hydra-access-controls 5.0.1 → 5.1.0

@@ -2,6 +2,8 @@ h1. hydra-access-controls
2
2
 
3
3
  The hydra-access-controls gem provides access controls models and functionality for Hydra Heads. See the "hydra-head":http://github.com/projecthydra/hydra-head gem and the "Hydra Project website":http://projecthydra.org for more info.
4
4
 
5
+ Some background information is available on the wiki at https://github.com/projecthydra/hydra-head/wiki/Access-Controls
6
+
5
7
  h2. Installation
6
8
 
7
9
  The easiest way to make your code use this gem is to run the hydra generator that comes with the hydra-head gem. That will set up everything you need:
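Review bot: The added wiki line in the introduction gives a bare URL, while the other links in this README use the Textile "text":url form (see the hydra-head and Hydra Project links in the paragraph above it). Suggest writing it as a named link, for example "Access Controls wiki page":https://github.com/projecthydra/hydra-head/wiki/Access-Controls, so it reads consistently with the rest of the file.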
@@ -13,14 +15,32 @@ The easiest way to make your code use this gem is to run the hydra generator tha
13
15
 
14
16
  h2. Usage
15
17
 
16
- h3. Enforcing Hydra-based Access Controls in your Controllers
18
+ h3. Enforcing Hydra-based Access Controls using CanCan and Hydra::Ability
17
19
 
18
20
  They hydra generator handles part of this for you - it sets up the CatalogController (Blacklight's main controller for searches) to do gated discovery for you.
19
- In your custom controllers, you need to tell them to enforce access controls.
20
21
 
21
- *!!!This section is unfinished!!!*
22
- _If you encounter this note, send an email to the hydra-tech mailing list asking "jcoyne":https://github.com/jcoyne to explain how to make a controller enforce Hydra-based access controls using CanCan._
22
+ Beyond enabling gated discovery, *everything is done using "CanCan":https://github.com/ryanb/cancan*. For more information on CanCan, how to use it, and how to define access controls policies (aka "abilities":https://github.com/ryanb/cancan/wiki/Defining-Abilities), refer to the "CanCan documentation":https://github.com/ryanb/cancan/blob/master/README.rdoc.
23
+
24
+ Within your CanCan ability definitions (usually ability.rb), if you include the "Hydra::Ability":https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb module, you will have :read and :edit permissions defined for you, along with some convenience methods that help you evaluate permssions against info in the rightsMetadata. *Note*: the Hydra rails generator includes this module into your ability.rb for you!
25
+
26
+ In your custom controllers, you need to tell them to enforce access controls using "CanCan":https://github.com/ryanb/cancan. There are a number of ways to do this. The easiest way is to use the cancan "controller action":https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions 'load_and_authorize_resource', however on show and edit, this also causes a load the resource from fedora, which you may want to avoid. If you want to authorize from solr, you ought to be able to call the cancan methods `authorize!` or `can?` which just checks the solr permissions handler.
27
+
28
+ Examples of using authorize! and can? in controller methods:
23
29
 
30
+ <pre>
31
+ def show
32
+ authorize! :show, params[:id] # raises CanCan::Access denied if they don't have permission
33
+ ...
34
+ end
35
+
36
+ def edit
37
+ if can? :edit, params[:id]
38
+ ## User is authorized
39
+ else
40
+ ## not authorized
41
+ end
42
+ end
43
+ </pre>
24
44
 
25
45
  h3. Modifying solr field names for enforcement
26
46
 
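Review bot: In the added show example, the comment on authorize! :show, params[:id] names the exception as "CanCan::Access denied"; the class is CanCan::AccessDenied, and readers will copy that name into a rescue_from. The edit example also leaves the else branch as a bare "## not authorized" comment, so a controller copied from it falls through to the default render whether or not can? returned true; show the denial explicitly (redirect or raise) or use authorize! there as well. Smaller points in the added prose: "permssions" is misspelled, "this also causes a load the resource from fedora" is missing a word, "you ought to be able to call" should say definitely whether authorize! and can? work against solr, and the backticks around authorize! and can? are Markdown syntax in a Textile file.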
@@ -48,10 +48,12 @@ class Hydra::AdminPolicy < ActiveFedora::Base
48
48
  perm_hash = {'person' => defaultRights.individuals, 'group'=> defaultRights.groups}
49
49
 
50
50
  params.each do |row|
51
- if row[:type] == 'user'
52
- perm_hash['person'][row[:name]] = row[:access]
53
- else
51
+ if row[:type] == 'user' || row[:type] == 'person'
52
+ perm_hash['person'][row[:name]] = row[:access]
53
+ elsif row[:type] == 'group'
54
54
  perm_hash['group'][row[:name]] = row[:access]
55
+ else
56
+ raise ArgumentError, "Permission type must be 'user', 'person' (alias for 'user'), or 'group'"
55
57
  end
56
58
  end
57
59
 
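Review bot: The new else branch raises ArgumentError without saying which value was rejected; include row[:type].inspect (and row[:name]) in the message so a caller can find the bad row. This is also a behaviour change for existing callers: before, any :type other than 'user' was written to perm_hash['group'], and now anything that is not exactly the string 'user', 'person' or 'group' (a symbol such as :group, or nil from a missing key) raises. Rejecting unknown types is the safer direction for a permissions setter than silently granting to a group, but it should be called out in the release notes.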
@@ -111,7 +111,6 @@ module Hydra
111
111
  access_type_symbol = "#{new_access_level}_access".to_sym
112
112
  result = self.update_values([access_type_symbol, type] => {"-1"=>actor})
113
113
  end
114
- self.dirty = true
115
114
  return new_access_level
116
115
  end
117
116
 
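Review bot: Removing self.dirty = true after the update_values call leaves this method relying on update_values to mark the datastream as changed, and nothing in this diff shows that it does or adds a spec proving a changed permission is still persisted. Suggest a test that sets a permission, saves, reloads and checks the new access level, so a silent failure to write an access change is caught. The result assignment on the line above the removal is unused in the visible lines and could go too.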
@@ -11,10 +11,12 @@ module Hydra
11
11
  perm_hash = {'person' => rightsMetadata.individuals, 'group'=> rightsMetadata.groups}
12
12
 
13
13
  params.each do |row|
14
- if row[:type] == 'user'
14
+ if row[:type] == 'user' || row[:type] == 'person'
15
15
  perm_hash['person'][row[:name]] = row[:access]
16
- else
16
+ elsif row[:type] == 'group'
17
17
  perm_hash['group'][row[:name]] = row[:access]
18
+ else
19
+ raise ArgumentError, "Permission type must be 'user', 'person' (alias for 'user'), or 'group'"
18
20
  end
19
21
  end
20
22
 
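Review bot: This if/elsif/else on row[:type] is a line-for-line copy of the one in Hydra::AdminPolicy, error message included, so the two permission setters can drift apart the next time one of them is touched. Suggest moving the type-to-key mapping ('user' and 'person' to 'person', 'group' to 'group', anything else raises) into one shared helper that both call. The ArgumentError message would also be more useful if it included the rejected value.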
@@ -47,6 +47,46 @@ describe Hydra::AdminPolicy do
47
47
  subject["title_display"].should == 'Foobar'
48
48
  end
49
49
  end
50
+
51
+ describe "updating default permissions" do
52
+ it "should create new group permissions" do
53
+ subject.default_permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
54
+ subject.default_permissions.should == [{:type=>'group', :access=>'discover', :name=>'group1'}]
55
+ end
56
+ it "should create new user permissions" do
57
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
58
+ subject.default_permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'}]
59
+ end
60
+ it "should not replace existing groups" do
61
+ subject.default_permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
62
+ subject.default_permissions = [{:name=>'group2', :access=>'discover', :type=>'group'}]
63
+ subject.default_permissions.should == [{:type=>'group', :access=>'discover', :name=>'group1'},
64
+ {:type=>'group', :access=>'discover', :name=>'group2'}]
65
+ end
66
+ it "should not replace existing users" do
67
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
68
+ subject.default_permissions = [{:name=>'user2', :access=>'discover', :type=>'user'}]
69
+ subject.default_permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'},
70
+ {:type=>'user', :access=>'discover', :name=>'user2'}]
71
+ end
72
+ it "should update permissions on existing users" do
73
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
74
+ subject.default_permissions = [{:name=>'user1', :access=>'edit', :type=>'user'}]
75
+ subject.default_permissions.should == [{:type=>'user', :access=>'edit', :name=>'user1'}]
76
+ end
77
+ it "should update permissions on existing groups" do
78
+ subject.default_permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
79
+ subject.default_permissions = [{:name=>'group1', :access=>'edit', :type=>'group'}]
80
+ subject.default_permissions.should == [{:type=>'group', :access=>'edit', :name=>'group1'}]
81
+ end
82
+ it "should assign user permissions when :type == 'person'" do
83
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'person'}]
84
+ subject.default_permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'}]
85
+ end
86
+ it "should raise an ArgumentError when the :type hashkey is invalid" do
87
+ expect{subject.default_permissions = [{:name=>'user1', :access=>'read', :type=>'foo'}]}.to raise_error(ArgumentError)
88
+ end
89
+ end
50
90
 
51
91
  describe "Inheritable rights" do
52
92
  before do
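Review bot: The invalid-type example at the end of the new describe block only asserts that ArgumentError is raised; it does not check that default_permissions is left unchanged afterwards, or what happens when a valid row precedes the bad one in the same array. Add an assertion on subject.default_permissions after the expect block, a mixed valid/invalid case, and a case where :type is missing. The "should not replace existing" examples compare against an ordered array, which will be brittle if the order of returned permissions is not guaranteed.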
@@ -44,7 +44,13 @@ describe Hydra::ModelMixins::RightsMetadata do
44
44
  subject.permissions = [{:name=>'group1', :access=>'edit', :type=>'group'}]
45
45
  subject.permissions.should == [{:type=>'group', :access=>'edit', :name=>'group1'}]
46
46
  end
47
-
47
+ it "should assign user permissions when :type == 'person'" do
48
+ subject.permissions = [{:name=>'user1', :access=>'discover', :type=>'person'}]
49
+ subject.permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'}]
50
+ end
51
+ it "should raise an ArgumentError when the :type hashkey is invalid" do
52
+ expect{subject.permissions = [{:name=>'user1', :access=>'read', :type=>'foo'}]}.to raise_error(ArgumentError)
53
+ end
48
54
  end
49
55
 
50
56
  context "to_solr" do
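Review bot: The invalid-type example here passes on any ArgumentError, so it would still pass if the error came from somewhere other than the new type check. Match on the message as well, for example raise_error(ArgumentError, /Permission type/), and assert that subject.permissions is unchanged after the failed assignment.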
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hydra-access-controls
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.1
4
+ version: 5.1.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2012-12-17 00:00:00.000000000 Z
14
+ date: 2012-12-20 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: activesupport