hydra-access-controls 6.3.3 → 6.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: a66021a35f6755132cb22674e59e880d6980b571
4
+ data.tar.gz: 4d82907106c6f1c80e63d13cf02aef92b8ab6faa
5
+ SHA512:
6
+ metadata.gz: dc5a599c3da37b374063f605ecc405db4ec68ea8b7b099a1c65507ff308459d58aea801589e05d98d6c52a33e33b31b2fc628de153071be8a451aba214659819
7
+ data.tar.gz: d135be6d700d4aba21be4736d3e867c3327929a39f95b7eb63adaad205eb0a1792641511342e13aa96d4fb5ef26306c581387eb7670d5187dcaeb2389481a7e5
@@ -12,18 +12,21 @@ The easiest way to make your code use this gem is to run the hydra generator tha
12
12
  * modifies the filters in your CatalogController class to inject access controls into solr queries
13
13
  * adds the YAML files that are used by the default RoleMapper class
14
14
  * adds section to hydra_config initializer that sets names used to look up enforcement info in solr (see "Modifying solr field names for enforcement" below)
15
+ * adds ability.rb under app/models
15
16
 
16
17
  h2. Usage
17
18
 
18
19
  h3. Enforcing Hydra-based Access Controls using CanCan and Hydra::Ability
19
20
 
20
- They hydra generator handles part of this for you - it sets up the CatalogController (Blacklight's main controller for searches) to do gated discovery for you.
21
+ The hydra generator handles part of this for you - it sets up the CatalogController (Blacklight's main controller for searches) to do gated discovery for you and creates an ability.rb file under app/models.
21
22
 
22
23
  Beyond enabling gated discovery, *everything is done using "CanCan":https://github.com/ryanb/cancan*. For more information on CanCan, how to use it, and how to define access controls policies (aka "abilities":https://github.com/ryanb/cancan/wiki/Defining-Abilities), refer to the "CanCan documentation":https://github.com/ryanb/cancan/blob/master/README.rdoc.
23
24
 
24
- Within your CanCan ability definitions (usually ability.rb), if you include the "Hydra::Ability":https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb module, you will have :read and :edit permissions defined for you, along with some convenience methods that help you evaluate permssions against info in the rightsMetadata. *Note*: the Hydra rails generator includes this module into your ability.rb for you!
25
+ Within your CanCan ability definitions, app/models/ability.rb, the "Hydra::Ability":https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb module is already included. This module has
26
+ :read and :edit permissions defined for you, along with some convenience methods that help you evaluate permssions
27
+ against info in the rightsMetadata datastream.
25
28
 
26
- In your custom controllers, you need to tell them to enforce access controls using "CanCan":https://github.com/ryanb/cancan. There are a number of ways to do this. The easiest way is to use the cancan "controller action":https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions 'load_and_authorize_resource', however on show and edit, this also causes a load the resource from fedora, which you may want to avoid. If you want to authorize from solr, you ought to be able to call the cancan methods `authorize!` or `can?` which just checks the solr permissions handler.
29
+ In your custom controllers, you will need to enforce access controls using "CanCan":https://github.com/ryanb/cancan. There are a number of ways to do this. The easiest way is to use the cancan "controller action":https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions 'load_and_authorize_resource', however on show and edit, this also causes a load the resource from fedora, which you may want to avoid. If you want to authorize from solr, you ought to be able to call the cancan methods `authorize!` or `can?` which just checks the solr permissions handler.
27
30
 
28
31
  Examples of using authorize! and can? in controller methods:
29
32
 
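Review bot: The rewritten README paragraph states that Hydra::Ability "is already included" in app/models/ability.rb, which holds only for applications that ran the hydra generator; the removed text made that condition explicit in its Note. Say "if you ran the generator" or keep the instruction to include the module by hand. The added lines also carry over the typo "permssions", and the unchanged sentence "this also causes a load the resource from fedora" could be fixed in the same edit.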
@@ -1,5 +1,4 @@
1
1
  # Allows you to use CanCan to control access to Models
2
2
  class Ability
3
3
  include Hydra::Ability
4
- include Hydra::PolicyAwareAbility
5
4
  end
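Review bot: Dropping `include Hydra::PolicyAwareAbility` from the generated Ability class changes what newly generated applications authorize against, and none of the README changes in this diff mention it. An application generated from this template now gets only Hydra::Ability, so if it relies on policy-aware checks the include has to be added by hand. Document that in the README section on ability.rb, or record in the release notes why it was removed from the default.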
@@ -44,6 +44,7 @@ module Hydra::AccessControlsEnforcement
44
44
  end
45
45
 
46
46
  def is_public?
47
+ ActiveSupport::Deprecation.warn("Hydra::AccessControlsEnforcement.is_public? has been deprecated. Use can? instead.")
47
48
  load_permissions_from_solr
48
49
  access_key = ActiveFedora::SolrService.solr_name("access", Hydra::Datastream::RightsMetadata.indexer)
49
50
  @permissions_solr_document[access_key].present? && @permissions_solr_document[access_key].first.downcase == "public"
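Review bot: The deprecation message on the added line says "Use can? instead" without naming the action or subject to pass, so a caller cannot tell what replaces a check for public access. If `can?(:read, ...)` as used in enforce_show_permissions is the intended replacement, spell that out in the message. The message also writes the method as Hydra::AccessControlsEnforcement.is_public? although it is defined here as an instance method.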
@@ -58,14 +59,11 @@ module Hydra::AccessControlsEnforcement
58
59
  # @param [Hash] opts (optional, not currently used)
59
60
  def enforce_show_permissions(opts={})
60
61
  permissions = current_ability.permissions_doc(params[:id])
61
- unless permissions.is_public?
62
- #its not 'public'
63
- if permissions.under_embargo? && !can?(:edit, permissions)
64
- raise Hydra::AccessDenied.new("This item is under embargo. You do not have sufficient access privileges to read this document.", :edit, params[:id])
65
- end
66
- unless can? :read, permissions
67
- raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
68
- end
62
+ if permissions.under_embargo? && !can?(:edit, permissions)
63
+ raise Hydra::AccessDenied.new("This item is under embargo. You do not have sufficient access privileges to read this document.", :edit, params[:id])
64
+ end
65
+ unless can? :read, permissions
66
+ raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
69
67
  end
70
68
  end
71
69
 
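Review bot: Removing the `unless permissions.is_public?` guard means the embargo check and the `can? :read` check now run for documents marked public as well, so access to public items depends entirely on the ability granting :read for them. No spec in this diff exercises enforce_show_permissions; add examples for a public document requested without a signed-in user and for a public document under embargo. The second AccessDenied message still says the document "has been marked private", which may no longer describe every document that reaches that branch.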
@@ -120,7 +118,7 @@ module Hydra::AccessControlsEnforcement
120
118
  end
121
119
 
122
120
  def escape_filter(key, value)
123
- [key, value.gsub('/', '\/')].join(':')
121
+ [key, value.gsub(/[ \/]/, ' ' => '\ ', '/' => '\/')].join(':')
124
122
  end
125
123
 
126
124
  def apply_individual_permissions(permission_types)
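Review bot: The new gsub in escape_filter escapes only the space and `/`; other characters with meaning in Solr query syntax, such as `:`, `"`, `(`, `)`, `*` or the backslash itself, still pass from the value into the filter query unchanged. Since the other hunks now route role names and user_key through this method, escape the full set of query metacharacters (backslash first) rather than extending the list one character at a time, and add a spec with a value containing a quote or a parenthesis.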
@@ -10,6 +10,7 @@ class Hydra::PermissionsSolrDocument < SolrDocument
10
10
  end
11
11
 
12
12
  def is_public?
13
+ ActiveSupport::Deprecation.warn("Hydra::PermissionsSolrDocument.is_public? has been deprecated. Use can? instead.")
13
14
  access_key = ActiveFedora::SolrService.solr_name("access", Hydra::Datastream::RightsMetadata.indexer)
14
15
  self[access_key].present? && self[access_key].first.downcase == "public"
15
16
  end
@@ -33,28 +33,28 @@ module Hydra::PolicyAwareAccessControlsEnforcement
33
33
  end
34
34
 
35
35
 
36
- def apply_policy_role_permissions(permission_types)
36
+ def apply_policy_role_permissions(permission_types = discovery_permissions)
37
37
  # for roles
38
38
  user_access_filters = []
39
39
  current_ability.user_groups.each_with_index do |role, i|
40
- discovery_permissions.each do |type|
41
- user_access_filters << ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ) + ":#{role}"
40
+ permission_types.each do |type|
41
+ user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ), role)
42
42
  end
43
43
  end
44
44
  user_access_filters
45
45
  end
46
46
 
47
- def apply_policy_individual_permissions(permission_types)
47
+ def apply_policy_individual_permissions(permission_types = discovery_permissions)
48
48
  # for individual person access
49
49
  user_access_filters = []
50
50
  if current_user
51
- discovery_permissions.each do |type|
52
- user_access_filters << ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_person", Hydra::Datastream::RightsMetadata.indexer ) + ":#{current_user.user_key}"
51
+ permission_types.each do |type|
52
+ user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_person", Hydra::Datastream::RightsMetadata.indexer ), current_user.user_key)
53
53
  end
54
54
  end
55
55
  user_access_filters
56
56
  end
57
-
57
+
58
58
  # Returns the Model used for AdminPolicy objects.
59
59
  # You can set this by overriding this method or setting Hydra.config[:permissions][:policy_class]
60
60
  # Defults to Hydra::AdminPolicy
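Review bot: Both methods used to ignore their permission_types argument and iterate discovery_permissions; with `permission_types.each` the argument is now honoured, so an existing caller that passes a different list gets different filters after a patch-level upgrade. Confirm that the callers pass what discovery_permissions returns, or note the behaviour change in the release notes. The `-`/`+` pair on the blank line after apply_policy_individual_permissions is a whitespace-only change and can be dropped from the patch.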
@@ -140,6 +140,14 @@ describe Hydra::AccessControlsEnforcement do
140
140
  @solr_parameters[:fq].first.should match(/#{type}_access_group_ssim\:cde\\\/567/)
141
141
  end
142
142
  end
143
+ it "should escape spaces in the group names" do
144
+ RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["abc 123","cd/e 567"])
145
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
146
+ ["discover","edit","read"].each do |type|
147
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_ssim\:abc\\ 123/)
148
+ @solr_parameters[:fq].first.should match(/#{type}_access_group_ssim\:cd\\\/e\\ 567/)
149
+ end
150
+ end
143
151
  end
144
152
 
145
153
  describe "exclude_unwanted_models" do
@@ -129,4 +129,25 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
129
129
  @solr_parameters[:fq].first.should_not include(" OR (#{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy1 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy2 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy3 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy4 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy5 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy6 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy7 OR #{ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy8)")
130
130
  end
131
131
  end
132
+
133
+ describe "apply_policy_role_permissions" do
134
+ it "should escape slashes in the group names" do
135
+ RoleMapper.stub(:roles).with(@user.user_key).and_return(["abc/123","cde/567"])
136
+ subject.stub(:current_user).and_return(@user)
137
+ user_access_filters = subject.apply_policy_role_permissions
138
+ ["edit","discover","read"].each do |type|
139
+ user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:abc\\\/123")
140
+ user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:cde\\\/567")
141
+ end
142
+ end
143
+ it "should escape spaces in the group names" do
144
+ RoleMapper.stub(:roles).with(@user.user_key).and_return(["abc 123","cd/e 567"])
145
+ subject.stub(:current_user).and_return(@user)
146
+ user_access_filters = subject.apply_policy_role_permissions
147
+ ["edit","discover","read"].each do |type|
148
+ user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:abc\\ 123")
149
+ user_access_filters.should include("#{ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer )}\:cd\\\/e\\ 567")
150
+ end
151
+ end
152
+ end
132
153
  end
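Review bot: The added describe block covers apply_policy_role_permissions only; apply_policy_individual_permissions received the same escape_filter change for current_user.user_key and has no example here. Add a spec with a user_key containing a slash and a space. In the expected strings, `\:` inside a double-quoted literal is just `:`, so that backslash can be removed to keep the expectations readable.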
metadata CHANGED
@@ -1,8 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hydra-access-controls
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.3.3
5
- prerelease:
4
+ version: 6.3.4
6
5
  platform: ruby
7
6
  authors:
8
7
  - Chris Beer
@@ -11,28 +10,25 @@ authors:
11
10
  autorequire:
12
11
  bindir: bin
13
12
  cert_chain: []
14
- date: 2013-08-16 00:00:00.000000000 Z
13
+ date: 2013-08-27 00:00:00.000000000 Z
15
14
  dependencies:
16
15
  - !ruby/object:Gem::Dependency
17
16
  name: activesupport
18
17
  requirement: !ruby/object:Gem::Requirement
19
- none: false
20
18
  requirements:
21
- - - ! '>='
19
+ - - '>='
22
20
  - !ruby/object:Gem::Version
23
21
  version: '0'
24
22
  type: :runtime
25
23
  prerelease: false
26
24
  version_requirements: !ruby/object:Gem::Requirement
27
- none: false
28
25
  requirements:
29
- - - ! '>='
26
+ - - '>='
30
27
  - !ruby/object:Gem::Version
31
28
  version: '0'
32
29
  - !ruby/object:Gem::Dependency
33
30
  name: active-fedora
34
31
  requirement: !ruby/object:Gem::Requirement
35
- none: false
36
32
  requirements:
37
33
  - - ~>
38
34
  - !ruby/object:Gem::Version
@@ -40,7 +36,6 @@ dependencies:
40
36
  type: :runtime
41
37
  prerelease: false
42
38
  version_requirements: !ruby/object:Gem::Requirement
43
- none: false
44
39
  requirements:
45
40
  - - ~>
46
41
  - !ruby/object:Gem::Version
@@ -48,39 +43,34 @@ dependencies:
48
43
  - !ruby/object:Gem::Dependency
49
44
  name: cancan
50
45
  requirement: !ruby/object:Gem::Requirement
51
- none: false
52
46
  requirements:
53
- - - ! '>='
47
+ - - '>='
54
48
  - !ruby/object:Gem::Version
55
49
  version: '0'
56
50
  type: :runtime
57
51
  prerelease: false
58
52
  version_requirements: !ruby/object:Gem::Requirement
59
- none: false
60
53
  requirements:
61
- - - ! '>='
54
+ - - '>='
62
55
  - !ruby/object:Gem::Version
63
56
  version: '0'
64
57
  - !ruby/object:Gem::Dependency
65
58
  name: deprecation
66
59
  requirement: !ruby/object:Gem::Requirement
67
- none: false
68
60
  requirements:
69
- - - ! '>='
61
+ - - '>='
70
62
  - !ruby/object:Gem::Version
71
63
  version: '0'
72
64
  type: :runtime
73
65
  prerelease: false
74
66
  version_requirements: !ruby/object:Gem::Requirement
75
- none: false
76
67
  requirements:
77
- - - ! '>='
68
+ - - '>='
78
69
  - !ruby/object:Gem::Version
79
70
  version: '0'
80
71
  - !ruby/object:Gem::Dependency
81
72
  name: blacklight
82
73
  requirement: !ruby/object:Gem::Requirement
83
- none: false
84
74
  requirements:
85
75
  - - ~>
86
76
  - !ruby/object:Gem::Version
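Review bot: The cancan and deprecation runtime dependencies in this hunk keep an open `>=` '0' requirement while only the YAML quoting and the `none: false` lines change. For a gem whose purpose is access control, an unbounded requirement on the authorization library accepts any future cancan release at install time; consider a pessimistic `~>` constraint, as already used for active-fedora and blacklight.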
@@ -88,7 +78,6 @@ dependencies:
88
78
  type: :runtime
89
79
  prerelease: false
90
80
  version_requirements: !ruby/object:Gem::Requirement
91
- none: false
92
81
  requirements:
93
82
  - - ~>
94
83
  - !ruby/object:Gem::Version
@@ -96,33 +85,29 @@ dependencies:
96
85
  - !ruby/object:Gem::Dependency
97
86
  name: rake
98
87
  requirement: !ruby/object:Gem::Requirement
99
- none: false
100
88
  requirements:
101
- - - ! '>='
89
+ - - '>='
102
90
  - !ruby/object:Gem::Version
103
91
  version: '0'
104
92
  type: :development
105
93
  prerelease: false
106
94
  version_requirements: !ruby/object:Gem::Requirement
107
- none: false
108
95
  requirements:
109
- - - ! '>='
96
+ - - '>='
110
97
  - !ruby/object:Gem::Version
111
98
  version: '0'
112
99
  - !ruby/object:Gem::Dependency
113
100
  name: rspec
114
101
  requirement: !ruby/object:Gem::Requirement
115
- none: false
116
102
  requirements:
117
- - - ! '>='
103
+ - - '>='
118
104
  - !ruby/object:Gem::Version
119
105
  version: '0'
120
106
  type: :development
121
107
  prerelease: false
122
108
  version_requirements: !ruby/object:Gem::Requirement
123
- none: false
124
109
  requirements:
125
- - - ! '>='
110
+ - - '>='
126
111
  - !ruby/object:Gem::Version
127
112
  version: '0'
128
113
  description: Access controls for project hydra
@@ -178,27 +163,26 @@ files:
178
163
  homepage: http://projecthydra.org
179
164
  licenses:
180
165
  - APACHE2
166
+ metadata: {}
181
167
  post_install_message:
182
168
  rdoc_options: []
183
169
  require_paths:
184
170
  - lib
185
171
  required_ruby_version: !ruby/object:Gem::Requirement
186
- none: false
187
172
  requirements:
188
- - - ! '>='
173
+ - - '>='
189
174
  - !ruby/object:Gem::Version
190
175
  version: 1.9.3
191
176
  required_rubygems_version: !ruby/object:Gem::Requirement
192
- none: false
193
177
  requirements:
194
- - - ! '>='
178
+ - - '>='
195
179
  - !ruby/object:Gem::Version
196
180
  version: '0'
197
181
  requirements: []
198
182
  rubyforge_project:
199
- rubygems_version: 1.8.23
183
+ rubygems_version: 2.0.5
200
184
  signing_key:
201
- specification_version: 3
185
+ specification_version: 4
202
186
  summary: Access controls for project hydra
203
187
  test_files:
204
188
  - spec/factories.rb