hydra-access-controls 6.5.2 → 7.0.0.pre1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/models/concerns/hydra/access_controls/permissions.rb +18 -13
- data/hydra-access-controls.gemspec +2 -2
- data/lib/hydra-access-controls.rb +13 -7
- data/lib/hydra/ability.rb +35 -18
- data/lib/hydra/access_controls/permission.rb +1 -6
- data/lib/hydra/access_controls_enforcement.rb +8 -9
- data/lib/hydra/admin_policy.rb +3 -3
- data/lib/hydra/config.rb +152 -0
- data/lib/hydra/datastream/inheritable_rights_metadata.rb +5 -7
- data/lib/hydra/datastream/rights_metadata.rb +17 -19
- data/lib/hydra/permissions_query.rb +3 -1
- data/lib/hydra/policy_aware_ability.rb +24 -13
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +19 -11
- data/spec/spec_helper.rb +0 -8
- data/spec/support/mods_asset.rb +1 -2
- data/spec/support/solr_document.rb +6 -1
- data/spec/unit/ability_spec.rb +67 -85
- data/spec/unit/access_controls_enforcement_spec.rb +3 -3
- data/spec/unit/admin_policy_spec.rb +0 -17
- data/spec/unit/config_spec.rb +48 -0
- data/spec/unit/hydra_rights_metadata_persistence_spec.rb +1 -1
- data/spec/unit/hydra_rights_metadata_spec.rb +0 -5
- data/spec/unit/permissions_spec.rb +80 -72
- metadata +12 -14
- data/lib/hydra/model_mixins/rights_metadata.rb +0 -27
- data/spec/unit/permission_spec.rb +0 -28
- data/spec/unit/rights_metadata_spec.rb +0 -104
@@ -7,13 +7,11 @@ module Hydra
|
|
7
7
|
@terminology = Hydra::Datastream::RightsMetadata.terminology
|
8
8
|
|
9
9
|
def to_solr(solr_doc=Hash.new)
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
solr_doc[
|
15
|
-
solr_doc[ActiveFedora::SolrService.solr_name('inheritable_edit_access_person', indexer)] = edit_access.machine.person
|
16
|
-
solr_doc[ActiveFedora::SolrService.solr_name('inheritable_embargo_release_date', date_indexer)] = embargo_release_date
|
10
|
+
[:discover, :read, :edit].each do |access|
|
11
|
+
solr_doc[Hydra.config[:permissions][:inheritable][access][:group]] = send("#{access}_access").machine.group
|
12
|
+
solr_doc[Hydra.config[:permissions][:inheritable][access][:individual]] = send("#{access}_access").machine.person
|
13
|
+
end
|
14
|
+
solr_doc[Hydra.config[:permissions][:inheritable][:embargo_release_date]] = embargo_release_date
|
17
15
|
return solr_doc
|
18
16
|
end
|
19
17
|
end
|
@@ -3,6 +3,7 @@ module Hydra
|
|
3
3
|
module Datastream
|
4
4
|
# Implements Hydra RightsMetadata XML terminology for asserting access permissions
|
5
5
|
class RightsMetadata < ActiveFedora::OmDatastream
|
6
|
+
extend Deprecation
|
6
7
|
|
7
8
|
set_terminology do |t|
|
8
9
|
t.root(:path=>"rightsMetadata", :xmlns=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1", :schema=>"http://github.com/projecthydra/schemas/tree/v1/rightsMetadata.xsd")
|
@@ -125,9 +126,14 @@ module Hydra
|
|
125
126
|
return quick_search_by_type(:group)
|
126
127
|
end
|
127
128
|
|
128
|
-
# Reports on which groups have which permissions
|
129
|
-
# @return Hash in format {person_name => person_permissions, person_name => person_permissions}
|
130
129
|
def individuals
|
130
|
+
Deprecation.warn(RightsMetadata, "The method `individuals' is deprecated and will be removed from Hydra::Datastream::RightsMetadata in hydra-head 8.0. Use `users' instead.", caller)
|
131
|
+
users
|
132
|
+
end
|
133
|
+
|
134
|
+
# Reports on which users have which permissions
|
135
|
+
# @return Hash in format {user_name => user_permissions, user_name => user_permissions}
|
136
|
+
def users
|
131
137
|
return quick_search_by_type(:person)
|
132
138
|
end
|
133
139
|
|
@@ -147,7 +153,7 @@ module Hydra
|
|
147
153
|
group_ids = groups.keys | groups_for_update
|
148
154
|
group_ids.each {|group_id| self.permissions({"group"=>group_id}, params['group'].fetch(group_id, 'none'))}
|
149
155
|
users_for_update = params['person'] ? params['person'].keys : []
|
150
|
-
user_ids =
|
156
|
+
user_ids = users.keys | users_for_update
|
151
157
|
user_ids.each {|person_id| self.permissions({"person"=>person_id}, params['person'].fetch(person_id, 'none'))}
|
152
158
|
end
|
153
159
|
|
@@ -170,7 +176,7 @@ module Hydra
|
|
170
176
|
def embargo_release_date=(release_date)
|
171
177
|
release_date = release_date.to_s if release_date.is_a? Date
|
172
178
|
begin
|
173
|
-
|
179
|
+
Date.parse(release_date)
|
174
180
|
rescue
|
175
181
|
return "INVALID DATE"
|
176
182
|
end
|
@@ -189,22 +195,14 @@ module Hydra
|
|
189
195
|
|
190
196
|
def to_solr(solr_doc=Hash.new)
|
191
197
|
super(solr_doc)
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
vals = edit_access.machine.person
|
199
|
-
solr_doc[ActiveFedora::SolrService.solr_name('edit_access_person', indexer)] = vals unless vals.empty?
|
200
|
-
vals = discover_access.machine.person
|
201
|
-
solr_doc[ActiveFedora::SolrService.solr_name('discover_access_person', indexer)] = vals unless vals.empty?
|
202
|
-
vals = read_access.machine.person
|
203
|
-
solr_doc[ActiveFedora::SolrService.solr_name('read_access_person', indexer)] = vals unless vals.empty?
|
204
|
-
|
198
|
+
[:discover, :read, :edit].each do |access|
|
199
|
+
vals = send("#{access}_access").machine.group
|
200
|
+
solr_doc[Hydra.config[:permissions][access][:group]] = vals unless vals.empty?
|
201
|
+
vals = send("#{access}_access").machine.person
|
202
|
+
solr_doc[Hydra.config[:permissions][access][:individual]] = vals unless vals.empty?
|
203
|
+
end
|
205
204
|
if embargo_release_date
|
206
|
-
|
207
|
-
::Solrizer::Extractor.insert_solr_field_value(solr_doc, embargo_release_date_solr_key_name , embargo_release_date(:format=>:solr_date))
|
205
|
+
::Solrizer::Extractor.insert_solr_field_value(solr_doc, Hydra.config[:permissions][:embargo_release_date], embargo_release_date(:format=>:solr_date))
|
208
206
|
end
|
209
207
|
solr_doc
|
210
208
|
end
|
@@ -24,8 +24,10 @@ module Hydra
|
|
24
24
|
# @param [Hash] extra_controller_params (optional)
|
25
25
|
def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
|
26
26
|
raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
|
27
|
+
#solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
|
28
|
+
#path = blacklight_config.solr_path
|
27
29
|
solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
|
28
|
-
response =
|
30
|
+
response = Blacklight.solr.get('select', :params=> solr_opts)
|
29
31
|
solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
|
30
32
|
|
31
33
|
raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
|
@@ -1,6 +1,7 @@
|
|
1
1
|
# Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
|
2
2
|
module Hydra::PolicyAwareAbility
|
3
3
|
extend ActiveSupport::Concern
|
4
|
+
extend Deprecation
|
4
5
|
include Hydra::Ability
|
5
6
|
|
6
7
|
# Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
|
@@ -54,7 +55,7 @@ module Hydra::PolicyAwareAbility
|
|
54
55
|
else
|
55
56
|
logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{current_user.user_key}?")
|
56
57
|
group_intersection = user_groups & edit_groups_from_policy( policy_pid )
|
57
|
-
result = !group_intersection.empty? ||
|
58
|
+
result = !group_intersection.empty? || edit_users_from_policy( policy_pid ).include?(current_user.user_key)
|
58
59
|
logger.debug("[CANCAN] -policy- decision: #{result}")
|
59
60
|
return result
|
60
61
|
end
|
@@ -68,7 +69,7 @@ module Hydra::PolicyAwareAbility
|
|
68
69
|
else
|
69
70
|
logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{current_user.user_key}?")
|
70
71
|
group_intersection = user_groups & read_groups_from_policy( policy_pid )
|
71
|
-
result = !group_intersection.empty? ||
|
72
|
+
result = !group_intersection.empty? || read_users_from_policy( policy_pid ).include?(current_user.user_key)
|
72
73
|
logger.debug("[CANCAN] -policy- decision: #{result}")
|
73
74
|
result
|
74
75
|
end
|
@@ -93,23 +94,33 @@ module Hydra::PolicyAwareAbility
|
|
93
94
|
return rg
|
94
95
|
end
|
95
96
|
|
96
|
-
# Returns the list of individuals granted edit access by the policy object identified by policy_pid
|
97
97
|
def edit_persons_from_policy(policy_pid)
|
98
|
+
Deprecation.warn(Hydra::PolicyAwareAbility, "The edit_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0. Use edit_users_from_policy instead.", caller)
|
99
|
+
edit_users_from_policy(policy_pid)
|
100
|
+
end
|
101
|
+
|
102
|
+
# Returns the list of users granted edit access by the policy object identified by policy_pid
|
103
|
+
def edit_users_from_policy(policy_pid)
|
98
104
|
policy_permissions = policy_permissions_doc(policy_pid)
|
99
|
-
|
100
|
-
|
101
|
-
logger.debug("[CANCAN] -policy-
|
102
|
-
return
|
105
|
+
edit_user_field = Hydra.config[:permissions][:inheritable][:edit][:individual]
|
106
|
+
eu = ((policy_permissions == nil || policy_permissions.fetch(edit_user_field,nil) == nil) ? [] : policy_permissions.fetch(edit_user_field,nil))
|
107
|
+
logger.debug("[CANCAN] -policy- edit_users: #{eu.inspect}")
|
108
|
+
return eu
|
103
109
|
end
|
104
110
|
|
105
|
-
# Returns the list of individuals granted read access by the policy object identified by policy_pid
|
106
|
-
# Noate: edit implies read, so read_persons is the union of edit and read persons
|
107
111
|
def read_persons_from_policy(policy_pid)
|
112
|
+
Deprecation.warn(Hydra::PolicyAwareAbility, "The read_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0. Use read_users_from_policy instead.", caller)
|
113
|
+
read_users_from_policy(policy_pid)
|
114
|
+
end
|
115
|
+
|
116
|
+
# Returns the list of users granted read access by the policy object identified by policy_pid
|
117
|
+
# Note: edit implies read, so read_users is the union of edit and read users
|
118
|
+
def read_users_from_policy(policy_pid)
|
108
119
|
policy_permissions = policy_permissions_doc(policy_pid)
|
109
|
-
|
110
|
-
|
111
|
-
logger.debug("[CANCAN] -policy-
|
112
|
-
return
|
120
|
+
read_user_field = Hydra.config[:permissions][:inheritable][:read][:individual]
|
121
|
+
ru = edit_users_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_user_field, nil) == nil) ? [] : policy_permissions.fetch(read_user_field, nil))
|
122
|
+
logger.debug("[CANCAN] -policy- read_users: #{ru.inspect}")
|
123
|
+
return ru
|
113
124
|
end
|
114
125
|
|
115
126
|
private
|
@@ -1,5 +1,6 @@
|
|
1
1
|
# Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
|
2
2
|
module Hydra::PolicyAwareAccessControlsEnforcement
|
3
|
+
extend Deprecation
|
3
4
|
|
4
5
|
# Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access
|
5
6
|
# appends the result of policy_clauses into the :fq
|
@@ -11,7 +12,6 @@ module Hydra::PolicyAwareAccessControlsEnforcement
|
|
11
12
|
logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
|
12
13
|
end
|
13
14
|
|
14
|
-
|
15
15
|
# returns solr query for finding all objects whose policies grant discover access to current_user
|
16
16
|
def policy_clauses
|
17
17
|
policy_pids = policies_with_access
|
@@ -19,33 +19,41 @@ module Hydra::PolicyAwareAccessControlsEnforcement
|
|
19
19
|
'(' + policy_pids.map {|pid| ActiveFedora::SolrService.construct_query_for_rel(is_governed_by: "info:fedora/#{pid}")}.join(' OR ') + ')'
|
20
20
|
end
|
21
21
|
|
22
|
-
|
23
|
-
# find all the policies that grant discover/read/edit permissions to this user or any of it's groups
|
22
|
+
# find all the policies that grant discover/read/edit permissions to this user or any of its groups
|
24
23
|
def policies_with_access
|
25
24
|
#### TODO -- Memoize this and put it in the session?
|
26
25
|
user_access_filters = []
|
27
|
-
# Grant access based on user id &
|
28
|
-
user_access_filters +=
|
29
|
-
user_access_filters +=
|
26
|
+
# Grant access based on user id & group
|
27
|
+
user_access_filters += apply_policy_group_permissions(discovery_permissions)
|
28
|
+
user_access_filters += apply_policy_user_permissions(discovery_permissions)
|
30
29
|
result = policy_class.find_with_conditions( user_access_filters.join(" OR "), :fl => "id", :rows => policy_class.count )
|
31
30
|
logger.debug "get policies: #{result}\n\n"
|
32
31
|
result.map {|h| h['id']}
|
33
32
|
end
|
34
33
|
|
35
|
-
|
36
34
|
def apply_policy_role_permissions(permission_types = discovery_permissions)
|
37
|
-
|
35
|
+
Deprecation.warn(Hydra::PolicyAwareAccessControlsEnforcement, "The method apply_policy_role_permissions is deprecated and will be removed from Hydra::PolicyAwareAccessControlsEnforcement in hydra-head 8.0. Use apply_policy_group_permissions instead.", caller)
|
36
|
+
apply_policy_group_permissions(permission_types)
|
37
|
+
end
|
38
|
+
|
39
|
+
def apply_policy_group_permissions(permission_types = discovery_permissions)
|
40
|
+
# for groups
|
38
41
|
user_access_filters = []
|
39
|
-
current_ability.user_groups.each_with_index do |
|
42
|
+
current_ability.user_groups.each_with_index do |group, i|
|
40
43
|
permission_types.each do |type|
|
41
|
-
user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ),
|
44
|
+
user_access_filters << escape_filter(ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer ), group)
|
42
45
|
end
|
43
46
|
end
|
44
47
|
user_access_filters
|
45
48
|
end
|
46
49
|
|
47
50
|
def apply_policy_individual_permissions(permission_types = discovery_permissions)
|
48
|
-
|
51
|
+
Deprecation.warn(Hydra::PolicyAwareAccessControlsEnforcement, "The method apply_policy_individual_permissions is deprecated and will be removed from Hydra::PolicyAwareAccessControlsEnforcement in hydra-head 8.0. Use apply_policy_user_permissions instead.", caller)
|
52
|
+
apply_policy_user_permissions(permission_types)
|
53
|
+
end
|
54
|
+
|
55
|
+
def apply_policy_user_permissions(permission_types = discovery_permissions)
|
56
|
+
# for individual user access
|
49
57
|
user_access_filters = []
|
50
58
|
if current_user
|
51
59
|
permission_types.each do |type|
|
data/spec/spec_helper.rb
CHANGED
@@ -4,14 +4,6 @@ require 'rspec/mocks'
|
|
4
4
|
require 'rspec/autorun'
|
5
5
|
require 'hydra-access-controls'
|
6
6
|
|
7
|
-
module Hydra
|
8
|
-
# Stubbing Hydra.config[:policy_aware] so Hydra::PolicyAwareAbility will be loaded for tests.
|
9
|
-
def self.config
|
10
|
-
{:permissions=>{:policy_aware => true}}
|
11
|
-
end
|
12
|
-
end
|
13
|
-
|
14
|
-
|
15
7
|
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
16
8
|
$LOAD_PATH.unshift(File.dirname(__FILE__))
|
17
9
|
Hydra::Engine.config.autoload_paths.each { |path| $LOAD_PATH.unshift path }
|
data/spec/support/mods_asset.rb
CHANGED
@@ -1,8 +1,7 @@
|
|
1
1
|
require 'active-fedora'
|
2
|
-
|
3
2
|
class ModsAsset < ActiveFedora::Base
|
4
3
|
include Hydra::AccessControls::Permissions
|
5
|
-
|
4
|
+
|
6
5
|
# This is how we're associating admin policies with assets.
|
7
6
|
# You can associate them however you want, just use the :is_governed_by relationship
|
8
7
|
belongs_to :admin_policy, :class_name=> "Hydra::AdminPolicy", :property=>:is_governed_by
|
data/spec/unit/ability_spec.rb
CHANGED
@@ -1,31 +1,13 @@
|
|
1
1
|
require 'spec_helper'
|
2
|
+
require 'cancan/matchers'
|
2
3
|
|
3
4
|
describe Ability do
|
4
|
-
before do
|
5
|
-
Hydra.stub(:config).and_return({
|
6
|
-
:permissions=>{
|
7
|
-
:discover => {:group =>"discover_access_group_ssim", :individual=>"discover_access_person_ssim"},
|
8
|
-
:read => {:group =>"read_access_group_ssim", :individual=>"read_access_person_ssim"},
|
9
|
-
:edit => {:group =>"edit_access_group_ssim", :individual=>"edit_access_person_ssim"},
|
10
|
-
:owner => "depositor_t",
|
11
|
-
:embargo_release_date => "embargo_release_date_dtsi",
|
12
|
-
|
13
|
-
:inheritable => {
|
14
|
-
:discover => {:group =>"inheritable_discover_access_group_ssim", :individual=>"inheritable_discover_access_person_ssim"},
|
15
|
-
:read => {:group =>"inheritable_read_access_group_ssim", :individual=>"inheritable_read_access_person_ssim"},
|
16
|
-
:edit => {:group =>"inheritable_edit_access_group_ssim", :individual=>"inheritable_edit_access_person_ssim"},
|
17
|
-
:owner => "inheritable_depositor_ssim",
|
18
|
-
:embargo_release_date => "inheritable_embargo_release_date_dtsi"
|
19
|
-
}
|
20
|
-
}})
|
21
|
-
end
|
22
|
-
|
23
5
|
describe "class methods" do
|
24
6
|
subject { Ability }
|
25
7
|
its(:read_group_field) { should == 'read_access_group_ssim'}
|
26
|
-
its(:
|
8
|
+
its(:read_user_field) { should == 'read_access_person_ssim'}
|
27
9
|
its(:edit_group_field) { should == 'edit_access_group_ssim'}
|
28
|
-
its(:
|
10
|
+
its(:edit_user_field) { should == 'edit_access_person_ssim'}
|
29
11
|
end
|
30
12
|
|
31
13
|
context "for a not-signed in user" do
|
@@ -38,17 +20,18 @@ describe Ability do
|
|
38
20
|
Ability.any_instance.should_receive(:custom_permissions)
|
39
21
|
subject.can?(:delete, 7)
|
40
22
|
end
|
41
|
-
it "should not be able to create objects" do
|
42
|
-
subject.
|
23
|
+
it "should not be able to create ActiveFedora::Base objects" do
|
24
|
+
subject.should_not be_able_to(:create, ActiveFedora::Base)
|
43
25
|
end
|
44
26
|
end
|
27
|
+
|
45
28
|
context "for a signed in user" do
|
46
29
|
before do
|
47
30
|
@user = FactoryGirl.build(:registered_user)
|
48
31
|
end
|
49
32
|
subject { Ability.new(@user) }
|
50
|
-
it "should be able to create objects" do
|
51
|
-
subject.
|
33
|
+
it "should not be able to create ActiveFedora::Base objects" do
|
34
|
+
subject.should_not be_able_to(:create, ActiveFedora::Base)
|
52
35
|
end
|
53
36
|
end
|
54
37
|
|
@@ -94,56 +77,33 @@ describe Ability do
|
|
94
77
|
end
|
95
78
|
|
96
79
|
describe "Given an asset with no custom access set" do
|
97
|
-
|
98
|
-
|
99
|
-
@asset.save
|
100
|
-
end
|
80
|
+
let(:asset) { FactoryGirl.create(:default_access_asset) }
|
81
|
+
let(:solr_doc) { SolrDocument.new(asset.rightsMetadata.to_solr.merge(id: asset.pid)) }
|
101
82
|
context "Then a not-signed-in user" do
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
it
|
108
|
-
subject.can?(:read, @asset).should be_false
|
109
|
-
end
|
110
|
-
it "should not be able to edit, update and destroy the asset" do
|
111
|
-
subject.can?(:edit, @asset).should be_false
|
112
|
-
subject.can?(:update, @asset).should be_false
|
113
|
-
subject.can?(:destroy, @asset).should be_false
|
114
|
-
end
|
83
|
+
let(:user) { User.new.tap {|u| u.new_record = true } }
|
84
|
+
subject { Ability.new(user) }
|
85
|
+
it { should_not be_able_to(:read, asset) }
|
86
|
+
it { should_not be_able_to(:edit, asset) }
|
87
|
+
it { should_not be_able_to(:update, asset) }
|
88
|
+
it { should_not be_able_to(:destroy, asset) }
|
115
89
|
end
|
116
90
|
context "Then a registered user" do
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
it
|
122
|
-
subject.can?(:read, @asset).should be_false
|
123
|
-
end
|
124
|
-
it "should not be able to edit, update and destroy the asset" do
|
125
|
-
subject.can?(:edit, @asset).should be_false
|
126
|
-
subject.can?(:update, @asset).should be_false
|
127
|
-
subject.can?(:destroy, @asset).should be_false
|
128
|
-
end
|
91
|
+
subject { Ability.new(FactoryGirl.build(:registered_user)) }
|
92
|
+
it { should_not be_able_to(:read, asset) }
|
93
|
+
it { should_not be_able_to(:edit, asset) }
|
94
|
+
it { should_not be_able_to(:update, asset) }
|
95
|
+
it { should_not be_able_to(:destroy, asset) }
|
129
96
|
end
|
130
97
|
context "Then the Creator" do
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
it
|
137
|
-
|
138
|
-
|
139
|
-
it
|
140
|
-
subject.can?(:edit, @asset).should be_true
|
141
|
-
subject.can?(:update, @asset).should be_true
|
142
|
-
subject.can?(:destroy, @asset).should be_true
|
143
|
-
end
|
144
|
-
it "should not be able to see the admin view of the asset" do
|
145
|
-
subject.can?(:admin, @asset).should be_false
|
146
|
-
end
|
98
|
+
subject { Ability.new(FactoryGirl.build(:joe_creator)) }
|
99
|
+
it { should be_able_to(:read, asset) }
|
100
|
+
it { should be_able_to(:edit, asset) }
|
101
|
+
it { should be_able_to(:edit, solr_doc) }
|
102
|
+
it { should be_able_to(:update, asset) }
|
103
|
+
it { should be_able_to(:update, solr_doc) }
|
104
|
+
it { should be_able_to(:destroy, asset) }
|
105
|
+
it { should be_able_to(:destroy, solr_doc) }
|
106
|
+
it { should_not be_able_to(:admin, asset) }
|
147
107
|
end
|
148
108
|
end
|
149
109
|
|
@@ -173,9 +133,8 @@ describe Ability do
|
|
173
133
|
end
|
174
134
|
|
175
135
|
describe "Given an asset with collaborator" do
|
176
|
-
before
|
177
|
-
|
178
|
-
end
|
136
|
+
before { @asset = FactoryGirl.create(:group_edit_asset) }
|
137
|
+
after { @asset.destroy }
|
179
138
|
context "Then a collaborator with edit access (user permision)" do
|
180
139
|
before do
|
181
140
|
@user = FactoryGirl.build(:calvin_collaborator)
|
@@ -251,17 +210,6 @@ describe Ability do
|
|
251
210
|
end
|
252
211
|
end
|
253
212
|
|
254
|
-
describe "a user" do
|
255
|
-
before do
|
256
|
-
@user = FactoryGirl.create(:staff)
|
257
|
-
end
|
258
|
-
subject { Ability.new(@user) }
|
259
|
-
|
260
|
-
it "should be able to create admin policies" do
|
261
|
-
subject.can?(:create, Hydra::AdminPolicy).should be_true
|
262
|
-
end
|
263
|
-
|
264
|
-
end
|
265
213
|
|
266
214
|
describe "custom method" do
|
267
215
|
before do
|
@@ -273,13 +221,14 @@ describe Ability do
|
|
273
221
|
can :accept, ActiveFedora::Base
|
274
222
|
end
|
275
223
|
end
|
224
|
+
@user = FactoryGirl.create(:staff)
|
276
225
|
end
|
277
226
|
|
278
227
|
after do
|
279
228
|
Object.send(:remove_const, :MyAbility)
|
280
229
|
end
|
281
230
|
|
282
|
-
subject { MyAbility.new(
|
231
|
+
subject { MyAbility.new(@user) }
|
283
232
|
|
284
233
|
it "should be set the custom permission" do
|
285
234
|
subject.can?(:accept, ActiveFedora::Base).should be_true
|
@@ -293,6 +242,10 @@ describe Ability do
|
|
293
242
|
@asset2 = FactoryGirl.create(:asset)
|
294
243
|
@user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
|
295
244
|
end
|
245
|
+
after do
|
246
|
+
@asset1.destroy
|
247
|
+
@asset2.destroy
|
248
|
+
end
|
296
249
|
subject { Ability.new(@user) }
|
297
250
|
it "should be readable in the first instance and not in the second instance" do
|
298
251
|
# We had a bug around this where it keeps returning the access for the first object queried
|
@@ -301,4 +254,33 @@ describe Ability do
|
|
301
254
|
end
|
302
255
|
end
|
303
256
|
|
257
|
+
describe "download permissions" do
|
258
|
+
subject { Ability.new(@user) }
|
259
|
+
before do
|
260
|
+
@asset = FactoryGirl.create(:asset)
|
261
|
+
@user = FactoryGirl.build(:user)
|
262
|
+
end
|
263
|
+
after { @asset.destroy }
|
264
|
+
context "user has read permission on the object" do
|
265
|
+
before do
|
266
|
+
@asset.read_users = [@user.user_key]
|
267
|
+
@asset.save
|
268
|
+
end
|
269
|
+
it "should permit the user to download the object's datastreams" do
|
270
|
+
subject.can?(:read, @asset).should be_true
|
271
|
+
@asset.datastreams.each_value do |ds|
|
272
|
+
subject.can?(:download, ds).should be_true
|
273
|
+
end
|
274
|
+
end
|
275
|
+
end
|
276
|
+
context "user lacks read permission on the object" do
|
277
|
+
it "should not permit the user to download the object's datastreams" do
|
278
|
+
subject.can?(:read, @asset).should be_false
|
279
|
+
@asset.datastreams.each_value do |ds|
|
280
|
+
subject.can?(:download, ds).should be_false
|
281
|
+
end
|
282
|
+
end
|
283
|
+
end
|
284
|
+
end
|
285
|
+
|
304
286
|
end
|