hydra-access-controls 6.0.0.pre8 → 6.0.0.rc1

@@ -18,7 +18,7 @@ Gem::Specification.new do |gem|
18
18
  gem.required_ruby_version = '>= 1.9.3'
19
19
 
20
20
  gem.add_dependency 'activesupport'
21
- gem.add_dependency "active-fedora", '>= 6.0.0.pre10'
21
+ gem.add_dependency "active-fedora", '>= 6.0.0.rc2'
22
22
  gem.add_dependency 'cancan'
23
23
  gem.add_dependency 'deprecation'
24
24
  gem.add_dependency 'blacklight'
@@ -15,6 +15,7 @@ module Hydra
15
15
  autoload :AdminPolicy
16
16
  autoload :RoleMapperBehavior
17
17
  autoload :PermissionsQuery
18
+ autoload :PermissionsCache
18
19
  autoload :PermissionsSolrDocument
19
20
  class Engine < Rails::Engine
20
21
  end
@@ -1,162 +1,163 @@
1
1
  # Code for [CANCAN] access to Hydra models
2
2
  require 'cancan'
3
- module Hydra::Ability
4
- extend ActiveSupport::Concern
5
-
6
- # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
7
- #
8
- # self.ability_logic +=[:setup_my_permissions]
9
-
10
- included do
11
- include CanCan::Ability
12
- include Hydra::PermissionsQuery
13
- include Blacklight::SolrHelper
14
- class_attribute :ability_logic
15
- self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
16
- end
17
-
18
- def self.user_class
19
- Hydra.config[:user_model] ? Hydra.config[:user_model].constantize : ::User
20
- end
21
-
22
- attr_reader :current_user, :session
23
-
24
- def initialize(user, session=nil)
25
- @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
26
- @user = @current_user # just in case someone was using this in an override. Just don't.
27
- @session = session
28
- hydra_default_permissions()
29
- end
30
-
31
- ## You can override this method if you are using a different AuthZ (such as LDAP)
32
- def user_groups
33
- return @user_groups if @user_groups
3
+ module Hydra
4
+ module Ability
5
+ extend ActiveSupport::Concern
34
6
 
35
- @user_groups = default_user_groups
36
- @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
37
- @user_groups |= ['registered'] unless current_user.new_record?
38
- @user_groups
39
- end
40
-
41
- def default_user_groups
42
- # # everyone is automatically a member of the group 'public'
43
- ['public']
44
- end
45
-
46
-
47
- def hydra_default_permissions
48
- logger.debug("Usergroups are " + user_groups.inspect)
49
- self.ability_logic.each do |method|
50
- send(method)
7
+ # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
8
+ #
9
+ # self.ability_logic +=[:setup_my_permissions]
10
+
11
+ included do
12
+ include CanCan::Ability
13
+ include Hydra::PermissionsQuery
14
+ include Blacklight::SolrHelper
15
+ class_attribute :ability_logic
16
+ self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
51
17
  end
52
- end
53
18
 
54
- def create_permissions
55
- can :create, :all if user_groups.include? 'registered'
56
- end
19
+ def self.user_class
20
+ Hydra.config[:user_model] ? Hydra.config[:user_model].constantize : ::User
21
+ end
57
22
 
58
- def edit_permissions
59
- can [:edit, :update, :destroy], String do |pid|
60
- test_edit(pid)
61
- end
23
+ attr_reader :current_user, :session
62
24
 
63
- can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
64
- test_edit(obj.pid)
25
+ def initialize(user, session=nil)
26
+ @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
27
+ @user = @current_user # just in case someone was using this in an override. Just don't.
28
+ @session = session
29
+ hydra_default_permissions()
65
30
  end
66
-
67
- can :edit, SolrDocument do |obj|
68
- @permission_doc_cache[obj.id] = obj
69
- test_edit(obj.id)
70
- end
71
- end
72
31
 
73
- def read_permissions
74
- can :read, String do |pid|
75
- test_read(pid)
32
+ ## You can override this method if you are using a different AuthZ (such as LDAP)
33
+ def user_groups
34
+ return @user_groups if @user_groups
35
+
36
+ @user_groups = default_user_groups
37
+ @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
38
+ @user_groups |= ['registered'] unless current_user.new_record?
39
+ @user_groups
76
40
  end
77
41
 
78
- can :read, ActiveFedora::Base do |obj|
79
- test_read(obj.pid)
80
- end
42
+ def default_user_groups
43
+ # # everyone is automatically a member of the group 'public'
44
+ ['public']
45
+ end
81
46
 
82
- can :read, SolrDocument do |obj|
83
- @permission_doc_cache[obj.id] = obj
84
- test_read(obj.id)
85
- end
86
- end
87
47
 
48
+ def hydra_default_permissions
49
+ logger.debug("Usergroups are " + user_groups.inspect)
50
+ self.ability_logic.each do |method|
51
+ send(method)
52
+ end
53
+ end
88
54
 
89
- ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
90
- def custom_permissions
91
- end
92
-
93
- protected
94
-
95
- def test_edit(pid)
96
- logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
97
- group_intersection = user_groups & edit_groups(pid)
98
- result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
99
- logger.debug("[CANCAN] decision: #{result}")
100
- result
101
- end
102
-
103
- def test_read(pid)
104
- logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
105
- group_intersection = user_groups & read_groups(pid)
106
- result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
107
- result
108
- end
109
-
110
- def edit_groups(pid)
111
- doc = permissions_doc(pid)
112
- return [] if doc.nil?
113
- eg = doc[self.class.edit_group_field] || []
114
- logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
115
- return eg
116
- end
55
+ def create_permissions
56
+ can :create, :all if user_groups.include? 'registered'
57
+ end
117
58
 
118
- # edit implies read, so read_groups is the union of edit and read groups
119
- def read_groups(pid)
120
- doc = permissions_doc(pid)
121
- return [] if doc.nil?
122
- rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
123
- logger.debug("[CANCAN] read_groups: #{rg.inspect}")
124
- return rg
125
- end
59
+ def edit_permissions
60
+ can [:edit, :update, :destroy], String do |pid|
61
+ test_edit(pid)
62
+ end
63
+
64
+ can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
65
+ test_edit(obj.pid)
66
+ end
67
+
68
+ can :edit, SolrDocument do |obj|
69
+ PermissionsCache.put(obj.id, obj)
70
+ test_edit(obj.id)
71
+ end
72
+ end
126
73
 
127
- def edit_persons(pid)
128
- doc = permissions_doc(pid)
129
- return [] if doc.nil?
130
- ep = doc[self.class.edit_person_field] || []
131
- logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
132
- return ep
133
- end
74
+ def read_permissions
75
+ can :read, String do |pid|
76
+ test_read(pid)
77
+ end
78
+
79
+ can :read, ActiveFedora::Base do |obj|
80
+ test_read(obj.pid)
81
+ end
82
+
83
+ can :read, SolrDocument do |obj|
84
+ PermissionsCache.put(obj.id, obj)
85
+ test_read(obj.id)
86
+ end
87
+ end
134
88
 
135
- # edit implies read, so read_persons is the union of edit and read persons
136
- def read_persons(pid)
137
- doc = permissions_doc(pid)
138
- return [] if doc.nil?
139
- rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
140
- logger.debug("[CANCAN] read_persons: #{rp.inspect}")
141
- return rp
142
- end
143
89
 
144
- module ClassMethods
145
- def read_group_field
146
- Hydra.config[:permissions][:read][:group]
90
+ ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
91
+ def custom_permissions
92
+ end
93
+
94
+ protected
95
+
96
+ def test_edit(pid)
97
+ logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
98
+ group_intersection = user_groups & edit_groups(pid)
99
+ result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
100
+ logger.debug("[CANCAN] decision: #{result}")
101
+ result
102
+ end
103
+
104
+ def test_read(pid)
105
+ logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
106
+ group_intersection = user_groups & read_groups(pid)
107
+ result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
108
+ result
109
+ end
110
+
111
+ def edit_groups(pid)
112
+ doc = permissions_doc(pid)
113
+ return [] if doc.nil?
114
+ eg = doc[self.class.edit_group_field] || []
115
+ logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
116
+ return eg
117
+ end
118
+
119
+ # edit implies read, so read_groups is the union of edit and read groups
120
+ def read_groups(pid)
121
+ doc = permissions_doc(pid)
122
+ return [] if doc.nil?
123
+ rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
124
+ logger.debug("[CANCAN] read_groups: #{rg.inspect}")
125
+ return rg
147
126
  end
148
127
 
149
- def edit_person_field
150
- Hydra.config[:permissions][:edit][:individual]
128
+ def edit_persons(pid)
129
+ doc = permissions_doc(pid)
130
+ return [] if doc.nil?
131
+ ep = doc[self.class.edit_person_field] || []
132
+ logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
133
+ return ep
151
134
  end
152
135
 
153
- def read_person_field
154
- Hydra.config[:permissions][:read][:individual]
136
+ # edit implies read, so read_persons is the union of edit and read persons
137
+ def read_persons(pid)
138
+ doc = permissions_doc(pid)
139
+ return [] if doc.nil?
140
+ rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
141
+ logger.debug("[CANCAN] read_persons: #{rp.inspect}")
142
+ return rp
155
143
  end
156
144
 
157
- def edit_group_field
158
- Hydra.config[:permissions][:edit][:group]
145
+ module ClassMethods
146
+ def read_group_field
147
+ Hydra.config[:permissions][:read][:group]
148
+ end
149
+
150
+ def edit_person_field
151
+ Hydra.config[:permissions][:edit][:individual]
152
+ end
153
+
154
+ def read_person_field
155
+ Hydra.config[:permissions][:read][:individual]
156
+ end
157
+
158
+ def edit_group_field
159
+ Hydra.config[:permissions][:edit][:group]
160
+ end
159
161
  end
160
162
  end
161
-
162
163
  end
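Review bot: The `can :edit, SolrDocument` and `can :read, SolrDocument` blocks now store the caller's document with `PermissionsCache.put(obj.id, obj)`, and the new `Hydra::PermissionsCache` keeps it in a module-level `@@cache`, so that object becomes the permissions record `test_edit`/`test_read` consult for that id in every later check in the process, for every user. The removed code kept it in `@permission_doc_cache` on the ability instance, which limited its reach to one ability object. Nothing visible in this diff evicts an entry outside the spec, so a grant that has since been revoked, or a document that happens to lack the permission fields, would keep deciding access until the process restarts. I would either keep the per-instance cache in these blocks or call `Hydra::PermissionsCache.clear` at a request boundary; the same applies to `permissions_doc` in the PermissionsQuery section.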
@@ -2,7 +2,7 @@ require 'active_support/core_ext/string'
2
2
  module Hydra
3
3
  module Datastream
4
4
  # Implements Hydra RightsMetadata XML terminology for asserting access permissions
5
- class RightsMetadata < ActiveFedora::NokogiriDatastream
5
+ class RightsMetadata < ActiveFedora::OmDatastream
6
6
 
7
7
  set_terminology do |t|
8
8
  t.root(:path=>"rightsMetadata", :xmlns=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1", :schema=>"http://github.com/projecthydra/schemas/tree/v1/rightsMetadata.xsd")
@@ -0,0 +1,16 @@
1
+ module Hydra::PermissionsCache
2
+ @@cache = {}
3
+
4
+ def self.get(pid)
5
+ @@cache[pid]
6
+ end
7
+
8
+ def self.put(pid, doc)
9
+ @@cache[pid] = doc
10
+ end
11
+
12
+ def self.clear
13
+ @@cache = {}
14
+ end
15
+
16
+ end
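Review bot: `@@cache` is a plain Hash shared by every thread with no lock, no size bound and no expiry, yet authorization decisions are read from it. `get`, `put` and `clear` should be serialized, the store is better held in a module instance variable than a class variable, and `clear` can empty the hash in place instead of rebinding it. The sketch below covers only the locking; an eviction or time-to-live policy is still needed on top of it.

```ruby
module Hydra::PermissionsCache
  @cache = {}
  @lock = Mutex.new

  def self.get(pid)
    @lock.synchronize { @cache[pid] }
  end

  def self.put(pid, doc)
    @lock.synchronize { @cache[pid] = doc }
  end

  def self.clear
    @lock.synchronize { @cache.clear }
  end
end
```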
@@ -1,50 +1,55 @@
1
- module Hydra::PermissionsQuery
2
- extend ActiveSupport::Concern
3
- included do
4
- include Blacklight::SolrHelper # for force_to_utf8
5
- end
1
+ module Hydra
2
+ module PermissionsQuery
3
+ extend ActiveSupport::Concern
4
+ included do
5
+ include Blacklight::SolrHelper # for force_to_utf8
6
+ end
6
7
 
7
- def permissions_doc(pid)
8
- @permission_doc_cache ||= {}
9
- @permission_doc_cache[pid] ||= get_permissions_solr_response_for_doc_id(pid)
10
- end
8
+ def permissions_doc(pid)
9
+ doc = Hydra::PermissionsCache.get(pid)
10
+ unless doc
11
+ doc = get_permissions_solr_response_for_doc_id(pid)
12
+ Hydra::PermissionsCache.put(pid, doc)
13
+ end
14
+ doc
15
+ end
11
16
 
12
17
 
13
- protected
18
+ protected
14
19
 
15
- # a solr query method
16
- # retrieve a solr document, given the doc id
17
- # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
18
- # @param [String] id of the documetn to retrieve
19
- # @param [Hash] extra_controller_params (optional)
20
- def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
21
- raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
22
- #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
23
- #path = blacklight_config.solr_path
24
- solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
25
- response = Blacklight.solr.get('select', :params=> solr_opts)
26
- solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
20
+ # a solr query method
21
+ # retrieve a solr document, given the doc id
22
+ # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
23
+ # @param [String] id of the documetn to retrieve
24
+ # @param [Hash] extra_controller_params (optional)
25
+ def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
26
+ raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
27
+ #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
28
+ #path = blacklight_config.solr_path
29
+ solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
30
+ response = Blacklight.solr.get('select', :params=> solr_opts)
31
+ solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
27
32
 
28
- raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
29
- Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
30
- end
33
+ raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
34
+ Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
35
+ end
31
36
 
32
- #
33
- # Solr integration
34
- #
35
-
36
- # returns a params hash with the permissions info for a single solr document
37
- # If the id arg is nil, then the value is fetched from params[:id]
38
- # This method is primary called by the get_permissions_solr_response_for_doc_id method.
39
- # Modeled on Blacklight::SolrHelper.solr_doc_params
40
- # @param [String] id of the documetn to retrieve
41
- def permissions_solr_doc_params(id=nil)
42
- id ||= params[:id]
43
- # just to be consistent with the other solr param methods:
44
- {
45
- :qt => :permissions,
46
- :id => id # this assumes the document request handler will map the 'id' param to the unique key field
47
- }
48
- end
49
-
37
+ #
38
+ # Solr integration
39
+ #
40
+
41
+ # returns a params hash with the permissions info for a single solr document
42
+ # If the id arg is nil, then the value is fetched from params[:id]
43
+ # This method is primary called by the get_permissions_solr_response_for_doc_id method.
44
+ # Modeled on Blacklight::SolrHelper.solr_doc_params
45
+ # @param [String] id of the documetn to retrieve
46
+ def permissions_solr_doc_params(id=nil)
47
+ id ||= params[:id]
48
+ # just to be consistent with the other solr param methods:
49
+ {
50
+ :qt => :permissions,
51
+ :id => id # this assumes the document request handler will map the 'id' param to the unique key field
52
+ }
53
+ end
54
+ end
50
55
  end
@@ -81,6 +81,7 @@ describe Hydra::AccessControlsEnforcement do
81
81
  lambda {subject.send(:enforce_show_permissions, {}) }.should_not raise_error Hydra::AccessDenied
82
82
  end
83
83
  it "should prevent a user w/o edit permissions from viewing an embargoed object" do
84
+ Hydra::PermissionsCache.clear()
84
85
  user = User.new :uid=>'testuser@example.com'
85
86
  RoleMapper.stub(:roles).with(user.user_key).and_return([])
86
87
  subject.stub(:current_user).and_return(user)
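Review bot: `Hydra::PermissionsCache.clear()` is added to only this example, which suggests cached permission documents leak between examples; whether other examples clear it is not visible in this hunk. Moving it to `before { Hydra::PermissionsCache.clear }` for the describe block would keep each access-control example independent of run order. The `describe` block and this example both continue outside the hunk.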
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hydra-access-controls
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.0.pre8
4
+ version: 6.0.0.rc1
5
5
  prerelease: 6
6
6
  platform: ruby
7
7
  authors:
@@ -11,14 +11,14 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2013-02-10 00:00:00.000000000 Z
14
+ date: 2013-02-15 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: activesupport
18
18
  requirement: !ruby/object:Gem::Requirement
19
19
  none: false
20
20
  requirements:
21
- - - ">="
21
+ - - ! '>='
22
22
  - !ruby/object:Gem::Version
23
23
  version: '0'
24
24
  type: :runtime
@@ -26,7 +26,7 @@ dependencies:
26
26
  version_requirements: !ruby/object:Gem::Requirement
27
27
  none: false
28
28
  requirements:
29
- - - ">="
29
+ - - ! '>='
30
30
  - !ruby/object:Gem::Version
31
31
  version: '0'
32
32
  - !ruby/object:Gem::Dependency
@@ -34,23 +34,23 @@ dependencies:
34
34
  requirement: !ruby/object:Gem::Requirement
35
35
  none: false
36
36
  requirements:
37
- - - ">="
37
+ - - ! '>='
38
38
  - !ruby/object:Gem::Version
39
- version: 6.0.0.pre10
39
+ version: 6.0.0.rc2
40
40
  type: :runtime
41
41
  prerelease: false
42
42
  version_requirements: !ruby/object:Gem::Requirement
43
43
  none: false
44
44
  requirements:
45
- - - ">="
45
+ - - ! '>='
46
46
  - !ruby/object:Gem::Version
47
- version: 6.0.0.pre10
47
+ version: 6.0.0.rc2
48
48
  - !ruby/object:Gem::Dependency
49
49
  name: cancan
50
50
  requirement: !ruby/object:Gem::Requirement
51
51
  none: false
52
52
  requirements:
53
- - - ">="
53
+ - - ! '>='
54
54
  - !ruby/object:Gem::Version
55
55
  version: '0'
56
56
  type: :runtime
@@ -58,7 +58,7 @@ dependencies:
58
58
  version_requirements: !ruby/object:Gem::Requirement
59
59
  none: false
60
60
  requirements:
61
- - - ">="
61
+ - - ! '>='
62
62
  - !ruby/object:Gem::Version
63
63
  version: '0'
64
64
  - !ruby/object:Gem::Dependency
@@ -66,7 +66,7 @@ dependencies:
66
66
  requirement: !ruby/object:Gem::Requirement
67
67
  none: false
68
68
  requirements:
69
- - - ">="
69
+ - - ! '>='
70
70
  - !ruby/object:Gem::Version
71
71
  version: '0'
72
72
  type: :runtime
@@ -74,7 +74,7 @@ dependencies:
74
74
  version_requirements: !ruby/object:Gem::Requirement
75
75
  none: false
76
76
  requirements:
77
- - - ">="
77
+ - - ! '>='
78
78
  - !ruby/object:Gem::Version
79
79
  version: '0'
80
80
  - !ruby/object:Gem::Dependency
@@ -82,7 +82,7 @@ dependencies:
82
82
  requirement: !ruby/object:Gem::Requirement
83
83
  none: false
84
84
  requirements:
85
- - - ">="
85
+ - - ! '>='
86
86
  - !ruby/object:Gem::Version
87
87
  version: '0'
88
88
  type: :runtime
@@ -90,7 +90,7 @@ dependencies:
90
90
  version_requirements: !ruby/object:Gem::Requirement
91
91
  none: false
92
92
  requirements:
93
- - - ">="
93
+ - - ! '>='
94
94
  - !ruby/object:Gem::Version
95
95
  version: '0'
96
96
  - !ruby/object:Gem::Dependency
@@ -98,7 +98,7 @@ dependencies:
98
98
  requirement: !ruby/object:Gem::Requirement
99
99
  none: false
100
100
  requirements:
101
- - - ">="
101
+ - - ! '>='
102
102
  - !ruby/object:Gem::Version
103
103
  version: '0'
104
104
  type: :development
@@ -106,7 +106,7 @@ dependencies:
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  none: false
108
108
  requirements:
109
- - - ">="
109
+ - - ! '>='
110
110
  - !ruby/object:Gem::Version
111
111
  version: '0'
112
112
  - !ruby/object:Gem::Dependency
@@ -114,7 +114,7 @@ dependencies:
114
114
  requirement: !ruby/object:Gem::Requirement
115
115
  none: false
116
116
  requirements:
117
- - - ">="
117
+ - - ! '>='
118
118
  - !ruby/object:Gem::Version
119
119
  version: '0'
120
120
  type: :development
@@ -122,7 +122,7 @@ dependencies:
122
122
  version_requirements: !ruby/object:Gem::Requirement
123
123
  none: false
124
124
  requirements:
125
- - - ">="
125
+ - - ! '>='
126
126
  - !ruby/object:Gem::Version
127
127
  version: '0'
128
128
  description: Access controls for project hydra
@@ -148,6 +148,7 @@ files:
148
148
  - lib/hydra/datastream/inheritable_rights_metadata.rb
149
149
  - lib/hydra/datastream/rights_metadata.rb
150
150
  - lib/hydra/model_mixins/rights_metadata.rb
151
+ - lib/hydra/permissions_cache.rb
151
152
  - lib/hydra/permissions_query.rb
152
153
  - lib/hydra/permissions_solr_document.rb
153
154
  - lib/hydra/policy_aware_ability.rb
@@ -182,13 +183,13 @@ require_paths:
182
183
  required_ruby_version: !ruby/object:Gem::Requirement
183
184
  none: false
184
185
  requirements:
185
- - - ">="
186
+ - - ! '>='
186
187
  - !ruby/object:Gem::Version
187
188
  version: 1.9.3
188
189
  required_rubygems_version: !ruby/object:Gem::Requirement
189
190
  none: false
190
191
  requirements:
191
- - - ">"
192
+ - - ! '>'
192
193
  - !ruby/object:Gem::Version
193
194
  version: 1.3.1
194
195
  requirements: []