hydra-access-controls 6.4.0.pre1 → 6.4.0.pre2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d58a98abb5fa51ab9dcc8d38a80475d6bc9310cb
-  data.tar.gz: 23bc49074fa0715dc9515c1e9c7638484ba8040e
+  metadata.gz: 35f2c828c01a662e99c864d3a3188f83ffa0a2d3
+  data.tar.gz: 5b305407bd3d90d231c7c5098de035608dabb6d1
 SHA512:
-  metadata.gz: 4b7e22c6d6e32dbdd5b39032af3d3caad5b3f6a885fbcf40b7852cc714ec1109aca94906b88f9044652375ca3ca81cb247fce852e58960ca728ab0678c06343c
-  data.tar.gz: dd23a59d0a72cd311011244ccba077cd8964cf0a295f5dace58e6487081411b35bfac55e767767ee3c5380b3be0fdf8b8bff0721f32e59af36ccce98e2266f56
+  metadata.gz: 80c97916451cd6546514a2b18d36c8c6025696d5b09dfa0644eae31fb3c39770ccd1938423ebf9174daae3430e012386e9feec511a566d886541df56efd13d57
+  data.tar.gz: 11ae4e897b165e0c21bc29491179ef23907de5c6c5dc1da6639811c85dfb488cb0b41200dfa85b4510d51fbf11d6a67a13668778ba6110f036dd94c659aa1f8e

data/app/models/concerns/hydra/access_controls.rb

@@ -4,6 +4,7 @@ module Hydra
     autoload :AccessRight
     autoload :WithAccessRight
     autoload :Visibility
+    autoload :Permission
     autoload :Permissions
   end
 end

data/app/models/concerns/hydra/access_controls/permissions.rb

@@ -2,12 +2,276 @@ module Hydra
   module AccessControls
     module Permissions
       extend ActiveSupport::Concern
-      include Hydra::ModelMixins::RightsMetadata
       include Hydra::AccessControls::Visibility
 
       included do
         has_metadata "rightsMetadata", type: Hydra::Datastream::RightsMetadata
       end
+
+
+      ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
+      # @example
+      #  obj.permissions_attributes= [{:name=>"group1", :access=>"discover", :type=>'group'},
+      #  {:name=>"group2", :access=>"discover", :type=>'group'}]
+      def permissions_attributes= attributes_collection
+        perm_hash = {'person' => rightsMetadata.individuals, 'group'=> rightsMetadata.groups}
+
+        if attributes_collection.is_a? Hash
+          attributes_collection = attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
+        end
+
+        attributes_collection.each do |row|
+          row = row.with_indifferent_access
+          if row[:type] == 'user' || row[:type] == 'person'
+            if has_destroy_flag? row
+              perm_hash['person'].delete(row[:name])
+            else
+              perm_hash['person'][row[:name]] = row[:access]
+            end
+          elsif row[:type] == 'group'
+            perm_hash['group'][row[:name]] = row[:access]
+            if has_destroy_flag? row
+              perm_hash['group'].delete(row[:name])
+            else
+              perm_hash['group'][row[:name]] = row[:access]
+            end
+          else
+            raise ArgumentError, "Permission type must be 'user', 'person' (alias for 'user'), or 'group'"
+          end
+        end
+        
+        rightsMetadata.permissions = perm_hash
+      end
+
+      ## Returns a list with all the permissions on the object.
+      def permissions
+        (rightsMetadata.groups.map {|x| Permission.new(type: 'group', access: x[1], name: x[0] )} + 
+          rightsMetadata.individuals.map {|x|  Permission.new(type: 'user', access: x[1], name: x[0] )})
+      end
+
+      # Return a list of groups that have discover permission
+      def read_groups
+        rightsMetadata.groups.map {|k, v| k if v == 'read'}.compact
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for all other groups.
+      # @param[Array] groups a list of group names
+      # @example
+      #  r.read_groups= ['one', 'two', 'three']
+      #  r.read_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def read_groups=(groups)
+        set_read_groups(groups, read_groups)
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for all other groups.
+      # @param[String] groups a list of group names
+      # @example
+      #  r.read_groups_string= 'one, two, three'
+      #  r.read_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def read_groups_string=(groups)
+        self.read_groups=groups.split(/[\s,]+/)
+      end
+
+      # Display the groups a comma delimeted string
+      def read_groups_string
+        self.read_groups.join(', ')
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for
+      # any of the eligible_groups that are not in groups.
+      # This may be used when different users are responsible for setting different
+      # groups.  Supply the groups the current user is responsible for as the 
+      # 'eligible_groups'
+      # @param[Array] groups a list of groups
+      # @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked. 
+      # @example
+      #  r.read_groups = ['one', 'two', 'three']
+      #  r.read_groups 
+      #  => ['one', 'two', 'three']
+      #  r.set_read_groups(['one'], ['three'])
+      #  r.read_groups
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_read_groups(groups, eligible_groups)
+        set_entities(:read, :group, groups, eligible_groups)
+      end
+
+      def read_users
+        rightsMetadata.individuals.map {|k, v| k if v == 'read'}.compact
+      end
+
+      # Grant read permissions to the users specified. Revokes read permission for all other users.
+      # @param[Array] users a list of usernames
+      # @example
+      #  r.read_users= ['one', 'two', 'three']
+      #  r.read_users 
+      #  => ['one', 'two', 'three']
+      #
+      def read_users=(users)
+        set_read_users(users, read_users)
+      end
+
+      # Grant read permissions to the groups specified. Revokes read permission for all other users.
+      # @param[String] users a list of usernames
+      # @example
+      #  r.read_users_string= 'one, two, three'
+      #  r.read_users 
+      #  => ['one', 'two', 'three']
+      #
+      def read_users_string=(users)
+        self.read_users=users.split(/[\s,]+/)
+      end
+
+      # Display the users as a comma delimeted string
+      def read_users_string
+        self.read_users.join(', ')
+      end
+
+      # Grant read permissions to the users specified. Revokes read permission for
+      # any of the eligible_users that are not in users.
+      # This may be used when different users are responsible for setting different
+      # users.  Supply the users the current user is responsible for as the 
+      # 'eligible_users'
+      # @param[Array] users a list of users
+      # @param[Array] eligible_users the users that are eligible to have their read permssion revoked. 
+      # @example
+      #  r.read_users = ['one', 'two', 'three']
+      #  r.read_users 
+      #  => ['one', 'two', 'three']
+      #  r.set_read_users(['one'], ['three'])
+      #  r.read_users
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_read_users(users, eligible_users)
+        set_entities(:read, :person, users, eligible_users)
+      end
+
+
+      # Return a list of groups that have edit permission
+      def edit_groups
+        rightsMetadata.groups.map {|k, v| k if v == 'edit'}.compact
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
+      # @param[Array] groups a list of group names
+      # @example
+      #  r.edit_groups= ['one', 'two', 'three']
+      #  r.edit_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def edit_groups=(groups)
+        set_edit_groups(groups, edit_groups)
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
+      # @param[String] groups a list of group names
+      # @example
+      #  r.edit_groups_string= 'one, two, three'
+      #  r.edit_groups 
+      #  => ['one', 'two', 'three']
+      #
+      def edit_groups_string=(groups)
+        self.edit_groups=groups.split(/[\s,]+/)
+      end
+
+      # Display the groups a comma delimeted string
+      def edit_groups_string
+        self.edit_groups.join(', ')
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for
+      # any of the eligible_groups that are not in groups.
+      # This may be used when different users are responsible for setting different
+      # groups.  Supply the groups the current user is responsible for as the 
+      # 'eligible_groups'
+      # @param[Array] groups a list of groups
+      # @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked. 
+      # @example
+      #  r.edit_groups = ['one', 'two', 'three']
+      #  r.edit_groups 
+      #  => ['one', 'two', 'three']
+      #  r.set_edit_groups(['one'], ['three'])
+      #  r.edit_groups
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_edit_groups(groups, eligible_groups)
+        set_entities(:edit, :group, groups, eligible_groups)
+      end
+
+      def edit_users
+        rightsMetadata.individuals.map {|k, v| k if v == 'edit'}.compact
+      end
+
+      # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
+      # @param[Array] users a list of usernames
+      # @example
+      #  r.edit_users= ['one', 'two', 'three']
+      #  r.edit_users 
+      #  => ['one', 'two', 'three']
+      #
+      def edit_users=(users)
+        set_edit_users(users, edit_users)
+      end
+
+      # Grant edit permissions to the users specified. Revokes edit permission for
+      # any of the eligible_users that are not in users.
+      # This may be used when different users are responsible for setting different
+      # users.  Supply the users the current user is responsible for as the 
+      # 'eligible_users'
+      # @param[Array] users a list of users
+      # @param[Array] eligible_users the users that are eligible to have their edit permssion revoked. 
+      # @example
+      #  r.edit_users = ['one', 'two', 'three']
+      #  r.edit_users 
+      #  => ['one', 'two', 'three']
+      #  r.set_edit_users(['one'], ['three'])
+      #  r.edit_users
+      #  => ['one', 'two']  ## 'two' was not eligible to be removed
+      #
+      def set_edit_users(users, eligible_users)
+        set_entities(:edit, :person, users, eligible_users)
+      end
+
+      protected 
+
+      def has_destroy_flag?(hash)
+        ["1", "true"].include?(hash['_destroy'].to_s)
+      end
+
+      private 
+
+
+
+      # @param  permission either :discover, :read or :edit
+      # @param  type either :person or :group
+      # @param  values  Values to set
+      # @param  changeable Values we are allowed to change
+      def set_entities(permission, type, values, changeable)
+        g = preserved(type, permission)
+        (changeable - values).each do |entity|
+          #Strip permissions from users not provided
+          g[entity] = 'none'
+        end
+        values.each { |name| g[name] = permission.to_s}
+        rightsMetadata.update_permissions(type.to_s=>g)
+      end
+
+      ## Get those permissions we don't want to change
+      def preserved(type, permission)
+        case permission
+        when :edit
+          g = {}
+        when :read
+          Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'edit'}]
+        when :discover
+          Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'discover'}]
+        end
+      end
+
     end
   end
 end

data/lib/hydra/access_controls/permission.rb

@@ -0,0 +1,36 @@
+module Hydra::AccessControls
+  class Permission
+    def initialize(args)
+      @vals = {name: args[:name], access: args[:access], type: args[:type]}
+    end
+
+    def persisted?
+      false
+    end
+
+    def [] var
+      @vals[var]
+    end
+
+    def name
+      self[:name]
+    end
+
+    def access
+      self[:access]
+    end
+
+    def type
+      self[:type]
+    end
+
+    def _destroy
+      false
+    end
+
+    def == other
+      other.is_a?(Permission) && self.name == other.name && self.type == other.type && self.access == other.access
+    end
+
+  end
+end

data/lib/hydra/admin_policy.rb

@@ -20,7 +20,7 @@ class Hydra::AdminPolicy < ActiveFedora::Base
   delegate :license_url, :to=>'rightsMetadata', :at=>[:license, :url], :unique=>true
 
   # easy access to edit_groups, etc
-  include Hydra::ModelMixins::RightsMetadata 
+  include Hydra::AccessControls::Permissions 
 
   def self.readable_by_user(user)
     where_user_has_permissions(user, [:read, :edit])

data/lib/hydra/datastream/rights_metadata.rb

@@ -136,7 +136,17 @@ module Hydra
       # Currently restricts actor type to group or person.  Any others will be ignored
       def update_permissions(params)
         params.fetch("group", {}).each_pair {|group_id, access_level| self.permissions({"group"=>group_id}, access_level)}
-        params.fetch("person", {}).each_pair {|group_id, access_level| self.permissions({"person"=>group_id}, access_level)}
+        params.fetch("person", {}).each_pair {|person_id, access_level| self.permissions({"person"=>person_id}, access_level)}
+      end
+
+      # Updates all permissions
+      # @param params ex. {"group"=>{"group1"=>"discover","group2"=>"edit"}, "person"=>{"person1"=>"read","person2"=>"discover"}}
+      # Restricts actor type to group or person.  Any others will be ignored
+      def permissions= (params)
+        group_ids = groups.keys | params['group'].keys
+        group_ids.each {|group_id| self.permissions({"group"=>group_id}, params['group'].fetch(group_id, 'none'))}
+        user_ids = individuals.keys | params['person'].keys
+        user_ids.each {|person_id| self.permissions({"person"=>person_id}, params['person'].fetch(person_id, 'none'))}
       end
       
       # @param [Symbol] type (either :group or :person)

data/lib/hydra/model_mixins/rights_metadata.rb

@@ -1,6 +1,13 @@
 module Hydra
   module ModelMixins
     module RightsMetadata
+      extend ActiveSupport::Concern
+      extend Deprecation
+
+      included do
+        Deprecation.warn(RightsMetadata, "Hydra::ModelMixins::RightsMetadata has been deprecated and will be removed in hydra-head 7.0. Use Hydra::AccessControls::Permissions instead", caller(3));
+      end
+
 
 
       ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided

data/spec/unit/permissions_spec.rb

@@ -0,0 +1,114 @@
+require 'spec_helper'
+
+describe Hydra::AccessControls::Permissions do
+  before do
+    class Foo < ActiveFedora::Base
+      include Hydra::AccessControls::Permissions
+    end
+  end
+
+  subject { Foo.new }
+
+  
+  it "should have a set of permissions" do
+    subject.read_groups=['group1', 'group2']
+    subject.edit_users=['user1']
+    subject.read_users=['user2', 'user3']
+    subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
+        Hydra::AccessControls::Permission.new({:type=>"group", :access=>"read", :name=>"group2"}),
+        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"read", :name=>"user2"}),
+        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"read", :name=>"user3"}),
+        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"edit", :name=>"user1"})]
+  end
+  describe "updating permissions" do
+    before do
+      subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"jcoyne"}]
+    end
+    it "should handle a hash" do
+      subject.permissions_attributes = {'0' => {type: "group", access:"read", name:"group1"}, '1'=> {type: 'user', access: 'edit', name: 'user2'}}
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"user2")]
+    end
+    it "should create new group permissions" do
+      subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should create new user permissions" do
+      subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user1"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should not replace existing groups" do
+      subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
+      subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group2"}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
+                                   Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group2"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should not replace existing users" do
+      subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
+      subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user2"}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user1"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user2"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should update permissions on existing users" do
+      subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
+      subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"user1"}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"user1"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should update permissions on existing groups" do
+      subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
+      subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1"}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
+                                   Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should remove permissions on existing users" do
+      subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
+      subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"user1", _destroy: true}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should remove permissions on existing groups" do
+      subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
+      subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1", _destroy: '1'}]
+      subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+    it "should not remove when destroy flag is falsy" do
+      subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
+      subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1", _destroy: '0'}]
+      subject.permissions.should == [ Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
+                                      Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+    end
+  end
+  context "with rightsMetadata" do
+    before do
+      subject.rightsMetadata.update_permissions("person"=>{"person1"=>"read","person2"=>"discover"}, "group"=>{'group-6' => 'read', "group-7"=>'read', 'group-8'=>'edit'})
+    end
+    it "should have read groups accessor" do
+      subject.read_groups.should == ['group-6', 'group-7']
+    end
+    it "should have read groups string accessor" do
+      subject.read_groups_string.should == 'group-6, group-7'
+    end
+    it "should have read groups writer" do
+      subject.read_groups = ['group-2', 'group-3']
+      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
+      subject.rightsMetadata.individuals.should == {"person1"=>"read","person2"=>"discover"}
+    end
+
+    it "should have read groups string writer" do
+      subject.read_groups_string = 'umg/up.dlt.staff, group-3'
+      subject.rightsMetadata.groups.should == {'umg/up.dlt.staff' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
+      subject.rightsMetadata.individuals.should == {"person1"=>"read","person2"=>"discover"}
+    end
+    it "should only revoke eligible groups" do
+      subject.set_read_groups(['group-2', 'group-3'], ['group-6'])
+      # 'group-7' is not eligible to be revoked
+      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-7' => 'read', 'group-8' => 'edit'}
+      subject.rightsMetadata.individuals.should == {"person1"=>"read","person2"=>"discover"}
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 6.4.0.pre1
+  version: 6.4.0.pre2
 platform: ruby
 authors:
 - Chris Beer
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-27 00:00:00.000000000 Z
+date: 2013-09-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -132,6 +132,7 @@ files:
 - hydra-access-controls.gemspec
 - lib/hydra-access-controls.rb
 - lib/hydra/ability.rb
+- lib/hydra/access_controls/permission.rb
 - lib/hydra/access_controls_enforcement.rb
 - lib/hydra/access_controls_evaluation.rb
 - lib/hydra/admin_policy.rb
@@ -162,6 +163,7 @@ files:
 - spec/unit/hydra_rights_metadata_persistence_spec.rb
 - spec/unit/hydra_rights_metadata_spec.rb
 - spec/unit/inheritable_rights_metadata_spec.rb
+- spec/unit/permissions_spec.rb
 - spec/unit/policy_aware_ability_spec.rb
 - spec/unit/policy_aware_access_controls_enforcement_spec.rb
 - spec/unit/rights_metadata_spec.rb
@@ -209,6 +211,7 @@ test_files:
 - spec/unit/hydra_rights_metadata_persistence_spec.rb
 - spec/unit/hydra_rights_metadata_spec.rb
 - spec/unit/inheritable_rights_metadata_spec.rb
+- spec/unit/permissions_spec.rb
 - spec/unit/policy_aware_ability_spec.rb
 - spec/unit/policy_aware_access_controls_enforcement_spec.rb
 - spec/unit/rights_metadata_spec.rb