hydra-access-controls 5.0.0.pre15 → 5.0.0.rc1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/{lib → app/models}/ability.rb +0 -0
- data/{lib → app/models}/role_mapper.rb +0 -0
- data/lib/hydra/ability.rb +43 -30
- data/lib/hydra/access_controls_enforcement.rb +2 -2
- data/lib/hydra/datastream/rights_metadata.rb +5 -1
- data/lib/hydra/policy_aware_ability.rb +15 -11
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +1 -1
- data/lib/hydra-access-controls.rb +3 -5
- data/spec/spec_helper.rb +8 -2
- data/spec/unit/ability_spec.rb +0 -1
- data/spec/unit/access_controls_enforcement_spec.rb +11 -2
- data/spec/unit/admin_policy_spec.rb +0 -1
- data/spec/unit/hydra_rights_metadata_spec.rb +16 -0
- metadata +4 -4
File without changes
|
File without changes
|
data/lib/hydra/ability.rb
CHANGED
@@ -2,6 +2,7 @@
|
|
2
2
|
module Hydra::Ability
|
3
3
|
extend ActiveSupport::Concern
|
4
4
|
|
5
|
+
|
5
6
|
included do
|
6
7
|
include Hydra::AccessControlsEnforcement
|
7
8
|
include Blacklight::SolrHelper
|
@@ -12,15 +13,18 @@ module Hydra::Ability
|
|
12
13
|
end
|
13
14
|
|
14
15
|
def initialize(user, session=nil)
|
15
|
-
user
|
16
|
-
|
16
|
+
@user = user || Hydra::Ability.user_class.new # guest user (not logged in)
|
17
|
+
@session = session
|
18
|
+
hydra_default_permissions()
|
17
19
|
end
|
18
20
|
|
19
21
|
## You can override this method if you are using a different AuthZ (such as LDAP)
|
20
|
-
def user_groups(user, session)
|
22
|
+
def user_groups(user=nil, session=nil)
|
23
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to user_groups, use the instance_variables", caller()) if user || session
|
24
|
+
|
21
25
|
return @user_groups if @user_groups
|
22
|
-
@user_groups = RoleMapper.roles(user_key
|
23
|
-
@user_groups << 'registered' unless (user.new_record? || @user_groups.include?('registered'))
|
26
|
+
@user_groups = RoleMapper.roles(@user.user_key) + default_user_groups
|
27
|
+
@user_groups << 'registered' unless (@user.new_record? || @user_groups.include?('registered'))
|
24
28
|
@user_groups
|
25
29
|
end
|
26
30
|
|
@@ -30,51 +34,57 @@ module Hydra::Ability
|
|
30
34
|
end
|
31
35
|
|
32
36
|
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
37
|
+
# Requires no arguments, but accepts 2 arguments for backwards compatibility
|
38
|
+
def hydra_default_permissions(user=nil, session=nil)
|
39
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to hydra_default_permissions, use the instance_variables", caller()) if user || session
|
40
|
+
logger.debug("Usergroups are " + user_groups.inspect)
|
41
|
+
create_permissions()
|
42
|
+
edit_permissions()
|
43
|
+
read_permissions()
|
44
|
+
custom_permissions()
|
39
45
|
end
|
40
46
|
|
41
|
-
def create_permissions(user, session)
|
42
|
-
|
47
|
+
def create_permissions(user=nil, session=nil)
|
48
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to create_permissions, use the instance_variables", caller()) if user || session
|
49
|
+
can :create, :all if user_groups.include? 'registered'
|
43
50
|
end
|
44
51
|
|
45
|
-
def edit_permissions(user, session)
|
52
|
+
def edit_permissions(user=nil, session=nil)
|
53
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to edit_permissions, use the instance_variables", caller()) if user || session
|
46
54
|
can [:edit, :update, :destroy], String do |pid|
|
47
|
-
test_edit(pid
|
55
|
+
test_edit(pid)
|
48
56
|
end
|
49
57
|
|
50
58
|
can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
|
51
|
-
test_edit(obj.pid
|
59
|
+
test_edit(obj.pid)
|
52
60
|
end
|
53
61
|
|
54
62
|
can :edit, SolrDocument do |obj|
|
55
63
|
@permissions_solr_document = obj
|
56
|
-
test_edit(obj.id
|
64
|
+
test_edit(obj.id)
|
57
65
|
end
|
58
66
|
end
|
59
67
|
|
60
|
-
def read_permissions(user, session)
|
68
|
+
def read_permissions(user=nil, session=nil)
|
69
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to read_permissions, use the instance_variables", caller()) if user || session
|
61
70
|
can :read, String do |pid|
|
62
|
-
test_read(pid
|
71
|
+
test_read(pid)
|
63
72
|
end
|
64
73
|
|
65
74
|
can :read, ActiveFedora::Base do |obj|
|
66
|
-
test_read(obj.pid
|
75
|
+
test_read(obj.pid)
|
67
76
|
end
|
68
77
|
|
69
78
|
can :read, SolrDocument do |obj|
|
70
79
|
@permissions_solr_document = obj
|
71
|
-
test_read(obj.id
|
80
|
+
test_read(obj.id)
|
72
81
|
end
|
73
82
|
end
|
74
83
|
|
75
84
|
|
76
85
|
## Override custom permissions in your own app to add more permissions beyond what is defined by default.
|
77
|
-
def custom_permissions(user, session)
|
86
|
+
def custom_permissions(user=nil, session=nil)
|
87
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to custom_permissions, use the instance_variables", caller()) if user || session
|
78
88
|
end
|
79
89
|
|
80
90
|
protected
|
@@ -86,20 +96,22 @@ module Hydra::Ability
|
|
86
96
|
end
|
87
97
|
|
88
98
|
|
89
|
-
def test_edit(pid, user, session)
|
99
|
+
def test_edit(pid, user=nil, session=nil)
|
100
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit, use the instance_variables", caller()) if user || session
|
90
101
|
permissions_doc(pid)
|
91
|
-
logger.debug("[CANCAN] Checking edit permissions for user: #{user_key
|
92
|
-
group_intersection = user_groups
|
93
|
-
result = !group_intersection.empty? || edit_persons.include?(user_key
|
102
|
+
logger.debug("[CANCAN] Checking edit permissions for user: #{@user.user_key} with groups: #{user_groups.inspect}")
|
103
|
+
group_intersection = user_groups & edit_groups
|
104
|
+
result = !group_intersection.empty? || edit_persons.include?(@user.user_key)
|
94
105
|
logger.debug("[CANCAN] decision: #{result}")
|
95
106
|
result
|
96
107
|
end
|
97
108
|
|
98
|
-
def test_read(pid, user, session)
|
109
|
+
def test_read(pid, user=nil, session=nil)
|
110
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to test_read, use the instance_variables", caller()) if user || session
|
99
111
|
permissions_doc(pid)
|
100
|
-
logger.debug("[CANCAN] Checking edit permissions for user: #{user_key
|
101
|
-
group_intersection = user_groups
|
102
|
-
result = !group_intersection.empty? || read_persons.include?(user_key
|
112
|
+
logger.debug("[CANCAN] Checking edit permissions for user: #{@user.user_key} with groups: #{user_groups.inspect}")
|
113
|
+
group_intersection = user_groups & read_groups
|
114
|
+
result = !group_intersection.empty? || read_persons.include?(@user.user_key)
|
103
115
|
logger.debug("[CANCAN] decision: #{result}")
|
104
116
|
result
|
105
117
|
end
|
@@ -138,6 +150,7 @@ module Hydra::Ability
|
|
138
150
|
# get the currently configured user identifier. Can be overridden to return whatever (ie. login, email, etc)
|
139
151
|
# defaults to using whatever you have set as the Devise authentication_key
|
140
152
|
def user_key(user)
|
153
|
+
ActiveSupport::Deprecation.warn("Ability#user_key is deprecated, call user.user_key instead", caller(1))
|
141
154
|
user.send(Devise.authentication_keys.first)
|
142
155
|
end
|
143
156
|
|
@@ -229,7 +229,7 @@ module Hydra::AccessControlsEnforcement
|
|
229
229
|
def apply_role_permissions(permission_types)
|
230
230
|
# for roles
|
231
231
|
user_access_filters = []
|
232
|
-
current_ability.user_groups
|
232
|
+
current_ability.user_groups.each_with_index do |role, i|
|
233
233
|
permission_types.each do |type|
|
234
234
|
user_access_filters << "#{type}_access_group_t:#{role}"
|
235
235
|
end
|
@@ -240,7 +240,7 @@ module Hydra::AccessControlsEnforcement
|
|
240
240
|
def apply_individual_permissions(permission_types)
|
241
241
|
# for individual person access
|
242
242
|
user_access_filters = []
|
243
|
-
if user_key
|
243
|
+
if user_key.present?
|
244
244
|
permission_types.each do |type|
|
245
245
|
user_access_filters << "#{type}_access_person_t:#{user_key}"
|
246
246
|
end
|
@@ -2,7 +2,8 @@
|
|
2
2
|
module Hydra::PolicyAwareAbility
|
3
3
|
|
4
4
|
# Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
|
5
|
-
def test_edit(pid, user, session)
|
5
|
+
def test_edit(pid, user=nil, session=nil)
|
6
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit, use the instance_variables", caller) if user || session
|
6
7
|
result = super
|
7
8
|
if result
|
8
9
|
return result
|
@@ -12,7 +13,8 @@ module Hydra::PolicyAwareAbility
|
|
12
13
|
end
|
13
14
|
|
14
15
|
# Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access
|
15
|
-
def test_read(pid, user, session)
|
16
|
+
def test_read(pid, user=nil, session=nil)
|
17
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to test_read, use the instance_variables", caller) if user || session
|
16
18
|
result = super
|
17
19
|
if result
|
18
20
|
return result
|
@@ -45,28 +47,30 @@ module Hydra::PolicyAwareAbility
|
|
45
47
|
end
|
46
48
|
|
47
49
|
# Tests whether the object's governing policy object grants edit access for the current user
|
48
|
-
def test_edit_from_policy(object_pid, user, session)
|
50
|
+
def test_edit_from_policy(object_pid, user=nil, session=nil)
|
51
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit_from_policy, use the instance_variables", caller) if user || session
|
49
52
|
policy_pid = policy_pid_for(object_pid)
|
50
53
|
if policy_pid.nil?
|
51
54
|
return false
|
52
55
|
else
|
53
|
-
logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{user_key
|
54
|
-
group_intersection = user_groups
|
55
|
-
result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(user_key
|
56
|
+
logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{@user.user_key}?")
|
57
|
+
group_intersection = user_groups & edit_groups_from_policy( policy_pid )
|
58
|
+
result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(@user.user_key)
|
56
59
|
logger.debug("[CANCAN] -policy- decision: #{result}")
|
57
60
|
return result
|
58
61
|
end
|
59
62
|
end
|
60
63
|
|
61
64
|
# Tests whether the object's governing policy object grants read access for the current user
|
62
|
-
def test_read_from_policy(object_pid, user, session)
|
65
|
+
def test_read_from_policy(object_pid, user=nil, session=nil)
|
66
|
+
ActiveSupport::Deprecation.warn("No need to pass user or session to test_read_from_policy, use the instance_variables", caller) if user || session
|
63
67
|
policy_pid = policy_pid_for(object_pid)
|
64
68
|
if policy_pid.nil?
|
65
69
|
return false
|
66
70
|
else
|
67
|
-
logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{user_key
|
68
|
-
group_intersection = user_groups
|
69
|
-
result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(user_key
|
71
|
+
logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{@user.user_key}?")
|
72
|
+
group_intersection = user_groups & read_groups_from_policy( policy_pid )
|
73
|
+
result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(@user.user_key)
|
70
74
|
logger.debug("[CANCAN] -policy- decision: #{result}")
|
71
75
|
result
|
72
76
|
end
|
@@ -125,4 +129,4 @@ module Hydra::PolicyAwareAbility
|
|
125
129
|
return field_from_result[field_name]
|
126
130
|
end
|
127
131
|
end
|
128
|
-
end
|
132
|
+
end
|
@@ -37,7 +37,7 @@ module Hydra::PolicyAwareAccessControlsEnforcement
|
|
37
37
|
def apply_policy_role_permissions(permission_types)
|
38
38
|
# for roles
|
39
39
|
user_access_filters = []
|
40
|
-
current_ability.user_groups
|
40
|
+
current_ability.user_groups.each_with_index do |role, i|
|
41
41
|
discovery_permissions.each do |type|
|
42
42
|
user_access_filters << "inheritable_#{type}_access_group_t:#{role}"
|
43
43
|
end
|
@@ -4,6 +4,7 @@ require 'active_support'
|
|
4
4
|
# This would allow solrizer to load it's config files after the rails logger is up.
|
5
5
|
require 'active-fedora'
|
6
6
|
require 'cancan'
|
7
|
+
require 'rails'
|
7
8
|
|
8
9
|
module Hydra
|
9
10
|
extend ActiveSupport::Autoload
|
@@ -16,6 +17,8 @@ module Hydra
|
|
16
17
|
autoload :PolicyAwareAbility
|
17
18
|
autoload :AdminPolicy
|
18
19
|
autoload :RoleMapperBehavior
|
20
|
+
class Engine < Rails::Engine
|
21
|
+
end
|
19
22
|
|
20
23
|
module ModelMixins
|
21
24
|
extend ActiveSupport::Autoload
|
@@ -28,8 +31,3 @@ module Hydra
|
|
28
31
|
class AccessDenied < ::CanCan::AccessDenied; end
|
29
32
|
|
30
33
|
end
|
31
|
-
|
32
|
-
# Enable the ability/role_mapper classes in the local application to load before the ability/role_mapper classes provided by hydra-access-controls
|
33
|
-
autoload :Ability, 'ability'
|
34
|
-
autoload :RoleMapper, 'role_mapper'
|
35
|
-
|
data/spec/spec_helper.rb
CHANGED
@@ -1,4 +1,5 @@
|
|
1
1
|
ENV["environment"] ||= "test"
|
2
|
+
|
2
3
|
module Hydra
|
3
4
|
# Stubbing Hydra.config[:policy_aware] so Hydra::PolicyAwareAbility will be loaded for tests.
|
4
5
|
def self.config
|
@@ -10,8 +11,6 @@ end
|
|
10
11
|
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
11
12
|
$LOAD_PATH.unshift(File.dirname(__FILE__))
|
12
13
|
|
13
|
-
|
14
|
-
|
15
14
|
if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/
|
16
15
|
require 'simplecov'
|
17
16
|
require 'simplecov-rcov'
|
@@ -30,6 +29,13 @@ require "factories"
|
|
30
29
|
|
31
30
|
require 'support/blacklight'
|
32
31
|
require 'support/rails'
|
32
|
+
Object.logger = Logger.new(File.expand_path('../test.log', __FILE__))
|
33
|
+
|
34
|
+
# Since we're not doing a Rails Engine test, we have to load these classes manually:
|
35
|
+
require_relative '../app/models/role_mapper'
|
36
|
+
require_relative '../app/models/ability'
|
37
|
+
|
38
|
+
|
33
39
|
|
34
40
|
RSpec.configure do |config|
|
35
41
|
|
data/spec/unit/ability_spec.rb
CHANGED
@@ -1,6 +1,4 @@
|
|
1
1
|
require 'spec_helper'
|
2
|
-
# Need way to find way to stub current_user and RoleMapper in order to run these tests
|
3
|
-
require 'ability'
|
4
2
|
|
5
3
|
describe Hydra::AccessControlsEnforcement do
|
6
4
|
before(:all) do
|
@@ -76,12 +74,14 @@ describe Hydra::AccessControlsEnforcement do
|
|
76
74
|
describe "enforce_access_controls" do
|
77
75
|
describe "when the method exists" do
|
78
76
|
it "should call the method" do
|
77
|
+
Deprecation.stub(:warn)
|
79
78
|
subject.params = {:action => :index}
|
80
79
|
subject.enforce_access_controls.should be_true
|
81
80
|
end
|
82
81
|
end
|
83
82
|
describe "when the method doesn't exist" do
|
84
83
|
it "should not call the method, but should return true" do
|
84
|
+
Deprecation.stub(:warn)
|
85
85
|
subject.params = {:action => :facet}
|
86
86
|
subject.enforce_access_controls.should be_true
|
87
87
|
end
|
@@ -158,6 +158,15 @@ describe Hydra::AccessControlsEnforcement do
|
|
158
158
|
subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []
|
159
159
|
end
|
160
160
|
end
|
161
|
+
describe "when the user is a guest user (user key empty string)" do
|
162
|
+
before do
|
163
|
+
stub_user = User.new :uid=>''
|
164
|
+
subject.stub(:current_user).and_return(stub_user)
|
165
|
+
end
|
166
|
+
it "should not create filters" do
|
167
|
+
subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []
|
168
|
+
end
|
169
|
+
end
|
161
170
|
end
|
162
171
|
end
|
163
172
|
|
@@ -60,7 +60,6 @@ describe Hydra::AdminPolicy do
|
|
60
60
|
describe "to_solr" do
|
61
61
|
subject {@policy.to_solr}
|
62
62
|
it "should not affect normal solr permissions fields" do
|
63
|
-
puts subject
|
64
63
|
subject.should_not have_key( Hydra.config[:permissions][:discover][:group] )
|
65
64
|
subject.should_not have_key( Hydra.config[:permissions][:discover][:individual] )
|
66
65
|
subject.should_not have_key( Hydra.config[:permissions][:read][:group] )
|
@@ -122,6 +122,22 @@ describe Hydra::Datastream::RightsMetadata do
|
|
122
122
|
@sample.update_permissions( {"group"=>{"group1"=>"discover","group2"=>"edit"}, "person"=>{"person1"=>"read","person2"=>"discover"}} )
|
123
123
|
end
|
124
124
|
end
|
125
|
+
|
126
|
+
describe "clear_permissions!" do
|
127
|
+
before do
|
128
|
+
@sample.permissions({"person"=>"person_123"}, "read")
|
129
|
+
@sample.permissions({"person"=>"person_456"}, "edit")
|
130
|
+
@sample.permissions({"person"=>"person_789"}, "discover")
|
131
|
+
@sample.permissions({"group"=>"group_123"}, "read")
|
132
|
+
@sample.permissions({"group"=>"group_456"}, "edit")
|
133
|
+
@sample.permissions({"group"=>"group_789"}, "discover")
|
134
|
+
end
|
135
|
+
it "clears permissions" do
|
136
|
+
@sample.clear_permissions!
|
137
|
+
@sample.individuals.should == {}
|
138
|
+
@sample.groups.should == {}
|
139
|
+
end
|
140
|
+
end
|
125
141
|
|
126
142
|
describe "update_indexed_attributes" do
|
127
143
|
it "should update the declared properties" do
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: hydra-access-controls
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.0.0.
|
4
|
+
version: 5.0.0.rc1
|
5
5
|
prerelease: 6
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: bin
|
13
13
|
cert_chain: []
|
14
|
-
date: 2012-
|
14
|
+
date: 2012-12-03 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: activesupport
|
@@ -134,10 +134,11 @@ extra_rdoc_files: []
|
|
134
134
|
files:
|
135
135
|
- README.textile
|
136
136
|
- Rakefile
|
137
|
+
- app/models/ability.rb
|
138
|
+
- app/models/role_mapper.rb
|
137
139
|
- config/fedora.yml
|
138
140
|
- config/solr.yml
|
139
141
|
- hydra-access-controls.gemspec
|
140
|
-
- lib/ability.rb
|
141
142
|
- lib/hydra-access-controls.rb
|
142
143
|
- lib/hydra/ability.rb
|
143
144
|
- lib/hydra/access_controls_enforcement.rb
|
@@ -151,7 +152,6 @@ files:
|
|
151
152
|
- lib/hydra/policy_aware_access_controls_enforcement.rb
|
152
153
|
- lib/hydra/role_mapper_behavior.rb
|
153
154
|
- lib/hydra/user.rb
|
154
|
-
- lib/role_mapper.rb
|
155
155
|
- lib/tasks/hydra-access-controls.rake
|
156
156
|
- lib/tasks/hydra_jetty.rake
|
157
157
|
- spec/factories.rb
|