RubyGems - hydra-access-controls - Versions diffs - 5.4.0.pre1 → 5.4.0 - Mend

hydra-access-controls 5.4.0.pre1 → 5.4.0

Files changed (7) hide show

data/lib/hydra/ability.rb +24 -19
data/lib/hydra/access_controls_enforcement.rb +18 -13
data/lib/hydra/policy_aware_ability.rb +5 -4
data/lib/hydra/policy_aware_access_controls_enforcement.rb +18 -7
data/spec/unit/ability_spec.rb +9 -111
data/spec/unit/admin_policy_spec.rb +116 -0
metadata +24 -21

@@ -25,6 +25,7 @@ module Hydra::Ability
     @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
     @user = @current_user # just in case someone was using this in an override. Just don't.
     @session = session
+    @permission_doc_cache = {}
     hydra_default_permissions()
   end
@@ -71,7 +72,7 @@ module Hydra::Ability
     end
     can :edit, SolrDocument do |obj|
-      @permissions_solr_document = obj
+      @permission_doc_cache[obj.id] = obj
       test_edit(obj.id)
     end
   end
@@ -87,7 +88,7 @@ module Hydra::Ability
     end
     can :read, SolrDocument do |obj|
-      @permissions_solr_document = obj
+      @permission_doc_cache[obj.id] = obj
       test_read(obj.id)
     end
   end
@@ -101,18 +102,18 @@ module Hydra::Ability
   protected
   def permissions_doc(pid)
-    return @permissions_solr_document if @permissions_solr_document
-    response, @permissions_solr_document = get_permissions_solr_response_for_doc_id(pid)
-    @permissions_solr_document
+    return @permission_doc_cache[pid] if @permission_doc_cache[pid]
+    _, doc = get_permissions_solr_response_for_doc_id(pid)
+    #puts  "PERM: #{@permissions_solr_document.inspect}"
+    @permission_doc_cache[pid] = doc
   end
   def test_edit(pid, deprecated_user=nil, deprecated_session=nil)
     ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit, use the instance_variables", caller()) if deprecated_user || deprecated_session
-    permissions_doc(pid)
     logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & edit_groups
-    result = !group_intersection.empty? || edit_persons.include?(current_user.user_key)
+    group_intersection = user_groups & edit_groups(pid)
+    result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
     logger.debug("[CANCAN] decision: #{result}")
     result
   end
@@ -120,39 +121,43 @@ module Hydra::Ability
   def test_read(pid, deprecated_user=nil, deprecated_session=nil)
     ActiveSupport::Deprecation.warn("No need to pass user or session to test_read, use the instance_variables", caller()) if deprecated_user || deprecated_session
     permissions_doc(pid)
-    logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & read_groups
-    result = !group_intersection.empty? || read_persons.include?(current_user.user_key)
+    logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+    group_intersection = user_groups & read_groups(pid)
+    result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
     logger.debug("[CANCAN] decision: #{result}")
     result
   end
-  def edit_groups
+  def edit_groups(pid)
     edit_group_field = Hydra.config[:permissions][:edit][:group]
-    eg = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_group_field,nil))
+    doc = permissions_doc(pid)
+    eg = ((doc == nil || doc.fetch(edit_group_field,nil) == nil) ? [] : doc.fetch(edit_group_field,nil))
     logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
     return eg
   end
   # edit implies read, so read_groups is the union of edit and read groups
-  def read_groups
+  def read_groups(pid)
     read_group_field = Hydra.config[:permissions][:read][:group]
-    rg = edit_groups | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_group_field,nil))
+    doc = permissions_doc(pid)
+    rg = edit_groups(pid) | ((doc == nil || doc.fetch(read_group_field,nil) == nil) ? [] : doc.fetch(read_group_field,nil))
     logger.debug("[CANCAN] read_groups: #{rg.inspect}")
     return rg
   end
-  def edit_persons
+  def edit_persons(pid)
     edit_person_field = Hydra.config[:permissions][:edit][:individual]
-    ep = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_person_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_person_field,nil))
+    doc = permissions_doc(pid)
+    ep = ((doc == nil || doc.fetch(edit_person_field,nil) == nil) ? [] : doc.fetch(edit_person_field,nil))
     logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
     return ep
   end
   # edit implies read, so read_persons is the union of edit and read persons
-  def read_persons
+  def read_persons(pid)
     read_individual_field = Hydra.config[:permissions][:read][:individual]
-    rp = edit_persons | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_individual_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_individual_field,nil))
+    doc = permissions_doc(pid)
+    rp = edit_persons(pid) | ((doc == nil || doc.fetch(read_individual_field,nil) == nil) ? [] : doc.fetch(read_individual_field,nil))
     logger.debug("[CANCAN] read_persons: #{rp.inspect}")
     return rp
   end

data/lib/hydra/access_controls_enforcement.rb CHANGED

@@ -89,6 +89,22 @@ module Hydra::AccessControlsEnforcement
   protected
+  def gated_discovery_filters
+    # Grant access to public content
+    permission_types = discovery_permissions
+    user_access_filters = []
+    permission_types.each do |type|
+      user_access_filters << "#{type}_access_group_t:public"
+    end
+    # Grant access based on user id & role
+    solr_access_filters_logic.each do |method_name|
+      user_access_filters += send(method_name, permission_types)
+    end
+    user_access_filters
+  end
   # If someone hits the show action while their session's viewing_context is in edit mode,
   # this will redirect them to the edit action.
   # If they do not have sufficient privileges to edit documents, it will silently switch their session to browse mode.
@@ -211,21 +227,10 @@ module Hydra::AccessControlsEnforcement
   # @param user_parameters the current user-subitted parameters
   def apply_gated_discovery(solr_parameters, user_parameters)
     solr_parameters[:fq] ||= []
-    # Grant access to public content
-    permission_types = discovery_permissions
-    user_access_filters = []
-    permission_types.each do |type|
-      user_access_filters << "#{type}_access_group_t:public"
-    end
-    # Grant access based on user id & role
-    solr_access_filters_logic.each do |method_name|
-      user_access_filters += send(method_name, permission_types)
-    end
-    solr_parameters[:fq] << user_access_filters.join(" OR ")
+    solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
     logger.debug("Solr parameters: #{ solr_parameters.inspect }")
   end
   def apply_role_permissions(permission_types)
       # for roles

data/lib/hydra/policy_aware_ability.rb CHANGED

@@ -39,11 +39,12 @@ module Hydra::PolicyAwareAbility
   # Returns the permissions solr document for policy_pid
   # The document is stored in an instance variable, so calling this multiple times will only query solr once.
-  # To force reload, set @policy_permissions_solr_document to nil
+  # To force reload, set @policy_permissions_solr_cache to {}
   def policy_permissions_doc(policy_pid)
-    return @policy_permissions_solr_document if @policy_permissions_solr_document
-    response, @policy_permissions_solr_document = get_permissions_solr_response_for_doc_id(policy_pid)
-    @policy_permissions_solr_document
+    @policy_permissions_solr_cache ||= {}
+    return @policy_permissions_solr_cache[policy_pid] if @policy_permissions_solr_cache[policy_pid]
+    _, doc = get_permissions_solr_response_for_doc_id(policy_pid)
+    @policy_permissions_solr_cache[policy_pid] = doc
   end
   # Tests whether the object's governing policy object grants edit access for the current user

data/lib/hydra/policy_aware_access_controls_enforcement.rb CHANGED

@@ -3,15 +3,15 @@ module Hydra::PolicyAwareAccessControlsEnforcement
   # Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access
   # appends the result of policy_clauses into the :fq
+  # @param solr_parameters the current solr parameters
+  # @param user_parameters the current user-subitted parameters
   def apply_gated_discovery(solr_parameters, user_parameters)
-    super
-    additional_clauses = policy_clauses
-    unless additional_clauses.nil? || additional_clauses.empty?
-      solr_parameters[:fq].first << " OR " + additional_clauses
-      logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
-    end
+    solr_parameters[:fq] ||= []
+    solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
+    logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
   end
   # returns solr query for finding all objects whose policies grant discover access to current_user
   def policy_clauses
     policy_pids = policies_with_access
@@ -64,5 +64,16 @@ module Hydra::PolicyAwareAccessControlsEnforcement
       return Hydra.config[:permissions][:policy_class]
     end
   end
+  protected
+  def gated_discovery_filters
+    filters = super
+    additional_clauses = policy_clauses
+    unless additional_clauses.blank?
+      filters << additional_clauses
+    end
+    filters
+  end
 end

data/spec/unit/ability_spec.rb CHANGED

@@ -269,120 +269,18 @@ describe Ability do
   end
-  #
-  # Policy-based Access Controls
-  #
-  describe "When accessing assets with Policies associated" do
+  describe "calling ability on two separate objects" do
     before do
-      @user = FactoryGirl.build(:martia_morocco)
-      RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+      @asset1 = FactoryGirl.create(:org_read_access_asset)
+      @asset2 = FactoryGirl.create(:asset)
+      @user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
     end
     subject { Ability.new(@user) }
-    context "Given a policy grants read access to a group I belong to" do
-      before do
-        @policy = Hydra::AdminPolicy.new
-        @policy.default_permissions = [{:type=>"group", :access=>"read", :name=>"africana-faculty"}]
-        @policy.save
-      end
-      after { @policy.delete }
-    	context "And a subscribing asset does not grant access" do
-    	  before do
-          @asset = ModsAsset.new()
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-    		it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-        it "Then I should not be able to edit, update and destroy the asset" do
-          subject.can?(:edit, @asset).should be_false
-          subject.can?(:update, @asset).should be_false
-          subject.can?(:destroy, @asset).should be_false
-        end
-      end
-    end
-    context "Given a policy grants edit access to a group I belong to" do
-      before do
-        @policy = Hydra::AdminPolicy.new
-        @policy.default_permissions = [{:type=>"group", :access=>"edit", :name=>"africana-faculty"}]
-        @policy.save
-      end
-      after { @policy.delete }
-    	context "And a subscribing asset does not grant access" do
-    	  before do
-          @asset = ModsAsset.new()
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-    		it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-    		it "Then I should be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_true
-          subject.can?(:update, @asset).should be_true
-          subject.can?(:destroy, @asset).should be_true
-        end
-  		end
-    	context "And a subscribing asset grants read access to me as an individual" do
-    	  before do
-          @asset = ModsAsset.new()
-          @asset.read_users = [@user.uid]
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-    		it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-        it "Then I should be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_true
-          subject.can?(:update, @asset).should be_true
-          subject.can?(:destroy, @asset).should be_true
-        end
-      end
-    end
-    context "Given a policy does not grant access to any group I belong to" do
-      before do
-        @policy = Hydra::AdminPolicy.new
-        @policy.save
-      end
-      after { @policy.delete }
-      context "And a subscribing asset does not grant access" do
-        before do
-          @asset = ModsAsset.new()
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-  		  it "Then I should not be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_false
-  		  end
-        it "Then I should not be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_false
-          subject.can?(:update, @asset).should be_false
-          subject.can?(:destroy, @asset).should be_false
-        end
-      end
-      context "And a subscribing asset grants read access to me as an individual" do
-        before do
-          @asset = ModsAsset.new()
-          @asset.read_users = [@user.uid]
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-  		  it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-        it "Then I should not be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_false
-          subject.can?(:update, @asset).should be_false
-          subject.can?(:destroy, @asset).should be_false
-        end
-      end
+    it "should be readable in the first instance and not in the second instance" do
+      # We had a bug around this where it keeps returning the access for the first object queried
+      subject.can?(:edit, @asset1).should be_true
+      subject.can?(:edit, @asset2).should be_false
     end
   end
 end

data/spec/unit/admin_policy_spec.rb CHANGED

@@ -124,5 +124,121 @@ describe Hydra::AdminPolicy do
   end
+  #
+  # Policy-based Access Controls
+  #
+  describe "When accessing assets with Policies associated" do
+    before do
+      @user = FactoryGirl.build(:martia_morocco)
+      RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+    end
+    subject { Ability.new(@user) }
+    context "Given a policy grants read access to a group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.default_permissions = [{:type=>"group", :access=>"read", :name=>"africana-faculty"}]
+        @policy.save
+      end
+      after { @policy.delete }
+    	context "And a subscribing asset does not grant access" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should not be able to edit, update and destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+    end
+    context "Given a policy grants edit access to a group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.default_permissions = [{:type=>"group", :access=>"edit", :name=>"africana-faculty"}]
+        @policy.save
+      end
+      after { @policy.delete }
+    	context "And a subscribing asset does not grant access" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+    		it "Then I should be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_true
+          subject.can?(:update, @asset).should be_true
+          subject.can?(:destroy, @asset).should be_true
+        end
+  		end
+    	context "And a subscribing asset grants read access to me as an individual" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.read_users = [@user.uid]
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_true
+          subject.can?(:update, @asset).should be_true
+          subject.can?(:destroy, @asset).should be_true
+        end
+      end
+    end
+    context "Given a policy does not grant access to any group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.save
+      end
+      after { @policy.delete }
+      context "And a subscribing asset does not grant access" do
+        before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+  		  it "Then I should not be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_false
+  		  end
+        it "Then I should not be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+      context "And a subscribing asset grants read access to me as an individual" do
+        before do
+          @asset = ModsAsset.new()
+          @asset.read_users = [@user.uid]
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+  		  it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should not be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+    end
+  end
 end

metadata CHANGED

@@ -1,8 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 5.4.0.pre1
-  prerelease: 6
+  version: 5.4.0
+  prerelease:
 platform: ruby
 authors:
 - Chris Beer
@@ -11,14 +11,14 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-01-23 00:00:00.000000000 Z
+date: 2013-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -26,7 +26,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -34,7 +34,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -42,7 +42,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -50,7 +50,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -58,7 +58,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -66,7 +66,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -74,7 +74,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -82,7 +82,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -90,7 +90,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -98,7 +98,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -106,7 +106,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -114,7 +114,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -122,7 +122,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Access controls for project hydra
@@ -180,18 +180,21 @@ require_paths:
 required_ruby_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>'
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
+      segments:
+      - 0
+      hash: -3641881465125225421
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.23
+rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
 summary: Access controls for project hydra