hydra-access-controls 5.0.0 → 5.0.1

data/README.textile

@@ -4,19 +4,51 @@ The hydra-access-controls gem provides access controls models and functionality
 
 h2. Installation
 
-Add this line to your application's Gemfile:
+The easiest way to make your code use this gem is to run the hydra generator that comes with the hydra-head gem.  That will set up everything you need:
 
-    gem 'hydra-access-controls'
+* adds _include Hydra::User_ to your User class
+* modifies the filters in your CatalogController class to inject access controls into solr queries
+* adds the YAML files that are used by the default RoleMapper class
+* adds section to hydra_config initializer that sets names used to look up enforcement info in solr (see "Modifying solr field names for enforcement" below)
 
-And then execute:
+h2. Usage
 
-    $ bundle
+h3. Enforcing Hydra-based Access Controls in your Controllers
 
-Or install it yourself as:
+They hydra generator handles part of this for you - it sets up the CatalogController (Blacklight's main controller for searches) to do gated discovery for you.
+In your custom controllers, you need to tell them to enforce access controls.  
 
-    $ gem install hydra-access-controls
+*!!!This section is unfinished!!!*  
+_If you encounter this note, send an email to the hydra-tech mailing list asking "jcoyne":https://github.com/jcoyne to explain how to make a controller enforce Hydra-based access controls using CanCan._
 
-h2. Usage
+
+h3. Modifying solr field names for enforcement
+
+Hydra uses its own set of default solr field names to track rights-related metadata in solr.  If you want to use your own field names, you can change them in your Hydra config.  You will also have to modify the permissions response handler in your solrconfig.xml to return those fields.
+
+Note: The hydra generator sets up the defaults for you in this file.  You only need to edit it if you want to change the field names.
+
+In config/initializers/hydra_config.rb
+
+<pre>
+  Hydra.configure(:shared) do |config|
+    # ... other stuff ...
+    config[:permissions] = {
+      :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
+      :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
+      :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
+      :owner => "depositor_t",
+      :embargo_release_date => "embargo_release_date_dt"
+    }
+    config[:permissions][:inheritable] = {
+      :discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
+      :read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
+      :edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
+      :owner => "inheritable_depositor_t",
+      :embargo_release_date => "inheritable_embargo_release_date_dt"
+    }
+  end
+</pre>
 
 h3. Policy-based Enforcement (or Collecton-level enforcement)
 
@@ -27,14 +59,15 @@ AdminPolicy objects store their inheritable rightsMetadata in a datastream calle
 Object-level permissions and Policy-level permissions are combined to produce the list of Individuals & Groups who have access to the object.  This means that if _either_ the object's rightsMetadata or the Policy's defaultRights grants access to an Individual or Group, that access will be allowed.
 
 * Currently, an asset can have only one Policy associated with it -- you can't associate objects with multiple policies
-* 
 
 To turn on Policy-based enforcement, 
 
 * include the Hydra::PolicyAwareAbility module in your Ability class (Make sure to include it _after_ Hydra::Ability because it overrides some of the methods provided by that module.)
 * include the Hydra::PolicyAwareAccessControlsEnforcement module into any appropriate Controllers (or into ApplicationController)
  
-# app/models/ability.rb
+
+Example app/models/ability.rb
+
 <pre>
   # Allows you to use CanCan to control access to Models
   require 'cancan'
@@ -45,7 +78,8 @@ To turn on Policy-based enforcement,
   end
 </pre>
 
-# app/controllers/catalog_controller.rb
+Example app/controllers/catalog_controller.rb
+
 <pre>
   class CatalogController < ApplicationController  
 
@@ -57,30 +91,7 @@ To turn on Policy-based enforcement,
   end
 </pre>
 
-h3. Modifying solr field names for enforcement
-
-Hydra uses its own set of default solr field names to track rights-related metadata in solr.  If you want to use your own field names, you can change them in your Hydra config.  You will also have to modify the permissions response handler in your solrconfig.xml to return those fields.
 
-# config/initializers/hydra_config.rb
-<pre>
-  Hydra.configure(:shared) do |config|
-    # ... other stuff ...
-    config[:permissions] = {
-      :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
-      :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
-      :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
-      :owner => "depositor_t",
-      :embargo_release_date => "embargo_release_date_dt"
-    }
-    config[:permissions][:inheritable] = {
-      :discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
-      :read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
-      :edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
-      :owner => "inheritable_depositor_t",
-      :embargo_release_date => "inheritable_embargo_release_date_dt"
-    }
-  end
-</pre>
 
 h2. Contributing
 

data/lib/hydra/access_controls_enforcement.rb

@@ -232,18 +232,22 @@ module Hydra::AccessControlsEnforcement
       user_access_filters = []
       current_ability.user_groups.each_with_index do |role, i|
         permission_types.each do |type|
-          user_access_filters << "#{type}_access_group_t:#{role}"
+          user_access_filters << escape_filter("#{type}_access_group_t", role)
         end
       end
       user_access_filters
   end
 
+  def escape_filter(key, value)
+    [key, value.gsub('/', '\/')].join(':')
+  end
+
   def apply_individual_permissions(permission_types)
       # for individual person access
       user_access_filters = []
       if user_key.present?
         permission_types.each do |type|
-          user_access_filters << "#{type}_access_person_t:#{user_key}"        
+          user_access_filters << escape_filter("#{type}_access_person_t", user_key)
         end
       end
       user_access_filters

data/spec/unit/access_controls_enforcement_spec.rb

@@ -133,6 +133,15 @@ describe Hydra::AccessControlsEnforcement do
         @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:researcher/)        
       end
     end
+
+    it "should escape slashes in the group names" do
+      RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["abc/123","cde/567"])
+      subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+      ["discover","edit","read"].each do |type|
+        @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:abc\\\/123/)        
+        @solr_parameters[:fq].first.should match(/#{type}_access_group_t\:cde\\\/567/)        
+      end
+    end
   end
   
   describe "exclude_unwanted_models" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-11 00:00:00.000000000 Z
+date: 2012-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport