hydra-access-controls 6.5.2 → 7.0.0.pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6ecdae0c038ee96bc891eff67731001fb2891900
-  data.tar.gz: 259734b1ed3d5f976d306863b9a8ffc29b9680ba
+  metadata.gz: a4a93165f43e234199b40f661c831297b8fa0028
+  data.tar.gz: e1a7ffe7818ad9b6a4b05f275c04b692492c6ae0
 SHA512:
-  metadata.gz: 7c8a7e54b600cfec5fc4a18d7aec6ac164e3eeb880fa04d5d18c40e6c9ea0be86bbcf9d17b375a124e364b58772ce205bb20864833781130734d48c7afbbed9e
-  data.tar.gz: 9c142b27794db0f448a822ba1080259a2431df772d63b40408c43428835622b17bc49d6c7032a4086f4a960c52346b73af3f94dc5ec15d792e540ad682cb044b
+  metadata.gz: d6347cac6a363890e6c97010635aa9348cf7ba0c8ee7b42cbe194559a15409d7828226d9c5671e9f32572a2c6b19c74950783b9637609dd93245e0d64d1c48d1
+  data.tar.gz: 85f02a19c26d9dbcf3403c7031805961849d73a013b73620936347082aebec6428aac7520dfe930f48b50474741a4cbe87930390854ebb134f037bb16f37ea6d

data/app/models/concerns/hydra/access_controls/permissions.rb

@@ -9,18 +9,12 @@ module Hydra
         has_metadata "rightsMetadata", type: Hydra::Datastream::RightsMetadata
       end
 
-      # permissions= added for backward compatibility of Hydra::AdminPolicy for hydra-head < 6.4
-      def permissions= attributes_collection
-        Deprecation.warn(Permissions, "The permissions= method is deprecated and will be removed from Hydra::AccessControls::Permissions in hydra-head 7.0", caller)
-        self.permissions_attributes = attributes_collection
-      end
-
       ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
       # @example
       #  obj.permissions_attributes= [{:name=>"group1", :access=>"discover", :type=>'group'},
       #  {:name=>"group2", :access=>"discover", :type=>'group'}]
       def permissions_attributes= attributes_collection
-        perm_hash = {'person' => rightsMetadata.individuals, 'group'=> rightsMetadata.groups}
+        perm_hash = {'person' => rightsMetadata.users, 'group'=> rightsMetadata.groups}
 
         if attributes_collection.is_a? Hash
           attributes_collection = attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
@@ -52,7 +46,20 @@ module Hydra
       ## Returns a list with all the permissions on the object.
       def permissions
         (rightsMetadata.groups.map {|x| Permission.new(type: 'group', access: x[1], name: x[0] )} + 
-          rightsMetadata.individuals.map {|x|  Permission.new(type: 'user', access: x[1], name: x[0] )})
+          rightsMetadata.users.map {|x|  Permission.new(type: 'user', access: x[1], name: x[0] )})
+      end
+
+      # @param values [Array<Permission>] a list of permission objects to set
+      def permissions= values
+        perm_hash = {'person' => {}, 'group'=> {}}
+        values.each do |perm|
+          if perm.type == 'user'
+            perm_hash['person'][perm.name] = perm.access
+          else
+            perm_hash['group'][perm.name] = perm.access
+          end
+        end
+        rightsMetadata.permissions = perm_hash
       end
 
       # Return a list of groups that have discover permission
@@ -107,7 +114,7 @@ module Hydra
       end
 
       def discover_users
-        rightsMetadata.individuals.map {|k, v| k if v == 'discover'}.compact
+        rightsMetadata.users.map {|k, v| k if v == 'discover'}.compact
       end
 
       # Grant discover permissions to the users specified. Revokes discover permission for all other users.
@@ -208,7 +215,7 @@ module Hydra
       end
 
       def read_users
-        rightsMetadata.individuals.map {|k, v| k if v == 'read'}.compact
+        rightsMetadata.users.map {|k, v| k if v == 'read'}.compact
       end
 
       # Grant read permissions to the users specified. Revokes read permission for all other users.
@@ -310,7 +317,7 @@ module Hydra
       end
 
       def edit_users
-        rightsMetadata.individuals.map {|k, v| k if v == 'edit'}.compact
+        rightsMetadata.users.map {|k, v| k if v == 'edit'}.compact
       end
 
       # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
@@ -351,8 +358,6 @@ module Hydra
 
       private 
 
-
-
       # @param  permission either :discover, :read or :edit
       # @param  type either :person or :group
       # @param  values  Values to set

data/hydra-access-controls.gemspec

@@ -19,10 +19,10 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 1.9.3'
 
   gem.add_dependency 'activesupport'
-  gem.add_dependency "active-fedora", '~> 6.7'
+  gem.add_dependency "active-fedora", '~> 7.0.0.pre2'
   gem.add_dependency 'cancan'
   gem.add_dependency 'deprecation'
-  gem.add_dependency 'blacklight', '~> 4.7'
+  gem.add_dependency 'blacklight', '~> 4.0' 
 
   gem.add_development_dependency "rake"
   gem.add_development_dependency 'rspec'

data/lib/hydra-access-controls.rb

@@ -1,8 +1,7 @@
-require 'active_support'
+require 'rails'
 require 'active-fedora'
 require 'blacklight'
 require 'cancan'
-require 'rails'
 
 module Hydra
   extend ActiveSupport::Autoload
@@ -12,6 +11,7 @@ module Hydra
   autoload :PolicyAwareAccessControlsEnforcement
   autoload :AccessControlsEvaluation
   autoload :Ability
+  autoload :Config
   autoload :Datastream
   autoload :PolicyAwareAbility
   autoload :AdminPolicy
@@ -19,17 +19,23 @@ module Hydra
   autoload :PermissionsQuery
   autoload :PermissionsCache
   autoload :PermissionsSolrDocument
+
+  class << self
+    def configure(_ = nil)
+      @config ||= Config.new
+      yield @config if block_given?
+      @config
+    end
+    alias :config :configure
+  end
+
   class Engine < Rails::Engine
+    # autoload_paths is only necessary for Rails 3
     config.autoload_paths += %W(
       #{config.root}/app/models/concerns
     )
   end
 
-  module ModelMixins
-    extend ActiveSupport::Autoload
-    autoload :RightsMetadata
-  end
-
   # This error is raised when a user isn't allowed to access a given controller action.
   # This usually happens within a call to AccessControlsEnforcement#enforce_access_controls but can be
   # raised manually.

data/lib/hydra/ability.rb

@@ -3,6 +3,7 @@ require 'cancan'
 module Hydra
   module Ability
     extend ActiveSupport::Concern
+    extend Deprecation
     
     # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
     #
@@ -13,7 +14,7 @@ module Hydra
       include Hydra::PermissionsQuery
       include Blacklight::SolrHelper
       class_attribute :ability_logic
-      self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
+      self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :download_permissions, :custom_permissions]
     end
 
     def self.user_class
@@ -54,7 +55,7 @@ module Hydra
     end
 
     def create_permissions
-      can :create, :all if user_groups.include? 'registered'
+      # no op -- this is automatically run as part of self.ability_logic. Override in your own Ability class to set default create permissions.
     end
 
     def edit_permissions
@@ -66,7 +67,7 @@ module Hydra
         test_edit(obj.pid)
       end
    
-      can :edit, SolrDocument do |obj|
+      can [:edit, :update, :destroy], SolrDocument do |obj|
         cache.put(obj.id, obj)
         test_edit(obj.id)
       end       
@@ -87,6 +88,12 @@ module Hydra
       end 
     end
 
+    # Download permissions are exercised in Hydra::Controller::DownloadBehavior
+    def download_permissions
+      can :download, ActiveFedora::Datastream do |ds|
+        can? :read, ds.pid # i.e, can download ds if can read object
+      end
+    end
 
     ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
     def custom_permissions
@@ -97,7 +104,7 @@ module Hydra
     def test_edit(pid)
       logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
       group_intersection = user_groups & edit_groups(pid)
-      result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
+      result = !group_intersection.empty? || edit_users(pid).include?(current_user.user_key)
       logger.debug("[CANCAN] decision: #{result}")
       result
     end   
@@ -105,7 +112,7 @@ module Hydra
     def test_read(pid)
       logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
       group_intersection = user_groups & read_groups(pid)
-      result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
+      result = !group_intersection.empty? || read_users(pid).include?(current_user.user_key)
       result
     end 
     
@@ -126,38 +133,48 @@ module Hydra
       return rg
     end
 
-    def edit_persons(pid)
+    def edit_users(pid)
       doc = permissions_doc(pid)
       return [] if doc.nil?
-      ep = doc[self.class.edit_person_field] ||  []
-      logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
+      ep = doc[self.class.edit_user_field] ||  []
+      logger.debug("[CANCAN] edit_users: #{ep.inspect}")
       return ep
     end
 
-    # edit implies read, so read_persons is the union of edit and read persons
-    def read_persons(pid)
+    # edit implies read, so read_users is the union of edit and read users
+    def read_users(pid)
       doc = permissions_doc(pid)
       return [] if doc.nil?
-      rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
-      logger.debug("[CANCAN] read_persons: #{rp.inspect}")
+      rp = edit_users(pid) | (doc[self.class.read_user_field] || [])
+      logger.debug("[CANCAN] read_users: #{rp.inspect}")
       return rp
     end
 
     module ClassMethods
       def read_group_field 
-        Hydra.config[:permissions][:read][:group]
+        Hydra.config.permissions.read.group
+      end
+
+      def edit_person_field
+        Deprecation.warn(Ability, "The edit_person_field class method is deprecated and will be removed from Hydra::Ability in hydra-head 8.0.  Use edit_user_field instead.", caller)
+        edit_user_field
+      end
+
+      def edit_user_field 
+        Hydra.config.permissions.edit.individual
       end
 
-      def edit_person_field 
-        Hydra.config[:permissions][:edit][:individual]
+      def read_person_field
+        Deprecation.warn(Ability, "The read_person_field class method is deprecated and will be removed from Hydra::Ability in hydra-head 8.0.  Use read_user_field instead.", caller)
+        read_user_field
       end
 
-      def read_person_field 
-        Hydra.config[:permissions][:read][:individual]
+      def read_user_field 
+        Hydra.config.permissions.read.individual
       end
 
       def edit_group_field
-        Hydra.config[:permissions][:edit][:group]
+        Hydra.config.permissions.edit.group
       end
     end
   end

data/lib/hydra/access_controls/permission.rb

@@ -1,6 +1,5 @@
 module Hydra::AccessControls
   class Permission
-
     def initialize(args)
       @vals = {name: args[:name], access: args[:access], type: args[:type]}
     end
@@ -9,12 +8,8 @@ module Hydra::AccessControls
       false
     end
 
-    def to_hash
-      @vals
-    end
-
     def [] var
-      to_hash[var]
+      @vals[var]
     end
 
     def name

data/lib/hydra/access_controls_enforcement.rb

@@ -11,7 +11,7 @@ module Hydra::AccessControlsEnforcement
     # CatalogController.include ModuleDefiningNewMethod
     # CatalogController.solr_access_filters_logic += [:new_method]
     # CatalogController.solr_access_filters_logic.delete(:we_dont_want)
-    self.solr_access_filters_logic = [:apply_role_permissions, :apply_individual_permissions, :apply_superuser_permissions ]
+    self.solr_access_filters_logic = [:apply_group_permissions, :apply_user_permissions, :apply_superuser_permissions ]
 
   end
   
@@ -22,7 +22,7 @@ module Hydra::AccessControlsEnforcement
     permission_types = discovery_permissions
     user_access_filters = []
     
-    # Grant access based on user id & role
+    # Grant access based on user id & group
     solr_access_filters_logic.each do |method_name|
       user_access_filters += send(method_name, permission_types)
     end
@@ -102,12 +102,12 @@ module Hydra::AccessControlsEnforcement
   end
 
   
-  def apply_role_permissions(permission_types)
-      # for roles
+  def apply_group_permissions(permission_types)
+      # for groups
       user_access_filters = []
-      current_ability.user_groups.each_with_index do |role, i|
+      current_ability.user_groups.each_with_index do |group, i|
         permission_types.each do |type|
-          user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer), role)
+          user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer), group)
         end
       end
       user_access_filters
@@ -117,8 +117,8 @@ module Hydra::AccessControlsEnforcement
     [key, value.gsub(/[ :\/]/, ' ' => '\ ', '/' => '\/', ':' => '\:')].join(':')
   end
 
-  def apply_individual_permissions(permission_types)
-      # for individual person access
+  def apply_user_permissions(permission_types)
+      # for individual user access
       user_access_filters = []
       if current_user && current_user.user_key.present?
         permission_types.each do |type|
@@ -128,7 +128,6 @@ module Hydra::AccessControlsEnforcement
       user_access_filters
   end
 
-
   # override to apply super user permissions
   def apply_superuser_permissions(permission_types)
     []

data/lib/hydra/admin_policy.rb

@@ -14,7 +14,7 @@ class Hydra::AdminPolicy < ActiveFedora::Base
     
   end
 
-  has_attributes :title, :description, datastream: :descMetadata, multiple: false
+  has_attributes :title, :description, datastream: 'descMetadata', multiple: false
   has_attributes :license_title, datastream: 'rightsMetadata', at: [:license, :title], multiple: false
   has_attributes :license_description, datastream: 'rightsMetadata', at: [:license, :description], multiple: false
   has_attributes :license_url, datastream: 'rightsMetadata', at: [:license, :url], multiple: false
@@ -48,7 +48,7 @@ class Hydra::AdminPolicy < ActiveFedora::Base
   #  obj.default_permissions= [{:name=>"group1", :access=>"discover", :type=>'group'},
   #  {:name=>"group2", :access=>"discover", :type=>'group'}]
   def default_permissions=(params)
-    perm_hash = {'person' => defaultRights.individuals, 'group'=> defaultRights.groups}
+    perm_hash = {'person' => defaultRights.users, 'group'=> defaultRights.groups}
 
     params.each do |row|
       if row[:type] == 'user' || row[:type] == 'person'
@@ -72,7 +72,7 @@ class Hydra::AdminPolicy < ActiveFedora::Base
   #  {:name=>"user3", :access=>"read", :type=>'user'}]
   def default_permissions
     (defaultRights.groups.map {|x| {:type=>'group', :access=>x[1], :name=>x[0] }} + 
-      defaultRights.individuals.map {|x| {:type=>'user', :access=>x[1], :name=>x[0]}})
+      defaultRights.users.map {|x| {:type=>'user', :access=>x[1], :name=>x[0]}})
 
   end
 

data/lib/hydra/config.rb

@@ -0,0 +1,152 @@
+module Hydra
+  class Config
+    def initialize
+      @permissions = PermissionsConfig.new
+      @user_model = 'User'
+    end
+
+    def []= key, value
+      case key
+        when :permissions
+          self.permissions = value
+        when :user_model
+          self.user_model = value
+        else
+          raise "Unknown key"
+      end
+    end
+
+    def [] key
+      case key
+        when :permissions
+          permissions
+        when :user_model
+          user_model
+        else
+          raise "Unknown key #{key}"
+      end
+    end
+
+    attr_reader :permissions
+    attr_accessor :user_model
+
+    def permissions= values
+      @permissions.merge! values
+    end
+
+    class PermissionsConfig
+      attr_accessor :embargo_release_date, :policy_class
+      def initialize
+        @values = {}
+        [:discover, :read, :edit].each do |key|
+          @values[key] = GroupPermission.new(
+            group:      solr_name("#{prefix}#{key}_access_group", :symbol),
+            individual: solr_name("#{prefix}#{key}_access_person", :symbol))
+        end
+        @embargo_release_date = solr_name("#{prefix}embargo_release_date", Solrizer::Descriptor.new(:date, :stored, :indexed))
+      end
+
+      def merge! values
+        values.each {|k, v| self[k] = v }
+      end
+
+      def []= key, value
+        case key
+          when :discover, :read, :edit
+            self.assign_value key, value
+          when :embargo_release_date
+            self.embargo_release_date = value
+          when :policy_class
+            self.policy_class = value
+          when :owner
+            logger.warn "':owner' is no longer a valid configuration for Hydra. Please remove it from your configuration."
+          else
+            raise "Unknown key"
+        end
+      end
+
+      def [] key
+        case key
+          when :discover, :read, :edit
+            @values[key]
+          when :inheritable
+            inheritable
+          when :embargo_release_date
+            @embargo_release_date
+          when :policy_class
+            @policy_class
+          else
+            raise "Unknown key #{key}"
+        end
+      end
+
+      def inheritable
+        @inheritable ||= InheritablePermissionsConfig.new
+      end
+
+      def discover
+        @values[:discover]
+      end
+
+      def read
+        @values[:read]
+      end
+
+      def edit
+        @values[:edit]
+      end
+
+      def discover= val
+        assign_value :discover, val
+      end
+
+      def read= val
+        assign_value :read, val
+      end
+
+      def edit= val
+        assign_value :edit, val
+      end
+
+      protected 
+
+      def prefix
+      end
+
+      def assign_value key, val
+        @values[key].merge!(val)
+      end
+
+      def solr_name(*args)
+        ActiveFedora::SolrService.solr_name(*args)
+      end
+
+
+      class GroupPermission
+        attr_accessor :group, :individual
+        def initialize(values = {})
+          merge! values
+        end
+        def merge! values
+          @group = values[:group]
+          @individual = values[:individual]
+        end
+        def [] key
+          case key
+            when :group, :individual
+              send key
+            else
+              raise "Unknown key"
+          end
+        end
+      end
+    end
+
+    class InheritablePermissionsConfig < PermissionsConfig
+      protected
+        def prefix
+          'inheritable_'
+        end
+    end
+  end
+end