hydra-access-controls 5.0.0.pre4 → 5.0.0.pre6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/lib/hydra/ability.rb +6 -1
- data/lib/hydra/access_controls_enforcement.rb +2 -9
- data/lib/hydra/role_mapper_behavior.rb +2 -2
- data/spec/support/user.rb +0 -4
- data/spec/unit/ability_spec.rb +0 -1
- data/spec/unit/access_controls_enforcement_spec.rb +0 -28
- data/spec/unit/admin_policy_spec.rb +7 -2
- data/spec/unit/policy_aware_ability_spec.rb +6 -2
- metadata +2 -2
data/lib/hydra/ability.rb
CHANGED
|
@@ -4,8 +4,13 @@ require "blacklight"
|
|
|
4
4
|
module Hydra::Ability
|
|
5
5
|
include Hydra::AccessControlsEnforcement
|
|
6
6
|
|
|
7
|
+
def self.user_class
|
|
8
|
+
puts "Hydra.config[:user_model]: #{Hydra.config[:user_model].constantize.inspect}"
|
|
9
|
+
Hydra.config[:user_model] ? Hydra.config[:user_model].constantize : ::User
|
|
10
|
+
end
|
|
11
|
+
|
|
7
12
|
def initialize(user, session=nil)
|
|
8
|
-
user ||= ::
|
|
13
|
+
user ||= Hydra::Ability.user_class.new # guest user (not logged in)
|
|
9
14
|
hydra_default_permissions(user, session)
|
|
10
15
|
end
|
|
11
16
|
|
|
@@ -225,16 +225,9 @@ module Hydra::AccessControlsEnforcement
|
|
|
225
225
|
end
|
|
226
226
|
|
|
227
227
|
|
|
228
|
-
#
|
|
229
|
-
# so developers can easily override this behavior in their local app
|
|
228
|
+
# override to apply super user permissions
|
|
230
229
|
def apply_superuser_permissions(permission_types)
|
|
231
|
-
|
|
232
|
-
if current_user.respond_to?(:is_being_superuser?) && current_user.is_being_superuser?(session) ##Deprecated
|
|
233
|
-
permission_types.each do |type|
|
|
234
|
-
user_access_filters << "#{type}_access_person_t:[* TO *]"
|
|
235
|
-
end
|
|
236
|
-
end
|
|
237
|
-
user_access_filters
|
|
230
|
+
[]
|
|
238
231
|
end
|
|
239
232
|
|
|
240
233
|
# proxy for {enforce_index_permissions}
|
|
@@ -13,9 +13,9 @@ module Hydra::RoleMapperBehavior
|
|
|
13
13
|
# If you pass in a nil User object (ie. user isn't logged in), or a uid that doesn't exist, it will return an empty array
|
|
14
14
|
def roles(user_or_uid)
|
|
15
15
|
if user_or_uid.kind_of?(String)
|
|
16
|
-
user = ::
|
|
16
|
+
user = Hydra::Ability.user_class.find_by_user_key(user_or_uid)
|
|
17
17
|
user_id = user_or_uid
|
|
18
|
-
elsif user_or_uid.kind_of?(::
|
|
18
|
+
elsif user_or_uid.kind_of?(Hydra::Ability.user_class) && user_or_uid.user_key
|
|
19
19
|
user = user_or_uid
|
|
20
20
|
user_id = user.user_key
|
|
21
21
|
end
|
data/spec/support/user.rb
CHANGED
data/spec/unit/ability_spec.rb
CHANGED
|
@@ -26,7 +26,6 @@ describe Ability do
|
|
|
26
26
|
before do
|
|
27
27
|
User.any_instance.stub(:email).and_return(nil)
|
|
28
28
|
User.any_instance.stub(:new_record?).and_return(true)
|
|
29
|
-
User.any_instance.stub(:is_being_superuser?).and_return(false)
|
|
30
29
|
end
|
|
31
30
|
subject { Ability.new(nil) }
|
|
32
31
|
it "should call custom_permissions" do
|
|
@@ -85,7 +85,6 @@ describe Hydra::AccessControlsEnforcement do
|
|
|
85
85
|
describe "enforce_show_permissions" do
|
|
86
86
|
it "should allow a user w/ edit permissions to view an embargoed object" do
|
|
87
87
|
user = User.new :uid=>'testuser@example.com'
|
|
88
|
-
user.stub(:is_being_superuser?).and_return false
|
|
89
88
|
RoleMapper.stub(:roles).with(user.user_key).and_return(["archivist"])
|
|
90
89
|
subject.stub(:current_user).and_return(user)
|
|
91
90
|
subject.should_receive(:can?).with(:edit, nil).and_return(true)
|
|
@@ -98,7 +97,6 @@ describe Hydra::AccessControlsEnforcement do
|
|
|
98
97
|
end
|
|
99
98
|
it "should prevent a user w/o edit permissions from viewing an embargoed object" do
|
|
100
99
|
user = User.new :uid=>'testuser@example.com'
|
|
101
|
-
user.stub(:is_being_superuser?).and_return false
|
|
102
100
|
RoleMapper.stub(:roles).with(user.user_key).and_return([])
|
|
103
101
|
subject.stub(:current_user).and_return(user)
|
|
104
102
|
subject.should_receive(:can?).with(:edit, nil).and_return(false)
|
|
@@ -112,7 +110,6 @@ describe Hydra::AccessControlsEnforcement do
|
|
|
112
110
|
describe "apply_gated_discovery" do
|
|
113
111
|
before(:each) do
|
|
114
112
|
@stub_user = User.new :uid=>'archivist1@example.com'
|
|
115
|
-
@stub_user.stub(:is_being_superuser?).and_return false
|
|
116
113
|
RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["archivist","researcher"])
|
|
117
114
|
subject.stub(:current_user).and_return(@stub_user)
|
|
118
115
|
@solr_parameters = {}
|
|
@@ -131,36 +128,11 @@ describe Hydra::AccessControlsEnforcement do
|
|
|
131
128
|
@solr_parameters[:fq].first.should match(/#{type}_access_group_t\:researcher/)
|
|
132
129
|
end
|
|
133
130
|
end
|
|
134
|
-
|
|
135
|
-
describe "(DEPRECATED) for superusers" do
|
|
136
|
-
it "should return superuser access level" do
|
|
137
|
-
stub_user = User.new(:uid=>'suzie@example.com')
|
|
138
|
-
stub_user.stub(:is_being_superuser?).and_return true
|
|
139
|
-
RoleMapper.stub(:roles).with(stub_user.user_key).and_return(["archivist","researcher"])
|
|
140
|
-
subject.stub(:current_user).and_return(stub_user)
|
|
141
|
-
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
|
142
|
-
["discover","edit","read"].each do |type|
|
|
143
|
-
@solr_parameters[:fq].first.should match(/#{type}_access_person_t\:\[\* TO \*\]/)
|
|
144
|
-
end
|
|
145
|
-
end
|
|
146
|
-
it "should not return superuser access to non-superusers" do
|
|
147
|
-
stub_user = User.new(:uid=>'suzie@example.com')
|
|
148
|
-
stub_user.stub(:is_being_superuser?).and_return false
|
|
149
|
-
RoleMapper.stub(:roles).with(stub_user.user_key).and_return(["archivist","researcher"])
|
|
150
|
-
subject.stub(:current_user).and_return(stub_user)
|
|
151
|
-
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
|
152
|
-
["discover","edit","read"].each do |type|
|
|
153
|
-
@solr_parameters[:fq].should_not include("#{type}_access_person_t\:\[\* TO \*\]")
|
|
154
|
-
end
|
|
155
|
-
end
|
|
156
|
-
end
|
|
157
|
-
|
|
158
131
|
end
|
|
159
132
|
|
|
160
133
|
describe "exclude_unwanted_models" do
|
|
161
134
|
before(:each) do
|
|
162
135
|
stub_user = User.new :uid=>'archivist1@example.com'
|
|
163
|
-
stub_user.stub(:is_being_superuser?).and_return false
|
|
164
136
|
subject.stub(:current_user).and_return(stub_user)
|
|
165
137
|
@solr_parameters = {}
|
|
166
138
|
@user_parameters = {}
|
|
@@ -72,12 +72,17 @@ describe Hydra::AdminPolicy do
|
|
|
72
72
|
subject.should_not have_key( Hydra.config[:permissions][:embargo_release_date] )
|
|
73
73
|
end
|
|
74
74
|
it "should provide prefixed/inherited solr permissions fields" do
|
|
75
|
-
|
|
75
|
+
catchall = Hydra.config[:permissions][:inheritable][:catchall]
|
|
76
|
+
subject[catchall].should have(7).items
|
|
77
|
+
subject[catchall].should include("posers", "slightlycoolkids", "africana-faculty", "cool-kids", "constantine", "nero", "julius_caesar")
|
|
76
78
|
subject[Hydra.config[:permissions][:inheritable][:discover][:group] ].should == ["posers"]
|
|
77
79
|
subject[Hydra.config[:permissions][:inheritable][:discover][:individual] ].should == ["constantine"]
|
|
78
80
|
subject[Hydra.config[:permissions][:inheritable][:read][:group] ].should == ["slightlycoolkids"]
|
|
79
81
|
subject[Hydra.config[:permissions][:inheritable][:read][:individual] ].should == ["nero"]
|
|
80
|
-
|
|
82
|
+
inheritable_group = Hydra.config[:permissions][:inheritable][:edit][:group]
|
|
83
|
+
subject[inheritable_group].length.should == 2
|
|
84
|
+
subject[inheritable_group].should include("africana-faculty", "cool-kids")
|
|
85
|
+
|
|
81
86
|
subject[Hydra.config[:permissions][:inheritable][:edit][:individual] ].should == ["julius_caesar"]
|
|
82
87
|
subject[Hydra.config[:permissions][:inheritable][:embargo_release_date] ].should == "2102-10-01"
|
|
83
88
|
end
|
|
@@ -67,7 +67,9 @@ describe Hydra::PolicyAwareAbility do
|
|
|
67
67
|
end
|
|
68
68
|
describe "edit_groups_from_policy" do
|
|
69
69
|
it "should retrieve the list of groups with edit access from the policy" do
|
|
70
|
-
subject.edit_groups_from_policy(@policy.pid)
|
|
70
|
+
result = subject.edit_groups_from_policy(@policy.pid)
|
|
71
|
+
result.length.should == 2
|
|
72
|
+
result.should include("cool_kids","in_crowd")
|
|
71
73
|
end
|
|
72
74
|
end
|
|
73
75
|
describe "edit_persons_from_policy" do
|
|
@@ -77,7 +79,9 @@ describe Hydra::PolicyAwareAbility do
|
|
|
77
79
|
end
|
|
78
80
|
describe "read_groups_from_policy" do
|
|
79
81
|
it "should retrieve the list of groups with read access from the policy" do
|
|
80
|
-
subject.read_groups_from_policy(@policy.pid)
|
|
82
|
+
result = subject.read_groups_from_policy(@policy.pid)
|
|
83
|
+
result.length.should == 3
|
|
84
|
+
result.should include("cool_kids", "in_crowd", "africana-faculty")
|
|
81
85
|
end
|
|
82
86
|
end
|
|
83
87
|
describe "read_persons_from_policy" do
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hydra-access-controls
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.0.0.
|
|
4
|
+
version: 5.0.0.pre6
|
|
5
5
|
prerelease: 6
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -11,7 +11,7 @@ authors:
|
|
|
11
11
|
autorequire:
|
|
12
12
|
bindir: bin
|
|
13
13
|
cert_chain: []
|
|
14
|
-
date: 2012-10-
|
|
14
|
+
date: 2012-10-12 00:00:00.000000000 Z
|
|
15
15
|
dependencies:
|
|
16
16
|
- !ruby/object:Gem::Dependency
|
|
17
17
|
name: activesupport
|