hydra-access-controls 6.5.2 → 7.0.0.pre1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -7,13 +7,11 @@ module Hydra
7
7
  @terminology = Hydra::Datastream::RightsMetadata.terminology
8
8
 
9
9
  def to_solr(solr_doc=Hash.new)
10
- solr_doc[ActiveFedora::SolrService.solr_name('inheritable_discover_access_group', indexer)] = discover_access.machine.group
11
- solr_doc[ActiveFedora::SolrService.solr_name('inheritable_discover_access_person', indexer)] = discover_access.machine.person
12
- solr_doc[ActiveFedora::SolrService.solr_name('inheritable_read_access_group', indexer)] = read_access.machine.group
13
- solr_doc[ActiveFedora::SolrService.solr_name('inheritable_read_access_person', indexer)] = read_access.machine.person
14
- solr_doc[ActiveFedora::SolrService.solr_name('inheritable_edit_access_group', indexer)] = edit_access.machine.group
15
- solr_doc[ActiveFedora::SolrService.solr_name('inheritable_edit_access_person', indexer)] = edit_access.machine.person
16
- solr_doc[ActiveFedora::SolrService.solr_name('inheritable_embargo_release_date', date_indexer)] = embargo_release_date
10
+ [:discover, :read, :edit].each do |access|
11
+ solr_doc[Hydra.config[:permissions][:inheritable][access][:group]] = send("#{access}_access").machine.group
12
+ solr_doc[Hydra.config[:permissions][:inheritable][access][:individual]] = send("#{access}_access").machine.person
13
+ end
14
+ solr_doc[Hydra.config[:permissions][:inheritable][:embargo_release_date]] = embargo_release_date
17
15
  return solr_doc
18
16
  end
19
17
  end
@@ -3,6 +3,7 @@ module Hydra
3
3
  module Datastream
4
4
  # Implements Hydra RightsMetadata XML terminology for asserting access permissions
5
5
  class RightsMetadata < ActiveFedora::OmDatastream
6
+ extend Deprecation
6
7
 
7
8
  set_terminology do |t|
8
9
  t.root(:path=>"rightsMetadata", :xmlns=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1", :schema=>"http://github.com/projecthydra/schemas/tree/v1/rightsMetadata.xsd")
@@ -125,9 +126,14 @@ module Hydra
125
126
  return quick_search_by_type(:group)
126
127
  end
127
128
 
128
- # Reports on which groups have which permissions
129
- # @return Hash in format {person_name => person_permissions, person_name => person_permissions}
130
129
  def individuals
130
+ Deprecation.warn(RightsMetadata, "The method `individuals' is deprecated and will be removed from Hydra::Datastream::RightsMetadata in hydra-head 8.0. Use `users' instead.", caller)
131
+ users
132
+ end
133
+
134
+ # Reports on which users have which permissions
135
+ # @return Hash in format {user_name => user_permissions, user_name => user_permissions}
136
+ def users
131
137
  return quick_search_by_type(:person)
132
138
  end
133
139
 
@@ -147,7 +153,7 @@ module Hydra
147
153
  group_ids = groups.keys | groups_for_update
148
154
  group_ids.each {|group_id| self.permissions({"group"=>group_id}, params['group'].fetch(group_id, 'none'))}
149
155
  users_for_update = params['person'] ? params['person'].keys : []
150
- user_ids = individuals.keys | users_for_update
156
+ user_ids = users.keys | users_for_update
151
157
  user_ids.each {|person_id| self.permissions({"person"=>person_id}, params['person'].fetch(person_id, 'none'))}
152
158
  end
153
159
 
@@ -170,7 +176,7 @@ module Hydra
170
176
  def embargo_release_date=(release_date)
171
177
  release_date = release_date.to_s if release_date.is_a? Date
172
178
  begin
173
- release_date.nil? || Date.parse(release_date)
179
+ Date.parse(release_date)
174
180
  rescue
175
181
  return "INVALID DATE"
176
182
  end
@@ -189,22 +195,14 @@ module Hydra
189
195
 
190
196
  def to_solr(solr_doc=Hash.new)
191
197
  super(solr_doc)
192
- vals = edit_access.machine.group
193
- solr_doc[ActiveFedora::SolrService.solr_name('edit_access_group', indexer)] = vals unless vals.empty?
194
- vals = discover_access.machine.group
195
- solr_doc[ActiveFedora::SolrService.solr_name('discover_access_group', indexer)] = vals unless vals.empty?
196
- vals = read_access.machine.group
197
- solr_doc[ActiveFedora::SolrService.solr_name('read_access_group', indexer)] = vals unless vals.empty?
198
- vals = edit_access.machine.person
199
- solr_doc[ActiveFedora::SolrService.solr_name('edit_access_person', indexer)] = vals unless vals.empty?
200
- vals = discover_access.machine.person
201
- solr_doc[ActiveFedora::SolrService.solr_name('discover_access_person', indexer)] = vals unless vals.empty?
202
- vals = read_access.machine.person
203
- solr_doc[ActiveFedora::SolrService.solr_name('read_access_person', indexer)] = vals unless vals.empty?
204
-
198
+ [:discover, :read, :edit].each do |access|
199
+ vals = send("#{access}_access").machine.group
200
+ solr_doc[Hydra.config[:permissions][access][:group]] = vals unless vals.empty?
201
+ vals = send("#{access}_access").machine.person
202
+ solr_doc[Hydra.config[:permissions][access][:individual]] = vals unless vals.empty?
203
+ end
205
204
  if embargo_release_date
206
- embargo_release_date_solr_key_name = ActiveFedora::SolrService.solr_name("embargo_release_date", date_indexer)
207
- ::Solrizer::Extractor.insert_solr_field_value(solr_doc, embargo_release_date_solr_key_name , embargo_release_date(:format=>:solr_date))
205
+ ::Solrizer::Extractor.insert_solr_field_value(solr_doc, Hydra.config[:permissions][:embargo_release_date], embargo_release_date(:format=>:solr_date))
208
206
  end
209
207
  solr_doc
210
208
  end
@@ -24,8 +24,10 @@ module Hydra
24
24
  # @param [Hash] extra_controller_params (optional)
25
25
  def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
26
26
  raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
27
+ #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
28
+ #path = blacklight_config.solr_path
27
29
  solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
28
- response = ActiveFedora::SolrService.instance.conn.get('select', :params=>solr_opts)
30
+ response = Blacklight.solr.get('select', :params=> solr_opts)
29
31
  solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
30
32
 
31
33
  raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
@@ -1,6 +1,7 @@
1
1
  # Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
2
2
  module Hydra::PolicyAwareAbility
3
3
  extend ActiveSupport::Concern
4
+ extend Deprecation
4
5
  include Hydra::Ability
5
6
 
6
7
  # Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
@@ -54,7 +55,7 @@ module Hydra::PolicyAwareAbility
54
55
  else
55
56
  logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{current_user.user_key}?")
56
57
  group_intersection = user_groups & edit_groups_from_policy( policy_pid )
57
- result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(current_user.user_key)
58
+ result = !group_intersection.empty? || edit_users_from_policy( policy_pid ).include?(current_user.user_key)
58
59
  logger.debug("[CANCAN] -policy- decision: #{result}")
59
60
  return result
60
61
  end
@@ -68,7 +69,7 @@ module Hydra::PolicyAwareAbility
68
69
  else
69
70
  logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{current_user.user_key}?")
70
71
  group_intersection = user_groups & read_groups_from_policy( policy_pid )
71
- result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(current_user.user_key)
72
+ result = !group_intersection.empty? || read_users_from_policy( policy_pid ).include?(current_user.user_key)
72
73
  logger.debug("[CANCAN] -policy- decision: #{result}")
73
74
  result
74
75
  end
@@ -93,23 +94,33 @@ module Hydra::PolicyAwareAbility
93
94
  return rg
94
95
  end
95
96
 
96
- # Returns the list of individuals granted edit access by the policy object identified by policy_pid
97
97
  def edit_persons_from_policy(policy_pid)
98
+ Deprecation.warn(Hydra::PolicyAwareAbility, "The edit_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0. Use edit_users_from_policy instead.", caller)
99
+ edit_users_from_policy(policy_pid)
100
+ end
101
+
102
+ # Returns the list of users granted edit access by the policy object identified by policy_pid
103
+ def edit_users_from_policy(policy_pid)
98
104
  policy_permissions = policy_permissions_doc(policy_pid)
99
- edit_person_field = Hydra.config[:permissions][:inheritable][:edit][:individual]
100
- ep = ((policy_permissions == nil || policy_permissions.fetch(edit_person_field,nil) == nil) ? [] : policy_permissions.fetch(edit_person_field,nil))
101
- logger.debug("[CANCAN] -policy- edit_persons: #{ep.inspect}")
102
- return ep
105
+ edit_user_field = Hydra.config[:permissions][:inheritable][:edit][:individual]
106
+ eu = ((policy_permissions == nil || policy_permissions.fetch(edit_user_field,nil) == nil) ? [] : policy_permissions.fetch(edit_user_field,nil))
107
+ logger.debug("[CANCAN] -policy- edit_users: #{eu.inspect}")
108
+ return eu
103
109
  end
104
110
 
105
- # Returns the list of individuals granted read access by the policy object identified by policy_pid
106
- # Noate: edit implies read, so read_persons is the union of edit and read persons
107
111
  def read_persons_from_policy(policy_pid)
112
+ Deprecation.warn(Hydra::PolicyAwareAbility, "The read_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0. Use read_users_from_policy instead.", caller)
113
+ read_users_from_policy(policy_pid)
114
+ end
115
+
116
+ # Returns the list of users granted read access by the policy object identified by policy_pid
117
+ # Note: edit implies read, so read_users is the union of edit and read users
118
+ def read_users_from_policy(policy_pid)
108
119
  policy_permissions = policy_permissions_doc(policy_pid)
109
- read_individual_field = Hydra.config[:permissions][:inheritable][:read][:individual]
110
- rp = edit_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_individual_field,nil) == nil) ? [] : policy_permissions.fetch(read_individual_field,nil))
111
- logger.debug("[CANCAN] -policy- read_persons: #{rp.inspect}")
112
- return rp
120
+ read_user_field = Hydra.config[:permissions][:inheritable][:read][:individual]
121
+ ru = edit_users_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_user_field, nil) == nil) ? [] : policy_permissions.fetch(read_user_field, nil))
122
+ logger.debug("[CANCAN] -policy- read_users: #{ru.inspect}")
123
+ return ru
113
124
  end
114
125
 
115
126
  private
@@ -1,5 +1,6 @@
1
1
  # Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
2
2
  module Hydra::PolicyAwareAccessControlsEnforcement
3
+ extend Deprecation
3
4
 
4
5
  # Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access
5
6
  # appends the result of policy_clauses into the :fq
@@ -11,7 +12,6 @@ module Hydra::PolicyAwareAccessControlsEnforcement
11
12
  logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
12
13
  end
13
14
 
14
-
15
15
  # returns solr query for finding all objects whose policies grant discover access to current_user
16
16
  def policy_clauses
17
17
  policy_pids = policies_with_access
@@ -19,33 +19,41 @@ module Hydra::PolicyAwareAccessControlsEnforcement
19
19
  '(' + policy_pids.map {|pid| ActiveFedora::SolrService.construct_query_for_rel(is_governed_by: "info:fedora/#{pid}")}.join(' OR ') + ')'
20
20
  end
21
21
 
22
-
23
- # find all the policies that grant discover/read/edit permissions to this user or any of it's groups
22
+ # find all the policies that grant discover/read/edit permissions to this user or any of its groups
24
23
  def policies_with_access
25
24
  #### TODO -- Memoize this and put it in the session?
26
25
  user_access_filters = []
27
- # Grant access based on user id & role
28
- user_access_filters += apply_policy_role_permissions(discovery_permissions)
29
- user_access_filters += apply_policy_individual_permissions(discovery_permissions)
26
+ # Grant access based on user id & group
27
+ user_access_filters += apply_policy_group_permissions(discovery_permissions)
28
+ user_access_filters += apply_policy_user_permissions(discovery_permissions)
30
29
  result = policy_class.find_with_conditions( user_access_filters.join(" OR "), :fl => "id", :rows => policy_class.count )
31
30
  logger.debug "get policies: #{result}\n\n"
32
31
  result.map {|h| h['id']}
33
32
  end
34
33
 
35
-
36
34
  def apply_policy_role_permissions(permission_types = discovery_permissions)
37
- # for roles
35
+ Deprecation.warn(Hydra::PolicyAwareAccessControlsEnforcement, "The method apply_policy_role_permissions is deprecated and will be removed from Hydra::PolicyAwareAccessControlsEnforcement in hydra-head 8.0. Use apply_policy_group_permissions instead.", caller)
36
+ apply_policy_group_permissions(permission_types)
37
+ end
38
+
39
+ def apply_policy_group_permissions(permission_types = discovery_permissions)
40
+ # for groups
38
41
  user_access_filters = []
39
- current_ability.user_groups.each_with_index do |role, i|
42
+ current_ability.user_groups.each_with_index do |group, i|
40
43
  permission_types.each do |type|
41
- user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ), role)
44
+ user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ), group)
42
45
  end
43
46
  end
44
47
  user_access_filters
45
48
  end
46
49
 
47
50
  def apply_policy_individual_permissions(permission_types = discovery_permissions)
48
- # for individual person access
51
+ Deprecation.warn(Hydra::PolicyAwareAccessControlsEnforcement, "The method apply_policy_individual_permissions is deprecated and will be removed from Hydra::PolicyAwareAccessControlsEnforcement in hydra-head 8.0. Use apply_policy_user_permissions instead.", caller)
52
+ apply_policy_user_permissions(permission_types)
53
+ end
54
+
55
+ def apply_policy_user_permissions(permission_types = discovery_permissions)
56
+ # for individual user access
49
57
  user_access_filters = []
50
58
  if current_user
51
59
  permission_types.each do |type|
@@ -4,14 +4,6 @@ require 'rspec/mocks'
4
4
  require 'rspec/autorun'
5
5
  require 'hydra-access-controls'
6
6
 
7
- module Hydra
8
- # Stubbing Hydra.config[:policy_aware] so Hydra::PolicyAwareAbility will be loaded for tests.
9
- def self.config
10
- {:permissions=>{:policy_aware => true}}
11
- end
12
- end
13
-
14
-
15
7
  $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
16
8
  $LOAD_PATH.unshift(File.dirname(__FILE__))
17
9
  Hydra::Engine.config.autoload_paths.each { |path| $LOAD_PATH.unshift path }
@@ -1,8 +1,7 @@
1
1
  require 'active-fedora'
2
-
3
2
  class ModsAsset < ActiveFedora::Base
4
3
  include Hydra::AccessControls::Permissions
5
-
4
+
6
5
  # This is how we're associating admin policies with assets.
7
6
  # You can associate them however you want, just use the :is_governed_by relationship
8
7
  belongs_to :admin_policy, :class_name=> "Hydra::AdminPolicy", :property=>:is_governed_by
@@ -2,7 +2,12 @@ class SolrDocument
2
2
  def initialize(source_doc={}, solr_response=nil)
3
3
  @source_doc = source_doc
4
4
  end
5
- def fetch(field, default)
5
+
6
+ def id
7
+ fetch(:id)
8
+ end
9
+
10
+ def fetch(field, default = nil)
6
11
  @source_doc[field]
7
12
  end
8
13
 
@@ -1,31 +1,13 @@
1
1
  require 'spec_helper'
2
+ require 'cancan/matchers'
2
3
 
3
4
  describe Ability do
4
- before do
5
- Hydra.stub(:config).and_return({
6
- :permissions=>{
7
- :discover => {:group =>"discover_access_group_ssim", :individual=>"discover_access_person_ssim"},
8
- :read => {:group =>"read_access_group_ssim", :individual=>"read_access_person_ssim"},
9
- :edit => {:group =>"edit_access_group_ssim", :individual=>"edit_access_person_ssim"},
10
- :owner => "depositor_t",
11
- :embargo_release_date => "embargo_release_date_dtsi",
12
-
13
- :inheritable => {
14
- :discover => {:group =>"inheritable_discover_access_group_ssim", :individual=>"inheritable_discover_access_person_ssim"},
15
- :read => {:group =>"inheritable_read_access_group_ssim", :individual=>"inheritable_read_access_person_ssim"},
16
- :edit => {:group =>"inheritable_edit_access_group_ssim", :individual=>"inheritable_edit_access_person_ssim"},
17
- :owner => "inheritable_depositor_ssim",
18
- :embargo_release_date => "inheritable_embargo_release_date_dtsi"
19
- }
20
- }})
21
- end
22
-
23
5
  describe "class methods" do
24
6
  subject { Ability }
25
7
  its(:read_group_field) { should == 'read_access_group_ssim'}
26
- its(:read_person_field) { should == 'read_access_person_ssim'}
8
+ its(:read_user_field) { should == 'read_access_person_ssim'}
27
9
  its(:edit_group_field) { should == 'edit_access_group_ssim'}
28
- its(:edit_person_field) { should == 'edit_access_person_ssim'}
10
+ its(:edit_user_field) { should == 'edit_access_person_ssim'}
29
11
  end
30
12
 
31
13
  context "for a not-signed in user" do
@@ -38,17 +20,18 @@ describe Ability do
38
20
  Ability.any_instance.should_receive(:custom_permissions)
39
21
  subject.can?(:delete, 7)
40
22
  end
41
- it "should not be able to create objects" do
42
- subject.can?(:create, :any).should be_false
23
+ it "should not be able to create ActiveFedora::Base objects" do
24
+ subject.should_not be_able_to(:create, ActiveFedora::Base)
43
25
  end
44
26
  end
27
+
45
28
  context "for a signed in user" do
46
29
  before do
47
30
  @user = FactoryGirl.build(:registered_user)
48
31
  end
49
32
  subject { Ability.new(@user) }
50
- it "should be able to create objects" do
51
- subject.can?(:create, :any).should be_true
33
+ it "should not be able to create ActiveFedora::Base objects" do
34
+ subject.should_not be_able_to(:create, ActiveFedora::Base)
52
35
  end
53
36
  end
54
37
 
@@ -94,56 +77,33 @@ describe Ability do
94
77
  end
95
78
 
96
79
  describe "Given an asset with no custom access set" do
97
- before do
98
- @asset = FactoryGirl.build(:default_access_asset)
99
- @asset.save
100
- end
80
+ let(:asset) { FactoryGirl.create(:default_access_asset) }
81
+ let(:solr_doc) { SolrDocument.new(asset.rightsMetadata.to_solr.merge(id: asset.pid)) }
101
82
  context "Then a not-signed-in user" do
102
- before do
103
- @user = User.new
104
- @user.new_record = true
105
- end
106
- subject { Ability.new(@user) }
107
- it "should not be able to view the asset" do
108
- subject.can?(:read, @asset).should be_false
109
- end
110
- it "should not be able to edit, update and destroy the asset" do
111
- subject.can?(:edit, @asset).should be_false
112
- subject.can?(:update, @asset).should be_false
113
- subject.can?(:destroy, @asset).should be_false
114
- end
83
+ let(:user) { User.new.tap {|u| u.new_record = true } }
84
+ subject { Ability.new(user) }
85
+ it { should_not be_able_to(:read, asset) }
86
+ it { should_not be_able_to(:edit, asset) }
87
+ it { should_not be_able_to(:update, asset) }
88
+ it { should_not be_able_to(:destroy, asset) }
115
89
  end
116
90
  context "Then a registered user" do
117
- before do
118
- @user = FactoryGirl.build(:registered_user)
119
- end
120
- subject { Ability.new(@user) }
121
- it "should not be able to view the asset" do
122
- subject.can?(:read, @asset).should be_false
123
- end
124
- it "should not be able to edit, update and destroy the asset" do
125
- subject.can?(:edit, @asset).should be_false
126
- subject.can?(:update, @asset).should be_false
127
- subject.can?(:destroy, @asset).should be_false
128
- end
91
+ subject { Ability.new(FactoryGirl.build(:registered_user)) }
92
+ it { should_not be_able_to(:read, asset) }
93
+ it { should_not be_able_to(:edit, asset) }
94
+ it { should_not be_able_to(:update, asset) }
95
+ it { should_not be_able_to(:destroy, asset) }
129
96
  end
130
97
  context "Then the Creator" do
131
- before do
132
- @user = FactoryGirl.build(:joe_creator)
133
- end
134
- subject { Ability.new(@user) }
135
-
136
- it "should be able to view the asset" do
137
- subject.can?(:read, @asset).should be_true
138
- end
139
- it "should be able to edit, update and destroy the asset" do
140
- subject.can?(:edit, @asset).should be_true
141
- subject.can?(:update, @asset).should be_true
142
- subject.can?(:destroy, @asset).should be_true
143
- end
144
- it "should not be able to see the admin view of the asset" do
145
- subject.can?(:admin, @asset).should be_false
146
- end
98
+ subject { Ability.new(FactoryGirl.build(:joe_creator)) }
99
+ it { should be_able_to(:read, asset) }
100
+ it { should be_able_to(:edit, asset) }
101
+ it { should be_able_to(:edit, solr_doc) }
102
+ it { should be_able_to(:update, asset) }
103
+ it { should be_able_to(:update, solr_doc) }
104
+ it { should be_able_to(:destroy, asset) }
105
+ it { should be_able_to(:destroy, solr_doc) }
106
+ it { should_not be_able_to(:admin, asset) }
147
107
  end
148
108
  end
149
109
 
@@ -173,9 +133,8 @@ describe Ability do
173
133
  end
174
134
 
175
135
  describe "Given an asset with collaborator" do
176
- before do
177
- @asset = FactoryGirl.create(:group_edit_asset)
178
- end
136
+ before { @asset = FactoryGirl.create(:group_edit_asset) }
137
+ after { @asset.destroy }
179
138
  context "Then a collaborator with edit access (user permision)" do
180
139
  before do
181
140
  @user = FactoryGirl.build(:calvin_collaborator)
@@ -251,17 +210,6 @@ describe Ability do
251
210
  end
252
211
  end
253
212
 
254
- describe "a user" do
255
- before do
256
- @user = FactoryGirl.create(:staff)
257
- end
258
- subject { Ability.new(@user) }
259
-
260
- it "should be able to create admin policies" do
261
- subject.can?(:create, Hydra::AdminPolicy).should be_true
262
- end
263
-
264
- end
265
213
 
266
214
  describe "custom method" do
267
215
  before do
@@ -273,13 +221,14 @@ describe Ability do
273
221
  can :accept, ActiveFedora::Base
274
222
  end
275
223
  end
224
+ @user = FactoryGirl.create(:staff)
276
225
  end
277
226
 
278
227
  after do
279
228
  Object.send(:remove_const, :MyAbility)
280
229
  end
281
230
 
282
- subject { MyAbility.new(FactoryGirl.create(:staff)) }
231
+ subject { MyAbility.new(@user) }
283
232
 
284
233
  it "should be set the custom permission" do
285
234
  subject.can?(:accept, ActiveFedora::Base).should be_true
@@ -293,6 +242,10 @@ describe Ability do
293
242
  @asset2 = FactoryGirl.create(:asset)
294
243
  @user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
295
244
  end
245
+ after do
246
+ @asset1.destroy
247
+ @asset2.destroy
248
+ end
296
249
  subject { Ability.new(@user) }
297
250
  it "should be readable in the first instance and not in the second instance" do
298
251
  # We had a bug around this where it keeps returning the access for the first object queried
@@ -301,4 +254,33 @@ describe Ability do
301
254
  end
302
255
  end
303
256
 
257
+ describe "download permissions" do
258
+ subject { Ability.new(@user) }
259
+ before do
260
+ @asset = FactoryGirl.create(:asset)
261
+ @user = FactoryGirl.build(:user)
262
+ end
263
+ after { @asset.destroy }
264
+ context "user has read permission on the object" do
265
+ before do
266
+ @asset.read_users = [@user.user_key]
267
+ @asset.save
268
+ end
269
+ it "should permit the user to download the object's datastreams" do
270
+ subject.can?(:read, @asset).should be_true
271
+ @asset.datastreams.each_value do |ds|
272
+ subject.can?(:download, ds).should be_true
273
+ end
274
+ end
275
+ end
276
+ context "user lacks read permission on the object" do
277
+ it "should not permit the user to download the object's datastreams" do
278
+ subject.can?(:read, @asset).should be_false
279
+ @asset.datastreams.each_value do |ds|
280
+ subject.can?(:download, ds).should be_false
281
+ end
282
+ end
283
+ end
284
+ end
285
+
304
286
  end