hydra-access-controls 11.0.0.rc2 → 12.0.1
- checksums.yaml +4 -4
- data/app/models/concerns/hydra/access_controls/embargoable.rb +4 -4
- data/app/models/concerns/hydra/access_controls/visibility.rb +17 -6
- data/app/models/hydra/access_controls/permission.rb +12 -2
- data/hydra-access-controls.gemspec +7 -8
- data/lib/active_fedora/accessible_by.rb +2 -4
- data/lib/hydra-access-controls.rb +7 -1
- data/lib/hydra/ability.rb +0 -1
- data/lib/hydra/access_controls_enforcement.rb +16 -0
- data/spec/factories/objects.rb +34 -0
- data/spec/{factories.rb → factories/user.rb} +0 -32
- data/spec/spec_helper.rb +2 -1
- data/spec/unit/embargoable_spec.rb +58 -13
- data/spec/unit/permission_spec.rb +18 -6
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +6 -19
- data/spec/unit/visibility_spec.rb +25 -0
- metadata +30 -36
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: cb6758e64e46375378c0ab402d42197ac1ed64af8f9ec87bda1ee603c2fa4e4e
|
4
|
+
data.tar.gz: 2e7f290acefb3924c5947e5ada34b54cdf0a64f3a127422c72cb5fdef8fe88c6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 80f663ea54a156cf6a5ded46a0aae98a1df9e8953ca0999fa56a8668b266cc855a4db8aa1933dd2989c4c5df9ea989146af1989089059640412a573417901d01
|
7
|
+
data.tar.gz: 299fffeb06237d336774894d209313e968173446276210821a42a896522c5a3d17ee0ae67c428c856405cab04a3246a820fc54bd7fce5b613ea328d27c69b6ff
|
@@ -5,11 +5,11 @@ module Hydra
|
|
5
5
|
include Hydra::AccessControls::WithAccessRight
|
6
6
|
|
7
7
|
included do
|
8
|
-
validates :lease_expiration_date, :'hydra/future_date' => true, if: :enforce_future_date_for_lease
|
9
|
-
validates :embargo_release_date, :'hydra/future_date' => true, if: :enforce_future_date_for_embargo
|
8
|
+
validates :lease_expiration_date, :'hydra/future_date' => true, if: :enforce_future_date_for_lease?, on: :create
|
9
|
+
validates :embargo_release_date, :'hydra/future_date' => true, if: :enforce_future_date_for_embargo?, on: :create
|
10
10
|
|
11
|
-
belongs_to :embargo, predicate: Hydra::ACL.hasEmbargo, class_name: 'Hydra::AccessControls::Embargo'
|
12
|
-
belongs_to :lease, predicate: Hydra::ACL.hasLease, class_name: 'Hydra::AccessControls::Lease'
|
11
|
+
belongs_to :embargo, predicate: Hydra::ACL.hasEmbargo, class_name: 'Hydra::AccessControls::Embargo', autosave: true
|
12
|
+
belongs_to :lease, predicate: Hydra::ACL.hasLease, class_name: 'Hydra::AccessControls::Lease', autosave: true
|
13
13
|
|
14
14
|
delegate :visibility_during_embargo, :visibility_during_embargo=, :visibility_after_embargo, :visibility_after_embargo=, :embargo_release_date, :embargo_release_date=, :embargo_history, :embargo_history=, to: :existing_or_new_embargo
|
15
15
|
delegate :visibility_during_lease, :visibility_during_lease=, :visibility_after_lease, :visibility_after_lease=, :lease_expiration_date, :lease_expiration_date=, :lease_history, :lease_history=, to: :existing_or_new_lease
|
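Review bot: The two `validates … on: :create` lines no longer run the future-date rule on update, so `embargo_release_date` or `lease_expiration_date` can be moved into the past on an existing object without a validation error. If that is intended (for example so objects whose embargo has already lapsed can still be saved), say so above the validators, e.g. `# Future-date check runs on create only; updates may carry a date that has already passed.` The persistence specs added in this release only cover updating to a later date; an example that pins the intended outcome of saving a past date on update would make the rule explicit. The `included do` block continues outside the hunk.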
@@ -2,6 +2,14 @@ module Hydra::AccessControls
|
|
2
2
|
module Visibility
|
3
3
|
extend ActiveSupport::Concern
|
4
4
|
|
5
|
+
included do
|
6
|
+
# ActiveModel::Dirty requires defining the attribute method
|
7
|
+
# @see https://api.rubyonrails.org/classes/ActiveModel/Dirty.html
|
8
|
+
define_attribute_methods :visibility
|
9
|
+
# instance variable needs to be initialized here based upon what is in read_groups
|
10
|
+
after_initialize { @visibility = visibility }
|
11
|
+
end
|
12
|
+
|
5
13
|
def visibility=(value)
|
6
14
|
return if value.nil?
|
7
15
|
# only set explicit permissions
|
@@ -15,6 +23,7 @@ module Hydra::AccessControls
|
|
15
23
|
else
|
16
24
|
raise ArgumentError, "Invalid visibility: #{value.inspect}"
|
17
25
|
end
|
26
|
+
@visibility = value
|
18
27
|
end
|
19
28
|
|
20
29
|
def visibility
|
@@ -27,8 +36,14 @@ module Hydra::AccessControls
|
|
27
36
|
end
|
28
37
|
end
|
29
38
|
|
30
|
-
|
31
|
-
|
39
|
+
# Overridden for ActiveModel::Dirty tracking of visibility
|
40
|
+
# Required by ActiveModel::AttributeMethods
|
41
|
+
# @see https://api.rubyonrails.org/classes/ActiveModel/AttributeMethods.html
|
42
|
+
# An instance variable is used to avoid infinite recursion caused by calling #visibility
|
43
|
+
# Using this approach requires setting visibility read groups through #visibility=
|
44
|
+
# instead of manipulating them directly if #visibility_changed? is expected to work correctly.
|
45
|
+
def attributes
|
46
|
+
super.merge({ 'visibility' => @visibility })
|
32
47
|
end
|
33
48
|
|
34
49
|
private
|
@@ -41,10 +56,6 @@ module Hydra::AccessControls
|
|
41
56
|
AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
|
42
57
|
end
|
43
58
|
|
44
|
-
def visibility_will_change!
|
45
|
-
@visibility_will_change = true
|
46
|
-
end
|
47
|
-
|
48
59
|
def public_visibility!
|
49
60
|
visibility_will_change! unless visibility == AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
|
50
61
|
remove_groups = represented_visibility - [AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
|
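Review bot: `attributes` now reports the cached `@visibility`, which is refreshed only in `after_initialize` and at the end of `visibility=`, so it can disagree with what `visibility` derives from the read groups once those are edited directly. The added comment concedes this for `visibility_changed?` but not for `attributes['visibility']`, and code that audits or gates on the attribute hash would then see a stale access level. Extend the comment on `attributes`, e.g. `# NOTE: 'visibility' here is the last value given to #visibility=, not a fresh read of read_groups; call #visibility for the effective value.` The early `return if value.nil?` also leaves `@visibility` untouched, which looks intended but deserves a word. `visibility=` and `visibility` run past the hunk edges.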
@@ -41,7 +41,7 @@ module Hydra::AccessControls
|
|
41
41
|
end
|
42
42
|
|
43
43
|
def agent_name
|
44
|
-
|
44
|
+
decode(parsed_agent.last)
|
45
45
|
end
|
46
46
|
|
47
47
|
def update(*)
|
@@ -80,7 +80,7 @@ module Hydra::AccessControls
|
|
80
80
|
end
|
81
81
|
|
82
82
|
def build_agent_resource(prefix, name)
|
83
|
-
[Agent.new(::RDF::URI.new("#{prefix}##{
|
83
|
+
[Agent.new(::RDF::URI.new("#{prefix}##{encode(name)}"))]
|
84
84
|
end
|
85
85
|
|
86
86
|
def build_access(access)
|
@@ -96,5 +96,15 @@ module Hydra::AccessControls
|
|
96
96
|
raise ArgumentError, "Unknown access #{access.inspect}"
|
97
97
|
end
|
98
98
|
end
|
99
|
+
|
100
|
+
private
|
101
|
+
|
102
|
+
def encode(str)
|
103
|
+
URI::RFC2396_Parser.new.escape(str)
|
104
|
+
end
|
105
|
+
|
106
|
+
def decode(str)
|
107
|
+
URI::RFC2396_Parser.new.unescape(str)
|
108
|
+
end
|
99
109
|
end
|
100
110
|
end
|
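Review bot: `encode` and `decode` carry no comment saying which characters are escaped, although the escaped name becomes the fragment of the agent URI that identifies who holds a permission. `escape` is called with the parser's default unsafe set, which leaves URI-reserved characters literal (the spec in this release pins `john+doe` staying as is), so document that canonical form, e.g. `# Percent-encodes characters that are unsafe in a URI (e.g. space and %); reserved characters such as + are left as is.` Both helpers also build a new parser on every call; a private constant such as `AGENT_URI_PARSER = URI::RFC2396_Parser.new` would avoid that. `encode(name)` assumes `name` is a String; whether non-String names are converted before `build_agent_resource` is outside the hunk.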
@@ -16,15 +16,14 @@ Gem::Specification.new do |gem|
|
|
16
16
|
gem.version = version
|
17
17
|
gem.license = "APACHE-2.0"
|
18
18
|
|
19
|
-
gem.required_ruby_version = '>=
|
19
|
+
gem.required_ruby_version = '>= 2.4'
|
20
20
|
|
21
|
-
gem.add_dependency 'activesupport', '>=
|
22
|
-
gem.add_dependency
|
23
|
-
gem.add_dependency
|
24
|
-
gem.add_dependency
|
25
|
-
gem.add_dependency 'cancancan', '~> 1.8'
|
21
|
+
gem.add_dependency 'activesupport', '>= 5.2', '< 7'
|
22
|
+
gem.add_dependency 'active-fedora', '>= 10.0.0'
|
23
|
+
gem.add_dependency 'blacklight-access_controls', '~> 6.0'
|
24
|
+
gem.add_dependency 'cancancan', '>= 1.8', '< 4'
|
26
25
|
gem.add_dependency 'deprecation', '~> 1.0'
|
27
26
|
|
28
|
-
gem.add_development_dependency
|
29
|
-
gem.add_development_dependency 'rspec', '~>
|
27
|
+
gem.add_development_dependency 'rake', '>= 12.3.3'
|
28
|
+
gem.add_development_dependency 'rspec', '~> 4.0'
|
30
29
|
end
|
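Review bot: `gem.add_dependency 'active-fedora', '>= 10.0.0'` is the only runtime dependency in this hunk without an upper bound, while `activesupport`, `blacklight-access_controls`, `cancancan` and `deprecation` are all capped. For a gem that enforces access controls, an uncapped major can change persistence or query behaviour underneath the permission code without this gem's specs having run against it; consider `gem.add_dependency 'active-fedora', '>= 10.0.0', '< NEXT_UNTESTED_MAJOR'` (placeholder for the first major not covered by CI). The removed lines are truncated on this page, so whether this bound is new or carried over cannot be told from here.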
@@ -1,8 +1,5 @@
|
|
1
1
|
ActiveFedora::QueryMethods.module_eval do
|
2
2
|
extend ActiveSupport::Concern
|
3
|
-
included do
|
4
|
-
include Hydra::AccessControlsEnforcement
|
5
|
-
end
|
6
3
|
|
7
4
|
def accessible_by(ability, action = :index)
|
8
5
|
permission_types = case action
|
@@ -11,7 +8,8 @@ ActiveFedora::QueryMethods.module_eval do
|
|
11
8
|
when :update, :edit, :create, :new, :destroy then [:edit]
|
12
9
|
end
|
13
10
|
|
14
|
-
|
11
|
+
builder = Hydra::SearchBuilder.new(nil).with_ability(ability).with_discovery_permissions(permission_types)
|
12
|
+
filters = builder.send(:gated_discovery_filters).join(" OR ")
|
15
13
|
spawn.where!(filters)
|
16
14
|
end
|
17
15
|
end
|
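Review bot: `permission_types` is nil for any `action` the `case` does not list (the last `when` is followed directly by `end`, with no `else`), and the new builder line passes it to `with_discovery_permissions`, which in this release stores `Array(permissions)`, i.e. `[]`. What `gated_discovery_filters` returns for an empty permission list is not visible here, but if it yields no clauses the method ends in `spawn.where!("")`, and an access filter should fail closed rather than depend on that. Add `else raise ArgumentError, "Unknown action #{action.inspect}"` to the `case`, or guard before the builder line. `builder.send(:gated_discovery_filters)` also reaches past the method's visibility; a public entry point on `Hydra::SearchBuilder` would make the dependency explicit. The middle of the `case` lies between the two hunks.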
@@ -29,7 +29,13 @@ module Hydra
|
|
29
29
|
alias :config :configure
|
30
30
|
end
|
31
31
|
|
32
|
-
class Engine < Rails::Engine
|
32
|
+
class Engine < Rails::Engine
|
33
|
+
config.before_configuration do
|
34
|
+
ActiveSupport::Inflector.inflections(:en) do |inflect|
|
35
|
+
inflect.acronym 'ACL'
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
33
39
|
|
34
40
|
# This error is raised when a user isn't allowed to access a given controller action.
|
35
41
|
# This usually happens within a call to AccessControlsEnforcement#enforce_access_controls but can be
|
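Review bot: `inflect.acronym 'ACL'` inside `config.before_configuration` changes the host application's global `:en` inflections, so every `camelize`/`underscore` call and autoload lookup in the app treats `acl` as `ACL`, not only this engine's constants. Nothing in the hunk says why the engine needs it; presumably it is for `Hydra::ACL`, so add a comment such as `# Register the acronym so Hydra::ACL resolves from its file name; note this applies app-wide.` An application that defines its own `Acl` constant would be affected, which is worth a line in the release notes.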
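--- a/data/lib/hydra/ability.rb
+++ b/data/lib/hydra/ability.rb
@@ -12,7 +12,6 @@ module Hydra
 
 included do
 include Hydra::PermissionsQuery
-include Blacklight::SearchHelper
 
 self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :discover_permissions, :download_permissions, :custom_permissions]
 end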
@@ -2,6 +2,22 @@ module Hydra::AccessControlsEnforcement
|
|
2
2
|
extend ActiveSupport::Concern
|
3
3
|
include Blacklight::AccessControls::Enforcement
|
4
4
|
|
5
|
+
def current_ability
|
6
|
+
@current_ability || (scope.current_ability if scope&.respond_to?(:current_ability))
|
7
|
+
end
|
8
|
+
|
9
|
+
def with_ability(ability)
|
10
|
+
params_will_change!
|
11
|
+
@current_ability = ability
|
12
|
+
self
|
13
|
+
end
|
14
|
+
|
15
|
+
def with_discovery_permissions(permissions)
|
16
|
+
params_will_change!
|
17
|
+
@discovery_permissions = Array(permissions)
|
18
|
+
self
|
19
|
+
end
|
20
|
+
|
5
21
|
protected
|
6
22
|
|
7
23
|
def under_embargo?
|
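Review bot: `current_ability` returns nil when `with_ability` was never called and the scope is nil or has no `current_ability`, which is the state right after `Hydra::SearchBuilder.new(nil)`. How the filter-building code from `Blacklight::AccessControls::Enforcement` behaves with a nil ability is outside this hunk, so the three new public methods should document the contract, e.g. `# @return [Ability, nil] the ability given to #with_ability, else the scope's; nil if neither exists`, and callers should treat nil as "no access". The `&.` in `scope&.respond_to?(:current_ability)` is redundant, since `nil.respond_to?(:current_ability)` is already false. The module body continues past the hunk.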
@@ -0,0 +1,34 @@
|
|
1
|
+
FactoryBot.define do
|
2
|
+
|
3
|
+
#
|
4
|
+
# Repository Objects
|
5
|
+
#
|
6
|
+
|
7
|
+
factory :asset, :class => ModsAsset do |o|
|
8
|
+
end
|
9
|
+
|
10
|
+
factory :admin_policy, :class => Hydra::AdminPolicy do |o|
|
11
|
+
end
|
12
|
+
|
13
|
+
factory :default_access_asset, :parent=>:asset do |a|
|
14
|
+
permissions_attributes { [{ name: "joe_creator", access: "edit", type: "person" }] }
|
15
|
+
end
|
16
|
+
|
17
|
+
factory :dept_access_asset, :parent=>:asset do |a|
|
18
|
+
permissions_attributes { [{ name: "africana-faculty", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }] }
|
19
|
+
end
|
20
|
+
|
21
|
+
factory :group_edit_asset, :parent=>:asset do |a|
|
22
|
+
permissions_attributes { [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}] }
|
23
|
+
end
|
24
|
+
|
25
|
+
factory :org_read_access_asset, :parent=>:asset do |a|
|
26
|
+
permissions_attributes { [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }] }
|
27
|
+
end
|
28
|
+
|
29
|
+
factory :open_access_asset, :parent=>:asset do |a|
|
30
|
+
permissions_attributes { [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }] }
|
31
|
+
end
|
32
|
+
|
33
|
+
end
|
34
|
+
|
@@ -1,7 +1,6 @@
|
|
1
1
|
FactoryBot.define do
|
2
2
|
|
3
3
|
# Users
|
4
|
-
|
5
4
|
# Prototype user factory
|
6
5
|
factory :user, :aliases => [:owner] do |u|
|
7
6
|
sequence :uid do |n|
|
@@ -58,36 +57,5 @@ FactoryBot.define do
|
|
58
57
|
uid { 'alice_admin' }
|
59
58
|
password { 'alice_admin' }
|
60
59
|
end
|
61
|
-
|
62
|
-
#
|
63
|
-
# Repository Objects
|
64
|
-
#
|
65
|
-
|
66
|
-
factory :asset, :class => ModsAsset do |o|
|
67
|
-
end
|
68
|
-
|
69
|
-
factory :admin_policy, :class => Hydra::AdminPolicy do |o|
|
70
|
-
end
|
71
|
-
|
72
|
-
factory :default_access_asset, :parent=>:asset do |a|
|
73
|
-
permissions_attributes { [{ name: "joe_creator", access: "edit", type: "person" }] }
|
74
|
-
end
|
75
|
-
|
76
|
-
factory :dept_access_asset, :parent=>:asset do |a|
|
77
|
-
permissions_attributes { [{ name: "africana-faculty", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }] }
|
78
|
-
end
|
79
|
-
|
80
|
-
factory :group_edit_asset, :parent=>:asset do |a|
|
81
|
-
permissions_attributes { [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}] }
|
82
|
-
end
|
83
|
-
|
84
|
-
factory :org_read_access_asset, :parent=>:asset do |a|
|
85
|
-
permissions_attributes { [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }] }
|
86
|
-
end
|
87
|
-
|
88
|
-
factory :open_access_asset, :parent=>:asset do |a|
|
89
|
-
permissions_attributes { [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }] }
|
90
|
-
end
|
91
|
-
|
92
60
|
end
|
93
61
|
|
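--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -48,7 +48,8 @@ require "support/user"
 require "factory_bot"
 require 'rspec/mocks'
 require 'rspec/its'
-require
+require 'factories/user'
+require 'factories/objects'
 
 # HttpLogger.logger = Logger.new(STDOUT)
 # HttpLogger.ignore = [/localhost:8983\/solr/]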
@@ -19,6 +19,59 @@ describe Hydra::AccessControls::Embargoable do
|
|
19
19
|
let(:model) { TestModel.new }
|
20
20
|
subject { model }
|
21
21
|
|
22
|
+
describe 'an object under embargo/lease' do
|
23
|
+
before do
|
24
|
+
class ModelWithPersistence < ActiveFedora::Base
|
25
|
+
include Hydra::AccessControls::Embargoable
|
26
|
+
end
|
27
|
+
end
|
28
|
+
after { Object.send(:remove_const, :ModelWithPersistence) }
|
29
|
+
let(:original_date) { 7.days.from_now }
|
30
|
+
let(:updated_date) { 14.days.from_now }
|
31
|
+
subject { ModelWithPersistence.new }
|
32
|
+
context 'saved with a new embargo release date' do
|
33
|
+
it 'will persist the new date' do
|
34
|
+
subject.visibility_during_embargo = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
|
35
|
+
subject.visibility_after_embargo = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
|
36
|
+
subject.embargo_release_date = original_date
|
37
|
+
subject.save
|
38
|
+
|
39
|
+
# These next three lines are to verify the round-trip for saves.
|
40
|
+
persisted_object = subject.class.find(subject.id)
|
41
|
+
expect(persisted_object).to be_under_embargo
|
42
|
+
expect(persisted_object.embargo_release_date).to eq(original_date)
|
43
|
+
|
44
|
+
expect do
|
45
|
+
persisted_object.embargo_release_date = updated_date
|
46
|
+
persisted_object.save
|
47
|
+
end.to change { persisted_object.class.find(persisted_object.id).embargo_release_date }
|
48
|
+
.from(original_date)
|
49
|
+
.to(updated_date)
|
50
|
+
end
|
51
|
+
end
|
52
|
+
|
53
|
+
context 'saved with a new lease expiration date' do
|
54
|
+
it 'will persist the new date' do
|
55
|
+
subject.visibility_during_lease = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
|
56
|
+
subject.visibility_after_lease = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
|
57
|
+
subject.lease_expiration_date = original_date
|
58
|
+
subject.save
|
59
|
+
|
60
|
+
# These next three lines are to verify the round-trip for saves.
|
61
|
+
persisted_object = subject.class.find(subject.id)
|
62
|
+
expect(persisted_object).to be_active_lease
|
63
|
+
expect(persisted_object.lease_expiration_date).to eq(original_date)
|
64
|
+
|
65
|
+
expect do
|
66
|
+
persisted_object.lease_expiration_date = updated_date
|
67
|
+
persisted_object.save
|
68
|
+
end.to change { persisted_object.class.find(persisted_object.id).lease_expiration_date }
|
69
|
+
.from(original_date)
|
70
|
+
.to(updated_date)
|
71
|
+
end
|
72
|
+
end
|
73
|
+
end
|
74
|
+
|
22
75
|
describe '#embargo_indexer_class' do
|
23
76
|
subject { model.embargo_indexer_class }
|
24
77
|
it { is_expected.to eq Hydra::AccessControls::EmbargoIndexer }
|
@@ -30,9 +83,9 @@ describe Hydra::AccessControls::Embargoable do
|
|
30
83
|
end
|
31
84
|
|
32
85
|
describe 'validations' do
|
33
|
-
context "with dates" do
|
86
|
+
context "with past dates" do
|
34
87
|
subject { ModsAsset.new(lease_expiration_date: past_date, embargo_release_date: past_date) }
|
35
|
-
it "validates embargo_release_date and lease_expiration_date" do
|
88
|
+
it "validates embargo_release_date and lease_expiration_date on create" do
|
36
89
|
expect(subject).to_not be_valid
|
37
90
|
expect(subject.errors[:lease_expiration_date]).to eq ['Must be a future date']
|
38
91
|
expect(subject.errors[:embargo_release_date]).to eq ['Must be a future date']
|
@@ -112,11 +165,7 @@ describe Hydra::AccessControls::Embargoable do
|
|
112
165
|
context "when the same embargo is applied" do
|
113
166
|
before do
|
114
167
|
subject.apply_embargo(future_date.to_s)
|
115
|
-
|
116
|
-
subject.embargo.send(:reset_changes)
|
117
|
-
else
|
118
|
-
subject.embargo.send(:clear_changes_information)
|
119
|
-
end
|
168
|
+
subject.embargo.send(:clear_changes_information)
|
120
169
|
end
|
121
170
|
|
122
171
|
it "doesn't call visibility_will_change!" do
|
@@ -195,11 +244,7 @@ describe Hydra::AccessControls::Embargoable do
|
|
195
244
|
context "when the same lease is applied" do
|
196
245
|
before do
|
197
246
|
subject.apply_lease(future_date.to_s)
|
198
|
-
|
199
|
-
subject.lease.send(:reset_changes)
|
200
|
-
else
|
201
|
-
subject.lease.send(:clear_changes_information)
|
202
|
-
end
|
247
|
+
subject.lease.send(:clear_changes_information)
|
203
248
|
end
|
204
249
|
|
205
250
|
it "doesn't call visibility_will_change!" do
|
@@ -213,7 +258,7 @@ describe Hydra::AccessControls::Embargoable do
|
|
213
258
|
before do
|
214
259
|
subject.visibility = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
|
215
260
|
# reset the changed log
|
216
|
-
subject.send(:
|
261
|
+
subject.send(:clear_changes_information)
|
217
262
|
end
|
218
263
|
|
219
264
|
it "applies appropriate embargo_visibility settings" do
|
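Review bot: The new persistence examples in the first hunk call `subject.save` and `persisted_object.save` and ignore the result, so a validation or persistence failure shows up only indirectly as a failed `find` or an unchanged date. Use `subject.save!` and `persisted_object.save!` in both examples so the failure is reported at the line that caused it. The same hunk defines `ModelWithPersistence` as a global constant in a `before` block; `stub_const` with an anonymous class, as the visibility spec in this release does, would avoid the manual `remove_const`.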
@@ -47,17 +47,29 @@ describe Hydra::AccessControls::Permission do
|
|
47
47
|
end
|
48
48
|
|
49
49
|
describe "URI escaping" do
|
50
|
-
let(:
|
51
|
-
let(:
|
50
|
+
let(:user_permission) { described_class.new(type: 'person', name: 'john doe', access: 'read') }
|
51
|
+
let(:user_permission2) { described_class.new(type: 'person', name: 'john%20doe', access: 'read') }
|
52
|
+
let(:user_permission3) { described_class.new(type: 'person', name: 'john+doe', access: 'read') }
|
53
|
+
let(:group_permission) { described_class.new(type: 'group', name: 'hydra devs', access: 'read') }
|
54
|
+
let(:group_permission2) { described_class.new(type: 'group', name: 'hydra%20devs', access: 'read') }
|
55
|
+
let(:group_permission3) { described_class.new(type: 'group', name: 'hydra+devs', access: 'read') }
|
52
56
|
|
53
57
|
it "should escape agent when building" do
|
54
|
-
expect(
|
55
|
-
expect(
|
58
|
+
expect(user_permission.agent.first.rdf_subject.to_s).to eq 'http://projecthydra.org/ns/auth/person#john%20doe'
|
59
|
+
expect(user_permission2.agent.first.rdf_subject.to_s).to eq 'http://projecthydra.org/ns/auth/person#john%2520doe'
|
60
|
+
expect(user_permission3.agent.first.rdf_subject.to_s).to eq 'http://projecthydra.org/ns/auth/person#john+doe'
|
61
|
+
expect(group_permission.agent.first.rdf_subject.to_s).to eq 'http://projecthydra.org/ns/auth/group#hydra%20devs'
|
62
|
+
expect(group_permission2.agent.first.rdf_subject.to_s).to eq 'http://projecthydra.org/ns/auth/group#hydra%2520devs'
|
63
|
+
expect(group_permission3.agent.first.rdf_subject.to_s).to eq 'http://projecthydra.org/ns/auth/group#hydra+devs'
|
56
64
|
end
|
57
65
|
|
58
66
|
it "should unescape agent when parsing" do
|
59
|
-
expect(
|
60
|
-
expect(
|
67
|
+
expect(user_permission.agent_name).to eq 'john doe'
|
68
|
+
expect(user_permission2.agent_name).to eq 'john%20doe'
|
69
|
+
expect(user_permission3.agent_name).to eq 'john+doe'
|
70
|
+
expect(group_permission.agent_name).to eq 'hydra devs'
|
71
|
+
expect(group_permission2.agent_name).to eq 'hydra%20devs'
|
72
|
+
expect(group_permission3.agent_name).to eq 'hydra+devs'
|
61
73
|
end
|
62
74
|
|
63
75
|
context 'with a User instance passed as :name argument' do
|
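Review bot: The new escaping examples cover a space, `%20` and `+`, but not a name containing `#`, the character that separates the prefix from the name in the agent URI built by `"#{prefix}##{encode(name)}"`. Add a permission such as `described_class.new(type: 'person', name: 'john#doe', access: 'read')` and assert that `agent_name` returns the name unchanged, so the build/parse round trip is pinned for the delimiter as well. How `parsed_agent` splits the URI is not visible on this page, so this is a coverage request rather than a reported defect.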
@@ -1,28 +1,15 @@
|
|
1
1
|
require 'spec_helper'
|
2
2
|
|
3
|
-
describe Hydra::PolicyAwareAccessControlsEnforcement do
|
3
|
+
RSpec.describe Hydra::PolicyAwareAccessControlsEnforcement do
|
4
4
|
before do
|
5
5
|
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
6
6
|
|
7
|
-
class PolicyMockSearchBuilder <
|
8
|
-
include Blacklight::Solr::SearchBuilderBehavior
|
9
|
-
include Hydra::AccessControlsEnforcement
|
7
|
+
class PolicyMockSearchBuilder < Hydra::SearchBuilder
|
10
8
|
include Hydra::PolicyAwareAccessControlsEnforcement
|
11
|
-
attr_accessor :params
|
12
|
-
|
13
|
-
def initialize(current_ability)
|
14
|
-
@current_ability = current_ability
|
15
|
-
end
|
16
|
-
|
17
|
-
def current_ability
|
18
|
-
@current_ability
|
19
|
-
end
|
20
|
-
|
21
|
-
def session
|
22
|
-
end
|
23
9
|
|
24
10
|
delegate :logger, to: :Rails
|
25
11
|
end
|
12
|
+
|
26
13
|
@sample_policies = []
|
27
14
|
# user discover
|
28
15
|
policy1 = Hydra::AdminPolicy.create(id: "test-policy1")
|
@@ -91,7 +78,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
|
|
91
78
|
end
|
92
79
|
|
93
80
|
let(:current_ability) { Ability.new(user) }
|
94
|
-
subject { PolicyMockSearchBuilder.new(current_ability) }
|
81
|
+
subject { PolicyMockSearchBuilder.new(nil).with_ability(current_ability) }
|
95
82
|
let(:user) { FactoryBot.build(:sara_student) }
|
96
83
|
|
97
84
|
before do
|
@@ -134,7 +121,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
|
|
134
121
|
|
135
122
|
context "when policies are included" do
|
136
123
|
before { subject.apply_gated_discovery(@solr_parameters) }
|
137
|
-
|
124
|
+
|
138
125
|
it "builds a query that includes all the policies" do
|
139
126
|
skip if ActiveFedora.version.split('.').first.to_i < 11
|
140
127
|
(1..11).each do |p|
|
@@ -142,7 +129,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
|
|
142
129
|
end
|
143
130
|
end
|
144
131
|
end
|
145
|
-
|
132
|
+
|
146
133
|
context "when policies are not included" do
|
147
134
|
before do
|
148
135
|
allow(subject).to receive(:policy_clauses).and_return(nil)
|
@@ -100,4 +100,29 @@ describe Hydra::AccessControls::Visibility do
|
|
100
100
|
expect(model.read_groups).to contain_exactly 'public', 'another'
|
101
101
|
end
|
102
102
|
end
|
103
|
+
|
104
|
+
context 'dirty tracking' do
|
105
|
+
let(:object_class) do
|
106
|
+
Class.new(ActiveFedora::Base) do
|
107
|
+
include Hydra::AccessControls::Permissions
|
108
|
+
end
|
109
|
+
end
|
110
|
+
|
111
|
+
before { stub_const("Foo", object_class) }
|
112
|
+
|
113
|
+
subject { Foo.new }
|
114
|
+
|
115
|
+
it 'responds to visibility_changed?' do
|
116
|
+
expect(subject).to respond_to(:visibility_changed?)
|
117
|
+
end
|
118
|
+
|
119
|
+
it 'tracks changes' do
|
120
|
+
expect(subject.visibility_changed?).to eq false
|
121
|
+
subject.visibility = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
|
122
|
+
expect(subject.visibility_changed?).to eq true
|
123
|
+
expect(subject.visibility_changed?(to: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC)).to eq true
|
124
|
+
expect(subject.visibility_changed?(from: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE)).to eq true
|
125
|
+
expect(subject.visibility_changed?(from: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE, to: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC)).to eq true
|
126
|
+
end
|
127
|
+
end
|
103
128
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: hydra-access-controls
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 12.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chris Beer
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date:
|
13
|
+
date: 2021-05-17 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: activesupport
|
@@ -18,20 +18,20 @@ dependencies:
|
|
18
18
|
requirements:
|
19
19
|
- - ">="
|
20
20
|
- !ruby/object:Gem::Version
|
21
|
-
version: '
|
21
|
+
version: '5.2'
|
22
22
|
- - "<"
|
23
23
|
- !ruby/object:Gem::Version
|
24
|
-
version: '
|
24
|
+
version: '7'
|
25
25
|
type: :runtime
|
26
26
|
prerelease: false
|
27
27
|
version_requirements: !ruby/object:Gem::Requirement
|
28
28
|
requirements:
|
29
29
|
- - ">="
|
30
30
|
- !ruby/object:Gem::Version
|
31
|
-
version: '
|
31
|
+
version: '5.2'
|
32
32
|
- - "<"
|
33
33
|
- !ruby/object:Gem::Version
|
34
|
-
version: '
|
34
|
+
version: '7'
|
35
35
|
- !ruby/object:Gem::Dependency
|
36
36
|
name: active-fedora
|
37
37
|
requirement: !ruby/object:Gem::Requirement
|
@@ -46,48 +46,40 @@ dependencies:
|
|
46
46
|
- - ">="
|
47
47
|
- !ruby/object:Gem::Version
|
48
48
|
version: 10.0.0
|
49
|
-
- !ruby/object:Gem::Dependency
|
50
|
-
name: blacklight
|
51
|
-
requirement: !ruby/object:Gem::Requirement
|
52
|
-
requirements:
|
53
|
-
- - ">="
|
54
|
-
- !ruby/object:Gem::Version
|
55
|
-
version: '5.16'
|
56
|
-
type: :runtime
|
57
|
-
prerelease: false
|
58
|
-
version_requirements: !ruby/object:Gem::Requirement
|
59
|
-
requirements:
|
60
|
-
- - ">="
|
61
|
-
- !ruby/object:Gem::Version
|
62
|
-
version: '5.16'
|
63
49
|
- !ruby/object:Gem::Dependency
|
64
50
|
name: blacklight-access_controls
|
65
51
|
requirement: !ruby/object:Gem::Requirement
|
66
52
|
requirements:
|
67
53
|
- - "~>"
|
68
54
|
- !ruby/object:Gem::Version
|
69
|
-
version:
|
55
|
+
version: '6.0'
|
70
56
|
type: :runtime
|
71
57
|
prerelease: false
|
72
58
|
version_requirements: !ruby/object:Gem::Requirement
|
73
59
|
requirements:
|
74
60
|
- - "~>"
|
75
61
|
- !ruby/object:Gem::Version
|
76
|
-
version:
|
62
|
+
version: '6.0'
|
77
63
|
- !ruby/object:Gem::Dependency
|
78
64
|
name: cancancan
|
79
65
|
requirement: !ruby/object:Gem::Requirement
|
80
66
|
requirements:
|
81
|
-
- - "
|
67
|
+
- - ">="
|
82
68
|
- !ruby/object:Gem::Version
|
83
69
|
version: '1.8'
|
70
|
+
- - "<"
|
71
|
+
- !ruby/object:Gem::Version
|
72
|
+
version: '4'
|
84
73
|
type: :runtime
|
85
74
|
prerelease: false
|
86
75
|
version_requirements: !ruby/object:Gem::Requirement
|
87
76
|
requirements:
|
88
|
-
- - "
|
77
|
+
- - ">="
|
89
78
|
- !ruby/object:Gem::Version
|
90
79
|
version: '1.8'
|
80
|
+
- - "<"
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: '4'
|
91
83
|
- !ruby/object:Gem::Dependency
|
92
84
|
name: deprecation
|
93
85
|
requirement: !ruby/object:Gem::Requirement
|
@@ -106,30 +98,30 @@ dependencies:
|
|
106
98
|
name: rake
|
107
99
|
requirement: !ruby/object:Gem::Requirement
|
108
100
|
requirements:
|
109
|
-
- - "
|
101
|
+
- - ">="
|
110
102
|
- !ruby/object:Gem::Version
|
111
|
-
version:
|
103
|
+
version: 12.3.3
|
112
104
|
type: :development
|
113
105
|
prerelease: false
|
114
106
|
version_requirements: !ruby/object:Gem::Requirement
|
115
107
|
requirements:
|
116
|
-
- - "
|
108
|
+
- - ">="
|
117
109
|
- !ruby/object:Gem::Version
|
118
|
-
version:
|
110
|
+
version: 12.3.3
|
119
111
|
- !ruby/object:Gem::Dependency
|
120
112
|
name: rspec
|
121
113
|
requirement: !ruby/object:Gem::Requirement
|
122
114
|
requirements:
|
123
115
|
- - "~>"
|
124
116
|
- !ruby/object:Gem::Version
|
125
|
-
version: '
|
117
|
+
version: '4.0'
|
126
118
|
type: :development
|
127
119
|
prerelease: false
|
128
120
|
version_requirements: !ruby/object:Gem::Requirement
|
129
121
|
requirements:
|
130
122
|
- - "~>"
|
131
123
|
- !ruby/object:Gem::Version
|
132
|
-
version: '
|
124
|
+
version: '4.0'
|
133
125
|
description: Access controls for project hydra
|
134
126
|
email:
|
135
127
|
- hydra-tech@googlegroups.com
|
@@ -182,7 +174,8 @@ files:
|
|
182
174
|
- lib/hydra/role_mapper_behavior.rb
|
183
175
|
- lib/hydra/shared_spec/group_service_interface.rb
|
184
176
|
- lib/hydra/user.rb
|
185
|
-
- spec/factories.rb
|
177
|
+
- spec/factories/objects.rb
|
178
|
+
- spec/factories/user.rb
|
186
179
|
- spec/indexers/embargo_indexer_spec.rb
|
187
180
|
- spec/indexers/lease_indexer_spec.rb
|
188
181
|
- spec/services/embargo_service_spec.rb
|
@@ -223,19 +216,20 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
223
216
|
requirements:
|
224
217
|
- - ">="
|
225
218
|
- !ruby/object:Gem::Version
|
226
|
-
version:
|
219
|
+
version: '2.4'
|
227
220
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
228
221
|
requirements:
|
229
|
-
- - "
|
222
|
+
- - ">="
|
230
223
|
- !ruby/object:Gem::Version
|
231
|
-
version:
|
224
|
+
version: '0'
|
232
225
|
requirements: []
|
233
|
-
rubygems_version: 3.
|
226
|
+
rubygems_version: 3.1.4
|
234
227
|
signing_key:
|
235
228
|
specification_version: 4
|
236
229
|
summary: Access controls for project hydra
|
237
230
|
test_files:
|
238
|
-
- spec/factories.rb
|
231
|
+
- spec/factories/objects.rb
|
232
|
+
- spec/factories/user.rb
|
239
233
|
- spec/indexers/embargo_indexer_spec.rb
|
240
234
|
- spec/indexers/lease_indexer_spec.rb
|
241
235
|
- spec/services/embargo_service_spec.rb
|