RubyGems - hydra-access-controls - Versions diffs - 5.0.0.pre13 → 5.0.0.pre14 - Mend

hydra-access-controls 5.0.0.pre13 → 5.0.0.pre14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

data/lib/hydra/access_controls_enforcement.rb +19 -8
data/lib/hydra/policy_aware_access_controls_enforcement.rb +5 -7
data/spec/support/user.rb +1 -0
data/spec/unit/access_controls_enforcement_spec.rb +14 -9
data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +2 -2
metadata +2 -2

data/lib/hydra/access_controls_enforcement.rb CHANGED

@@ -1,9 +1,20 @@
-# will move to lib/hydra/access_control folder/namespace in release 5.x
 module Hydra::AccessControlsEnforcement
   extend ActiveSupport::Concern
+  extend Deprecation
+  self.deprecation_horizon = "hydra-access-controls 6.0"
   included do
     include Hydra::AccessControlsEvaluation
+    class_attribute :solr_access_filters_logic
+    # Set defaults. Each symbol identifies a _method_ that must be in
+    # this class, taking one parameter (permission_types)
+    # Can be changed in local apps or by plugins, eg:
+    # CatalogController.include ModuleDefiningNewMethod
+    # CatalogController.solr_access_filters_logic += [:new_method]
+    # CatalogController.solr_access_filters_logic.delete(:we_dont_want)
+    self.solr_access_filters_logic = [:apply_role_permissions, :apply_individual_permissions, :apply_superuser_permissions ]
   end
   #
@@ -77,6 +88,7 @@ module Hydra::AccessControlsEnforcement
   # If someone hits the show action while their session's viewing_context is in edit mode,
   # this will redirect them to the edit action.
   # If they do not have sufficient privileges to edit documents, it will silently switch their session to browse mode.
+  # @deprecated this is a vestige of the old workflow, which is being removed from hydra-head
   def enforce_viewing_context_for_show_requests
     if params[:viewing_context] == "browse"
       session[:viewing_context] = params[:viewing_context]
@@ -93,6 +105,7 @@ module Hydra::AccessControlsEnforcement
       end
     end
   end
+  deprecation_deprecate :enforce_viewing_context_for_show_requests
   #
   # Action-specific enforcement
@@ -106,7 +119,7 @@ module Hydra::AccessControlsEnforcement
       if @permissions_solr_document["embargo_release_date_dt"]
         embargo_date = Date.parse(@permissions_solr_document["embargo_release_date_dt"].split(/T/)[0])
         if embargo_date > Date.parse(Time.now.to_s)
-          unless current_or_guest_user && can?(:edit, params[:id])
+          unless can?(:edit, params[:id])
             raise Hydra::AccessDenied.new("This item is under embargo.  You do not have sufficient access privileges to read this document.", :edit, params[:id])
           end
         end
@@ -201,10 +214,8 @@ module Hydra::AccessControlsEnforcement
     end
     # Grant access based on user id & role
-    unless current_or_guest_user.nil?
-      user_access_filters += apply_role_permissions(permission_types)
-      user_access_filters += apply_individual_permissions(permission_types)
-      user_access_filters += apply_superuser_permissions(permission_types)
+    solr_access_filters_logic.each do |method_name|
+      user_access_filters += send(method_name, permission_types)
     end
     solr_parameters[:fq] << user_access_filters.join(" OR ")
     logger.debug("Solr parameters: #{ solr_parameters.inspect }")
@@ -213,7 +224,7 @@ module Hydra::AccessControlsEnforcement
   def apply_role_permissions(permission_types)
       # for roles
       user_access_filters = []
-      ::RoleMapper.roles(user_key).each_with_index do |role, i|
+      current_ability.user_groups(current_user, session).each_with_index do |role, i|
         permission_types.each do |type|
           user_access_filters << "#{type}_access_group_t:#{role}"
         end

data/lib/hydra/policy_aware_access_controls_enforcement.rb CHANGED

@@ -12,7 +12,7 @@ module Hydra::PolicyAwareAccessControlsEnforcement
     end
   end
-  # returns solr query for finding all objects whose policies grant discover access to current_or_guest_user
+  # returns solr query for finding all objects whose policies grant discover access to current_user
   def policy_clauses
     policy_pids = policies_with_access
     return nil if policy_pids.empty?
@@ -23,13 +23,11 @@ module Hydra::PolicyAwareAccessControlsEnforcement
   # find all the policies that grant discover/read/edit permissions to this user or any of it's groups
   def policies_with_access
     #### TODO -- Memoize this and put it in the session?
-    return [] unless current_or_guest_user
+    return [] unless current_user
     user_access_filters = []
     # Grant access based on user id & role
-    unless current_or_guest_user.nil?
-      user_access_filters += apply_policy_role_permissions(discovery_permissions)
-      user_access_filters += apply_policy_individual_permissions(discovery_permissions)
-    end
+    user_access_filters += apply_policy_role_permissions(discovery_permissions)
+    user_access_filters += apply_policy_individual_permissions(discovery_permissions)
     result = policy_class.find_with_conditions( user_access_filters.join(" OR "), :fl => "id" )
     logger.debug "get policies: #{result}\n\n"
     result.map {|h| h['id']}
@@ -39,7 +37,7 @@ module Hydra::PolicyAwareAccessControlsEnforcement
   def apply_policy_role_permissions(permission_types)
       # for roles
       user_access_filters = []
-      ::RoleMapper.roles(user_key).each_with_index do |role, i|
+      current_ability.user_groups(current_user, session).each_with_index do |role, i|
         discovery_permissions.each do |type|
           user_access_filters << "inheritable_#{type}_access_group_t:#{role}"
         end

data/spec/support/user.rb CHANGED

@@ -7,6 +7,7 @@ class User
   def initialize(params={})
     self.email = params[:email] if params[:email]
     self.uid = params[:uid] if params[:uid]
+    self.new_record = params[:new_record] if params[:new_record]
   end
   def new_record?

data/spec/unit/access_controls_enforcement_spec.rb CHANGED

@@ -1,5 +1,6 @@
 require 'spec_helper'
-# Need way to find way to stub current_or_guest_user and RoleMapper in order to run these tests
+# Need way to find way to stub current_user and RoleMapper in order to run these tests
+require 'ability'
 describe Hydra::AccessControlsEnforcement do
   before(:all) do
@@ -7,8 +8,12 @@ describe Hydra::AccessControlsEnforcement do
       include Hydra::AccessControlsEnforcement
       attr_accessor :params
+      def current_ability
+        @current_ability ||= Ability.new(current_user)
+      end
       def user_key
-        current_or_guest_user.user_key
+        current_user.user_key
       end
       def session
@@ -24,7 +29,7 @@ describe Hydra::AccessControlsEnforcement do
     end
     context "Given I am not logged in" do
       before do
-        subject.stub(:current_or_guest_user).and_return(User.new)
+        subject.stub(:current_user).and_return(User.new(:new_record=>true))
         subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       end
       it "Then I should be treated as a member of the 'public' group" do
@@ -44,7 +49,7 @@ describe Hydra::AccessControlsEnforcement do
         User.stub(:find_by_user_key).and_return(@user)
         # This is a pretty fragile way to stub it...
         RoleMapper.stub(:byname).and_return(@user.user_key=>["faculty", "africana-faculty"])
-        subject.stub(:current_or_guest_user).and_return(@user)
+        subject.stub(:current_user).and_return(@user)
         subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       end
       it "Then I should be treated as a member of the 'public' and 'registered' groups" do
@@ -86,7 +91,7 @@ describe Hydra::AccessControlsEnforcement do
     it "should allow a user w/ edit permissions to view an embargoed object" do
       user = User.new :uid=>'testuser@example.com'
       RoleMapper.stub(:roles).with(user.user_key).and_return(["archivist"])
-      subject.stub(:current_or_guest_user).and_return(user)
+      subject.stub(:current_user).and_return(user)
       subject.should_receive(:can?).with(:edit, nil).and_return(true)
       subject.stub(:can?).with(:read, nil).and_return(true)
       subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_t"=>["testuser@example.com"], "embargo_release_date_dt"=>(Date.parse(Time.now.to_s)+2).to_s})
@@ -98,7 +103,7 @@ describe Hydra::AccessControlsEnforcement do
     it "should prevent a user w/o edit permissions from viewing an embargoed object" do
       user = User.new :uid=>'testuser@example.com'
       RoleMapper.stub(:roles).with(user.user_key).and_return([])
-      subject.stub(:current_or_guest_user).and_return(user)
+      subject.stub(:current_user).and_return(user)
       subject.should_receive(:can?).with(:edit, nil).and_return(false)
       subject.stub(:can?).with(:read, nil).and_return(true)
       subject.params = {}
@@ -111,7 +116,7 @@ describe Hydra::AccessControlsEnforcement do
     before(:each) do
       @stub_user = User.new :uid=>'archivist1@example.com'
       RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["archivist","researcher"])
-      subject.stub(:current_or_guest_user).and_return(@stub_user)
+      subject.stub(:current_user).and_return(@stub_user)
       @solr_parameters = {}
       @user_parameters = {}
     end
@@ -133,7 +138,7 @@ describe Hydra::AccessControlsEnforcement do
   describe "exclude_unwanted_models" do
     before(:each) do
       stub_user = User.new :uid=>'archivist1@example.com'
-      subject.stub(:current_or_guest_user).and_return(stub_user)
+      subject.stub(:current_user).and_return(stub_user)
       @solr_parameters = {}
       @user_parameters = {}
     end
@@ -147,7 +152,7 @@ describe Hydra::AccessControlsEnforcement do
     describe "when the user is a guest user (user key nil)" do
       before do
         stub_user = User.new
-        subject.stub(:current_or_guest_user).and_return(stub_user)
+        subject.stub(:current_user).and_return(stub_user)
       end
       it "should not create filters" do
         subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []

data/spec/unit/policy_aware_access_controls_enforcement_spec.rb CHANGED

@@ -8,7 +8,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
       attr_accessor :params
       def user_key
-        current_or_guest_user.user_key
+        current_user.user_key
       end
       def session
@@ -71,7 +71,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
     @user_parameters = {}
     @user = FactoryGirl.build(:sara_student)
     RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
-    subject.stub(:current_or_guest_user).and_return(@user)
+    subject.stub(:current_user).and_return(@user)
   end
   describe "policies_with_access" do

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 5.0.0.pre13
+  version: 5.0.0.pre14
   prerelease: 6
 platform: ruby
 authors:
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-11-28 00:00:00.000000000 Z
+date: 2012-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport