hydra-access-controls 8.2.0 → 9.0.0.beta1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52)
  1. checksums.yaml +4 -4
  2. data/README.textile +10 -10
  3. data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
  4. data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
  5. data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
  6. data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
  7. data/app/models/concerns/hydra/access_controls.rb +0 -1
  8. data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
  9. data/app/models/concerns/hydra/rights.rb +15 -0
  10. data/app/models/hydra/access_controls/access_control_list.rb +17 -0
  11. data/app/models/hydra/access_controls/embargo.rb +65 -0
  12. data/app/models/hydra/access_controls/lease.rb +66 -0
  13. data/app/models/hydra/access_controls/permission.rb +85 -0
  14. data/app/vocabularies/acl.rb +12 -0
  15. data/app/vocabularies/hydra/acl.rb +20 -0
  16. data/config/fedora.yml +4 -2
  17. data/hydra-access-controls.gemspec +6 -7
  18. data/lib/hydra/ability.rb +45 -43
  19. data/lib/hydra/access_controls_enforcement.rb +23 -25
  20. data/lib/hydra/admin_policy.rb +34 -11
  21. data/lib/hydra/config.rb +4 -15
  22. data/lib/hydra/permissions_query.rb +2 -2
  23. data/lib/hydra/permissions_solr_document.rb +4 -6
  24. data/lib/hydra/policy_aware_ability.rb +56 -53
  25. data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
  26. data/lib/hydra-access-controls.rb +1 -1
  27. data/spec/factories.rb +15 -15
  28. data/spec/services/embargo_service_spec.rb +6 -6
  29. data/spec/services/lease_service_spec.rb +6 -6
  30. data/spec/spec_helper.rb +20 -13
  31. data/spec/support/mods_asset.rb +3 -3
  32. data/spec/unit/ability_spec.rb +96 -121
  33. data/spec/unit/access_controls_enforcement_spec.rb +29 -27
  34. data/spec/unit/access_right_spec.rb +6 -1
  35. data/spec/unit/accessible_by_spec.rb +14 -5
  36. data/spec/unit/admin_policy_spec.rb +99 -92
  37. data/spec/unit/config_spec.rb +14 -15
  38. data/spec/unit/embargoable_spec.rb +26 -28
  39. data/spec/unit/permission_spec.rb +36 -16
  40. data/spec/unit/permissions_spec.rb +121 -65
  41. data/spec/unit/policy_aware_ability_spec.rb +64 -78
  42. data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
  43. data/spec/unit/role_mapper_spec.rb +10 -10
  44. data/spec/unit/with_access_right_spec.rb +1 -1
  45. metadata +29 -51
  46. data/lib/hydra/access_controls/permission.rb +0 -40
  47. data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
  48. data/lib/hydra/datastream/rights_metadata.rb +0 -276
  49. data/lib/hydra/datastream.rb +0 -7
  50. data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
  51. data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
  52. data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65
@@ -2,75 +2,64 @@ module Hydra
2
2
  module AccessControls
3
3
  module Permissions
4
4
  extend ActiveSupport::Concern
5
+ include Hydra::AccessControls::Visibility
5
6
 
6
7
  included do
7
- include Hydra::AccessControls::Visibility
8
- has_metadata "rightsMetadata", type: Hydra::Datastream::RightsMetadata
8
+ has_many :permissions, predicate: ::ACL.accessTo, class_name: 'Hydra::AccessControls::Permission', inverse_of: :access_to
9
+ accepts_nested_attributes_for :permissions, allow_destroy: true
10
+ alias_method :permissions_attributes_without_uniqueness=, :permissions_attributes=
11
+ alias_method :permissions_attributes=, :permissions_attributes_with_uniqueness=
12
+ end
13
+
14
+ def to_solr(solr_doc = {})
15
+ super.tap do |doc|
16
+ [:discover, :read, :edit].each do |access|
17
+ vals = send("#{access}_groups")
18
+ doc[Hydra.config.permissions[access].group] = vals unless vals.empty?
19
+ vals = send("#{access}_users")
20
+ doc[Hydra.config.permissions[access].individual] = vals unless vals.empty?
21
+ end
22
+ end
9
23
  end
10
24
 
11
- ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
12
- # @example
13
- # obj.permissions_attributes= [{:name=>"group1", :access=>"discover", :type=>'group'},
14
- # {:name=>"group2", :access=>"discover", :type=>'group'}]
15
- def permissions_attributes= attributes_collection
16
- perm_hash = {'person' => rightsMetadata.users, 'group'=> rightsMetadata.groups}
17
-
25
+ # When chaging a permission for an object/user, ensure an update is done, not a duplicate
26
+ def permissions_attributes_with_uniqueness=(attributes_collection)
18
27
  if attributes_collection.is_a? Hash
19
- attributes_collection = attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
20
- end
21
-
22
- attributes_collection.each do |row|
23
- row = row.with_indifferent_access
24
- if row[:type] == 'user' || row[:type] == 'person'
25
- if has_destroy_flag? row
26
- perm_hash['person'].delete(row[:name])
27
- else
28
- perm_hash['person'][row[:name]] = row[:access]
29
- end
30
- elsif row[:type] == 'group'
31
- perm_hash['group'][row[:name]] = row[:access]
32
- if has_destroy_flag? row
33
- perm_hash['group'].delete(row[:name])
34
- else
35
- perm_hash['group'][row[:name]] = row[:access]
36
- end
28
+ keys = attributes_collection.keys
29
+ attributes_collection = if keys.include?('id') || keys.include?(:id)
30
+ Array(attributes_collection)
37
31
  else
38
- raise ArgumentError, "Permission type must be 'user', 'person' (alias for 'user'), or 'group'"
32
+ attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
39
33
  end
40
34
  end
41
-
42
- rightsMetadata.permissions = perm_hash
43
- end
44
35
 
45
- ## Returns a list with all the permissions on the object.
46
- def permissions
47
- (rightsMetadata.groups.map {|x| Permission.new(type: 'group', access: x[1], name: x[0] )} +
48
- rightsMetadata.users.map {|x| Permission.new(type: 'user', access: x[1], name: x[0] )})
49
- end
50
-
51
- # @param values [Array<Permission>] a list of permission objects to set
52
- def permissions= values
53
- perm_hash = {'person' => {}, 'group'=> {}}
54
- values.each do |perm|
55
- if perm.type == 'user'
56
- perm_hash['person'][perm.name] = perm.access
57
- else
58
- perm_hash['group'][perm.name] = perm.access
36
+ attributes_collection.each do |prop|
37
+ existing = case prop[:type]
38
+ when 'group'
39
+ search_by_type(:group)
40
+ when 'person'
41
+ search_by_type(:person)
59
42
  end
43
+
44
+ next unless existing
45
+ selected = existing.find { |perm| perm.agent_name == prop[:name] }
46
+ prop['id'] = selected.id if selected
60
47
  end
61
- rightsMetadata.permissions = perm_hash
48
+
49
+ self.permissions_attributes_without_uniqueness=attributes_collection
62
50
  end
63
51
 
52
+
64
53
  # Return a list of groups that have discover permission
65
54
  def discover_groups
66
- rightsMetadata.groups.map {|k, v| k if v == 'discover'}.compact
55
+ search_by_type_and_mode(:group, Hydra::ACL.Discover).map { |p| p.agent_name }
67
56
  end
68
57
 
69
58
  # Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
70
59
  # @param[Array] groups a list of group names
71
60
  # @example
72
61
  # r.discover_groups= ['one', 'two', 'three']
73
- # r.discover_groups
62
+ # r.discover_groups
74
63
  # => ['one', 'two', 'three']
75
64
  #
76
65
  def discover_groups=(groups)
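Review bot: `Array(attributes_collection)` in the `id` branch of `permissions_attributes_with_uniqueness=` does not wrap the single Hash in a one-element array; `Kernel#Array` falls back to `Hash#to_a`, so the loop below receives `[key, value]` pairs and `prop[:type]` raises a TypeError. Wrapping explicitly, `[attributes_collection]`, gives the intended single row. The rewrite also drops the old `row.with_indifferent_access`: rows are read with symbol keys (`prop[:type]`, `prop[:name]`) but written with a string key (`prop['id']`), so string-keyed rows such as controller params miss the `case`, hit `next unless existing`, and a duplicate Permission is built instead of an update; normalising with `attributes_collection = attributes_collection.map(&:with_indifferent_access)` before the `each` keeps the dedupe effective for both key styles. Rows of type `'user'`, which the removed code accepted as an alias for `'person'`, now fall through the `case` silently for the same reason and should be mapped to `'person'` or rejected explicitly.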
@@ -81,7 +70,7 @@ module Hydra
81
70
  # @param[String] groups a list of group names
82
71
  # @example
83
72
  # r.discover_groups_string= 'one, two, three'
84
- # r.discover_groups
73
+ # r.discover_groups
85
74
  # => ['one', 'two', 'three']
86
75
  #
87
76
  def discover_groups_string=(groups)
@@ -96,13 +85,13 @@ module Hydra
96
85
  # Grant discover permissions to the groups specified. Revokes discover permission for
97
86
  # any of the eligible_groups that are not in groups.
98
87
  # This may be used when different users are responsible for setting different
99
- # groups. Supply the groups the current user is responsible for as the
88
+ # groups. Supply the groups the current user is responsible for as the
100
89
  # 'eligible_groups'
101
90
  # @param[Array] groups a list of groups
102
- # @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
91
+ # @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
103
92
  # @example
104
93
  # r.discover_groups = ['one', 'two', 'three']
105
- # r.discover_groups
94
+ # r.discover_groups
106
95
  # => ['one', 'two', 'three']
107
96
  # r.set_discover_groups(['one'], ['three'])
108
97
  # r.discover_groups
@@ -113,14 +102,14 @@ module Hydra
113
102
  end
114
103
 
115
104
  def discover_users
116
- rightsMetadata.users.map {|k, v| k if v == 'discover'}.compact
105
+ search_by_type_and_mode(:person, Hydra::ACL.Discover).map { |p| p.agent_name }
117
106
  end
118
107
 
119
108
  # Grant discover permissions to the users specified. Revokes discover permission for all other users.
120
109
  # @param[Array] users a list of usernames
121
110
  # @example
122
111
  # r.discover_users= ['one', 'two', 'three']
123
- # r.discover_users
112
+ # r.discover_users
124
113
  # => ['one', 'two', 'three']
125
114
  #
126
115
  def discover_users=(users)
@@ -131,7 +120,7 @@ module Hydra
131
120
  # @param[String] users a list of usernames
132
121
  # @example
133
122
  # r.discover_users_string= 'one, two, three'
134
- # r.discover_users
123
+ # r.discover_users
135
124
  # => ['one', 'two', 'three']
136
125
  #
137
126
  def discover_users_string=(users)
@@ -146,13 +135,13 @@ module Hydra
146
135
  # Grant discover permissions to the users specified. Revokes discover permission for
147
136
  # any of the eligible_users that are not in users.
148
137
  # This may be used when different users are responsible for setting different
149
- # users. Supply the users the current user is responsible for as the
138
+ # users. Supply the users the current user is responsible for as the
150
139
  # 'eligible_users'
151
140
  # @param[Array] users a list of users
152
- # @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
141
+ # @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
153
142
  # @example
154
143
  # r.discover_users = ['one', 'two', 'three']
155
- # r.discover_users
144
+ # r.discover_users
156
145
  # => ['one', 'two', 'three']
157
146
  # r.set_discover_users(['one'], ['three'])
158
147
  # r.discover_users
@@ -164,14 +153,14 @@ module Hydra
164
153
 
165
154
  # Return a list of groups that have discover permission
166
155
  def read_groups
167
- rightsMetadata.groups.map {|k, v| k if v == 'read'}.compact
156
+ search_by_type_and_mode(:group, ::ACL.Read).map { |p| p.agent_name }
168
157
  end
169
158
 
170
159
  # Grant read permissions to the groups specified. Revokes read permission for all other groups.
171
160
  # @param[Array] groups a list of group names
172
161
  # @example
173
162
  # r.read_groups= ['one', 'two', 'three']
174
- # r.read_groups
163
+ # r.read_groups
175
164
  # => ['one', 'two', 'three']
176
165
  #
177
166
  def read_groups=(groups)
@@ -182,7 +171,7 @@ module Hydra
182
171
  # @param[String] groups a list of group names
183
172
  # @example
184
173
  # r.read_groups_string= 'one, two, three'
185
- # r.read_groups
174
+ # r.read_groups
186
175
  # => ['one', 'two', 'three']
187
176
  #
188
177
  def read_groups_string=(groups)
@@ -197,13 +186,13 @@ module Hydra
197
186
  # Grant read permissions to the groups specified. Revokes read permission for
198
187
  # any of the eligible_groups that are not in groups.
199
188
  # This may be used when different users are responsible for setting different
200
- # groups. Supply the groups the current user is responsible for as the
189
+ # groups. Supply the groups the current user is responsible for as the
201
190
  # 'eligible_groups'
202
191
  # @param[Array] groups a list of groups
203
- # @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
192
+ # @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
204
193
  # @example
205
194
  # r.read_groups = ['one', 'two', 'three']
206
- # r.read_groups
195
+ # r.read_groups
207
196
  # => ['one', 'two', 'three']
208
197
  # r.set_read_groups(['one'], ['three'])
209
198
  # r.read_groups
@@ -214,14 +203,14 @@ module Hydra
214
203
  end
215
204
 
216
205
  def read_users
217
- rightsMetadata.users.map {|k, v| k if v == 'read'}.compact
206
+ search_by_type_and_mode(:person, ::ACL.Read).map { |p| p.agent_name }
218
207
  end
219
208
 
220
209
  # Grant read permissions to the users specified. Revokes read permission for all other users.
221
210
  # @param[Array] users a list of usernames
222
211
  # @example
223
212
  # r.read_users= ['one', 'two', 'three']
224
- # r.read_users
213
+ # r.read_users
225
214
  # => ['one', 'two', 'three']
226
215
  #
227
216
  def read_users=(users)
@@ -232,7 +221,7 @@ module Hydra
232
221
  # @param[String] users a list of usernames
233
222
  # @example
234
223
  # r.read_users_string= 'one, two, three'
235
- # r.read_users
224
+ # r.read_users
236
225
  # => ['one', 'two', 'three']
237
226
  #
238
227
  def read_users_string=(users)
@@ -247,13 +236,13 @@ module Hydra
247
236
  # Grant read permissions to the users specified. Revokes read permission for
248
237
  # any of the eligible_users that are not in users.
249
238
  # This may be used when different users are responsible for setting different
250
- # users. Supply the users the current user is responsible for as the
239
+ # users. Supply the users the current user is responsible for as the
251
240
  # 'eligible_users'
252
241
  # @param[Array] users a list of users
253
- # @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
242
+ # @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
254
243
  # @example
255
244
  # r.read_users = ['one', 'two', 'three']
256
- # r.read_users
245
+ # r.read_users
257
246
  # => ['one', 'two', 'three']
258
247
  # r.set_read_users(['one'], ['three'])
259
248
  # r.read_users
@@ -266,14 +255,14 @@ module Hydra
266
255
 
267
256
  # Return a list of groups that have edit permission
268
257
  def edit_groups
269
- rightsMetadata.groups.map {|k, v| k if v == 'edit'}.compact
258
+ search_by_type_and_mode(:group, ::ACL.Write).map { |p| p.agent_name }
270
259
  end
271
260
 
272
261
  # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
273
262
  # @param[Array] groups a list of group names
274
263
  # @example
275
264
  # r.edit_groups= ['one', 'two', 'three']
276
- # r.edit_groups
265
+ # r.edit_groups
277
266
  # => ['one', 'two', 'three']
278
267
  #
279
268
  def edit_groups=(groups)
@@ -284,7 +273,7 @@ module Hydra
284
273
  # @param[String] groups a list of group names
285
274
  # @example
286
275
  # r.edit_groups_string= 'one, two, three'
287
- # r.edit_groups
276
+ # r.edit_groups
288
277
  # => ['one', 'two', 'three']
289
278
  #
290
279
  def edit_groups_string=(groups)
@@ -299,13 +288,13 @@ module Hydra
299
288
  # Grant edit permissions to the groups specified. Revokes edit permission for
300
289
  # any of the eligible_groups that are not in groups.
301
290
  # This may be used when different users are responsible for setting different
302
- # groups. Supply the groups the current user is responsible for as the
291
+ # groups. Supply the groups the current user is responsible for as the
303
292
  # 'eligible_groups'
304
293
  # @param[Array] groups a list of groups
305
- # @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
294
+ # @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
306
295
  # @example
307
296
  # r.edit_groups = ['one', 'two', 'three']
308
- # r.edit_groups
297
+ # r.edit_groups
309
298
  # => ['one', 'two', 'three']
310
299
  # r.set_edit_groups(['one'], ['three'])
311
300
  # r.edit_groups
@@ -316,14 +305,14 @@ module Hydra
316
305
  end
317
306
 
318
307
  def edit_users
319
- rightsMetadata.users.map {|k, v| k if v == 'edit'}.compact
308
+ search_by_type_and_mode(:person, ::ACL.Write).map { |p| p.agent_name }
320
309
  end
321
310
 
322
311
  # Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
323
312
  # @param[Array] users a list of usernames
324
313
  # @example
325
314
  # r.edit_users= ['one', 'two', 'three']
326
- # r.edit_users
315
+ # r.edit_users
327
316
  # => ['one', 'two', 'three']
328
317
  #
329
318
  def edit_users=(users)
@@ -333,13 +322,13 @@ module Hydra
333
322
  # Grant edit permissions to the users specified. Revokes edit permission for
334
323
  # any of the eligible_users that are not in users.
335
324
  # This may be used when different users are responsible for setting different
336
- # users. Supply the users the current user is responsible for as the
325
+ # users. Supply the users the current user is responsible for as the
337
326
  # 'eligible_users'
338
327
  # @param[Array] users a list of users
339
- # @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
328
+ # @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
340
329
  # @example
341
330
  # r.edit_users = ['one', 'two', 'three']
342
- # r.edit_users
331
+ # r.edit_users
343
332
  # => ['one', 'two', 'three']
344
333
  # r.set_edit_users(['one'], ['three'])
345
334
  # r.edit_users
@@ -349,40 +338,85 @@ module Hydra
349
338
  set_entities(:edit, :person, users, eligible_users)
350
339
  end
351
340
 
352
- protected
341
+ protected
353
342
 
354
343
  def has_destroy_flag?(hash)
355
344
  ["1", "true"].include?(hash['_destroy'].to_s)
356
345
  end
357
346
 
358
- private
347
+ private
359
348
 
360
- # @param permission either :discover, :read or :edit
361
- # @param type either :person or :group
362
- # @param values Values to set
363
- # @param changeable Values we are allowed to change
349
+ # @param [Symbol] permission either :discover, :read or :edit
350
+ # @param [Symbol] type either :person or :group
351
+ # @param [Array<String>] values Values to set
352
+ # @param [Array<String>] changeable Values we are allowed to change
364
353
  def set_entities(permission, type, values, changeable)
365
- g = preserved(type, permission)
366
354
  (changeable - values).each do |entity|
367
- #Strip permissions from users not provided
368
- g[entity] = 'none'
355
+ for_destroy = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == entity }
356
+ permissions.delete(for_destroy)
357
+ end
358
+
359
+ values.each do |agent_name|
360
+ exists = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == agent_name }
361
+ permissions.build(name: agent_name, access: permission.to_s, type: type ) unless exists.present?
362
+ end
363
+ end
364
+
365
+ def permission_to_uri(permission)
366
+ case permission.to_s
367
+ when 'read'
368
+ ::ACL.Read
369
+ when 'edit'
370
+ ::ACL.Write
371
+ when 'discover'
372
+ Hydra::ACL.Discover
373
+ else
374
+ raise "Invalid permission #{permission.inspect}"
375
+ end
376
+ end
377
+
378
+ # @param [Symbol] type (either :group or :person)
379
+ # @return [Array<Permission>]
380
+ def search_by_type(type)
381
+ case type
382
+ when :group
383
+ permissions.to_a.select { |p| group_agent?(p.agent) }
384
+ when :person
385
+ permissions.to_a.select { |p| person_agent?(p.agent) }
369
386
  end
370
- values.each { |name| g[name] = permission.to_s}
371
- rightsMetadata.update_permissions(type.to_s=>g)
372
- end
373
-
374
- ## Get those permissions we don't want to change
375
- def preserved(type, permission)
376
- case permission
377
- when :edit
378
- g = {}
379
- when :read
380
- Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'edit'}]
381
- when :discover
382
- Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'discover'}]
387
+ end
388
+
389
+ # @param [Symbol] type either :group or :person
390
+ # @param [::RDF::URI] mode One of the permissions modes, e.g. ACL.Write, ACL.Read, etc.
391
+ # @return [Array<Permission>]
392
+ def search_by_type_and_mode(type, mode)
393
+ case type
394
+ when :group
395
+ permissions.to_a.select { |p| group_agent?(p.agent) && p.mode.first.rdf_subject == mode }
396
+ when :person
397
+ permissions.to_a.select { |p| person_agent?(p.agent) && p.mode.first.rdf_subject == mode }
383
398
  end
384
399
  end
385
400
 
401
+ def person_permissions
402
+ search_by_type(:person)
403
+ end
404
+
405
+ def group_permissions
406
+ search_by_type(:group)
407
+ end
408
+
409
+ def group_agent?(agent)
410
+ raise "no agent" unless agent.present?
411
+ agent.first.rdf_subject.to_s.start_with?(GROUP_AGENT_URL_PREFIX)
412
+
413
+ end
414
+
415
+ def person_agent?(agent)
416
+ raise "no agent" unless agent.present?
417
+ agent.first.rdf_subject.to_s.start_with?(PERSON_AGENT_URL_PREFIX)
418
+ end
419
+
386
420
  end
387
421
  end
388
422
  end
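Review bot: `search_by_type` and `search_by_type_and_mode` have no `else` branch, so any `type` other than `:group`/`:person` returns nil and `set_entities` then fails with a NoMethodError on `nil.select` instead of a clear error; `permission_to_uri` validates `permission` but nothing validates `type`. Adding `else raise ArgumentError, "Invalid type #{type.inspect}"` to both `case` statements, and changing `raise "Invalid permission #{permission.inspect}"` in `permission_to_uri` to `raise ArgumentError, "Invalid permission #{permission.inspect}"`, makes the contract explicit and catchable. `search_by_type_and_mode` only inspects `p.mode.first`, so a Permission carrying more than one mode (the comment in the new access_control_list.rb shows `acl:Read, acl:Write` on one entry) would not be found for its second mode, and a Permission with an empty `mode` raises on `nil.rdf_subject`; if several modes are possible here, `p.mode.any? { |m| m.rdf_subject == mode }` is the safer check. `permissions.delete(for_destroy)` hands an Array to the association; confirm that form is accepted, since a silently missed delete here leaves a revoked grant in place.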
@@ -39,19 +39,17 @@ module Hydra
39
39
 
40
40
  def public_visibility!
41
41
  visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
42
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "read")
42
+ set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC], [])
43
43
  end
44
44
 
45
45
  def registered_visibility!
46
46
  visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
47
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED}, "read")
48
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
47
+ set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
49
48
  end
50
49
 
51
50
  def private_visibility!
52
51
  visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
53
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED}, "none")
54
- self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
52
+ set_read_groups([], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED, Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
55
53
  end
56
54
 
57
55
  end
@@ -5,7 +5,6 @@ module Hydra
5
5
  autoload :WithAccessRight
6
6
  autoload :Embargoable
7
7
  autoload :Visibility
8
- autoload :Permission
9
8
  autoload :Permissions
10
9
  end
11
10
  end
@@ -3,9 +3,34 @@ module Hydra
3
3
  extend ActiveSupport::Concern
4
4
 
5
5
  included do
6
- has_metadata "defaultRights", type: Hydra::Datastream::InheritableRightsMetadata
6
+ has_and_belongs_to_many :default_permissions, predicate: Hydra::ACL.defaultPermissions, class_name: 'Hydra::AccessControls::Permission'
7
+ belongs_to :default_embargo, predicate: Hydra::ACL.hasEmbargo, class_name: 'Hydra::AccessControls::Embargo'
7
8
  end
8
9
 
10
+ def to_solr(solr_doc=Hash.new)
11
+ f = merged_policies
12
+ super.tap do |doc|
13
+ ['discover'.freeze, 'read'.freeze, 'edit'.freeze].each do |access|
14
+ doc[Hydra.config.permissions.inheritable[access.to_sym][:group]] = f[access]['group'.freeze] if f[access]
15
+ doc[Hydra.config.permissions.inheritable[access.to_sym][:individual]] = f[access]['person'.freeze] if f[access]
16
+ end
17
+ if default_embargo
18
+ key = Hydra.config.permissions.inheritable.embargo.release_date.sub(/_[^_]+$/, '') #Strip off the suffix
19
+ ::Solrizer.insert_field(doc, key, default_embargo.embargo_release_date, :stored_sortable)
20
+ end
21
+ end
22
+ end
23
+
24
+ def merged_policies
25
+ default_permissions.each_with_object({}) do |policy, h|
26
+ args = policy.to_hash
27
+ h[args[:access]] ||= {}
28
+ h[args[:access]][args[:type]] ||= []
29
+ h[args[:access]][args[:type]] << args[:name]
30
+ end
31
+ end
32
+
33
+
9
34
  ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
10
35
  # @example
11
36
  # obj.default_permissions= [{:name=>"group1", :access=>"discover", :type=>'group'},
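Review bot: the `has_metadata "defaultRights"` declaration is removed here, but `default_permissions=` in the following hunk (its `def` line lies outside both hunks) still builds `perm_hash` from `defaultRights.users` and `defaultRights.groups`, which will now raise NoMethodError the first time a policy's default permissions are assigned. That setter needs to be rewritten against the new `default_permissions` association (the `to_solr`/`merged_policies` pair added here already read from it), or removed if nested attributes replace it. Separately, `to_solr` assigns `doc[...] = f[access]['group']` and `['person']` whenever `f[access]` exists, so an access level that has only one agent type stores an explicit nil under the other key; guarding each assignment with `if f[access] && f[access]['group']` (or `f.dig(access, 'group')` where the supported Ruby has `Hash#dig`) keeps nil out of the index document. `merged_policies` also assumes `policy.to_hash` yields symbol keys `:access`, `:type`, `:name` with string type values — worth a one-line comment stating that dependency on `Permission#to_hash`.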
@@ -14,7 +39,7 @@ module Hydra
14
39
  perm_hash = {'person' => defaultRights.users, 'group'=> defaultRights.groups}
15
40
  params.each do |row|
16
41
  if row[:type] == 'user' || row[:type] == 'person'
17
- perm_hash['person'][row[:name]] = row[:access]
42
+ perm_hash['person'][row[:name]] = row[:access]
18
43
  elsif row[:type] == 'group'
19
44
  perm_hash['group'][row[:name]] = row[:access]
20
45
  else
@@ -0,0 +1,15 @@
1
+ module Hydra
2
+ module Rights
3
+ extend ActiveSupport::Concern
4
+ included do
5
+ # Rights
6
+ property :rights, predicate: ::RDF::DC.rights do |index|
7
+ index.as :facetable
8
+ end
9
+ property :rightsHolder, predicate: ::RDF::URI('http://opaquenamespace.org/rights/rightsHolder') do |index|
10
+ index.as :searchable, :facetable
11
+ end
12
+ property :copyrightClaimant, predicate: ::RDF::URI('http://id.loc.gov/vocabulary/relators/cpc')
13
+ end
14
+ end
15
+ end
@@ -0,0 +1,17 @@
1
+ module Hydra::AccessControls
2
+ class AccessControlList < ActiveFedora::Base
3
+ belongs_to :access_to, predicate: ::ACL.accessTo, class_name: 'ActiveFedora::Base'
4
+ # has_many :admin_policies, class_name: 'Hydra::AdminPolicy'
5
+ property :mode, predicate: ::ACL.mode, class_name: 'Hydra::AccessControls::Mode'
6
+ property :agent, predicate: ::ACL.agent, class_name: 'Hydra::AccessControls::Agent'
7
+ # property :agentClass, predicate: ACL.agentClass
8
+
9
+ # [acl:accessTo <card>; acl:mode acl:Read; acl:agentClass foaf:Agent].
10
+ # [acl:accessTo <card>; acl:mode acl:Read, acl:Write; acl:agent <card#i>].
11
+ end
12
+
13
+ class Mode < ActiveTriples::Resource
14
+ end
15
+ class Agent < ActiveTriples::Resource
16
+ end
17
+ end
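Review bot: the new file ships two commented-out declarations (`has_many :admin_policies` and `property :agentClass`) and two empty `Mode`/`Agent` resource classes with no explanation of their role. Either drop the dead lines or replace them with a short comment stating what is deferred, e.g. `# acl:agentClass is not modelled yet; see the acl:agent property above`, and give `Mode` and `Agent` one-line class comments so their relationship to the `:mode`/`:agent` properties is clear. The trailing `[acl:accessTo …]` examples are useful and would read better as the class's doc comment above `class AccessControlList`.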
@@ -0,0 +1,65 @@
1
+ module Hydra::AccessControls
2
+ class Embargo < ActiveFedora::Base
3
+ property :visibility_during_embargo, predicate: Hydra::ACL.visibilityDuringEmbargo
4
+ property :visibility_after_embargo, predicate: Hydra::ACL.visibilityAfterEmbargo
5
+ property :embargo_release_date, predicate: Hydra::ACL.embargoReleaseDate
6
+ property :embargo_history, predicate: Hydra::ACL.embargoHistory
7
+
8
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
9
+ def visibility_during_embargo_with_first
10
+ visibility_during_embargo_without_first.first
11
+ end
12
+ alias_method_chain :visibility_during_embargo, :first
13
+
14
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
15
+ def visibility_after_embargo_with_first
16
+ visibility_after_embargo_without_first.first
17
+ end
18
+ alias_method_chain :visibility_after_embargo, :first
19
+
20
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
21
+ def embargo_release_date_with_first
22
+ embargo_release_date_without_first.first
23
+ end
24
+ alias_method_chain :embargo_release_date, :first
25
+
26
+ # Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
27
+ def embargo_release_date_with_casting=(date)
28
+ date = DateTime.parse(date) if date && date.kind_of?(String)
29
+ self.embargo_release_date_without_casting = date
30
+ end
31
+ alias_method_chain :embargo_release_date=, :casting
32
+
33
+ def active?
34
+ (embargo_release_date.present? && Date.today < embargo_release_date)
35
+ end
36
+
37
+ def deactivate!
38
+ return unless embargo_release_date
39
+ embargo_state = active? ? "active" : "expired"
40
+ embargo_record = embargo_history_message(embargo_state, Date.today, embargo_release_date, visibility_during_embargo, visibility_after_embargo)
41
+ self.embargo_release_date = nil
42
+ self.visibility_during_embargo = nil
43
+ self.visibility_after_embargo = nil
44
+ self.embargo_history += [embargo_record]
45
+ end
46
+
47
+ def to_hash
48
+ {}.tap do |doc|
49
+ date_field_name = Hydra.config.permissions.embargo.release_date.sub(/_dtsi/, '')
50
+ Solrizer.insert_field(doc, date_field_name, embargo_release_date, :stored_sortable)
51
+ doc[::Solrizer.solr_name("visibility_during_embargo", :symbol)] = visibility_during_embargo unless visibility_during_embargo.nil?
52
+ doc[::Solrizer.solr_name("visibility_after_embargo", :symbol)] = visibility_after_embargo unless visibility_after_embargo.nil?
53
+ doc[::Solrizer.solr_name("embargo_history", :symbol)] = embargo_history unless embargo_history.nil?
54
+ end
55
+ end
56
+ protected
57
+
58
+ # Create the log message used when deactivating an embargo
59
+ # This method may be overriden in order to transform the values of the passed parameters.
60
+ def embargo_history_message(state, deactivate_date, release_date, visibility_during, visibility_after)
61
+ I18n.t 'hydra.embargo.history_message', state: state, deactivate_date: deactivate_date, release_date: release_date,
62
+ visibility_during: visibility_during, visibility_after: visibility_after
63
+ end
64
+ end
65
+ end
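Review bot: `active?` compares `Date.today`, a zone-less local date, against `embargo_release_date`, which `embargo_release_date_with_casting=` produces via `DateTime.parse` (offset zero unless the string carries one), so whether an embargo still gates access around its release date depends on the process timezone — for an access-control check that can mean content opening up to a day early or late. Comparing both sides in one zone, e.g. `Date.current < embargo_release_date.to_date` under ActiveSupport, removes the ambiguity; `DateTime` is also the legacy API and `Time`/`Date` are preferred. The setter lets `DateTime.parse` raise a bare ArgumentError for malformed input and skips casting for non-String values; a comment such as `# String values are parsed with DateTime.parse and raise ArgumentError when malformed; other types are stored as given` would state that contract for callers. `to_hash` strips the field suffix with an unanchored `sub(/_dtsi/, '')` while the `to_solr` added in admin_policy_behavior.rb uses `sub(/_[^_]+$/, '')` for the same purpose; using one form in both places avoids the two drifting apart.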