RubyGems - hydra-access-controls - Versions diffs - 6.3.3 → 6.3.4 - Mend

hydra-access-controls 6.3.3 → 6.3.4

Files changed (9) hide show

checksums.yaml +7 -0
data/README.textile +6 -3
data/app/models/ability.rb +0 -1
data/lib/hydra/access_controls_enforcement.rb +7 -9
data/lib/hydra/permissions_solr_document.rb +1 -0
data/lib/hydra/policy_aware_access_controls_enforcement.rb +7 -7
data/spec/unit/access_controls_enforcement_spec.rb +8 -0
data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +21 -0
metadata +17 -33

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a66021a35f6755132cb22674e59e880d6980b571
+  data.tar.gz: 4d82907106c6f1c80e63d13cf02aef92b8ab6faa
+SHA512:
+  metadata.gz: dc5a599c3da37b374063f605ecc405db4ec68ea8b7b099a1c65507ff308459d58aea801589e05d98d6c52a33e33b31b2fc628de153071be8a451aba214659819
+  data.tar.gz: d135be6d700d4aba21be4736d3e867c3327929a39f95b7eb63adaad205eb0a1792641511342e13aa96d4fb5ef26306c581387eb7670d5187dcaeb2389481a7e5

data/README.textile CHANGED

@@ -12,18 +12,21 @@ The easiest way to make your code use this gem is to run the hydra generator tha
 * modifies the filters in your CatalogController class to inject access controls into solr queries
 * adds the YAML files that are used by the default RoleMapper class
 * adds section to hydra_config initializer that sets names used to look up enforcement info in solr (see "Modifying solr field names for enforcement" below)
+* adds ability.rb under app/models
 h2. Usage
 h3. Enforcing Hydra-based Access Controls using CanCan and Hydra::Ability
-They hydra generator handles part of this for you - it sets up the CatalogController (Blacklight's main controller for searches) to do gated discovery for you.
+The hydra generator handles part of this for you - it sets up the CatalogController (Blacklight's main controller for searches) to do gated discovery for you and creates an ability.rb file under app/models.
 Beyond enabling gated discovery, *everything is done using "CanCan":https://github.com/ryanb/cancan*.  For more information on CanCan, how to use it, and how to define access controls policies (aka "abilities":https://github.com/ryanb/cancan/wiki/Defining-Abilities), refer to the "CanCan documentation":https://github.com/ryanb/cancan/blob/master/README.rdoc.
-Within your CanCan ability definitions (usually ability.rb), if you include the "Hydra::Ability":https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb module, you will have :read and :edit permissions defined for you, along with some convenience methods that help you evaluate permssions against info in the rightsMetadata. *Note*: the Hydra rails generator includes this module into your ability.rb for you!
+Within your CanCan ability definitions, app/models/ability.rb, the "Hydra::Ability":https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb module is already included. This module has
+:read and :edit permissions defined for you, along with some convenience methods that help you evaluate permssions
+against info in the rightsMetadata datastream.
-In your custom controllers, you need to tell them to enforce access controls using "CanCan":https://github.com/ryanb/cancan.  There are a number of ways to do this.  The easiest way is to use the cancan "controller action":https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions 'load_and_authorize_resource', however on show and edit, this also causes a load the resource from fedora, which you may want to avoid.  If you want to authorize from solr, you ought to be able to call the cancan methods `authorize!` or `can?` which just checks the solr permissions handler.
+In your custom controllers, you will need to enforce access controls using "CanCan":https://github.com/ryanb/cancan.  There are a number of ways to do this.  The easiest way is to use the cancan "controller action":https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions 'load_and_authorize_resource', however on show and edit, this also causes a load the resource from fedora, which you may want to avoid.  If you want to authorize from solr, you ought to be able to call the cancan methods `authorize!` or `can?` which just checks the solr permissions handler.
 Examples of using authorize! and can? in controller methods:

data/app/models/ability.rb CHANGED

@@ -1,5 +1,4 @@
 # Allows you to use CanCan to control access to Models
 class Ability
   include Hydra::Ability
-  include Hydra::PolicyAwareAbility
 end

data/lib/hydra/access_controls_enforcement.rb CHANGED

@@ -44,6 +44,7 @@ module Hydra::AccessControlsEnforcement
   end
   def is_public?
+    ActiveSupport::Deprecation.warn("Hydra::AccessControlsEnforcement.is_public? has been deprecated. Use can? instead.")
     load_permissions_from_solr
     access_key = ActiveFedora::SolrService.solr_name("access", Hydra::Datastream::RightsMetadata.indexer)
     @permissions_solr_document[access_key].present? && @permissions_solr_document[access_key].first.downcase == "public"
@@ -58,14 +59,11 @@ module Hydra::AccessControlsEnforcement
   # @param [Hash] opts (optional, not currently used)
   def enforce_show_permissions(opts={})
     permissions = current_ability.permissions_doc(params[:id])
-    unless permissions.is_public?
-      #its not 'public'
-      if permissions.under_embargo? && !can?(:edit, permissions)
-        raise Hydra::AccessDenied.new("This item is under embargo.  You do not have sufficient access privileges to read this document.", :edit, params[:id])
-      end
-      unless can? :read, permissions
-        raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
-      end
+    if permissions.under_embargo? && !can?(:edit, permissions)
+      raise Hydra::AccessDenied.new("This item is under embargo.  You do not have sufficient access privileges to read this document.", :edit, params[:id])
+    end
+    unless can? :read, permissions
+      raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
     end
   end
@@ -120,7 +118,7 @@ module Hydra::AccessControlsEnforcement
   end
   def escape_filter(key, value)
-    [key, value.gsub('/', '\/')].join(':')
+    [key, value.gsub(/[ \/]/, ' ' => '\ ', '/' => '\/')].join(':')
   end
   def apply_individual_permissions(permission_types)

data/lib/hydra/permissions_solr_document.rb CHANGED

@@ -10,6 +10,7 @@ class Hydra::PermissionsSolrDocument < SolrDocument
   end
   def is_public?
+    ActiveSupport::Deprecation.warn("Hydra::PermissionsSolrDocument.is_public? has been deprecated. Use can? instead.")
     access_key = ActiveFedora::SolrService.solr_name("access", Hydra::Datastream::RightsMetadata.indexer)
     self[access_key].present? && self[access_key].first.downcase == "public"
   end

data/lib/hydra/policy_aware_access_controls_enforcement.rb CHANGED

@@ -33,28 +33,28 @@ module Hydra::PolicyAwareAccessControlsEnforcement
   end
-  def apply_policy_role_permissions(permission_types)
+  def apply_policy_role_permissions(permission_types = discovery_permissions)
       # for roles
       user_access_filters = []
       current_ability.user_groups.each_with_index do |role, i|
-        discovery_permissions.each do |type|
-          user_access_filters << ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ) + ":#{role}"
+        permission_types.each do |type|
+          user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ), role)
         end
       end
       user_access_filters
   end
-  def apply_policy_individual_permissions(permission_types)
+  def apply_policy_individual_permissions(permission_types = discovery_permissions)
     # for individual person access
     user_access_filters = []
     if current_user
-      discovery_permissions.each do |type|
-        user_access_filters << ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_person", Hydra::Datastream::RightsMetadata.indexer ) + ":#{current_user.user_key}"
+      permission_types.each do |type|
+        user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_person", Hydra::Datastream::RightsMetadata.indexer ), current_user.user_key)
       end
     end
     user_access_filters
   end
   # Returns the Model used for AdminPolicy objects.
   # You can set this by overriding this method or setting Hydra.config[:permissions][:policy_class]
   # Defults to Hydra::AdminPolicy

data/spec/unit/access_controls_enforcement_spec.rb CHANGED

@@ -140,6 +140,14 @@ describe Hydra::AccessControlsEnforcement do
         @solr_parameters[:fq].first.should match(/#{type}_access_group_ssim\:cde\\\/567/)
       end
     end
+    it "should escape spaces in the group names" do
+      RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["abc 123","cd/e 567"])
+      subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
+      ["discover","edit","read"].each do |type|
+        @solr_parameters[:fq].first.should match(/#{type}_access_group_ssim\:abc\\ 123/)
+        @solr_parameters[:fq].first.should match(/#{type}_access_group_ssim\:cd\\\/e\\ 567/)
+      end
+    end
   end
   describe "exclude_unwanted_models" do

data/spec/unit/policy_aware_access_controls_enforcement_spec.rb CHANGED

@@ -129,4 +129,25 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
       @solr_parameters[:fq].first.should_not include(" OR (#{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy1 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy2 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy3 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy4 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy5 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy6 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy7 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy8)")
     end
   end
+  describe "apply_policy_role_permissions" do
+    it "should escape slashes in the group names" do
+      RoleMapper.stub(:roles).with(@user.user_key).and_return(["abc/123","cde/567"])
+      subject.stub(:current_user).and_return(@user)
+      user_access_filters = subject.apply_policy_role_permissions
+      ["edit","discover","read"].each do |type|
+        user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:abc\\\/123")
+        user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:cde\\\/567")
+      end
+    end
+    it "should escape spaces in the group names" do
+      RoleMapper.stub(:roles).with(@user.user_key).and_return(["abc 123","cd/e 567"])
+      subject.stub(:current_user).and_return(@user)
+      user_access_filters = subject.apply_policy_role_permissions
+      ["edit","discover","read"].each do |type|
+        user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:abc\\ 123")
+        user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:cd\\\/e\\ 567")
+      end
+    end
+  end
 end

metadata CHANGED

@@ -1,8 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 6.3.3
-  prerelease:
+  version: 6.3.4
 platform: ruby
 authors:
 - Chris Beer
@@ -11,28 +10,25 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-08-16 00:00:00.000000000 Z
+date: 2013-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: active-fedora
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -40,7 +36,6 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -48,39 +43,34 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: cancan
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: deprecation
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: blacklight
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -88,7 +78,6 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -96,33 +85,29 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: Access controls for project hydra
@@ -178,27 +163,26 @@ files:
 homepage: http://projecthydra.org
 licenses:
 - APACHE2
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.23
+rubygems_version: 2.0.5
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: Access controls for project hydra
 test_files:
 - spec/factories.rb