hydra-access-controls 5.0.0.pre15 → 5.0.0.rc1

data/lib/hydra/ability.rb CHANGED
@@ -2,6 +2,7 @@
2
2
  module Hydra::Ability
3
3
  extend ActiveSupport::Concern
4
4
 
5
+
5
6
  included do
6
7
  include Hydra::AccessControlsEnforcement
7
8
  include Blacklight::SolrHelper
@@ -12,15 +13,18 @@ module Hydra::Ability
12
13
  end
13
14
 
14
15
  def initialize(user, session=nil)
15
- user ||= Hydra::Ability.user_class.new # guest user (not logged in)
16
- hydra_default_permissions(user, session)
16
+ @user = user || Hydra::Ability.user_class.new # guest user (not logged in)
17
+ @session = session
18
+ hydra_default_permissions()
17
19
  end
18
20
 
19
21
  ## You can override this method if you are using a different AuthZ (such as LDAP)
20
- def user_groups(user, session)
22
+ def user_groups(user=nil, session=nil)
23
+ ActiveSupport::Deprecation.warn("No need to pass user or session to user_groups, use the instance_variables", caller()) if user || session
24
+
21
25
  return @user_groups if @user_groups
22
- @user_groups = RoleMapper.roles(user_key(user)) + default_user_groups
23
- @user_groups << 'registered' unless (user.new_record? || @user_groups.include?('registered'))
26
+ @user_groups = RoleMapper.roles(@user.user_key) + default_user_groups
27
+ @user_groups << 'registered' unless (@user.new_record? || @user_groups.include?('registered'))
24
28
  @user_groups
25
29
  end
26
30
 
@@ -30,51 +34,57 @@ module Hydra::Ability
30
34
  end
31
35
 
32
36
 
33
- def hydra_default_permissions(user, session)
34
- logger.debug("Usergroups are " + user_groups(user, session).inspect)
35
- create_permissions(user, session)
36
- edit_permissions(user, session)
37
- read_permissions(user, session)
38
- custom_permissions(user, session)
37
+ # Requires no arguments, but accepts 2 arguments for backwards compatibility
38
+ def hydra_default_permissions(user=nil, session=nil)
39
+ ActiveSupport::Deprecation.warn("No need to pass user or session to hydra_default_permissions, use the instance_variables", caller()) if user || session
40
+ logger.debug("Usergroups are " + user_groups.inspect)
41
+ create_permissions()
42
+ edit_permissions()
43
+ read_permissions()
44
+ custom_permissions()
39
45
  end
40
46
 
41
- def create_permissions(user, session)
42
- can :create, :all if user_groups(user, session).include? 'registered'
47
+ def create_permissions(user=nil, session=nil)
48
+ ActiveSupport::Deprecation.warn("No need to pass user or session to create_permissions, use the instance_variables", caller()) if user || session
49
+ can :create, :all if user_groups.include? 'registered'
43
50
  end
44
51
 
45
- def edit_permissions(user, session)
52
+ def edit_permissions(user=nil, session=nil)
53
+ ActiveSupport::Deprecation.warn("No need to pass user or session to edit_permissions, use the instance_variables", caller()) if user || session
46
54
  can [:edit, :update, :destroy], String do |pid|
47
- test_edit(pid, user, session)
55
+ test_edit(pid)
48
56
  end
49
57
 
50
58
  can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
51
- test_edit(obj.pid, user, session)
59
+ test_edit(obj.pid)
52
60
  end
53
61
 
54
62
  can :edit, SolrDocument do |obj|
55
63
  @permissions_solr_document = obj
56
- test_edit(obj.id, user, session)
64
+ test_edit(obj.id)
57
65
  end
58
66
  end
59
67
 
60
- def read_permissions(user, session)
68
+ def read_permissions(user=nil, session=nil)
69
+ ActiveSupport::Deprecation.warn("No need to pass user or session to read_permissions, use the instance_variables", caller()) if user || session
61
70
  can :read, String do |pid|
62
- test_read(pid, user, session)
71
+ test_read(pid)
63
72
  end
64
73
 
65
74
  can :read, ActiveFedora::Base do |obj|
66
- test_read(obj.pid, user, session)
75
+ test_read(obj.pid)
67
76
  end
68
77
 
69
78
  can :read, SolrDocument do |obj|
70
79
  @permissions_solr_document = obj
71
- test_read(obj.id, user, session)
80
+ test_read(obj.id)
72
81
  end
73
82
  end
74
83
 
75
84
 
76
85
  ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
77
- def custom_permissions(user, session)
86
+ def custom_permissions(user=nil, session=nil)
87
+ ActiveSupport::Deprecation.warn("No need to pass user or session to custom_permissions, use the instance_variables", caller()) if user || session
78
88
  end
79
89
 
80
90
  protected
@@ -86,20 +96,22 @@ module Hydra::Ability
86
96
  end
87
97
 
88
98
 
89
- def test_edit(pid, user, session)
99
+ def test_edit(pid, user=nil, session=nil)
100
+ ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit, use the instance_variables", caller()) if user || session
90
101
  permissions_doc(pid)
91
- logger.debug("[CANCAN] Checking edit permissions for user: #{user_key(user)} with groups: #{user_groups(user, session).inspect}")
92
- group_intersection = user_groups(user, session) & edit_groups
93
- result = !group_intersection.empty? || edit_persons.include?(user_key(user))
102
+ logger.debug("[CANCAN] Checking edit permissions for user: #{@user.user_key} with groups: #{user_groups.inspect}")
103
+ group_intersection = user_groups & edit_groups
104
+ result = !group_intersection.empty? || edit_persons.include?(@user.user_key)
94
105
  logger.debug("[CANCAN] decision: #{result}")
95
106
  result
96
107
  end
97
108
 
98
- def test_read(pid, user, session)
109
+ def test_read(pid, user=nil, session=nil)
110
+ ActiveSupport::Deprecation.warn("No need to pass user or session to test_read, use the instance_variables", caller()) if user || session
99
111
  permissions_doc(pid)
100
- logger.debug("[CANCAN] Checking edit permissions for user: #{user_key(user)} with groups: #{user_groups(user, session).inspect}")
101
- group_intersection = user_groups(user, session) & read_groups
102
- result = !group_intersection.empty? || read_persons.include?(user_key(user))
112
+ logger.debug("[CANCAN] Checking edit permissions for user: #{@user.user_key} with groups: #{user_groups.inspect}")
113
+ group_intersection = user_groups & read_groups
114
+ result = !group_intersection.empty? || read_persons.include?(@user.user_key)
103
115
  logger.debug("[CANCAN] decision: #{result}")
104
116
  result
105
117
  end
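Review bot: In `test_edit` and `test_read` the deprecated `user` argument is still accepted but no longer used, so a caller that passes a user other than the one the ability was built for now gets the decision for `@user` and only a deprecation warning. Because this is the authorization decision itself, failing on a mismatch would be safer than answering for a different principal, e.g. `raise ArgumentError, "user does not match this ability" if user && user.user_key != @user.user_key`. The same shim appears in `user_groups` above and in `test_edit_from_policy` / `test_read_from_policy` in Hydra::PolicyAwareAbility. Separately, the debug line in `test_read` still says `Checking edit permissions`, which mislabels read checks in the log and should read `Checking read permissions`. Apps that overrode `custom_permissions(user, session)` or `user_groups(user, session)` with required parameters will presumably raise ArgumentError now that these are called without arguments, which deserves a line in the upgrade notes.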
@@ -138,6 +150,7 @@ module Hydra::Ability
138
150
  # get the currently configured user identifier. Can be overridden to return whatever (ie. login, email, etc)
139
151
  # defaults to using whatever you have set as the Devise authentication_key
140
152
  def user_key(user)
153
+ ActiveSupport::Deprecation.warn("Ability#user_key is deprecated, call user.user_key instead", caller(1))
141
154
  user.send(Devise.authentication_keys.first)
142
155
  end
143
156
 
@@ -229,7 +229,7 @@ module Hydra::AccessControlsEnforcement
229
229
  def apply_role_permissions(permission_types)
230
230
  # for roles
231
231
  user_access_filters = []
232
- current_ability.user_groups(current_user, session).each_with_index do |role, i|
232
+ current_ability.user_groups.each_with_index do |role, i|
233
233
  permission_types.each do |type|
234
234
  user_access_filters << "#{type}_access_group_t:#{role}"
235
235
  end
@@ -240,7 +240,7 @@ module Hydra::AccessControlsEnforcement
240
240
  def apply_individual_permissions(permission_types)
241
241
  # for individual person access
242
242
  user_access_filters = []
243
- if user_key
243
+ if user_key.present?
244
244
  permission_types.each do |type|
245
245
  user_access_filters << "#{type}_access_person_t:#{user_key}"
246
246
  end
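Review bot: `apply_individual_permissions` now skips blank keys, but a non-blank `user_key` is still interpolated unescaped into the Solr filter clause (`"#{type}_access_person_t:#{user_key}"`), and the same holds for `#{role}` in `apply_role_permissions`. E-mail style keys, or group names containing spaces or colons, include characters the Solr query parser treats as syntax, so the resulting clause may not restrict results to exactly that person or group. Escaping the value where the clause is built would make the filter exact, for instance with the Solr client's escaping helper (`RSolr.escape(user_key)` if rsolr 1.x is the client in use). Both methods continue outside the hunks shown, so any quoting applied later is not visible here.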
@@ -192,7 +192,11 @@ module Hydra
192
192
  solr_doc
193
193
  end
194
194
 
195
-
195
+ # Completely clear the permissions
196
+ def clear_permissions!
197
+ remove_all_permissions({:person=>true})
198
+ remove_all_permissions({:group=>true})
199
+ end
196
200
 
197
201
 
198
202
 
@@ -2,7 +2,8 @@
2
2
  module Hydra::PolicyAwareAbility
3
3
 
4
4
  # Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
5
- def test_edit(pid, user, session)
5
+ def test_edit(pid, user=nil, session=nil)
6
+ ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit, use the instance_variables", caller) if user || session
6
7
  result = super
7
8
  if result
8
9
  return result
@@ -12,7 +13,8 @@ module Hydra::PolicyAwareAbility
12
13
  end
13
14
 
14
15
  # Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access
15
- def test_read(pid, user, session)
16
+ def test_read(pid, user=nil, session=nil)
17
+ ActiveSupport::Deprecation.warn("No need to pass user or session to test_read, use the instance_variables", caller) if user || session
16
18
  result = super
17
19
  if result
18
20
  return result
@@ -45,28 +47,30 @@ module Hydra::PolicyAwareAbility
45
47
  end
46
48
 
47
49
  # Tests whether the object's governing policy object grants edit access for the current user
48
- def test_edit_from_policy(object_pid, user, session)
50
+ def test_edit_from_policy(object_pid, user=nil, session=nil)
51
+ ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit_from_policy, use the instance_variables", caller) if user || session
49
52
  policy_pid = policy_pid_for(object_pid)
50
53
  if policy_pid.nil?
51
54
  return false
52
55
  else
53
- logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{user_key(user)}?")
54
- group_intersection = user_groups(user, session) & edit_groups_from_policy( policy_pid )
55
- result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(user_key(user))
56
+ logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{@user.user_key}?")
57
+ group_intersection = user_groups & edit_groups_from_policy( policy_pid )
58
+ result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(@user.user_key)
56
59
  logger.debug("[CANCAN] -policy- decision: #{result}")
57
60
  return result
58
61
  end
59
62
  end
60
63
 
61
64
  # Tests whether the object's governing policy object grants read access for the current user
62
- def test_read_from_policy(object_pid, user, session)
65
+ def test_read_from_policy(object_pid, user=nil, session=nil)
66
+ ActiveSupport::Deprecation.warn("No need to pass user or session to test_read_from_policy, use the instance_variables", caller) if user || session
63
67
  policy_pid = policy_pid_for(object_pid)
64
68
  if policy_pid.nil?
65
69
  return false
66
70
  else
67
- logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{user_key(user)}?")
68
- group_intersection = user_groups(user, session) & read_groups_from_policy( policy_pid )
69
- result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(user_key(user))
71
+ logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{@user.user_key}?")
72
+ group_intersection = user_groups & read_groups_from_policy( policy_pid )
73
+ result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(@user.user_key)
70
74
  logger.debug("[CANCAN] -policy- decision: #{result}")
71
75
  result
72
76
  end
@@ -125,4 +129,4 @@ module Hydra::PolicyAwareAbility
125
129
  return field_from_result[field_name]
126
130
  end
127
131
  end
128
- end
132
+ end
@@ -37,7 +37,7 @@ module Hydra::PolicyAwareAccessControlsEnforcement
37
37
  def apply_policy_role_permissions(permission_types)
38
38
  # for roles
39
39
  user_access_filters = []
40
- current_ability.user_groups(current_user, session).each_with_index do |role, i|
40
+ current_ability.user_groups.each_with_index do |role, i|
41
41
  discovery_permissions.each do |type|
42
42
  user_access_filters << "inheritable_#{type}_access_group_t:#{role}"
43
43
  end
@@ -4,6 +4,7 @@ require 'active_support'
4
4
  # This would allow solrizer to load it's config files after the rails logger is up.
5
5
  require 'active-fedora'
6
6
  require 'cancan'
7
+ require 'rails'
7
8
 
8
9
  module Hydra
9
10
  extend ActiveSupport::Autoload
@@ -16,6 +17,8 @@ module Hydra
16
17
  autoload :PolicyAwareAbility
17
18
  autoload :AdminPolicy
18
19
  autoload :RoleMapperBehavior
20
+ class Engine < Rails::Engine
21
+ end
19
22
 
20
23
  module ModelMixins
21
24
  extend ActiveSupport::Autoload
@@ -28,8 +31,3 @@ module Hydra
28
31
  class AccessDenied < ::CanCan::AccessDenied; end
29
32
 
30
33
  end
31
-
32
- # Enable the ability/role_mapper classes in the local application to load before the ability/role_mapper classes provided by hydra-access-controls
33
- autoload :Ability, 'ability'
34
- autoload :RoleMapper, 'role_mapper'
35
-
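Review bot: The empty `Engine` class added at new lines 20–21 has no comment, while the comment removed at the end of this file was the only explanation of how an application's own `Ability` and `RoleMapper` are loaded ahead of the gem's. Which `Ability` class ends up loaded decides the authorization rules in force, so a line such as `# Engine exists so app/models/ability.rb and role_mapper.rb are autoloaded by Rails; a host app's classes of the same name presumably take precedence` would help the next maintainer. `require 'rails'` is now unconditional, so it is also worth confirming that the gemspec declares Rails as a runtime dependency; the dependency list is only partly visible on this page.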
data/spec/spec_helper.rb CHANGED
@@ -1,4 +1,5 @@
1
1
  ENV["environment"] ||= "test"
2
+
2
3
  module Hydra
3
4
  # Stubbing Hydra.config[:policy_aware] so Hydra::PolicyAwareAbility will be loaded for tests.
4
5
  def self.config
@@ -10,8 +11,6 @@ end
10
11
  $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
11
12
  $LOAD_PATH.unshift(File.dirname(__FILE__))
12
13
 
13
-
14
-
15
14
  if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/
16
15
  require 'simplecov'
17
16
  require 'simplecov-rcov'
@@ -30,6 +29,13 @@ require "factories"
30
29
 
31
30
  require 'support/blacklight'
32
31
  require 'support/rails'
32
+ Object.logger = Logger.new(File.expand_path('../test.log', __FILE__))
33
+
34
+ # Since we're not doing a Rails Engine test, we have to load these classes manually:
35
+ require_relative '../app/models/role_mapper'
36
+ require_relative '../app/models/ability'
37
+
38
+
33
39
 
34
40
  RSpec.configure do |config|
35
41
 
@@ -1,5 +1,4 @@
1
1
  require 'spec_helper'
2
- require 'ability'
3
2
 
4
3
  describe Ability do
5
4
  before do
@@ -1,6 +1,4 @@
1
1
  require 'spec_helper'
2
- # Need way to find way to stub current_user and RoleMapper in order to run these tests
3
- require 'ability'
4
2
 
5
3
  describe Hydra::AccessControlsEnforcement do
6
4
  before(:all) do
@@ -76,12 +74,14 @@ describe Hydra::AccessControlsEnforcement do
76
74
  describe "enforce_access_controls" do
77
75
  describe "when the method exists" do
78
76
  it "should call the method" do
77
+ Deprecation.stub(:warn)
79
78
  subject.params = {:action => :index}
80
79
  subject.enforce_access_controls.should be_true
81
80
  end
82
81
  end
83
82
  describe "when the method doesn't exist" do
84
83
  it "should not call the method, but should return true" do
84
+ Deprecation.stub(:warn)
85
85
  subject.params = {:action => :facet}
86
86
  subject.enforce_access_controls.should be_true
87
87
  end
@@ -158,6 +158,15 @@ describe Hydra::AccessControlsEnforcement do
158
158
  subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []
159
159
  end
160
160
  end
161
+ describe "when the user is a guest user (user key empty string)" do
162
+ before do
163
+ stub_user = User.new :uid=>''
164
+ subject.stub(:current_user).and_return(stub_user)
165
+ end
166
+ it "should not create filters" do
167
+ subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []
168
+ end
169
+ end
161
170
  end
162
171
  end
163
172
 
@@ -60,7 +60,6 @@ describe Hydra::AdminPolicy do
60
60
  describe "to_solr" do
61
61
  subject {@policy.to_solr}
62
62
  it "should not affect normal solr permissions fields" do
63
- puts subject
64
63
  subject.should_not have_key( Hydra.config[:permissions][:discover][:group] )
65
64
  subject.should_not have_key( Hydra.config[:permissions][:discover][:individual] )
66
65
  subject.should_not have_key( Hydra.config[:permissions][:read][:group] )
@@ -122,6 +122,22 @@ describe Hydra::Datastream::RightsMetadata do
122
122
  @sample.update_permissions( {"group"=>{"group1"=>"discover","group2"=>"edit"}, "person"=>{"person1"=>"read","person2"=>"discover"}} )
123
123
  end
124
124
  end
125
+
126
+ describe "clear_permissions!" do
127
+ before do
128
+ @sample.permissions({"person"=>"person_123"}, "read")
129
+ @sample.permissions({"person"=>"person_456"}, "edit")
130
+ @sample.permissions({"person"=>"person_789"}, "discover")
131
+ @sample.permissions({"group"=>"group_123"}, "read")
132
+ @sample.permissions({"group"=>"group_456"}, "edit")
133
+ @sample.permissions({"group"=>"group_789"}, "discover")
134
+ end
135
+ it "clears permissions" do
136
+ @sample.clear_permissions!
137
+ @sample.individuals.should == {}
138
+ @sample.groups.should == {}
139
+ end
140
+ end
125
141
 
126
142
  describe "update_indexed_attributes" do
127
143
  it "should update the declared properties" do
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hydra-access-controls
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.0.pre15
4
+ version: 5.0.0.rc1
5
5
  prerelease: 6
6
6
  platform: ruby
7
7
  authors:
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2012-11-29 00:00:00.000000000 Z
14
+ date: 2012-12-03 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: activesupport
@@ -134,10 +134,11 @@ extra_rdoc_files: []
134
134
  files:
135
135
  - README.textile
136
136
  - Rakefile
137
+ - app/models/ability.rb
138
+ - app/models/role_mapper.rb
137
139
  - config/fedora.yml
138
140
  - config/solr.yml
139
141
  - hydra-access-controls.gemspec
140
- - lib/ability.rb
141
142
  - lib/hydra-access-controls.rb
142
143
  - lib/hydra/ability.rb
143
144
  - lib/hydra/access_controls_enforcement.rb
@@ -151,7 +152,6 @@ files:
151
152
  - lib/hydra/policy_aware_access_controls_enforcement.rb
152
153
  - lib/hydra/role_mapper_behavior.rb
153
154
  - lib/hydra/user.rb
154
- - lib/role_mapper.rb
155
155
  - lib/tasks/hydra-access-controls.rake
156
156
  - lib/tasks/hydra_jetty.rake
157
157
  - spec/factories.rb