hydra-access-controls 5.0.1 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -2,6 +2,8 @@ h1. hydra-access-controls
2
2
 
3
3
  The hydra-access-controls gem provides access controls models and functionality for Hydra Heads. See the "hydra-head":http://github.com/projecthydra/hydra-head gem and the "Hydra Project website":http://projecthydra.org for more info.
4
4
 
5
+ Some background information is available on the wiki at https://github.com/projecthydra/hydra-head/wiki/Access-Controls
6
+
5
7
  h2. Installation
6
8
 
7
9
  The easiest way to make your code use this gem is to run the hydra generator that comes with the hydra-head gem. That will set up everything you need:
@@ -13,14 +15,32 @@ The easiest way to make your code use this gem is to run the hydra generator tha
13
15
 
14
16
  h2. Usage
15
17
 
16
- h3. Enforcing Hydra-based Access Controls in your Controllers
18
+ h3. Enforcing Hydra-based Access Controls using CanCan and Hydra::Ability
17
19
 
18
20
  They hydra generator handles part of this for you - it sets up the CatalogController (Blacklight's main controller for searches) to do gated discovery for you.
19
- In your custom controllers, you need to tell them to enforce access controls.
20
21
 
21
- *!!!This section is unfinished!!!*
22
- _If you encounter this note, send an email to the hydra-tech mailing list asking "jcoyne":https://github.com/jcoyne to explain how to make a controller enforce Hydra-based access controls using CanCan._
22
+ Beyond enabling gated discovery, *everything is done using "CanCan":https://github.com/ryanb/cancan*. For more information on CanCan, how to use it, and how to define access controls policies (aka "abilities":https://github.com/ryanb/cancan/wiki/Defining-Abilities), refer to the "CanCan documentation":https://github.com/ryanb/cancan/blob/master/README.rdoc.
23
+
24
+ Within your CanCan ability definitions (usually ability.rb), if you include the "Hydra::Ability":https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb module, you will have :read and :edit permissions defined for you, along with some convenience methods that help you evaluate permssions against info in the rightsMetadata. *Note*: the Hydra rails generator includes this module into your ability.rb for you!
25
+
26
+ In your custom controllers, you need to tell them to enforce access controls using "CanCan":https://github.com/ryanb/cancan. There are a number of ways to do this. The easiest way is to use the cancan "controller action":https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions 'load_and_authorize_resource', however on show and edit, this also causes a load the resource from fedora, which you may want to avoid. If you want to authorize from solr, you ought to be able to call the cancan methods `authorize!` or `can?` which just checks the solr permissions handler.
27
+
28
+ Examples of using authorize! and can? in controller methods:
23
29
 
30
+ <pre>
31
+ def show
32
+ authorize! :show, params[:id] # raises CanCan::Access denied if they don't have permission
33
+ ...
34
+ end
35
+
36
+ def edit
37
+ if can? :edit, params[:id]
38
+ ## User is authorized
39
+ else
40
+ ## not authorized
41
+ end
42
+ end
43
+ </pre>
24
44
 
25
45
  h3. Modifying solr field names for enforcement
26
46
 
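Review bot: in the added `show` example the comment names the exception as `CanCan::Access denied`; the class is `CanCan::AccessDenied`, and a reader copying the name into a `rescue_from` will get it wrong. In the `edit` example the `else` branch holds only the comment `## not authorized`, and a Rails action that does nothing there still renders the edit template by default, so the example should show the denial (raise `CanCan::AccessDenied`, redirect, or return a 403). The new paragraphs also carry two typos, "permssions" and "causes a load the resource", and "you ought to be able to call" reads as untested; please confirm that `authorize!` and `can?` with a bare `params[:id]` do check the solr permissions and state it plainly.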
@@ -48,10 +48,12 @@ class Hydra::AdminPolicy < ActiveFedora::Base
48
48
  perm_hash = {'person' => defaultRights.individuals, 'group'=> defaultRights.groups}
49
49
 
50
50
  params.each do |row|
51
- if row[:type] == 'user'
52
- perm_hash['person'][row[:name]] = row[:access]
53
- else
51
+ if row[:type] == 'user' || row[:type] == 'person'
52
+ perm_hash['person'][row[:name]] = row[:access]
53
+ elsif row[:type] == 'group'
54
54
  perm_hash['group'][row[:name]] = row[:access]
55
+ else
56
+ raise ArgumentError, "Permission type must be 'user', 'person' (alias for 'user'), or 'group'"
55
57
  end
56
58
  end
57
59
 
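Review bot: the new `else` branch raises from inside `params.each`, so any rows ahead of the invalid one have already been written into `perm_hash` by the time the ArgumentError fires. Check every row's `:type` before the loop starts assigning, or document that a failed assignment can leave partial changes behind. The message would also be easier to act on if it included the rejected value, for example `row[:type].inspect`.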
@@ -111,7 +111,6 @@ module Hydra
111
111
  access_type_symbol = "#{new_access_level}_access".to_sym
112
112
  result = self.update_values([access_type_symbol, type] => {"-1"=>actor})
113
113
  end
114
- self.dirty = true
115
114
  return new_access_level
116
115
  end
117
116
 
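Review bot: `self.dirty = true` is removed right after the `update_values` call, and nothing in the hunk shows what now marks the object as changed. If `update_values` does not set that flag itself, a permission change made through this method could be skipped at save time and the previous access level would stay in effect. Please add a spec that changes a permission here, saves, reloads and checks the new level, and state in the commit message why the explicit flag is no longer needed.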
@@ -11,10 +11,12 @@ module Hydra
11
11
  perm_hash = {'person' => rightsMetadata.individuals, 'group'=> rightsMetadata.groups}
12
12
 
13
13
  params.each do |row|
14
- if row[:type] == 'user'
14
+ if row[:type] == 'user' || row[:type] == 'person'
15
15
  perm_hash['person'][row[:name]] = row[:access]
16
- else
16
+ elsif row[:type] == 'group'
17
17
  perm_hash['group'][row[:name]] = row[:access]
18
+ else
19
+ raise ArgumentError, "Permission type must be 'user', 'person' (alias for 'user'), or 'group'"
18
20
  end
19
21
  end
20
22
 
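Review bot: this `if/elsif/else` on `row[:type]` repeats the logic added to Hydra::AdminPolicy, down to the same error string. Move it into one shared helper so the accepted types cannot drift between the two models. The comparisons are against strings only, so a row with `:type => :group` now raises where it previously fell through to the group branch; if symbols should be accepted, normalize with `to_s` before comparing.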
@@ -47,6 +47,46 @@ describe Hydra::AdminPolicy do
47
47
  subject["title_display"].should == 'Foobar'
48
48
  end
49
49
  end
50
+
51
+ describe "updating default permissions" do
52
+ it "should create new group permissions" do
53
+ subject.default_permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
54
+ subject.default_permissions.should == [{:type=>'group', :access=>'discover', :name=>'group1'}]
55
+ end
56
+ it "should create new user permissions" do
57
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
58
+ subject.default_permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'}]
59
+ end
60
+ it "should not replace existing groups" do
61
+ subject.default_permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
62
+ subject.default_permissions = [{:name=>'group2', :access=>'discover', :type=>'group'}]
63
+ subject.default_permissions.should == [{:type=>'group', :access=>'discover', :name=>'group1'},
64
+ {:type=>'group', :access=>'discover', :name=>'group2'}]
65
+ end
66
+ it "should not replace existing users" do
67
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
68
+ subject.default_permissions = [{:name=>'user2', :access=>'discover', :type=>'user'}]
69
+ subject.default_permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'},
70
+ {:type=>'user', :access=>'discover', :name=>'user2'}]
71
+ end
72
+ it "should update permissions on existing users" do
73
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
74
+ subject.default_permissions = [{:name=>'user1', :access=>'edit', :type=>'user'}]
75
+ subject.default_permissions.should == [{:type=>'user', :access=>'edit', :name=>'user1'}]
76
+ end
77
+ it "should update permissions on existing groups" do
78
+ subject.default_permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
79
+ subject.default_permissions = [{:name=>'group1', :access=>'edit', :type=>'group'}]
80
+ subject.default_permissions.should == [{:type=>'group', :access=>'edit', :name=>'group1'}]
81
+ end
82
+ it "should assign user permissions when :type == 'person'" do
83
+ subject.default_permissions = [{:name=>'user1', :access=>'discover', :type=>'person'}]
84
+ subject.default_permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'}]
85
+ end
86
+ it "should raise an ArgumentError when the :type hashkey is invalid" do
87
+ expect{subject.default_permissions = [{:name=>'user1', :access=>'read', :type=>'foo'}]}.to raise_error(ArgumentError)
88
+ end
89
+ end
50
90
 
51
91
  describe "Inheritable rights" do
52
92
  before do
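Review bot: the invalid-type example at the end of the new `describe` block asserts only that ArgumentError is raised. It does not check that `default_permissions` is unchanged afterwards, and there is no case where a valid row precedes the invalid one in the same array, which is where a partially applied update would show up. Add that case, and one for a row with no `:type` key.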
@@ -44,7 +44,13 @@ describe Hydra::ModelMixins::RightsMetadata do
44
44
  subject.permissions = [{:name=>'group1', :access=>'edit', :type=>'group'}]
45
45
  subject.permissions.should == [{:type=>'group', :access=>'edit', :name=>'group1'}]
46
46
  end
47
-
47
+ it "should assign user permissions when :type == 'person'" do
48
+ subject.permissions = [{:name=>'user1', :access=>'discover', :type=>'person'}]
49
+ subject.permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'}]
50
+ end
51
+ it "should raise an ArgumentError when the :type hashkey is invalid" do
52
+ expect{subject.permissions = [{:name=>'user1', :access=>'read', :type=>'foo'}]}.to raise_error(ArgumentError)
53
+ end
48
54
  end
49
55
 
50
56
  context "to_solr" do
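Review bot: in the second added example, `raise_error(ArgumentError)` passes for any ArgumentError raised anywhere under `permissions=`, not only the new type check. Match on the message as well, for example `raise_error(ArgumentError, /Permission type/)`, so the spec fails if the validation is removed and some other argument error takes its place.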
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hydra-access-controls
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.1
4
+ version: 5.1.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2012-12-17 00:00:00.000000000 Z
14
+ date: 2012-12-20 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: activesupport