
28
+ obj = ActiveFedora::Base.new
29
+ @sample = Hydra::Datastream::InheritableRightsMetadata.new(obj.inner_object, nil)
30
+ @sample.stub(:content).and_return('')
31
+
32
+ @sample.permissions({:group=>"africana-faculty"}, "edit")
33
+ @sample.permissions({:group=>"cool-kids"}, "edit")
34
+ @sample.permissions({:group=>"slightly-cool-kids"}, "read")
35
+ @sample.permissions({:group=>"posers"}, "discover")
36
+ @sample.permissions({:person=>"julius_caesar"}, "edit")
37
+ @sample.permissions({:person=>"nero"}, "read")
38
+ @sample.permissions({:person=>"constantine"}, "discover")
39
+ @sample.embargo_release_date = "2102-10-01"
40
+ end
41
+
42
+ describe "to_solr" do
43
+ subject {@sample.to_solr}
44
+ it "should NOT provide normal solr permissions fields" do
45
+ subject.should_not have_key( Hydra.config[:permissions][:catchall] )
46
+ subject.should_not have_key( Hydra.config[:permissions][:discover][:group] )
47
+ subject.should_not have_key( Hydra.config[:permissions][:discover][:individual] )
48
+ subject.should_not have_key( Hydra.config[:permissions][:read][:group] )
49
+ subject.should_not have_key( Hydra.config[:permissions][:read][:individual] )
50
+ subject.should_not have_key( Hydra.config[:permissions][:edit][:group] )
51
+ subject.should_not have_key( Hydra.config[:permissions][:edit][:individual] )
52
+ subject.should_not have_key( Hydra.config[:permissions][:embargo_release_date] )
53
+ end
54
+ it "should provide prefixed/inherited solr permissions fields" do
55
+ subject[Hydra.config[:permissions][:inheritable][:catchall] ].should == ["posers", "slightly-cool-kids", "africana-faculty", "cool-kids", "constantine", "nero", "julius_caesar"]
56
+ subject[Hydra.config[:permissions][:inheritable][:discover][:group] ].should == ["posers"]
57
+ subject[Hydra.config[:permissions][:inheritable][:discover][:individual] ].should == ["constantine"]
58
+ subject[Hydra.config[:permissions][:inheritable][:read][:group] ].should == ["slightly-cool-kids"]
59
+ subject[Hydra.config[:permissions][:inheritable][:read][:individual] ].should == ["nero"]
60
+ subject[Hydra.config[:permissions][:inheritable][:edit][:group] ].should == ["africana-faculty", "cool-kids"]
61
+ subject[Hydra.config[:permissions][:inheritable][:edit][:individual] ].should == ["julius_caesar"]
62
+ subject[Hydra.config[:permissions][:inheritable][:embargo_release_date] ].should == "2102-10-01"
63
+ end
64
+ end
65
+
66
+ end
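Review bot: `require "nokogiri"` at the top is not used by anything visible in this spec. The first line also loads the helper with `File.expand_path(File.dirname(__FILE__) + '/../spec_helper')` where the other new specs use `require 'spec_helper'`, so both lines can be reduced to the single plain require. The commented-out `ActiveFedora::RubydoraConnection.stubs(...)` line in `before(:each)` is dead code in a different mocking syntax from the `stub`/`and_return` calls used elsewhere in the file; keep the explanatory comment above it and drop the code line. The configured `:owner` inheritable field (`inheritable_depositor_t`) is not asserted in either `to_solr` example, so it is unclear from here whether it is meant to be emitted.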
@@ -0,0 +1,92 @@
1
+ require 'spec_helper'
2
+
3
+ describe Hydra::PolicyAwareAbility do
4
+ before do
5
+ class Rails; end
6
+ Rails.stub(:root).and_return('spec/support')
7
+ Rails.stub(:env).and_return('test')
8
+
9
+ Hydra.stub(:config).and_return({
10
+ :permissions=>{
11
+ :catchall => "access_t",
12
+ :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
13
+ :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
14
+ :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
15
+ :owner => "depositor_t",
16
+ :embargo_release_date => "embargo_release_date_dt",
17
+
18
+ :inheritable => {
19
+ :catchall => "inheritable_access_t",
20
+ :discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
21
+ :read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
22
+ :edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
23
+ :owner => "inheritable_depositor_t",
24
+ :embargo_release_date => "inheritable_embargo_release_date_dt"
25
+ }
26
+ }})
27
+ end
28
+ before(:all) do
29
+ class PolicyAwareClass
30
+ include CanCan::Ability
31
+ include Hydra::Ability
32
+ include Hydra::PolicyAwareAbility
33
+ end
34
+ @policy = Hydra::AdminPolicy.new
35
+ # Set the inheritable permissions
36
+ @policy.default_permissions = [
37
+ {:type=>"group", :access=>"read", :name=>"africana-faculty"},
38
+ {:type=>"group", :access=>"edit", :name=>"cool_kids"},
39
+ {:type=>"group", :access=>"edit", :name=>"in_crowd"},
40
+ {:type=>"user", :access=>"read", :name=>"nero"},
41
+ {:type=>"user", :access=>"edit", :name=>"julius_caesar"}
42
+ ]
43
+
44
+ @policy.save
45
+ @asset = ModsAsset.new()
46
+ @asset.admin_policy = @policy
47
+ @asset.save
48
+ end
49
+ after(:all) { @policy.delete; @asset.delete }
50
+ subject { PolicyAwareClass.new( User.new ) }
51
+
52
+ describe "policy_pid_for" do
53
+ it "should retrieve the pid doc for the current object's governing policy" do
54
+ subject.policy_pid_for(@asset.pid).should == @policy.pid
55
+ end
56
+ end
57
+
58
+ describe "policy_permissions_doc" do
59
+ it "should retrieve the permissions doc for the current object's policy and store for re-use" do
60
+ subject.should_receive(:get_permissions_solr_response_for_doc_id).with(@policy.pid).once.and_return(["response", "mock solr doc"])
61
+ subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
62
+ subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
63
+ subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
64
+ end
65
+ end
66
+ describe "test_edit_from_policy" do
67
+ it "should test_edit_from_policy"
68
+ end
69
+ describe "test_read_from_policy" do
70
+ it "should test_read_from_policy"
71
+ end
72
+ describe "edit_groups_from_policy" do
73
+ it "should retrieve the list of groups with edit access from the policy" do
74
+ subject.edit_groups_from_policy(@policy.pid).should == ["cool_kids","in_crowd"]
75
+ end
76
+ end
77
+ describe "edit_persons_from_policy" do
78
+ it "should retrieve the list of individuals with edit access from the policy" do
79
+ subject.edit_persons_from_policy(@policy.pid).should == ["julius_caesar"]
80
+ end
81
+ end
82
+ describe "read_groups_from_policy" do
83
+ it "should retrieve the list of groups with read access from the policy" do
84
+ subject.read_groups_from_policy(@policy.pid).should == ["cool_kids", "in_crowd", "africana-faculty"]
85
+ end
86
+ end
87
+ describe "read_persons_from_policy" do
88
+ it "should retrieve the list of individuals with read access from the policy" do
89
+ subject.read_persons_from_policy(@policy.pid).should == ["julius_caesar","nero"]
90
+ end
91
+ end
92
+ end
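Review bot: `test_edit_from_policy` and `test_read_from_policy` are left as pending examples (`it "should test_edit_from_policy"` with no block), so the two methods that presumably make the allow/deny decision from a policy have no coverage; only the list getters are exercised. Each needs at least one example for a user named in the policy, one for a user who matches only through a group, and one for a user with no match that expects a denial. Separately, `before(:all)` saves `@policy` and `@asset` before the per-example `before` hook has stubbed `Hydra.config`, so the fixtures are presumably written under the real configuration rather than the stubbed one. A comment such as `# fixtures are saved before Hydra.config is stubbed; stubbed field names must match the real config` would make that dependency explicit.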
@@ -0,0 +1,109 @@
1
+ require 'spec_helper'
2
+
3
+ describe Hydra::PolicyAwareAccessControlsEnforcement do
4
+ before do
5
+ class Rails; end
6
+ Rails.stub(:root).and_return('spec/support')
7
+ Rails.stub(:env).and_return('test')
8
+ end
9
+ before(:all) do
10
+ class MockController
11
+ include Hydra::AccessControlsEnforcement
12
+ include Hydra::PolicyAwareAccessControlsEnforcement
13
+ attr_accessor :params
14
+
15
+ def user_key
16
+ current_user.user_key
17
+ end
18
+
19
+ def session
20
+ end
21
+ end
22
+
23
+ @sample_policies = []
24
+ # user discover
25
+ policy1 = Hydra::AdminPolicy.new(:pid=>"test:policy1")
26
+ policy1.default_permissions = [{:type=>"user", :access=>"discover", :name=>"sara_student"}]
27
+ policy1.save
28
+ @sample_policies << policy1
29
+
30
+ # user read
31
+ policy2 = Hydra::AdminPolicy.new(:pid=>"test:policy2")
32
+ policy2.default_permissions = [{:type=>"user", :access=>"read", :name=>"sara_student"}]
33
+ policy2.save
34
+ @sample_policies << policy2
35
+
36
+ # user edit
37
+ policy3 = Hydra::AdminPolicy.new(:pid=>"test:policy3")
38
+ policy3.default_permissions = [{:type=>"user", :access=>"edit", :name=>"sara_student"}]
39
+ policy3.save
40
+ @sample_policies << policy3
41
+
42
+
43
+ # group discover
44
+ policy4 = Hydra::AdminPolicy.new(:pid=>"test:policy4")
45
+ policy4.default_permissions = [{:type=>"group", :access=>"discover", :name=>"africana-104-students"}]
46
+ policy4.save
47
+ @sample_policies << policy4
48
+
49
+ # group read
50
+ policy5 = Hydra::AdminPolicy.new(:pid=>"test:policy5")
51
+ policy5.default_permissions = [{:type=>"group", :access=>"read", :name=>"africana-104-students"}]
52
+ policy5.save
53
+ @sample_policies << policy5
54
+
55
+ # group edit
56
+ policy6 = Hydra::AdminPolicy.new(:pid=>"test:policy6")
57
+ policy6.default_permissions = [{:type=>"group", :access=>"edit", :name=>"africana-104-students"}]
58
+ policy6.save
59
+ @sample_policies << policy6
60
+
61
+ # no access
62
+ policy7 = Hydra::AdminPolicy.create(:pid=>"test:policy7")
63
+ @sample_policies << policy7
64
+
65
+ @policies_with_access = @sample_policies.select { |p| p.pid != policy7.pid }
66
+ end
67
+
68
+ after(:all) do
69
+ @policies.access.each {|p| p.delete }
70
+ end
71
+
72
+ subject { MockController.new }
73
+
74
+ before do
75
+ @solr_parameters = {}
76
+ @user_parameters = {}
77
+ @user = FactoryGirl.build(:sara_student)
78
+ RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
79
+ subject.stub(:current_user).and_return(@user)
80
+ end
81
+
82
+ describe "policies_with_access" do
83
+ it "should return the policies that provide discover permissions" do
84
+ @policies_with_access.map {|p| p.pid }.each do |p|
85
+ subject.policies_with_access.should include(p)
86
+ end
87
+ end
88
+ it "should return the policies that provide discover permissions" do
89
+ subject.policies_with_access.should_not include("test:policy7")
90
+ end
91
+ it "should allow you to configure which model to use for policies" do
92
+ Hydra.stub(:config).and_return( {:permissions=>{:policy_class => ModsAsset}} )
93
+ ModsAsset.should_receive(:find_with_conditions).and_return([])
94
+ subject.policies_with_access
95
+ end
96
+ end
97
+
98
+ describe "apply_gated_discovery" do
99
+ it "should include policy-aware query" do
100
+ subject.apply_gated_discovery(@solr_parameters, @user_parameters)
101
+ @solr_parameters[:fq].first.should include(" OR (is_governed_by_s:info\\:fedora/test\\:policy1 OR is_governed_by_s:info\\:fedora/test\\:policy2 OR is_governed_by_s:info\\:fedora/test\\:policy3 OR is_governed_by_s:info\\:fedora/test\\:policy4 OR is_governed_by_s:info\\:fedora/test\\:policy5 OR is_governed_by_s:info\\:fedora/test\\:policy6)")
102
+ end
103
+ it "should not change anything if there are no clauses to add" do
104
+ subject.stub(:policy_clauses).and_return(nil)
105
+ subject.apply_gated_discovery(@solr_parameters, @user_parameters)
106
+ @solr_parameters[:fq].first.should_not include(" OR (is_governed_by_s:info\\:fedora/test\\:policy1 OR is_governed_by_s:info\\:fedora/test\\:policy2 OR is_governed_by_s:info\\:fedora/test\\:policy3 OR is_governed_by_s:info\\:fedora/test\\:policy4 OR is_governed_by_s:info\\:fedora/test\\:policy5 OR is_governed_by_s:info\\:fedora/test\\:policy6)")
107
+ end
108
+ end
109
+ end
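Review bot: The `after(:all)` hook calls `@policies.access.each`, but no `@policies` variable is assigned anywhere in this file, so the call is made on nil and the seven `test:policyN` fixtures are never deleted; it should read `@sample_policies.each { |p| p.delete }`. Leftover policies with fixed pids can leak into later runs and into other specs that query policies. The second `policies_with_access` example reuses the description "should return the policies that provide discover permissions" although it asserts the opposite; rename it to something like `it "should not return policies that grant no access"`. `MockController` is also defined in the AccessControlsEnforcement spec above, so when both files load in one process this block reopens that class and mixes `Hydra::PolicyAwareAccessControlsEnforcement` into it. A distinct class name here would keep the two specs independent.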