hydra-access-controls 8.2.0 → 9.0.0.beta1

Files changed (52) hide show
  1. checksums.yaml +4 -4
  2. data/README.textile +10 -10
  3. data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
  4. data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
  5. data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
  6. data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
  7. data/app/models/concerns/hydra/access_controls.rb +0 -1
  8. data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
  9. data/app/models/concerns/hydra/rights.rb +15 -0
  10. data/app/models/hydra/access_controls/access_control_list.rb +17 -0
  11. data/app/models/hydra/access_controls/embargo.rb +65 -0
  12. data/app/models/hydra/access_controls/lease.rb +66 -0
  13. data/app/models/hydra/access_controls/permission.rb +85 -0
  14. data/app/vocabularies/acl.rb +12 -0
  15. data/app/vocabularies/hydra/acl.rb +20 -0
  16. data/config/fedora.yml +4 -2
  17. data/hydra-access-controls.gemspec +6 -7
  18. data/lib/hydra/ability.rb +45 -43
  19. data/lib/hydra/access_controls_enforcement.rb +23 -25
  20. data/lib/hydra/admin_policy.rb +34 -11
  21. data/lib/hydra/config.rb +4 -15
  22. data/lib/hydra/permissions_query.rb +2 -2
  23. data/lib/hydra/permissions_solr_document.rb +4 -6
  24. data/lib/hydra/policy_aware_ability.rb +56 -53
  25. data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
  26. data/lib/hydra-access-controls.rb +1 -1
  27. data/spec/factories.rb +15 -15
  28. data/spec/services/embargo_service_spec.rb +6 -6
  29. data/spec/services/lease_service_spec.rb +6 -6
  30. data/spec/spec_helper.rb +20 -13
  31. data/spec/support/mods_asset.rb +3 -3
  32. data/spec/unit/ability_spec.rb +96 -121
  33. data/spec/unit/access_controls_enforcement_spec.rb +29 -27
  34. data/spec/unit/access_right_spec.rb +6 -1
  35. data/spec/unit/accessible_by_spec.rb +14 -5
  36. data/spec/unit/admin_policy_spec.rb +99 -92
  37. data/spec/unit/config_spec.rb +14 -15
  38. data/spec/unit/embargoable_spec.rb +26 -28
  39. data/spec/unit/permission_spec.rb +36 -16
  40. data/spec/unit/permissions_spec.rb +121 -65
  41. data/spec/unit/policy_aware_ability_spec.rb +64 -78
  42. data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
  43. data/spec/unit/role_mapper_spec.rb +10 -10
  44. data/spec/unit/with_access_right_spec.rb +1 -1
  45. metadata +29 -51
  46. data/lib/hydra/access_controls/permission.rb +0 -40
  47. data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
  48. data/lib/hydra/datastream/rights_metadata.rb +0 -276
  49. data/lib/hydra/datastream.rb +0 -7
  50. data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
  51. data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
  52. data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65
@@ -2,75 +2,64 @@ module Hydra
2
2
  module AccessControls
3
3
  module Permissions
4
4
  extend ActiveSupport::Concern
5
+ include Hydra::AccessControls::Visibility
5
6
 
6
7
  included do
7
- include Hydra::AccessControls::Visibility
8
- has_metadata "rightsMetadata", type: Hydra::Datastream::RightsMetadata
8
+ has_many :permissions, predicate: ::ACL.accessTo, class_name: 'Hydra::AccessControls::Permission', inverse_of: :access_to
9
+ accepts_nested_attributes_for :permissions, allow_destroy: true
10
+ alias_method :permissions_attributes_without_uniqueness=, :permissions_attributes=
11
+ alias_method :permissions_attributes=, :permissions_attributes_with_uniqueness=
12
+ end
13
+
14
+ def to_solr(solr_doc = {})
15
+ super.tap do |doc|
16
+ [:discover, :read, :edit].each do |access|
17
+ vals = send("#{access}_groups")
18
+ doc[Hydra.config.permissions[access].group] = vals unless vals.empty?
19
+ vals = send("#{access}_users")
20
+ doc[Hydra.config.permissions[access].individual] = vals unless vals.empty?
21
+ end
22
+ end
9
23
  end
10
24
 
11
- ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
12
- # @example
13
- # obj.permissions_attributes= [{:name=>"group1", :access=>"discover", :type=>'group'},
14
- # {:name=>"group2", :access=>"discover", :type=>'group'}]
15
- def permissions_attributes= attributes_collection
16
- perm_hash = {'person' => rightsMetadata.users, 'group'=> rightsMetadata.groups}
17
-
25
+ # When chaging a permission for an object/user, ensure an update is done, not a duplicate
26
+ def permissions_attributes_with_uniqueness=(attributes_collection)
18
27
  if attributes_collection.is_a? Hash
19
- attributes_collection = attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
20
- end
21
-
22
- attributes_collection.each do |row|
23
- row = row.with_indifferent_access
24
- if row[:type] == 'user' || row[:type] == 'person'
25
- if has_destroy_flag? row
26
- perm_hash['person'].delete(row[:name])
27
- else
28
- perm_hash['person'][row[:name]] = row[:access]
29
- end
30
- elsif row[:type] == 'group'
31
- perm_hash['group'][row[:name]] = row[:access]
32
- if has_destroy_flag? row
33
- perm_hash['group'].delete(row[:name])
34
- else
35
- perm_hash['group'][row[:name]] = row[:access]
36
- end
28
+ keys = attributes_collection.keys
29
+ attributes_collection = if keys.include?('id') || keys.include?(:id)
30
+ Array(attributes_collection)
37
31
  else
38
- raise ArgumentError, "Permission type must be 'user', 'person' (alias for 'user'), or 'group'"
32
+ attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
39
33
  end
40
34
  end
41
-
42
- rightsMetadata.permissions = perm_hash
43
- end
44
35
 
45
- ## Returns a list with all the permissions on the object.
46
- def permissions
47
- (rightsMetadata.groups.map {|x| Permission.new(type: 'group', access: x[1], name: x[0] )} +
48
- rightsMetadata.users.map {|x| Permission.new(type: 'user', access: x[1], name: x[0] )})
49
- end
50
-
51
- # @param values [Array<Permission>] a list of permission objects to set
52
- def permissions= values
53
- perm_hash = {'person' => {}, 'group'=> {}}
54
- values.each do |perm|
55
- if perm.type == 'user'
56
- perm_hash['person'][perm.name] = perm.access
57
- else
58
- perm_hash['group'][perm.name] = perm.access
36
+ attributes_collection.each do |prop|
37
+ existing = case prop[:type]
38
+ when 'group'
39
+ search_by_type(:group)
40
+ when 'person'
41
+ search_by_type(:person)
59
42
  end
43
+
44
+ next unless existing
45
+ selected = existing.find { |perm| perm.agent_name == prop[:name] }
46
+ prop['id'] = selected.id if selected
60
47
  end
61
- rightsMetadata.permissions = perm_hash
48
+
49
+ self.permissions_attributes_without_uniqueness=attributes_collection
62
50
  end
63
51
 
52
+
64
53
  # Return a list of groups that have discover permission
65
54
  def discover_groups
66
- rightsMetadata.groups.map {|k, v| k if v == 'discover'}.compact
55
+ search_by_type_and_mode(:group, Hydra::ACL.Discover).map { |p| p.agent_name }
67
56
  end
68
57
 
69
58
  # Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
70
59
  # @param[Array] groups a list of group names
71
60
  # @example
72
61
  # r.discover_groups= ['one', 'two', 'three']
73
- # r.discover_groups
62
+ # r.discover_groups
74
63
  # => ['one', 'two', 'three']
75
64
  #
76
65
  def discover_groups=(groups)
@@ -81,7 +70,7 @@ module Hydra
81
70
  # @param[String] groups a list of group names
82
71
  # @example
83
72
  # r.discover_groups_string= 'one, two, three'
84
- # r.discover_groups
73
+ # r.discover_groups
85
74
  # => ['one', 'two', 'three']
86
75
  #
87
76
  def discover_groups_string=(groups)
@@ -96,13 +85,13 @@ module Hydra
96
85
  # Grant discover permissions to the groups specified. Revokes discover permission for
97
86
  # any of the eligible_groups that are not in groups.
98
87
  # This may be used when different users are responsible for setting different
99
- # groups. Supply the groups the current user is responsible for as the
88
+ # groups. Supply the groups the current user is responsible for as the
100
89
  # 'eligible_groups'
101
90
  # @param[Array] groups a list of groups
102
- # @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
91
+ # @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
103
92
  # @example
104
93
  # r.discover_groups = ['one', 'two', 'three']
105
- # r.discover_groups
94
+ # r.discover_groups
106
95
  # => ['one', 'two', 'three']
107
96
  # r.set_discover_groups(['one'], ['three'])
108
97
  # r.discover_groups
@@ -113,14 +102,14 @@ module Hydra
113
102
  end
114
103
 
115
104
  def discover_users
116
- rightsMetadata.users.map {|k, v| k if v == 'discover'}.compact
105
+ search_by_type_and_mode(:person, Hydra::ACL.Discover).map { |p| p.agent_name }
117
106
  end
118
107
 
119
108
  # Grant discover permissions to the users specified. Revokes discover permission for all other users.
120
109
  # @param[Array] users a list of usernames
121
110
  # @example
122
111
  # r.discover_users= ['one', 'two', 'three']
123
- # r.discover_users
112
+ # r.discover_users
124
113
  # => ['one', 'two', 'three']
125
114
  #
126
115
  def discover_users=(users)
@@ -131,7 +120,7 @@ module Hydra
131
120
  # @param[String] users a list of usernames
132
121
  # @example
133
122
  # r.discover_users_string= 'one, two, three'
134
- # r.discover_users
123
+ # r.discover_users
135
124
  # => ['one', 'two', 'three']
136
125
  #
137
126
  def discover_users_string=(users)
@@ -146,13 +135,13 @@ module Hydra
146
135
  # Grant discover permissions to the users specified. Revokes discover permission for
147
136
  # any of the eligible_users that are not in users.
148
137
  # This may be used when different users are responsible for setting different
149
- # users. Supply the users the current user is responsible for as the
138
+ # users. Supply the users the current user is responsible for as the
150
139
  # 'eligible_users'
151
140
  # @param[Array] users a list of users
152
- # @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
141
+ # @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
153
142
  # @example
154
143
  # r.discover_users = ['one', 'two', 'three']
155
- # r.discover_users
144
+ # r.discover_users
156
145
  # => ['one', 'two', 'three']
157
146
  # r.set_discover_users(['one'], ['three'])
158
147
  # r.discover_users
@@ -164,14 +153,14 @@ module Hydra
164
153
 
165
154
  # Return a list of groups that have discover permission
166
155
  def read_groups
167
- rightsMetadata.groups.map {|k, v| k if v == 'read'}.compact
156
+ search_by_type_and_mode(:group, ::ACL.Read).map { |p| p.agent_name }
168
157
  end
169
158
 
170
159
  # Grant read permissions to the groups specified. Revokes read permission for all other groups.
171
160
  # @param[Array] groups a list of group names
172
161
  # @example
173
162
  # r.read_groups= ['one', 'two', 'three']
174
- # r.read_groups
163
+ # r.read_groups
175
164
  # => ['one', 'two', 'three']
176
165
  #
177
166
  def read_groups=(groups)
@@ -182,7 +171,7 @@ module Hydra
182
171
  # @param[String] groups a list of group names
183
172
  # @example
184
173
  # r.read_groups_string= 'one, two, three'
185
- # r.read_groups
174
+ # r.read_groups
186
175
  # => ['one', 'two', 'three']
187
176
  #
188
177
  def read_groups_string=(groups)
@@ -197,13 +186,13 @@ module Hydra
197
186
  # Grant read permissions to the groups specified. Revokes read permission for
198
187
  # any of the eligible_groups that are not in groups.
199
188
  # This may be used when different users are responsible for setting different
200
- # groups. Supply the groups the current user is responsible for as the
189
+ # groups. Supply the groups the current user is responsible for as the
201
190
  # 'eligible_groups'
202
191
  # @param[Array] groups a list of groups
203
- # @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
192
+ # @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
204
193
  # @example
205
194
  # r.read_groups = ['one', 'two', 'three']
206
- # r.read_groups
195
+ # r.read_groups
207
196
  # => ['one', 'two', 'three']
208
197
  # r.set_read_groups(['one'], ['three'])
209
198
  # r.read_groups
@@ -214,14 +203,14 @@ module Hydra
214
203
  end
215
204
 
216
205
  def read_users
217
- rightsMetadata.users.map {|k, v| k if v == 'read'}.compact
206
+ search_by_type_and_mode(:person, ::ACL.Read).map { |p| p.agent_name }
218
207
  end
219
208
 
220
209
  # Grant read permissions to the users specified. Revokes read permission for all other users.
221
210
  # @param[Array] users a list of usernames
222
211
  # @example
223
212
  # r.read_users= ['one', 'two', 'three']
224
- # r.read_users
213
+ # r.read_users
225
214
  # => ['one', 'two', 'three']
226
215
  #
227
216
  def read_users=(users)
@@ -232,7 +221,7 @@ module Hydra
232
221
  # @param[String] users a list of usernames
233
222
  # @example
234
223
  # r.read_users_string= 'one, two, three'
235
- # r.read_users
224
+ # r.read_users
236
225
  # => ['one', 'two', 'three']
237
226
  #
238
227
  def read_users_string=(users)
@@ -247,13 +236,13 @@ module Hydra
247
236
  # Grant read permissions to the users specified. Revokes read permission for
248
237
  # any of the eligible_users that are not in users.
249
238
  # This may be used when different users are responsible for setting different
250
- # users. Supply the users the current user is responsible for as the
239
+ # users. Supply the users the current user is responsible for as the
251
240
  # 'eligible_users'
252
241
  # @param[Array] users a list of users
253
- # @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
242
+ # @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
254
243
  # @example
255
244
  # r.read_users = ['one', 'two', 'three']
256
- # r.read_users
245
+ # r.read_users
257
246
  # => ['one', 'two', 'three']
258
247
  # r.set_read_users(['one'], ['three'])
259
248
  # r.read_users
@@ -266,14 +255,14 @@ module Hydra
266
255
 
267
256
  # Return a list of groups that have edit permission
268
257
  def edit_groups
269
- rightsMetadata.groups.map {|k, v| k if v == 'edit'}.compact
258
+ search_by_type_and_mode(:group, ::ACL.Write).map { |p| p.agent_name }
270
259
  end
271
260
 
272
261
  # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
273
262
  # @param[Array] groups a list of group names
274
263
  # @example
275
264
  # r.edit_groups= ['one', 'two', 'three']
276
- # r.edit_groups
265
+ # r.edit_groups
277
266
  # => ['one', 'two', 'three']
278
267
  #
279
268
  def edit_groups=(groups)
@@ -284,7 +273,7 @@ module Hydra
284
273
  # @param[String] groups a list of group names
285
274
  # @example
286
275
  # r.edit_groups_string= 'one, two, three'
287
- # r.edit_groups
276
+ # r.edit_groups
288
277
  # => ['one', 'two', 'three']
289
278
  #
290
279
  def edit_groups_string=(groups)
@@ -299,13 +288,13 @@ module Hydra
299
288
  # Grant edit permissions to the groups specified. Revokes edit permission for
300
289
  # any of the eligible_groups that are not in groups.
301
290
  # This may be used when different users are responsible for setting different
302
- # groups. Supply the groups the current user is responsible for as the
291
+ # groups. Supply the groups the current user is responsible for as the
303
292
  # 'eligible_groups'
304
293
  # @param[Array] groups a list of groups
305
- # @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
294
+ # @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
306
295
  # @example
307
296
  # r.edit_groups = ['one', 'two', 'three']
308
- # r.edit_groups
297
+ # r.edit_groups
309
298
  # => ['one', 'two', 'three']
310
299
  # r.set_edit_groups(['one'], ['three'])
311
300
  # r.edit_groups
@@ -316,14 +305,14 @@ module Hydra
316
305
  end
317
306
 
318
307
  def edit_users
319
- rightsMetadata.users.map {|k, v| k if v == 'edit'}.compact
308
+ search_by_type_and_mode(:person, ::ACL.Write).map { |p| p.agent_name }
320
309
  end
321
310
 
322
311
  # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
323
312
  # @param[Array] users a list of usernames
324
313
  # @example
325
314
  # r.edit_users= ['one', 'two', 'three']
326
- # r.edit_users
315
+ # r.edit_users
327
316
  # => ['one', 'two', 'three']
328
317
  #
329
318
  def edit_users=(users)
@@ -333,13 +322,13 @@ module Hydra
333
322
  # Grant edit permissions to the users specified. Revokes edit permission for
334
323
  # any of the eligible_users that are not in users.
335
324
  # This may be used when different users are responsible for setting different
336
- # users. Supply the users the current user is responsible for as the
325
+ # users. Supply the users the current user is responsible for as the
337
326
  # 'eligible_users'
338
327
  # @param[Array] users a list of users
339
- # @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
328
+ # @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
340
329
  # @example
341
330
  # r.edit_users = ['one', 'two', 'three']
342
- # r.edit_users
331
+ # r.edit_users
343
332
  # => ['one', 'two', 'three']
344
333
  # r.set_edit_users(['one'], ['three'])
345
334
  # r.edit_users
@@ -349,40 +338,85 @@ module Hydra
349
338
  set_entities(:edit, :person, users, eligible_users)
350
339
  end
351
340
 
352
- protected
341
+ protected
353
342
 
354
343
  def has_destroy_flag?(hash)
355
344
  ["1", "true"].include?(hash['_destroy'].to_s)
356
345
  end
357
346
 
358
- private
347
+ private
359
348
 
360
- # @param permission either :discover, :read or :edit
361
- # @param type either :person or :group
362
- # @param values Values to set
363
- # @param changeable Values we are allowed to change
349
+ # @param [Symbol] permission either :discover, :read or :edit
350
+ # @param [Symbol] type either :person or :group
351
+ # @param [Array<String>] values Values to set
352
+ # @param [Array<String>] changeable Values we are allowed to change
364
353
  def set_entities(permission, type, values, changeable)
365
- g = preserved(type, permission)
366
354
  (changeable - values).each do |entity|
367
- #Strip permissions from users not provided
368
- g[entity] = 'none'
355
+ for_destroy = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == entity }
356
+ permissions.delete(for_destroy)
357
+ end
358
+
359
+ values.each do |agent_name|
360
+ exists = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == agent_name }
361
+ permissions.build(name: agent_name, access: permission.to_s, type: type ) unless exists.present?
362
+ end
363
+ end
364
+
365
+ def permission_to_uri(permission)
366
+ case permission.to_s
367
+ when 'read'
368
+ ::ACL.Read
369
+ when 'edit'
370
+ ::ACL.Write
371
+ when 'discover'
372
+ Hydra::ACL.Discover
373
+ else
374
+ raise "Invalid permission #{permission.inspect}"
375
+ end
376
+ end
377
+
378
+ # @param [Symbol] type (either :group or :person)
379
+ # @return [Array<Permission>]
380
+ def search_by_type(type)
381
+ case type
382
+ when :group
383
+ permissions.to_a.select { |p| group_agent?(p.agent) }
384
+ when :person
385
+ permissions.to_a.select { |p| person_agent?(p.agent) }
369
386
  end
370
- values.each { |name| g[name] = permission.to_s}
371
- rightsMetadata.update_permissions(type.to_s=>g)
372
- end
373
-
374
- ## Get those permissions we don't want to change
375
- def preserved(type, permission)
376
- case permission
377
- when :edit
378
- g = {}
379
- when :read
380
- Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'edit'}]
381
- when :discover
382
- Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'discover'}]
387
+ end
388
+
389
+ # @param [Symbol] type either :group or :person
390
+ # @param [::RDF::URI] mode One of the permissions modes, e.g. ACL.Write, ACL.Read, etc.
391
+ # @return [Array<Permission>]
392
+ def search_by_type_and_mode(type, mode)
393
+ case type
394
+ when :group
395
+ permissions.to_a.select { |p| group_agent?(p.agent) && p.mode.first.rdf_subject == mode }
396
+ when :person
397
+ permissions.to_a.select { |p| person_agent?(p.agent) && p.mode.first.rdf_subject == mode }
383
398
  end
384
399
  end
385
400
 
401
+ def person_permissions
402
+ search_by_type(:person)
403
+ end
404
+
405
+ def group_permissions
406
+ search_by_type(:group)
407
+ end
408
+
409
+ def group_agent?(agent)
410
+ raise "no agent" unless agent.present?
411
+ agent.first.rdf_subject.to_s.start_with?(GROUP_AGENT_URL_PREFIX)
412
+
413
+ end
414
+
415
+ def person_agent?(agent)
416
+ raise "no agent" unless agent.present?
417
+ agent.first.rdf_subject.to_s.start_with?(PERSON_AGENT_URL_PREFIX)
418
+ end
419
+
386
420
  end
387
421
  end
388
422
  end
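Review bot: In `permissions_attributes_with_uniqueness=`, the single-hash branch wraps the input with `Array(attributes_collection)`, but `Array()` on a Hash yields its key/value pairs rather than `[hash]`, so the loop below then indexes two-element arrays with `prop[:type]` and fails; `[attributes_collection]` is what was intended. The loop also reads `prop[:type]` and `prop[:name]` with symbol keys while writing `prop['id']` with a string key, and the `with_indifferent_access` normalisation the old setter performed is gone, so string-keyed form params miss the lookup, hit `next unless existing`, and a duplicate Permission is built instead of an update — the one thing this setter exists to prevent. Normalising once, e.g. `attributes_collection = attributes_collection.map(&:with_indifferent_access)` before the `each`, and accepting `'user'` as the old alias for `'person'` restores the previous contract. Separately, `search_by_type_and_mode` dereferences `p.mode.first.rdf_subject` without the presence check that `group_agent?`/`person_agent?` apply to the agent, so a Permission with no mode raises NoMethodError rather than the explicit error used for agents.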
@@ -39,19 +39,17 @@ module Hydra
39
39
 
40
40
  def public_visibility!
41
41
  visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
42
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "read")
42
+ set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC], [])
43
43
  end
44
44
 
45
45
  def registered_visibility!
46
46
  visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
47
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED}, "read")
48
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
47
+ set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
49
48
  end
50
49
 
51
50
  def private_visibility!
52
51
  visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
53
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED}, "none")
54
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
52
+ set_read_groups([], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED, Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
55
53
  end
56
54
 
57
55
  end
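Review bot: `public_visibility!` passes `[]` as the eligible set, so a prior `registered` read grant is left in place when an object moves from authenticated to public, whereas `registered_visibility!` and `private_visibility!` do revoke the groups they supersede; the three would be symmetric with `set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED])`. The old datastream call had the same gap, so this is inherited rather than introduced, but now that each grant is a separate Permission record the stale one persists as a second reader entry rather than a value inside one datastream. `set_read_groups` is declared under `private` in Permissions and resolves here only because Visibility is included into that module; a one-line comment saying so would save the next reader a search.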
@@ -5,7 +5,6 @@ module Hydra
5
5
  autoload :WithAccessRight
6
6
  autoload :Embargoable
7
7
  autoload :Visibility
8
- autoload :Permission
9
8
  autoload :Permissions
10
9
  end
11
10
  end
@@ -3,9 +3,34 @@ module Hydra
3
3
  extend ActiveSupport::Concern
4
4
 
5
5
  included do
6
- has_metadata "defaultRights", type: Hydra::Datastream::InheritableRightsMetadata
6
+ has_and_belongs_to_many :default_permissions, predicate: Hydra::ACL.defaultPermissions, class_name: 'Hydra::AccessControls::Permission'
7
+ belongs_to :default_embargo, predicate: Hydra::ACL.hasEmbargo, class_name: 'Hydra::AccessControls::Embargo'
7
8
  end
8
9
 
10
+ def to_solr(solr_doc=Hash.new)
11
+ f = merged_policies
12
+ super.tap do |doc|
13
+ ['discover'.freeze, 'read'.freeze, 'edit'.freeze].each do |access|
14
+ doc[Hydra.config.permissions.inheritable[access.to_sym][:group]] = f[access]['group'.freeze] if f[access]
15
+ doc[Hydra.config.permissions.inheritable[access.to_sym][:individual]] = f[access]['person'.freeze] if f[access]
16
+ end
17
+ if default_embargo
18
+ key = Hydra.config.permissions.inheritable.embargo.release_date.sub(/_[^_]+$/, '') #Strip off the suffix
19
+ ::Solrizer.insert_field(doc, key, default_embargo.embargo_release_date, :stored_sortable)
20
+ end
21
+ end
22
+ end
23
+
24
+ def merged_policies
25
+ default_permissions.each_with_object({}) do |policy, h|
26
+ args = policy.to_hash
27
+ h[args[:access]] ||= {}
28
+ h[args[:access]][args[:type]] ||= []
29
+ h[args[:access]][args[:type]] << args[:name]
30
+ end
31
+ end
32
+
33
+
9
34
  ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
10
35
  # @example
11
36
  # obj.default_permissions= [{:name=>"group1", :access=>"discover", :type=>'group'},
@@ -14,7 +39,7 @@ module Hydra
14
39
  perm_hash = {'person' => defaultRights.users, 'group'=> defaultRights.groups}
15
40
  params.each do |row|
16
41
  if row[:type] == 'user' || row[:type] == 'person'
17
- perm_hash['person'][row[:name]] = row[:access]
42
+ perm_hash['person'][row[:name]] = row[:access]
18
43
  elsif row[:type] == 'group'
19
44
  perm_hash['group'][row[:name]] = row[:access]
20
45
  else
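Review bot: The retained `default_permissions=` body shown as context at the second hunk still builds `perm_hash` from `defaultRights.users` and `defaultRights.groups`, but the first hunk removes the `has_metadata "defaultRights"` declaration that provided that accessor, so calling the setter will raise NoMethodError unless `defaultRights` is redefined somewhere outside this diff. The setter's `def` line lies between the two hunks, so its full body is not visible here. If the new `has_and_belongs_to_many :default_permissions` association is the source of truth, the setter should build Permission records the way `Permissions#set_entities` now does, or be dropped so the association's generated writer is used; the second hunk only re-indents one line and leaves this unchanged.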
@@ -0,0 +1,15 @@
1
+ module Hydra
2
+ module Rights
3
+ extend ActiveSupport::Concern
4
+ included do
5
+ # Rights
6
+ property :rights, predicate: ::RDF::DC.rights do |index|
7
+ index.as :facetable
8
+ end
9
+ property :rightsHolder, predicate: ::RDF::URI('http://opaquenamespace.org/rights/rightsHolder') do |index|
10
+ index.as :searchable, :facetable
11
+ end
12
+ property :copyrightClaimant, predicate: ::RDF::URI('http://id.loc.gov/vocabulary/relators/cpc')
13
+ end
14
+ end
15
+ end
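Review bot: The `# Rights` comment above the first `property` names nothing the code does not already say, and the new module has no documentation of its own; a header such as `# Mixin adding three RDF rights properties (rights, rightsHolder, copyrightClaimant) to an ActiveFedora model; rights is indexed as facetable, rightsHolder as searchable and facetable.` would tell a consumer what including it changes. The two inline `::RDF::URI('...')` predicates would also read better as named constants next to the vocabularies this release adds under `data/app/vocabularies`.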
@@ -0,0 +1,17 @@
1
+ module Hydra::AccessControls
2
+ class AccessControlList < ActiveFedora::Base
3
+ belongs_to :access_to, predicate: ::ACL.accessTo, class_name: 'ActiveFedora::Base'
4
+ # has_many :admin_policies, class_name: 'Hydra::AdminPolicy'
5
+ property :mode, predicate: ::ACL.mode, class_name: 'Hydra::AccessControls::Mode'
6
+ property :agent, predicate: ::ACL.agent, class_name: 'Hydra::AccessControls::Agent'
7
+ # property :agentClass, predicate: ACL.agentClass
8
+
9
+ # [acl:accessTo <card>; acl:mode acl:Read; acl:agentClass foaf:Agent].
10
+ # [acl:accessTo <card>; acl:mode acl:Read, acl:Write; acl:agent <card#i>].
11
+ end
12
+
13
+ class Mode < ActiveTriples::Resource
14
+ end
15
+ class Agent < ActiveTriples::Resource
16
+ end
17
+ end
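Review bot: `AccessControlList` carries two commented-out declarations (`# has_many :admin_policies ...` and `# property :agentClass ...`) with no note on why they are disabled; either delete them or mark them `# TODO:` with the reason, since a reader cannot tell whether agentClass support is planned or rejected. The class and the empty `Mode`/`Agent` resources also have no documentation beyond the two W3C ACL examples; a short header stating that each instance models one `acl:` authorization, with `agent` and `mode` properties for the resource named by `access_to`, would be worth adding. Whether the `Permission` class added elsewhere in this release subclasses `AccessControlList` cannot be seen from this diff.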
@@ -0,0 +1,65 @@
1
+ module Hydra::AccessControls
2
+ class Embargo < ActiveFedora::Base
3
+ property :visibility_during_embargo, predicate: Hydra::ACL.visibilityDuringEmbargo
4
+ property :visibility_after_embargo, predicate: Hydra::ACL.visibilityAfterEmbargo
5
+ property :embargo_release_date, predicate: Hydra::ACL.embargoReleaseDate
6
+ property :embargo_history, predicate: Hydra::ACL.embargoHistory
7
+
8
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
9
+ def visibility_during_embargo_with_first
10
+ visibility_during_embargo_without_first.first
11
+ end
12
+ alias_method_chain :visibility_during_embargo, :first
13
+
14
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
15
+ def visibility_after_embargo_with_first
16
+ visibility_after_embargo_without_first.first
17
+ end
18
+ alias_method_chain :visibility_after_embargo, :first
19
+
20
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
21
+ def embargo_release_date_with_first
22
+ embargo_release_date_without_first.first
23
+ end
24
+ alias_method_chain :embargo_release_date, :first
25
+
26
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
27
+ def embargo_release_date_with_casting=(date)
28
+ date = DateTime.parse(date) if date && date.kind_of?(String)
29
+ self.embargo_release_date_without_casting = date
30
+ end
31
+ alias_method_chain :embargo_release_date=, :casting
32
+
33
+ def active?
34
+ (embargo_release_date.present? && Date.today < embargo_release_date)
35
+ end
36
+
37
+ def deactivate!
38
+ return unless embargo_release_date
39
+ embargo_state = active? ? "active" : "expired"
40
+ embargo_record = embargo_history_message(embargo_state, Date.today, embargo_release_date, visibility_during_embargo, visibility_after_embargo)
41
+ self.embargo_release_date = nil
42
+ self.visibility_during_embargo = nil
43
+ self.visibility_after_embargo = nil
44
+ self.embargo_history += [embargo_record]
45
+ end
46
+
47
+ def to_hash
48
+ {}.tap do |doc|
49
+ date_field_name = Hydra.config.permissions.embargo.release_date.sub(/_dtsi/, '')
50
+ Solrizer.insert_field(doc, date_field_name, embargo_release_date, :stored_sortable)
51
+ doc[::Solrizer.solr_name("visibility_during_embargo", :symbol)] = visibility_during_embargo unless visibility_during_embargo.nil?
52
+ doc[::Solrizer.solr_name("visibility_after_embargo", :symbol)] = visibility_after_embargo unless visibility_after_embargo.nil?
53
+ doc[::Solrizer.solr_name("embargo_history", :symbol)] = embargo_history unless embargo_history.nil?
54
+ end
55
+ end
56
+ protected
57
+
58
+ # Create the log message used when deactivating an embargo
59
+ # This method may be overriden in order to transform the values of the passed parameters.
60
+ def embargo_history_message(state, deactivate_date, release_date, visibility_during, visibility_after)
61
+ I18n.t 'hydra.embargo.history_message', state: state, deactivate_date: deactivate_date, release_date: release_date,
62
+ visibility_during: visibility_during, visibility_after: visibility_after
63
+ end
64
+ end
65
+ end
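Review bot: `to_hash` calls `Solrizer.insert_field` with `embargo_release_date` unconditionally, while the three fields below it are guarded with `unless ... .nil?`; after `deactivate!` sets the release date to `nil` that call runs with a nil value, so it should get the same guard, `... unless embargo_release_date.nil?`, unless Solrizer is known to skip nils. `embargo_release_date_with_casting=` hands any String to `DateTime.parse`, which raises ArgumentError on malformed input, so a bad date submitted through a form surfaces as an exception from the setter rather than a validation error; the `date &&` guard there is also redundant since `nil.kind_of?(String)` is false. `DateTime` is the legacy class; `Date.parse` or `Time` is the usual choice in new code and would make the `Date.today < embargo_release_date` comparison in `active?` a same-type comparison.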