hydra-access-controls 0.0.2 → 0.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +1 -0
- data/.gitmodules +3 -0
- data/.rspec +2 -0
- data/Gemfile +6 -0
- data/README.textile +100 -0
- data/Rakefile +6 -3
- data/config/fedora.yml +8 -0
- data/config/jetty.yml +5 -0
- data/config/solr.yml +6 -0
- data/hydra-access-controls.gemspec +3 -2
- data/lib/ability.rb +1 -0
- data/lib/hydra-access-controls.rb +10 -0
- data/lib/hydra-access-controls/version.rb +1 -1
- data/lib/hydra/ability.rb +14 -13
- data/lib/hydra/access_controls_enforcement.rb +27 -16
- data/lib/hydra/admin_policy.rb +81 -0
- data/lib/hydra/datastream.rb +1 -0
- data/lib/hydra/datastream/inheritable_rights_metadata.rb +22 -0
- data/lib/hydra/policy_aware_ability.rb +128 -0
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +70 -0
- data/lib/hydra/role_mapper_behavior.rb +16 -2
- data/lib/hydra/user.rb +42 -0
- data/lib/tasks/hydra-access-controls.rake +18 -0
- data/lib/tasks/hydra_jetty.rake +55 -0
- data/solr_conf/conf/schema.xml +124 -0
- data/solr_conf/conf/solrconfig.xml +329 -0
- data/solr_conf/solr.xml +35 -0
- data/spec/factories.rb +101 -0
- data/spec/spec_helper.rb +28 -0
- data/spec/support/blacklight.rb +7 -0
- data/spec/support/config/solr.yml +4 -0
- data/spec/support/mods_asset.rb +4 -1
- data/spec/support/rails.rb +10 -0
- data/spec/support/solr_document.rb +13 -0
- data/spec/support/user.rb +32 -0
- data/spec/unit/ability_spec.rb +338 -56
- data/spec/unit/access_controls_enforcement_spec.rb +180 -0
- data/spec/unit/admin_policy_spec.rb +89 -0
- data/spec/unit/inheritable_rights_metadata_spec.rb +66 -0
- data/spec/unit/policy_aware_ability_spec.rb +92 -0
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +109 -0
- metadata +59 -4
- data/README.md +0 -29
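--- /dev/null
+++ b/data/spec/unit/access_controls_enforcement_spec.rb
@@ -0,0 +1,180 @@
+require 'spec_helper'
+# Need way to find way to stub current_user and RoleMapper in order to run these tests
+
+describe Hydra::AccessControlsEnforcement do
+before do
+class Rails; end
+Rails.stub(:root).and_return('spec/support')
+Rails.stub(:env).and_return('test')
+end
+before(:all) do
+class MockController
+include Hydra::AccessControlsEnforcement
+attr_accessor :params
+
+def user_key
+current_user.user_key
+end
+
+def session
+end
+end
+end
+subject { MockController.new }
+
+describe "When I am searching for content" do
+before do
+@solr_parameters = {}
+@user_parameters = {}
+end
+context "Given I am not logged in" do
+before do
+subject.stub(:current_user).and_return(User.new)
+subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+end
+it "Then I should be treated as a member of the 'public' group" do
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].first.should match(/#{type}_access_group_t\:public/)
+end
+end
+it "Then I should not be treated as a member of the 'registered' group" do
+@solr_parameters[:fq].first.should_not match(/registered/)
+end
+it "Then I should not have individual or group permissions"
+end
+context "Given I am a registered user" do
+before do
+@user = FactoryGirl.build(:martia_morocco)
+@user.new_record = false
+User.stub(:find_by_user_key).and_return(@user)
+# This is a pretty fragile way to stub it...
+RoleMapper.stub(:byname).and_return(@user.user_key=>["faculty", "africana-faculty"])
+subject.stub(:current_user).and_return(@user)
+subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+end
+it "Then I should be treated as a member of the 'public' and 'registered' groups" do
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].first.should match(/#{type}_access_group_t\:public/)
+@solr_parameters[:fq].first.should match(/#{type}_access_group_t\:registered/)
+end
+end
+it "Then I should see assets that I have discover, read, or edit access to" do
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].first.should match(/#{type}_access_person_t\:#{@user.user_key}/)
+end
+end
+it "Then I should see assets that my groups have discover, read, or edit access to" do
+["faculty", "africana-faculty"].each do |group_id|
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].first.should match(/#{type}_access_group_t\:#{group_id}/)
+end
+end
+end
+end
+end
+
+describe "enforce_access_controls" do
+describe "when the method exists" do
+it "should call the method" do
+subject.params = {:action => :index}
+subject.enforce_access_controls.should be_true
+end
+end
+describe "when the method doesn't exist" do
+it "should not call the method, but should return true" do
+subject.params = {:action => :facet}
+subject.enforce_access_controls.should be_true
+end
+end
+end
+describe "enforce_show_permissions" do
+it "should allow a user w/ edit permissions to view an embargoed object" do
+user = User.new :uid=>'testuser@example.com'
+user.stub(:is_being_superuser?).and_return false
+RoleMapper.stub(:roles).with(user.user_key).and_return(["archivist"])
+subject.stub(:current_user).and_return(user)
+subject.should_receive(:can?).with(:edit, nil).and_return(true)
+subject.stub(:can?).with(:read, nil).and_return(true)
+subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_t"=>["testuser@example.com"], "embargo_release_date_dt"=>(Date.parse(Time.now.to_s)+2).to_s})
+
+subject.params = {}
+subject.should_receive(:load_permissions_from_solr) #This is what normally sets @permissions_solr_document
+lambda {subject.send(:enforce_show_permissions, {}) }.should_not raise_error Hydra::AccessDenied
+end
+it "should prevent a user w/o edit permissions from viewing an embargoed object" do
+user = User.new :uid=>'testuser@example.com'
+user.stub(:is_being_superuser?).and_return false
+RoleMapper.stub(:roles).with(user.user_key).and_return([])
+subject.stub(:current_user).and_return(user)
+subject.should_receive(:can?).with(:edit, nil).and_return(false)
+subject.stub(:can?).with(:read, nil).and_return(true)
+subject.params = {}
+subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_t"=>["testuser@example.com"], "embargo_release_date_dt"=>(Date.parse(Time.now.to_s)+2).to_s})
+subject.should_receive(:load_permissions_from_solr) #This is what normally sets @permissions_solr_document
+lambda {subject.send(:enforce_show_permissions, {})}.should raise_error Hydra::AccessDenied, "This item is under embargo. You do not have sufficient access privileges to read this document."
+end
+end
+describe "apply_gated_discovery" do
+before(:each) do
+@stub_user = User.new :uid=>'archivist1@example.com'
+@stub_user.stub(:is_being_superuser?).and_return false
+RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["archivist","researcher"])
+subject.stub(:current_user).and_return(@stub_user)
+@solr_parameters = {}
+@user_parameters = {}
+end
+it "should set query fields for the user id checking against the discover, access, read fields" do
+subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].first.should match(/#{type}_access_person_t\:#{@stub_user.user_key}/)
+end
+end
+it "should set query fields for all roles the user is a member of checking against the discover, access, read fields" do
+subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].first.should match(/#{type}_access_group_t\:archivist/)
+@solr_parameters[:fq].first.should match(/#{type}_access_group_t\:researcher/)
+end
+end
+
+describe "(DEPRECATED) for superusers" do
+it "should return superuser access level" do
+stub_user = User.new(:uid=>'suzie@example.com')
+stub_user.stub(:is_being_superuser?).and_return true
+RoleMapper.stub(:roles).with(stub_user.user_key).and_return(["archivist","researcher"])
+subject.stub(:current_user).and_return(stub_user)
+subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].first.should match(/#{type}_access_person_t\:\[\* TO \*\]/)
+end
+end
+it "should not return superuser access to non-superusers" do
+stub_user = User.new(:uid=>'suzie@example.com')
+stub_user.stub(:is_being_superuser?).and_return false
+RoleMapper.stub(:roles).with(stub_user.user_key).and_return(["archivist","researcher"])
+subject.stub(:current_user).and_return(stub_user)
+subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+["discover","edit","read"].each do |type|
+@solr_parameters[:fq].should_not include("#{type}_access_person_t\:\[\* TO \*\]")
+end
+end
+end
+
+end
+
+describe "exclude_unwanted_models" do
+before(:each) do
+stub_user = User.new :uid=>'archivist1@example.com'
+stub_user.stub(:is_being_superuser?).and_return false
+subject.stub(:current_user).and_return(stub_user)
+@solr_parameters = {}
+@user_parameters = {}
+end
+it "should set solr query parameters to filter out FileAssets" do
+subject.send(:exclude_unwanted_models, @solr_parameters, @user_parameters)
+@solr_parameters[:fq].should include("-has_model_s:\"info:fedora/afmodel:FileAsset\"")
+end
+end
+end
+
+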
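Review bot: The negative superuser check on line 158, `@solr_parameters[:fq].should_not include("#{type}_access_person_t\:\[\* TO \*\]")`, cannot fail: everywhere else in this file `:fq` is treated as an array whose first element is one combined filter string (`@solr_parameters[:fq].first.should match(...)` on lines 129 and 148), and `include` on an array tests whole-element equality, so the array never contains that bare clause whether or not the `[* TO *]` wildcard was injected for a non-superuser. Mirror the positive example instead: `@solr_parameters[:fq].first.should_not match(/#{type}_access_person_t\:\[\* TO \*\]/)`. The anonymous-user example on line 43 is also left pending with no body, so nothing asserts that a `User.new` without a key yields no `_access_person_t` clause; a `@solr_parameters[:fq].first.should_not match(/_access_person_t/)` there would close that gap, assuming the implementation omits the clause for a nil key rather than emitting an empty one.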
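--- /dev/null
+++ b/data/spec/unit/admin_policy_spec.rb
@@ -0,0 +1,89 @@
+require 'spec_helper'
+
+describe Hydra::AdminPolicy do
+before do
+Hydra.stub(:config).and_return({:permissions=>{
+:catchall => "access_t",
+:discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
+:read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
+:edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
+:owner => "depositor_t",
+:embargo_release_date => "embargo_release_date_dt",
+
+:inheritable => {
+:catchall => "inheritable_access_t",
+:discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
+:read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
+:edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
+:owner => "inheritable_depositor_t",
+:embargo_release_date => "inheritable_embargo_release_date_dt"
+}
+}})
+end
+its(:defaultRights) { should be_kind_of Hydra::Datastream::InheritableRightsMetadata}
+its(:rightsMetadata) { should be_kind_of Hydra::Datastream::RightsMetadata}
+its(:descMetadata) { should be_kind_of ActiveFedora::QualifiedDublinCoreDatastream}
+
+describe "when setting attributes" do
+before do
+subject.title = "My title"
+subject.description = "My description"
+subject.license_title = "My license"
+subject.license_description = "My license desc"
+subject.license_url = "My url"
+end
+its(:title) { should == "My title"}
+its(:description) { should == "My description"}
+its(:license_title) { should == "My license"}
+its(:license_description) { should == "My license desc"}
+its(:license_url) { should == "My url"}
+end
+
+
+describe "to_solr" do
+subject { Hydra::AdminPolicy.new(:title=>"Foobar").to_solr }
+it "should have title_t" do
+subject["title_t"].should == ['Foobar']
+end
+it "should have title_display" do
+subject["title_display"].should == 'Foobar'
+end
+end
+
+describe "Inheritable rights" do
+before do
+@policy = Hydra::AdminPolicy.new
+@policy.default_permissions = [{:name=>"africana-faculty", :access=>"edit", :type=>"group"}, {:name=>"cool-kids", :access=>"edit", :type=>"group"}, {:name=>"julius_caesar", :access=>"edit", :type=>"user"}]
+@policy.default_permissions = [{:name=>"slightlycoolkids", :access=>"read", :type=>"group"}, {:name=>"nero", :access=>"read", :type=>"user"}]
+@policy.default_permissions = [{:name=>"posers", :access=>"discover", :type=>"group"}, {:name=>"constantine", :access=>"discover", :type=>"user"}]
+@policy.defaultRights.embargo_release_date = "2102-10-01"
+end
+
+describe "to_solr" do
+subject {@policy.to_solr}
+it "should not affect normal solr permissions fields" do
+subject.should_not have_key( Hydra.config[:permissions][:catchall] )
+subject.should_not have_key( Hydra.config[:permissions][:discover][:group] )
+subject.should_not have_key( Hydra.config[:permissions][:discover][:individual] )
+subject.should_not have_key( Hydra.config[:permissions][:read][:group] )
+subject.should_not have_key( Hydra.config[:permissions][:read][:individual] )
+subject.should_not have_key( Hydra.config[:permissions][:edit][:group] )
+subject.should_not have_key( Hydra.config[:permissions][:edit][:individual] )
+subject.should_not have_key( Hydra.config[:permissions][:embargo_release_date] )
+end
+it "should provide prefixed/inherited solr permissions fields" do
+subject[Hydra.config[:permissions][:inheritable][:catchall] ].should == ["posers", "slightlycoolkids", "africana-faculty", "cool-kids", "constantine", "nero", "julius_caesar"]
+subject[Hydra.config[:permissions][:inheritable][:discover][:group] ].should == ["posers"]
+subject[Hydra.config[:permissions][:inheritable][:discover][:individual] ].should == ["constantine"]
+subject[Hydra.config[:permissions][:inheritable][:read][:group] ].should == ["slightlycoolkids"]
+subject[Hydra.config[:permissions][:inheritable][:read][:individual] ].should == ["nero"]
+subject[Hydra.config[:permissions][:inheritable][:edit][:group] ].should == ["africana-faculty", "cool-kids"]
+subject[Hydra.config[:permissions][:inheritable][:edit][:individual] ].should == ["julius_caesar"]
+subject[Hydra.config[:permissions][:inheritable][:embargo_release_date] ].should == "2102-10-01"
+end
+end
+
+end
+
+
+end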
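Review bot: `default_permissions=` is assigned three times in the "Inheritable rights" setup (lines 56–58) and the expectations on lines 75–81 then require grants from all three assignments to be present, which pins an additive contract for an `=` writer: assigning a new list never removes earlier grants. Nothing in this spec states that intent, and a caller that re-assigns `default_permissions` to revoke a group's edit access would silently keep the old grant, so it deserves its own example, e.g. `it "should accumulate grants rather than replace earlier ones"`, plus a comment above line 56 such as `# NOTE: default_permissions= appends; it does not clear existing grants`. If replacement is the intended semantics, the three-step setup should collapse into one assignment so the test stops depending on accumulation. The setter itself is outside this diff, so this is inferred from the expectations only.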
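--- /dev/null
+++ b/data/spec/unit/inheritable_rights_metadata_spec.rb
@@ -0,0 +1,66 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+require "nokogiri"
+
+describe Hydra::Datastream::InheritableRightsMetadata do
+before do
+Hydra.stub(:config).and_return({:permissions=>{
+:catchall => "access_t",
+:discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
+:read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
+:edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
+:owner => "depositor_t",
+:embargo_release_date => "embargo_release_date_dt",
+
+:inheritable => {
+:catchall => "inheritable_access_t",
+:discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
+:read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
+:edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
+:owner => "inheritable_depositor_t",
+:embargo_release_date => "inheritable_embargo_release_date_dt"
+}
+}})
+end
+
+before(:each) do
+# The way RubyDora loads objects prevents us from stubbing the fedora connection :(
+# ActiveFedora::RubydoraConnection.stubs(:instance).returns(stub_everything())
+obj = ActiveFedora::Base.new
+@sample = Hydra::Datastream::InheritableRightsMetadata.new(obj.inner_object, nil)
+@sample.stub(:content).and_return('')
+
+@sample.permissions({:group=>"africana-faculty"}, "edit")
+@sample.permissions({:group=>"cool-kids"}, "edit")
+@sample.permissions({:group=>"slightly-cool-kids"}, "read")
+@sample.permissions({:group=>"posers"}, "discover")
+@sample.permissions({:person=>"julius_caesar"}, "edit")
+@sample.permissions({:person=>"nero"}, "read")
+@sample.permissions({:person=>"constantine"}, "discover")
+@sample.embargo_release_date = "2102-10-01"
+end
+
+describe "to_solr" do
+subject {@sample.to_solr}
+it "should NOT provide normal solr permissions fields" do
+subject.should_not have_key( Hydra.config[:permissions][:catchall] )
+subject.should_not have_key( Hydra.config[:permissions][:discover][:group] )
+subject.should_not have_key( Hydra.config[:permissions][:discover][:individual] )
+subject.should_not have_key( Hydra.config[:permissions][:read][:group] )
+subject.should_not have_key( Hydra.config[:permissions][:read][:individual] )
+subject.should_not have_key( Hydra.config[:permissions][:edit][:group] )
+subject.should_not have_key( Hydra.config[:permissions][:edit][:individual] )
+subject.should_not have_key( Hydra.config[:permissions][:embargo_release_date] )
+end
+it "should provide prefixed/inherited solr permissions fields" do
+subject[Hydra.config[:permissions][:inheritable][:catchall] ].should == ["posers", "slightly-cool-kids", "africana-faculty", "cool-kids", "constantine", "nero", "julius_caesar"]
+subject[Hydra.config[:permissions][:inheritable][:discover][:group] ].should == ["posers"]
+subject[Hydra.config[:permissions][:inheritable][:discover][:individual] ].should == ["constantine"]
+subject[Hydra.config[:permissions][:inheritable][:read][:group] ].should == ["slightly-cool-kids"]
+subject[Hydra.config[:permissions][:inheritable][:read][:individual] ].should == ["nero"]
+subject[Hydra.config[:permissions][:inheritable][:edit][:group] ].should == ["africana-faculty", "cool-kids"]
+subject[Hydra.config[:permissions][:inheritable][:edit][:individual] ].should == ["julius_caesar"]
+subject[Hydra.config[:permissions][:inheritable][:embargo_release_date] ].should == "2102-10-01"
+end
+end
+
+end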
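Review bot: Line 1 loads the helper with `require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')` while every other spec added in this release uses `require 'spec_helper'`, and `require "nokogiri"` on line 2 is not referenced by anything in the file; both lines should match the sibling specs. The 16-line `Hydra.stub(:config)` block on lines 6–22 is also copied verbatim from admin_policy_spec.rb, so a shared helper under spec/support (e.g. a `stub_hydra_config` method) would keep the two fixtures from drifting as permission field names change. Because `@sample.stub(:content).and_return('')` on line 30 short-circuits the datastream's persisted XML, only `to_solr` is exercised here; a comment such as `# content is stubbed: this spec covers the Solr projection only, not the serialized rightsMetadata XML` would stop a reader from assuming serialization is covered.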
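--- /dev/null
+++ b/data/spec/unit/policy_aware_ability_spec.rb
@@ -0,0 +1,92 @@
+require 'spec_helper'
+
+describe Hydra::PolicyAwareAbility do
+before do
+class Rails; end
+Rails.stub(:root).and_return('spec/support')
+Rails.stub(:env).and_return('test')
+
+Hydra.stub(:config).and_return({
+:permissions=>{
+:catchall => "access_t",
+:discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
+:read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
+:edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
+:owner => "depositor_t",
+:embargo_release_date => "embargo_release_date_dt",
+
+:inheritable => {
+:catchall => "inheritable_access_t",
+:discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
+:read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
+:edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
+:owner => "inheritable_depositor_t",
+:embargo_release_date => "inheritable_embargo_release_date_dt"
+}
+}})
+end
+before(:all) do
+class PolicyAwareClass
+include CanCan::Ability
+include Hydra::Ability
+include Hydra::PolicyAwareAbility
+end
+@policy = Hydra::AdminPolicy.new
+# Set the inheritable permissions
+@policy.default_permissions = [
+{:type=>"group", :access=>"read", :name=>"africana-faculty"},
+{:type=>"group", :access=>"edit", :name=>"cool_kids"},
+{:type=>"group", :access=>"edit", :name=>"in_crowd"},
+{:type=>"user", :access=>"read", :name=>"nero"},
+{:type=>"user", :access=>"edit", :name=>"julius_caesar"}
+]
+
+@policy.save
+@asset = ModsAsset.new()
+@asset.admin_policy = @policy
+@asset.save
+end
+after(:all) { @policy.delete; @asset.delete }
+subject { PolicyAwareClass.new( User.new ) }
+
+describe "policy_pid_for" do
+it "should retrieve the pid doc for the current object's governing policy" do
+subject.policy_pid_for(@asset.pid).should == @policy.pid
+end
+end
+
+describe "policy_permissions_doc" do
+it "should retrieve the permissions doc for the current object's policy and store for re-use" do
+subject.should_receive(:get_permissions_solr_response_for_doc_id).with(@policy.pid).once.and_return(["response", "mock solr doc"])
+subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
+subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
+subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
+end
+end
+describe "test_edit_from_policy" do
+it "should test_edit_from_policy"
+end
+describe "test_read_from_policy" do
+it "should test_read_from_policy"
+end
+describe "edit_groups_from_policy" do
+it "should retrieve the list of groups with edit access from the policy" do
+subject.edit_groups_from_policy(@policy.pid).should == ["cool_kids","in_crowd"]
+end
+end
+describe "edit_persons_from_policy" do
+it "should retrieve the list of individuals with edit access from the policy" do
+subject.edit_persons_from_policy(@policy.pid).should == ["julius_caesar"]
+end
+end
+describe "read_groups_from_policy" do
+it "should retrieve the list of groups with read access from the policy" do
+subject.read_groups_from_policy(@policy.pid).should == ["cool_kids", "in_crowd", "africana-faculty"]
+end
+end
+describe "read_persons_from_policy" do
+it "should retrieve the list of individuals with read access from the policy" do
+subject.read_persons_from_policy(@policy.pid).should == ["julius_caesar","nero"]
+end
+end
+end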
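Review bot: The two examples that would exercise the actual authorization decisions, `test_edit_from_policy` (line 67) and `test_read_from_policy` (line 70), are left pending, so this spec only verifies that group and person lists are read back from the policy and never that a user is granted or denied access through it. The fixture on lines 36–42 already supports concrete cases: a user in `cool_kids` should pass the edit test, a user only in `africana-faculty` should pass read but fail edit, and a user in no listed group should fail both, which would also pin the read-includes-edit expectation visible on line 84. The `subject` on line 50 wraps an anonymous `User.new`, so each of those examples needs `RoleMapper.stub(:roles).with(user.user_key).and_return([...])` per case, as the other specs in this release do.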
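--- /dev/null
+++ b/data/spec/unit/policy_aware_access_controls_enforcement_spec.rb
@@ -0,0 +1,109 @@
+require 'spec_helper'
+
+describe Hydra::PolicyAwareAccessControlsEnforcement do
+before do
+class Rails; end
+Rails.stub(:root).and_return('spec/support')
+Rails.stub(:env).and_return('test')
+end
+before(:all) do
+class MockController
+include Hydra::AccessControlsEnforcement
+include Hydra::PolicyAwareAccessControlsEnforcement
+attr_accessor :params
+
+def user_key
+current_user.user_key
+end
+
+def session
+end
+end
+
+@sample_policies = []
+# user discover
+policy1 = Hydra::AdminPolicy.new(:pid=>"test:policy1")
+policy1.default_permissions = [{:type=>"user", :access=>"discover", :name=>"sara_student"}]
+policy1.save
+@sample_policies << policy1
+
+# user read
+policy2 = Hydra::AdminPolicy.new(:pid=>"test:policy2")
+policy2.default_permissions = [{:type=>"user", :access=>"read", :name=>"sara_student"}]
+policy2.save
+@sample_policies << policy2
+
+# user edit
+policy3 = Hydra::AdminPolicy.new(:pid=>"test:policy3")
+policy3.default_permissions = [{:type=>"user", :access=>"edit", :name=>"sara_student"}]
+policy3.save
+@sample_policies << policy3
+
+
+# group discover
+policy4 = Hydra::AdminPolicy.new(:pid=>"test:policy4")
+policy4.default_permissions = [{:type=>"group", :access=>"discover", :name=>"africana-104-students"}]
+policy4.save
+@sample_policies << policy4
+
+# group read
+policy5 = Hydra::AdminPolicy.new(:pid=>"test:policy5")
+policy5.default_permissions = [{:type=>"group", :access=>"read", :name=>"africana-104-students"}]
+policy5.save
+@sample_policies << policy5
+
+# group edit
+policy6 = Hydra::AdminPolicy.new(:pid=>"test:policy6")
+policy6.default_permissions = [{:type=>"group", :access=>"edit", :name=>"africana-104-students"}]
+policy6.save
+@sample_policies << policy6
+
+# no access
+policy7 = Hydra::AdminPolicy.create(:pid=>"test:policy7")
+@sample_policies << policy7
+
+@policies_with_access = @sample_policies.select { |p| p.pid != policy7.pid }
+end
+
+after(:all) do
+@policies.access.each {|p| p.delete }
+end
+
+subject { MockController.new }
+
+before do
+@solr_parameters = {}
+@user_parameters = {}
+@user = FactoryGirl.build(:sara_student)
+RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+subject.stub(:current_user).and_return(@user)
+end
+
+describe "policies_with_access" do
+it "should return the policies that provide discover permissions" do
+@policies_with_access.map {|p| p.pid }.each do |p|
+subject.policies_with_access.should include(p)
+end
+end
+it "should return the policies that provide discover permissions" do
+subject.policies_with_access.should_not include("test:policy7")
+end
+it "should allow you to configure which model to use for policies" do
+Hydra.stub(:config).and_return( {:permissions=>{:policy_class => ModsAsset}} )
+ModsAsset.should_receive(:find_with_conditions).and_return([])
+subject.policies_with_access
+end
+end
+
+describe "apply_gated_discovery" do
+it "should include policy-aware query" do
+subject.apply_gated_discovery(@solr_parameters, @user_parameters)
+@solr_parameters[:fq].first.should include(" OR (is_governed_by_s:info\\:fedora/test\\:policy1 OR is_governed_by_s:info\\:fedora/test\\:policy2 OR is_governed_by_s:info\\:fedora/test\\:policy3 OR is_governed_by_s:info\\:fedora/test\\:policy4 OR is_governed_by_s:info\\:fedora/test\\:policy5 OR is_governed_by_s:info\\:fedora/test\\:policy6)")
+end
+it "should not change anything if there are no clauses to add" do
+subject.stub(:policy_clauses).and_return(nil)
+subject.apply_gated_discovery(@solr_parameters, @user_parameters)
+@solr_parameters[:fq].first.should_not include(" OR (is_governed_by_s:info\\:fedora/test\\:policy1 OR is_governed_by_s:info\\:fedora/test\\:policy2 OR is_governed_by_s:info\\:fedora/test\\:policy3 OR is_governed_by_s:info\\:fedora/test\\:policy4 OR is_governed_by_s:info\\:fedora/test\\:policy5 OR is_governed_by_s:info\\:fedora/test\\:policy6)")
+end
+end
+end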
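Review bot: The `after(:all)` hook on line 69 calls `@policies.access.each {|p| p.delete }`, but no `@policies` instance variable is ever assigned in this file (the fixtures are collected in `@sample_policies` on line 23 and filtered into `@policies_with_access` on line 65), so the hook raises `NoMethodError` on nil and the seven `test:policyN` objects are never removed from the repository; RSpec reports an after(:all) error without failing the examples, so stale fixtures under fixed pids accumulate unnoticed across runs. Replace it with `@sample_policies.each { |p| p.delete }`. Separately, lines 83 and 88 share the description "should return the policies that provide discover permissions" although the second asserts that `test:policy7` is excluded; `it "should not return policies that grant no access"` describes it.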