RubyGems - hydra-access-controls - Versions diffs - 6.0.0.pre8 → 6.0.0.rc1 - Mend

hydra-access-controls 6.0.0.pre8 → 6.0.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

data/hydra-access-controls.gemspec +1 -1
data/lib/hydra-access-controls.rb +1 -0
data/lib/hydra/ability.rb +136 -135
data/lib/hydra/datastream/rights_metadata.rb +1 -1
data/lib/hydra/permissions_cache.rb +16 -0
data/lib/hydra/permissions_query.rb +48 -43
data/spec/unit/access_controls_enforcement_spec.rb +1 -0
metadata +21 -20

data/hydra-access-controls.gemspec CHANGED

@@ -18,7 +18,7 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 1.9.3'
   gem.add_dependency 'activesupport'
-  gem.add_dependency "active-fedora", '>= 6.0.0.pre10'
+  gem.add_dependency "active-fedora", '>= 6.0.0.rc2'
   gem.add_dependency 'cancan'
   gem.add_dependency 'deprecation'
   gem.add_dependency 'blacklight'

data/lib/hydra-access-controls.rb CHANGED

@@ -15,6 +15,7 @@ module Hydra
   autoload :AdminPolicy
   autoload :RoleMapperBehavior
   autoload :PermissionsQuery
+  autoload :PermissionsCache
   autoload :PermissionsSolrDocument
   class Engine < Rails::Engine
   end

data/lib/hydra/ability.rb CHANGED

@@ -1,162 +1,163 @@
 # Code for [CANCAN] access to Hydra models
 require 'cancan'
-module Hydra::Ability
-  extend ActiveSupport::Concern
-  # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
-  #
-  # self.ability_logic +=[:setup_my_permissions]
-  included do
-    include CanCan::Ability
-    include Hydra::PermissionsQuery
-    include Blacklight::SolrHelper
-    class_attribute :ability_logic
-    self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
-  end
-  def self.user_class
-    Hydra.config[:user_model] ?  Hydra.config[:user_model].constantize : ::User
-  end
-  attr_reader :current_user, :session
-  def initialize(user, session=nil)
-    @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
-    @user = @current_user # just in case someone was using this in an override. Just don't.
-    @session = session
-    hydra_default_permissions()
-  end
-  ## You can override this method if you are using a different AuthZ (such as LDAP)
-  def user_groups
-    return @user_groups if @user_groups
+module Hydra
+  module Ability
+    extend ActiveSupport::Concern
-    @user_groups = default_user_groups
-    @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
-    @user_groups |= ['registered'] unless current_user.new_record?
-    @user_groups
-  end
-  def default_user_groups
-    # # everyone is automatically a member of the group 'public'
-    ['public']
-  end
-  def hydra_default_permissions
-    logger.debug("Usergroups are " + user_groups.inspect)
-    self.ability_logic.each do |method|
-      send(method)
+    # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
+    #
+    # self.ability_logic +=[:setup_my_permissions]
+    included do
+      include CanCan::Ability
+      include Hydra::PermissionsQuery
+      include Blacklight::SolrHelper
+      class_attribute :ability_logic
+      self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
     end
-  end
-  def create_permissions
-    can :create, :all if user_groups.include? 'registered'
-  end
+    def self.user_class
+      Hydra.config[:user_model] ?  Hydra.config[:user_model].constantize : ::User
+    end
-  def edit_permissions
-    can [:edit, :update, :destroy], String do |pid|
-      test_edit(pid)
-    end
+    attr_reader :current_user, :session
-    can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
-      test_edit(obj.pid)
+    def initialize(user, session=nil)
+      @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
+      @user = @current_user # just in case someone was using this in an override. Just don't.
+      @session = session
+      hydra_default_permissions()
     end
-    can :edit, SolrDocument do |obj|
-      @permission_doc_cache[obj.id] = obj
-      test_edit(obj.id)
-    end
-  end
-  def read_permissions
-    can :read, String do |pid|
-      test_read(pid)
+    ## You can override this method if you are using a different AuthZ (such as LDAP)
+    def user_groups
+      return @user_groups if @user_groups
+      @user_groups = default_user_groups
+      @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
+      @user_groups |= ['registered'] unless current_user.new_record?
+      @user_groups
     end
-    can :read, ActiveFedora::Base do |obj|
-      test_read(obj.pid)
-    end
+    def default_user_groups
+      # # everyone is automatically a member of the group 'public'
+      ['public']
+    end
-    can :read, SolrDocument do |obj|
-      @permission_doc_cache[obj.id] = obj
-      test_read(obj.id)
-    end
-  end
+    def hydra_default_permissions
+      logger.debug("Usergroups are " + user_groups.inspect)
+      self.ability_logic.each do |method|
+        send(method)
+      end
+    end
-  ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
-  def custom_permissions
-  end
-  protected
-  def test_edit(pid)
-    logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & edit_groups(pid)
-    result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
-    logger.debug("[CANCAN] decision: #{result}")
-    result
-  end
-  def test_read(pid)
-    logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & read_groups(pid)
-    result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
-    result
-  end
-  def edit_groups(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    eg = doc[self.class.edit_group_field] || []
-    logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
-    return eg
-  end
+    def create_permissions
+      can :create, :all if user_groups.include? 'registered'
+    end
-  # edit implies read, so read_groups is the union of edit and read groups
-  def read_groups(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
-    logger.debug("[CANCAN] read_groups: #{rg.inspect}")
-    return rg
-  end
+    def edit_permissions
+      can [:edit, :update, :destroy], String do |pid|
+        test_edit(pid)
+      end
+      can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
+        test_edit(obj.pid)
+      end
+      can :edit, SolrDocument do |obj|
+        PermissionsCache.put(obj.id, obj)
+        test_edit(obj.id)
+      end
+    end
-  def edit_persons(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    ep = doc[self.class.edit_person_field] ||  []
-    logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
-    return ep
-  end
+    def read_permissions
+      can :read, String do |pid|
+        test_read(pid)
+      end
+      can :read, ActiveFedora::Base do |obj|
+        test_read(obj.pid)
+      end
+      can :read, SolrDocument do |obj|
+        PermissionsCache.put(obj.id, obj)
+        test_read(obj.id)
+      end
+    end
-  # edit implies read, so read_persons is the union of edit and read persons
-  def read_persons(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
-    logger.debug("[CANCAN] read_persons: #{rp.inspect}")
-    return rp
-  end
-  module ClassMethods
-    def read_group_field
-      Hydra.config[:permissions][:read][:group]
+    ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
+    def custom_permissions
+    end
+    protected
+    def test_edit(pid)
+      logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+      group_intersection = user_groups & edit_groups(pid)
+      result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
+      logger.debug("[CANCAN] decision: #{result}")
+      result
+    end
+    def test_read(pid)
+      logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+      group_intersection = user_groups & read_groups(pid)
+      result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
+      result
+    end
+    def edit_groups(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      eg = doc[self.class.edit_group_field] || []
+      logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
+      return eg
+    end
+    # edit implies read, so read_groups is the union of edit and read groups
+    def read_groups(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
+      logger.debug("[CANCAN] read_groups: #{rg.inspect}")
+      return rg
     end
-    def edit_person_field
-      Hydra.config[:permissions][:edit][:individual]
+    def edit_persons(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      ep = doc[self.class.edit_person_field] ||  []
+      logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
+      return ep
     end
-    def read_person_field
-      Hydra.config[:permissions][:read][:individual]
+    # edit implies read, so read_persons is the union of edit and read persons
+    def read_persons(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
+      logger.debug("[CANCAN] read_persons: #{rp.inspect}")
+      return rp
     end
-    def edit_group_field
-      Hydra.config[:permissions][:edit][:group]
+    module ClassMethods
+      def read_group_field
+        Hydra.config[:permissions][:read][:group]
+      end
+      def edit_person_field
+        Hydra.config[:permissions][:edit][:individual]
+      end
+      def read_person_field
+        Hydra.config[:permissions][:read][:individual]
+      end
+      def edit_group_field
+        Hydra.config[:permissions][:edit][:group]
+      end
     end
   end
 end

data/lib/hydra/datastream/rights_metadata.rb CHANGED

@@ -2,7 +2,7 @@ require 'active_support/core_ext/string'
 module Hydra
   module Datastream
     # Implements Hydra RightsMetadata XML terminology for asserting access permissions
-    class RightsMetadata < ActiveFedora::NokogiriDatastream
+    class RightsMetadata < ActiveFedora::OmDatastream
       set_terminology do |t|
         t.root(:path=>"rightsMetadata", :xmlns=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1", :schema=>"http://github.com/projecthydra/schemas/tree/v1/rightsMetadata.xsd")

data/lib/hydra/permissions_cache.rb ADDED

@@ -0,0 +1,16 @@
+module Hydra::PermissionsCache
+  @@cache = {}
+  def self.get(pid)
+    @@cache[pid]
+  end
+  def self.put(pid, doc)
+    @@cache[pid] = doc
+  end
+  def self.clear
+    @@cache = {}
+  end
+end

data/lib/hydra/permissions_query.rb CHANGED

@@ -1,50 +1,55 @@
-module Hydra::PermissionsQuery
-  extend ActiveSupport::Concern
-  included do
-    include Blacklight::SolrHelper # for force_to_utf8
-  end
+module Hydra
+  module PermissionsQuery
+    extend ActiveSupport::Concern
+    included do
+      include Blacklight::SolrHelper # for force_to_utf8
+    end
-  def permissions_doc(pid)
-    @permission_doc_cache ||= {}
-    @permission_doc_cache[pid] ||= get_permissions_solr_response_for_doc_id(pid)
-  end
+    def permissions_doc(pid)
+      doc = Hydra::PermissionsCache.get(pid)
+      unless doc
+        doc = get_permissions_solr_response_for_doc_id(pid)
+        Hydra::PermissionsCache.put(pid, doc)
+      end
+      doc
+    end
-  protected
+    protected
-  # a solr query method
-  # retrieve a solr document, given the doc id
-  # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
-  # @param [String] id of the documetn to retrieve
-  # @param [Hash] extra_controller_params (optional)
-  def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
-    raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
-    #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
-    #path = blacklight_config.solr_path
-    solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
-    response = Blacklight.solr.get('select', :params=> solr_opts)
-    solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
+    # a solr query method
+    # retrieve a solr document, given the doc id
+    # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
+    # @param [String] id of the documetn to retrieve
+    # @param [Hash] extra_controller_params (optional)
+    def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
+      raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
+      #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
+      #path = blacklight_config.solr_path
+      solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
+      response = Blacklight.solr.get('select', :params=> solr_opts)
+      solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
-    raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
-    Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
-  end
+      raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
+      Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
+    end
-  #
-  #  Solr integration
-  #
-  # returns a params hash with the permissions info for a single solr document
-  # If the id arg is nil, then the value is fetched from params[:id]
-  # This method is primary called by the get_permissions_solr_response_for_doc_id method.
-  # Modeled on Blacklight::SolrHelper.solr_doc_params
-  # @param [String] id of the documetn to retrieve
-  def permissions_solr_doc_params(id=nil)
-    id ||= params[:id]
-    # just to be consistent with the other solr param methods:
-    {
-      :qt => :permissions,
-      :id => id # this assumes the document request handler will map the 'id' param to the unique key field
-    }
-  end
+    #
+    #  Solr integration
+    #
+    # returns a params hash with the permissions info for a single solr document
+    # If the id arg is nil, then the value is fetched from params[:id]
+    # This method is primary called by the get_permissions_solr_response_for_doc_id method.
+    # Modeled on Blacklight::SolrHelper.solr_doc_params
+    # @param [String] id of the documetn to retrieve
+    def permissions_solr_doc_params(id=nil)
+      id ||= params[:id]
+      # just to be consistent with the other solr param methods:
+      {
+        :qt => :permissions,
+        :id => id # this assumes the document request handler will map the 'id' param to the unique key field
+      }
+    end
+  end
 end

data/spec/unit/access_controls_enforcement_spec.rb CHANGED

@@ -81,6 +81,7 @@ describe Hydra::AccessControlsEnforcement do
       lambda {subject.send(:enforce_show_permissions, {}) }.should_not raise_error Hydra::AccessDenied
     end
     it "should prevent a user w/o edit permissions from viewing an embargoed object" do
+      Hydra::PermissionsCache.clear()
       user = User.new :uid=>'testuser@example.com'
       RoleMapper.stub(:roles).with(user.user_key).and_return([])
       subject.stub(:current_user).and_return(user)

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 6.0.0.pre8
+  version: 6.0.0.rc1
   prerelease: 6
 platform: ruby
 authors:
@@ -11,14 +11,14 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-02-10 00:00:00.000000000 Z
+date: 2013-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -26,7 +26,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -34,23 +34,23 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 6.0.0.pre10
+        version: 6.0.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 6.0.0.pre10
+        version: 6.0.0.rc2
 - !ruby/object:Gem::Dependency
   name: cancan
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -58,7 +58,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -66,7 +66,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -74,7 +74,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -82,7 +82,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -90,7 +90,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -98,7 +98,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -106,7 +106,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -114,7 +114,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -122,7 +122,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: Access controls for project hydra
@@ -148,6 +148,7 @@ files:
 - lib/hydra/datastream/inheritable_rights_metadata.rb
 - lib/hydra/datastream/rights_metadata.rb
 - lib/hydra/model_mixins/rights_metadata.rb
+- lib/hydra/permissions_cache.rb
 - lib/hydra/permissions_query.rb
 - lib/hydra/permissions_solr_document.rb
 - lib/hydra/policy_aware_ability.rb
@@ -182,13 +183,13 @@ require_paths:
 required_ruby_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ">"
+  - - ! '>'
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []