hydra-access-controls 6.0.0.pre8 → 6.0.0.rc1

@@ -18,7 +18,7 @@ Gem::Specification.new do |gem|
18
18
  gem.required_ruby_version = '>= 1.9.3'
19
19
 
20
20
  gem.add_dependency 'activesupport'
21
- gem.add_dependency "active-fedora", '>= 6.0.0.pre10'
21
+ gem.add_dependency "active-fedora", '>= 6.0.0.rc2'
22
22
  gem.add_dependency 'cancan'
23
23
  gem.add_dependency 'deprecation'
24
24
  gem.add_dependency 'blacklight'
@@ -15,6 +15,7 @@ module Hydra
15
15
  autoload :AdminPolicy
16
16
  autoload :RoleMapperBehavior
17
17
  autoload :PermissionsQuery
18
+ autoload :PermissionsCache
18
19
  autoload :PermissionsSolrDocument
19
20
  class Engine < Rails::Engine
20
21
  end
@@ -1,162 +1,163 @@
1
1
  # Code for [CANCAN] access to Hydra models
2
2
  require 'cancan'
3
- module Hydra::Ability
4
- extend ActiveSupport::Concern
5
-
6
- # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
7
- #
8
- # self.ability_logic +=[:setup_my_permissions]
9
-
10
- included do
11
- include CanCan::Ability
12
- include Hydra::PermissionsQuery
13
- include Blacklight::SolrHelper
14
- class_attribute :ability_logic
15
- self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
16
- end
17
-
18
- def self.user_class
19
- Hydra.config[:user_model] ? Hydra.config[:user_model].constantize : ::User
20
- end
21
-
22
- attr_reader :current_user, :session
23
-
24
- def initialize(user, session=nil)
25
- @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
26
- @user = @current_user # just in case someone was using this in an override. Just don't.
27
- @session = session
28
- hydra_default_permissions()
29
- end
30
-
31
- ## You can override this method if you are using a different AuthZ (such as LDAP)
32
- def user_groups
33
- return @user_groups if @user_groups
3
+ module Hydra
4
+ module Ability
5
+ extend ActiveSupport::Concern
34
6
 
35
- @user_groups = default_user_groups
36
- @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
37
- @user_groups |= ['registered'] unless current_user.new_record?
38
- @user_groups
39
- end
40
-
41
- def default_user_groups
42
- # # everyone is automatically a member of the group 'public'
43
- ['public']
44
- end
45
-
46
-
47
- def hydra_default_permissions
48
- logger.debug("Usergroups are " + user_groups.inspect)
49
- self.ability_logic.each do |method|
50
- send(method)
7
+ # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
8
+ #
9
+ # self.ability_logic +=[:setup_my_permissions]
10
+
11
+ included do
12
+ include CanCan::Ability
13
+ include Hydra::PermissionsQuery
14
+ include Blacklight::SolrHelper
15
+ class_attribute :ability_logic
16
+ self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
51
17
  end
52
- end
53
18
 
54
- def create_permissions
55
- can :create, :all if user_groups.include? 'registered'
56
- end
19
+ def self.user_class
20
+ Hydra.config[:user_model] ? Hydra.config[:user_model].constantize : ::User
21
+ end
57
22
 
58
- def edit_permissions
59
- can [:edit, :update, :destroy], String do |pid|
60
- test_edit(pid)
61
- end
23
+ attr_reader :current_user, :session
62
24
 
63
- can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
64
- test_edit(obj.pid)
25
+ def initialize(user, session=nil)
26
+ @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
27
+ @user = @current_user # just in case someone was using this in an override. Just don't.
28
+ @session = session
29
+ hydra_default_permissions()
65
30
  end
66
-
67
- can :edit, SolrDocument do |obj|
68
- @permission_doc_cache[obj.id] = obj
69
- test_edit(obj.id)
70
- end
71
- end
72
31
 
73
- def read_permissions
74
- can :read, String do |pid|
75
- test_read(pid)
32
+ ## You can override this method if you are using a different AuthZ (such as LDAP)
33
+ def user_groups
34
+ return @user_groups if @user_groups
35
+
36
+ @user_groups = default_user_groups
37
+ @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
38
+ @user_groups |= ['registered'] unless current_user.new_record?
39
+ @user_groups
76
40
  end
77
41
 
78
- can :read, ActiveFedora::Base do |obj|
79
- test_read(obj.pid)
80
- end
42
+ def default_user_groups
43
+ # # everyone is automatically a member of the group 'public'
44
+ ['public']
45
+ end
81
46
 
82
- can :read, SolrDocument do |obj|
83
- @permission_doc_cache[obj.id] = obj
84
- test_read(obj.id)
85
- end
86
- end
87
47
 
48
+ def hydra_default_permissions
49
+ logger.debug("Usergroups are " + user_groups.inspect)
50
+ self.ability_logic.each do |method|
51
+ send(method)
52
+ end
53
+ end
88
54
 
89
- ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
90
- def custom_permissions
91
- end
92
-
93
- protected
94
-
95
- def test_edit(pid)
96
- logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
97
- group_intersection = user_groups & edit_groups(pid)
98
- result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
99
- logger.debug("[CANCAN] decision: #{result}")
100
- result
101
- end
102
-
103
- def test_read(pid)
104
- logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
105
- group_intersection = user_groups & read_groups(pid)
106
- result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
107
- result
108
- end
109
-
110
- def edit_groups(pid)
111
- doc = permissions_doc(pid)
112
- return [] if doc.nil?
113
- eg = doc[self.class.edit_group_field] || []
114
- logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
115
- return eg
116
- end
55
+ def create_permissions
56
+ can :create, :all if user_groups.include? 'registered'
57
+ end
117
58
 
118
- # edit implies read, so read_groups is the union of edit and read groups
119
- def read_groups(pid)
120
- doc = permissions_doc(pid)
121
- return [] if doc.nil?
122
- rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
123
- logger.debug("[CANCAN] read_groups: #{rg.inspect}")
124
- return rg
125
- end
59
+ def edit_permissions
60
+ can [:edit, :update, :destroy], String do |pid|
61
+ test_edit(pid)
62
+ end
63
+
64
+ can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
65
+ test_edit(obj.pid)
66
+ end
67
+
68
+ can :edit, SolrDocument do |obj|
69
+ PermissionsCache.put(obj.id, obj)
70
+ test_edit(obj.id)
71
+ end
72
+ end
126
73
 
127
- def edit_persons(pid)
128
- doc = permissions_doc(pid)
129
- return [] if doc.nil?
130
- ep = doc[self.class.edit_person_field] || []
131
- logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
132
- return ep
133
- end
74
+ def read_permissions
75
+ can :read, String do |pid|
76
+ test_read(pid)
77
+ end
78
+
79
+ can :read, ActiveFedora::Base do |obj|
80
+ test_read(obj.pid)
81
+ end
82
+
83
+ can :read, SolrDocument do |obj|
84
+ PermissionsCache.put(obj.id, obj)
85
+ test_read(obj.id)
86
+ end
87
+ end
134
88
 
135
- # edit implies read, so read_persons is the union of edit and read persons
136
- def read_persons(pid)
137
- doc = permissions_doc(pid)
138
- return [] if doc.nil?
139
- rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
140
- logger.debug("[CANCAN] read_persons: #{rp.inspect}")
141
- return rp
142
- end
143
89
 
144
- module ClassMethods
145
- def read_group_field
146
- Hydra.config[:permissions][:read][:group]
90
+ ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
91
+ def custom_permissions
92
+ end
93
+
94
+ protected
95
+
96
+ def test_edit(pid)
97
+ logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
98
+ group_intersection = user_groups & edit_groups(pid)
99
+ result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
100
+ logger.debug("[CANCAN] decision: #{result}")
101
+ result
102
+ end
103
+
104
+ def test_read(pid)
105
+ logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
106
+ group_intersection = user_groups & read_groups(pid)
107
+ result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
108
+ result
109
+ end
110
+
111
+ def edit_groups(pid)
112
+ doc = permissions_doc(pid)
113
+ return [] if doc.nil?
114
+ eg = doc[self.class.edit_group_field] || []
115
+ logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
116
+ return eg
117
+ end
118
+
119
+ # edit implies read, so read_groups is the union of edit and read groups
120
+ def read_groups(pid)
121
+ doc = permissions_doc(pid)
122
+ return [] if doc.nil?
123
+ rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
124
+ logger.debug("[CANCAN] read_groups: #{rg.inspect}")
125
+ return rg
147
126
  end
148
127
 
149
- def edit_person_field
150
- Hydra.config[:permissions][:edit][:individual]
128
+ def edit_persons(pid)
129
+ doc = permissions_doc(pid)
130
+ return [] if doc.nil?
131
+ ep = doc[self.class.edit_person_field] || []
132
+ logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
133
+ return ep
151
134
  end
152
135
 
153
- def read_person_field
154
- Hydra.config[:permissions][:read][:individual]
136
+ # edit implies read, so read_persons is the union of edit and read persons
137
+ def read_persons(pid)
138
+ doc = permissions_doc(pid)
139
+ return [] if doc.nil?
140
+ rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
141
+ logger.debug("[CANCAN] read_persons: #{rp.inspect}")
142
+ return rp
155
143
  end
156
144
 
157
- def edit_group_field
158
- Hydra.config[:permissions][:edit][:group]
145
+ module ClassMethods
146
+ def read_group_field
147
+ Hydra.config[:permissions][:read][:group]
148
+ end
149
+
150
+ def edit_person_field
151
+ Hydra.config[:permissions][:edit][:individual]
152
+ end
153
+
154
+ def read_person_field
155
+ Hydra.config[:permissions][:read][:individual]
156
+ end
157
+
158
+ def edit_group_field
159
+ Hydra.config[:permissions][:edit][:group]
160
+ end
159
161
  end
160
162
  end
161
-
162
163
  end
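Review bot: The `can :edit, SolrDocument` and `can :read, SolrDocument` blocks now store the caller-supplied document with `PermissionsCache.put(obj.id, obj)`, and the new permissions_cache.rb section shows that this cache is a module-level `@@cache`, so a document seen in one request is what `edit_groups`, `read_groups` and the `*_persons` helpers read for later requests and other users in the same process. The removed `@permission_doc_cache` was an instance variable on the including object and went away with it. Nothing visible in this diff evicts an entry when an object's rights change, so a revoked grant may keep passing `test_edit`/`test_read` until the process restarts; the same applies to `permissions_doc` in the permissions_query.rb section. One way to bound the lifetime is to reset the cache whenever an Ability is built, e.g. `Hydra::PermissionsCache.clear` before `hydra_default_permissions()` in `initialize`, or to evict the pid wherever rights metadata is saved.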
@@ -2,7 +2,7 @@ require 'active_support/core_ext/string'
2
2
  module Hydra
3
3
  module Datastream
4
4
  # Implements Hydra RightsMetadata XML terminology for asserting access permissions
5
- class RightsMetadata < ActiveFedora::NokogiriDatastream
5
+ class RightsMetadata < ActiveFedora::OmDatastream
6
6
 
7
7
  set_terminology do |t|
8
8
  t.root(:path=>"rightsMetadata", :xmlns=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1", :schema=>"http://github.com/projecthydra/schemas/tree/v1/rightsMetadata.xsd")
@@ -0,0 +1,16 @@
1
+ module Hydra::PermissionsCache
2
+ @@cache = {}
3
+
4
+ def self.get(pid)
5
+ @@cache[pid]
6
+ end
7
+
8
+ def self.put(pid, doc)
9
+ @@cache[pid] = doc
10
+ end
11
+
12
+ def self.clear
13
+ @@cache = {}
14
+ end
15
+
16
+ end
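Review bot: `@@cache` has no size bound and no per-key eviction, so every pid that is ever permission-checked keeps its full Solr document in memory for the life of the process, and code that changes an object's rights cannot drop just that entry. I would add a `def self.delete(pid)` whose body is `@@cache.delete(pid)` and call it from the rights-saving path, which is outside this diff. The module also needs a header comment stating that entries are shared across requests and feed authorization decisions, e.g. `# Process-wide cache of permission docs keyed by pid; evict an entry whenever that object's rights change.`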
@@ -1,50 +1,55 @@
1
- module Hydra::PermissionsQuery
2
- extend ActiveSupport::Concern
3
- included do
4
- include Blacklight::SolrHelper # for force_to_utf8
5
- end
1
+ module Hydra
2
+ module PermissionsQuery
3
+ extend ActiveSupport::Concern
4
+ included do
5
+ include Blacklight::SolrHelper # for force_to_utf8
6
+ end
6
7
 
7
- def permissions_doc(pid)
8
- @permission_doc_cache ||= {}
9
- @permission_doc_cache[pid] ||= get_permissions_solr_response_for_doc_id(pid)
10
- end
8
+ def permissions_doc(pid)
9
+ doc = Hydra::PermissionsCache.get(pid)
10
+ unless doc
11
+ doc = get_permissions_solr_response_for_doc_id(pid)
12
+ Hydra::PermissionsCache.put(pid, doc)
13
+ end
14
+ doc
15
+ end
11
16
 
12
17
 
13
- protected
18
+ protected
14
19
 
15
- # a solr query method
16
- # retrieve a solr document, given the doc id
17
- # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
18
- # @param [String] id of the documetn to retrieve
19
- # @param [Hash] extra_controller_params (optional)
20
- def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
21
- raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
22
- #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
23
- #path = blacklight_config.solr_path
24
- solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
25
- response = Blacklight.solr.get('select', :params=> solr_opts)
26
- solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
20
+ # a solr query method
21
+ # retrieve a solr document, given the doc id
22
+ # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
23
+ # @param [String] id of the documetn to retrieve
24
+ # @param [Hash] extra_controller_params (optional)
25
+ def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
26
+ raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
27
+ #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
28
+ #path = blacklight_config.solr_path
29
+ solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
30
+ response = Blacklight.solr.get('select', :params=> solr_opts)
31
+ solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
27
32
 
28
- raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
29
- Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
30
- end
33
+ raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
34
+ Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
35
+ end
31
36
 
32
- #
33
- # Solr integration
34
- #
35
-
36
- # returns a params hash with the permissions info for a single solr document
37
- # If the id arg is nil, then the value is fetched from params[:id]
38
- # This method is primary called by the get_permissions_solr_response_for_doc_id method.
39
- # Modeled on Blacklight::SolrHelper.solr_doc_params
40
- # @param [String] id of the documetn to retrieve
41
- def permissions_solr_doc_params(id=nil)
42
- id ||= params[:id]
43
- # just to be consistent with the other solr param methods:
44
- {
45
- :qt => :permissions,
46
- :id => id # this assumes the document request handler will map the 'id' param to the unique key field
47
- }
48
- end
49
-
37
+ #
38
+ # Solr integration
39
+ #
40
+
41
+ # returns a params hash with the permissions info for a single solr document
42
+ # If the id arg is nil, then the value is fetched from params[:id]
43
+ # This method is primary called by the get_permissions_solr_response_for_doc_id method.
44
+ # Modeled on Blacklight::SolrHelper.solr_doc_params
45
+ # @param [String] id of the documetn to retrieve
46
+ def permissions_solr_doc_params(id=nil)
47
+ id ||= params[:id]
48
+ # just to be consistent with the other solr param methods:
49
+ {
50
+ :qt => :permissions,
51
+ :id => id # this assumes the document request handler will map the 'id' param to the unique key field
52
+ }
53
+ end
54
+ end
50
55
  end
@@ -81,6 +81,7 @@ describe Hydra::AccessControlsEnforcement do
81
81
  lambda {subject.send(:enforce_show_permissions, {}) }.should_not raise_error Hydra::AccessDenied
82
82
  end
83
83
  it "should prevent a user w/o edit permissions from viewing an embargoed object" do
84
+ Hydra::PermissionsCache.clear()
84
85
  user = User.new :uid=>'testuser@example.com'
85
86
  RoleMapper.stub(:roles).with(user.user_key).and_return([])
86
87
  subject.stub(:current_user).and_return(user)
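Review bot: Only this one example calls `Hydra::PermissionsCache.clear()`, so the other examples in the file still see whatever permission documents earlier examples left in the process-wide cache and may pass or fail depending on run order. Moving the reset into a shared hook, `before { Hydra::PermissionsCache.clear }`, keeps each example independent. The enclosing `describe` block starts and ends outside this hunk, so I cannot see whether such a hook already exists.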
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hydra-access-controls
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.0.pre8
4
+ version: 6.0.0.rc1
5
5
  prerelease: 6
6
6
  platform: ruby
7
7
  authors:
@@ -11,14 +11,14 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2013-02-10 00:00:00.000000000 Z
14
+ date: 2013-02-15 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: activesupport
18
18
  requirement: !ruby/object:Gem::Requirement
19
19
  none: false
20
20
  requirements:
21
- - - ">="
21
+ - - ! '>='
22
22
  - !ruby/object:Gem::Version
23
23
  version: '0'
24
24
  type: :runtime
@@ -26,7 +26,7 @@ dependencies:
26
26
  version_requirements: !ruby/object:Gem::Requirement
27
27
  none: false
28
28
  requirements:
29
- - - ">="
29
+ - - ! '>='
30
30
  - !ruby/object:Gem::Version
31
31
  version: '0'
32
32
  - !ruby/object:Gem::Dependency
@@ -34,23 +34,23 @@ dependencies:
34
34
  requirement: !ruby/object:Gem::Requirement
35
35
  none: false
36
36
  requirements:
37
- - - ">="
37
+ - - ! '>='
38
38
  - !ruby/object:Gem::Version
39
- version: 6.0.0.pre10
39
+ version: 6.0.0.rc2
40
40
  type: :runtime
41
41
  prerelease: false
42
42
  version_requirements: !ruby/object:Gem::Requirement
43
43
  none: false
44
44
  requirements:
45
- - - ">="
45
+ - - ! '>='
46
46
  - !ruby/object:Gem::Version
47
- version: 6.0.0.pre10
47
+ version: 6.0.0.rc2
48
48
  - !ruby/object:Gem::Dependency
49
49
  name: cancan
50
50
  requirement: !ruby/object:Gem::Requirement
51
51
  none: false
52
52
  requirements:
53
- - - ">="
53
+ - - ! '>='
54
54
  - !ruby/object:Gem::Version
55
55
  version: '0'
56
56
  type: :runtime
@@ -58,7 +58,7 @@ dependencies:
58
58
  version_requirements: !ruby/object:Gem::Requirement
59
59
  none: false
60
60
  requirements:
61
- - - ">="
61
+ - - ! '>='
62
62
  - !ruby/object:Gem::Version
63
63
  version: '0'
64
64
  - !ruby/object:Gem::Dependency
@@ -66,7 +66,7 @@ dependencies:
66
66
  requirement: !ruby/object:Gem::Requirement
67
67
  none: false
68
68
  requirements:
69
- - - ">="
69
+ - - ! '>='
70
70
  - !ruby/object:Gem::Version
71
71
  version: '0'
72
72
  type: :runtime
@@ -74,7 +74,7 @@ dependencies:
74
74
  version_requirements: !ruby/object:Gem::Requirement
75
75
  none: false
76
76
  requirements:
77
- - - ">="
77
+ - - ! '>='
78
78
  - !ruby/object:Gem::Version
79
79
  version: '0'
80
80
  - !ruby/object:Gem::Dependency
@@ -82,7 +82,7 @@ dependencies:
82
82
  requirement: !ruby/object:Gem::Requirement
83
83
  none: false
84
84
  requirements:
85
- - - ">="
85
+ - - ! '>='
86
86
  - !ruby/object:Gem::Version
87
87
  version: '0'
88
88
  type: :runtime
@@ -90,7 +90,7 @@ dependencies:
90
90
  version_requirements: !ruby/object:Gem::Requirement
91
91
  none: false
92
92
  requirements:
93
- - - ">="
93
+ - - ! '>='
94
94
  - !ruby/object:Gem::Version
95
95
  version: '0'
96
96
  - !ruby/object:Gem::Dependency
@@ -98,7 +98,7 @@ dependencies:
98
98
  requirement: !ruby/object:Gem::Requirement
99
99
  none: false
100
100
  requirements:
101
- - - ">="
101
+ - - ! '>='
102
102
  - !ruby/object:Gem::Version
103
103
  version: '0'
104
104
  type: :development
@@ -106,7 +106,7 @@ dependencies:
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  none: false
108
108
  requirements:
109
- - - ">="
109
+ - - ! '>='
110
110
  - !ruby/object:Gem::Version
111
111
  version: '0'
112
112
  - !ruby/object:Gem::Dependency
@@ -114,7 +114,7 @@ dependencies:
114
114
  requirement: !ruby/object:Gem::Requirement
115
115
  none: false
116
116
  requirements:
117
- - - ">="
117
+ - - ! '>='
118
118
  - !ruby/object:Gem::Version
119
119
  version: '0'
120
120
  type: :development
@@ -122,7 +122,7 @@ dependencies:
122
122
  version_requirements: !ruby/object:Gem::Requirement
123
123
  none: false
124
124
  requirements:
125
- - - ">="
125
+ - - ! '>='
126
126
  - !ruby/object:Gem::Version
127
127
  version: '0'
128
128
  description: Access controls for project hydra
@@ -148,6 +148,7 @@ files:
148
148
  - lib/hydra/datastream/inheritable_rights_metadata.rb
149
149
  - lib/hydra/datastream/rights_metadata.rb
150
150
  - lib/hydra/model_mixins/rights_metadata.rb
151
+ - lib/hydra/permissions_cache.rb
151
152
  - lib/hydra/permissions_query.rb
152
153
  - lib/hydra/permissions_solr_document.rb
153
154
  - lib/hydra/policy_aware_ability.rb
@@ -182,13 +183,13 @@ require_paths:
182
183
  required_ruby_version: !ruby/object:Gem::Requirement
183
184
  none: false
184
185
  requirements:
185
- - - ">="
186
+ - - ! '>='
186
187
  - !ruby/object:Gem::Version
187
188
  version: 1.9.3
188
189
  required_rubygems_version: !ruby/object:Gem::Requirement
189
190
  none: false
190
191
  requirements:
191
- - - ">"
192
+ - - ! '>'
192
193
  - !ruby/object:Gem::Version
193
194
  version: 1.3.1
194
195
  requirements: []