hydra-access-controls 8.2.0 → 9.0.0.beta1
- checksums.yaml +4 -4
- data/README.textile +10 -10
- data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
- data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
- data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
- data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
- data/app/models/concerns/hydra/access_controls.rb +0 -1
- data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
- data/app/models/concerns/hydra/rights.rb +15 -0
- data/app/models/hydra/access_controls/access_control_list.rb +17 -0
- data/app/models/hydra/access_controls/embargo.rb +65 -0
- data/app/models/hydra/access_controls/lease.rb +66 -0
- data/app/models/hydra/access_controls/permission.rb +85 -0
- data/app/vocabularies/acl.rb +12 -0
- data/app/vocabularies/hydra/acl.rb +20 -0
- data/config/fedora.yml +4 -2
- data/hydra-access-controls.gemspec +6 -7
- data/lib/hydra/ability.rb +45 -43
- data/lib/hydra/access_controls_enforcement.rb +23 -25
- data/lib/hydra/admin_policy.rb +34 -11
- data/lib/hydra/config.rb +4 -15
- data/lib/hydra/permissions_query.rb +2 -2
- data/lib/hydra/permissions_solr_document.rb +4 -6
- data/lib/hydra/policy_aware_ability.rb +56 -53
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
- data/lib/hydra-access-controls.rb +1 -1
- data/spec/factories.rb +15 -15
- data/spec/services/embargo_service_spec.rb +6 -6
- data/spec/services/lease_service_spec.rb +6 -6
- data/spec/spec_helper.rb +20 -13
- data/spec/support/mods_asset.rb +3 -3
- data/spec/unit/ability_spec.rb +96 -121
- data/spec/unit/access_controls_enforcement_spec.rb +29 -27
- data/spec/unit/access_right_spec.rb +6 -1
- data/spec/unit/accessible_by_spec.rb +14 -5
- data/spec/unit/admin_policy_spec.rb +99 -92
- data/spec/unit/config_spec.rb +14 -15
- data/spec/unit/embargoable_spec.rb +26 -28
- data/spec/unit/permission_spec.rb +36 -16
- data/spec/unit/permissions_spec.rb +121 -65
- data/spec/unit/policy_aware_ability_spec.rb +64 -78
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
- data/spec/unit/role_mapper_spec.rb +10 -10
- data/spec/unit/with_access_right_spec.rb +1 -1
- metadata +29 -51
- data/lib/hydra/access_controls/permission.rb +0 -40
- data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
- data/lib/hydra/datastream/rights_metadata.rb +0 -276
- data/lib/hydra/datastream.rb +0 -7
- data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
- data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
- data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65
@@ -2,75 +2,64 @@ module Hydra
|
|
2
2
|
module AccessControls
|
3
3
|
module Permissions
|
4
4
|
extend ActiveSupport::Concern
|
5
|
+
include Hydra::AccessControls::Visibility
|
5
6
|
|
6
7
|
included do
|
7
|
-
|
8
|
-
|
8
|
+
has_many :permissions, predicate: ::ACL.accessTo, class_name: 'Hydra::AccessControls::Permission', inverse_of: :access_to
|
9
|
+
accepts_nested_attributes_for :permissions, allow_destroy: true
|
10
|
+
alias_method :permissions_attributes_without_uniqueness=, :permissions_attributes=
|
11
|
+
alias_method :permissions_attributes=, :permissions_attributes_with_uniqueness=
|
12
|
+
end
|
13
|
+
|
14
|
+
def to_solr(solr_doc = {})
|
15
|
+
super.tap do |doc|
|
16
|
+
[:discover, :read, :edit].each do |access|
|
17
|
+
vals = send("#{access}_groups")
|
18
|
+
doc[Hydra.config.permissions[access].group] = vals unless vals.empty?
|
19
|
+
vals = send("#{access}_users")
|
20
|
+
doc[Hydra.config.permissions[access].individual] = vals unless vals.empty?
|
21
|
+
end
|
22
|
+
end
|
9
23
|
end
|
10
24
|
|
11
|
-
|
12
|
-
|
13
|
-
# obj.permissions_attributes= [{:name=>"group1", :access=>"discover", :type=>'group'},
|
14
|
-
# {:name=>"group2", :access=>"discover", :type=>'group'}]
|
15
|
-
def permissions_attributes= attributes_collection
|
16
|
-
perm_hash = {'person' => rightsMetadata.users, 'group'=> rightsMetadata.groups}
|
17
|
-
|
25
|
+
# When chaging a permission for an object/user, ensure an update is done, not a duplicate
|
26
|
+
def permissions_attributes_with_uniqueness=(attributes_collection)
|
18
27
|
if attributes_collection.is_a? Hash
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
attributes_collection.each do |row|
|
23
|
-
row = row.with_indifferent_access
|
24
|
-
if row[:type] == 'user' || row[:type] == 'person'
|
25
|
-
if has_destroy_flag? row
|
26
|
-
perm_hash['person'].delete(row[:name])
|
27
|
-
else
|
28
|
-
perm_hash['person'][row[:name]] = row[:access]
|
29
|
-
end
|
30
|
-
elsif row[:type] == 'group'
|
31
|
-
perm_hash['group'][row[:name]] = row[:access]
|
32
|
-
if has_destroy_flag? row
|
33
|
-
perm_hash['group'].delete(row[:name])
|
34
|
-
else
|
35
|
-
perm_hash['group'][row[:name]] = row[:access]
|
36
|
-
end
|
28
|
+
keys = attributes_collection.keys
|
29
|
+
attributes_collection = if keys.include?('id') || keys.include?(:id)
|
30
|
+
Array(attributes_collection)
|
37
31
|
else
|
38
|
-
|
32
|
+
attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
|
39
33
|
end
|
40
34
|
end
|
41
|
-
|
42
|
-
rightsMetadata.permissions = perm_hash
|
43
|
-
end
|
44
35
|
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
# @param values [Array<Permission>] a list of permission objects to set
|
52
|
-
def permissions= values
|
53
|
-
perm_hash = {'person' => {}, 'group'=> {}}
|
54
|
-
values.each do |perm|
|
55
|
-
if perm.type == 'user'
|
56
|
-
perm_hash['person'][perm.name] = perm.access
|
57
|
-
else
|
58
|
-
perm_hash['group'][perm.name] = perm.access
|
36
|
+
attributes_collection.each do |prop|
|
37
|
+
existing = case prop[:type]
|
38
|
+
when 'group'
|
39
|
+
search_by_type(:group)
|
40
|
+
when 'person'
|
41
|
+
search_by_type(:person)
|
59
42
|
end
|
43
|
+
|
44
|
+
next unless existing
|
45
|
+
selected = existing.find { |perm| perm.agent_name == prop[:name] }
|
46
|
+
prop['id'] = selected.id if selected
|
60
47
|
end
|
61
|
-
|
48
|
+
|
49
|
+
self.permissions_attributes_without_uniqueness=attributes_collection
|
62
50
|
end
|
63
51
|
|
52
|
+
|
64
53
|
# Return a list of groups that have discover permission
|
65
54
|
def discover_groups
|
66
|
-
|
55
|
+
search_by_type_and_mode(:group, Hydra::ACL.Discover).map { |p| p.agent_name }
|
67
56
|
end
|
68
57
|
|
69
58
|
# Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
|
70
59
|
# @param[Array] groups a list of group names
|
71
60
|
# @example
|
72
61
|
# r.discover_groups= ['one', 'two', 'three']
|
73
|
-
# r.discover_groups
|
62
|
+
# r.discover_groups
|
74
63
|
# => ['one', 'two', 'three']
|
75
64
|
#
|
76
65
|
def discover_groups=(groups)
|
@@ -81,7 +70,7 @@ module Hydra
|
|
81
70
|
# @param[String] groups a list of group names
|
82
71
|
# @example
|
83
72
|
# r.discover_groups_string= 'one, two, three'
|
84
|
-
# r.discover_groups
|
73
|
+
# r.discover_groups
|
85
74
|
# => ['one', 'two', 'three']
|
86
75
|
#
|
87
76
|
def discover_groups_string=(groups)
|
@@ -96,13 +85,13 @@ module Hydra
|
|
96
85
|
# Grant discover permissions to the groups specified. Revokes discover permission for
|
97
86
|
# any of the eligible_groups that are not in groups.
|
98
87
|
# This may be used when different users are responsible for setting different
|
99
|
-
# groups. Supply the groups the current user is responsible for as the
|
88
|
+
# groups. Supply the groups the current user is responsible for as the
|
100
89
|
# 'eligible_groups'
|
101
90
|
# @param[Array] groups a list of groups
|
102
|
-
# @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
|
91
|
+
# @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
|
103
92
|
# @example
|
104
93
|
# r.discover_groups = ['one', 'two', 'three']
|
105
|
-
# r.discover_groups
|
94
|
+
# r.discover_groups
|
106
95
|
# => ['one', 'two', 'three']
|
107
96
|
# r.set_discover_groups(['one'], ['three'])
|
108
97
|
# r.discover_groups
|
@@ -113,14 +102,14 @@ module Hydra
|
|
113
102
|
end
|
114
103
|
|
115
104
|
def discover_users
|
116
|
-
|
105
|
+
search_by_type_and_mode(:person, Hydra::ACL.Discover).map { |p| p.agent_name }
|
117
106
|
end
|
118
107
|
|
119
108
|
# Grant discover permissions to the users specified. Revokes discover permission for all other users.
|
120
109
|
# @param[Array] users a list of usernames
|
121
110
|
# @example
|
122
111
|
# r.discover_users= ['one', 'two', 'three']
|
123
|
-
# r.discover_users
|
112
|
+
# r.discover_users
|
124
113
|
# => ['one', 'two', 'three']
|
125
114
|
#
|
126
115
|
def discover_users=(users)
|
@@ -131,7 +120,7 @@ module Hydra
|
|
131
120
|
# @param[String] users a list of usernames
|
132
121
|
# @example
|
133
122
|
# r.discover_users_string= 'one, two, three'
|
134
|
-
# r.discover_users
|
123
|
+
# r.discover_users
|
135
124
|
# => ['one', 'two', 'three']
|
136
125
|
#
|
137
126
|
def discover_users_string=(users)
|
@@ -146,13 +135,13 @@ module Hydra
|
|
146
135
|
# Grant discover permissions to the users specified. Revokes discover permission for
|
147
136
|
# any of the eligible_users that are not in users.
|
148
137
|
# This may be used when different users are responsible for setting different
|
149
|
-
# users. Supply the users the current user is responsible for as the
|
138
|
+
# users. Supply the users the current user is responsible for as the
|
150
139
|
# 'eligible_users'
|
151
140
|
# @param[Array] users a list of users
|
152
|
-
# @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
|
141
|
+
# @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
|
153
142
|
# @example
|
154
143
|
# r.discover_users = ['one', 'two', 'three']
|
155
|
-
# r.discover_users
|
144
|
+
# r.discover_users
|
156
145
|
# => ['one', 'two', 'three']
|
157
146
|
# r.set_discover_users(['one'], ['three'])
|
158
147
|
# r.discover_users
|
@@ -164,14 +153,14 @@ module Hydra
|
|
164
153
|
|
165
154
|
# Return a list of groups that have discover permission
|
166
155
|
def read_groups
|
167
|
-
|
156
|
+
search_by_type_and_mode(:group, ::ACL.Read).map { |p| p.agent_name }
|
168
157
|
end
|
169
158
|
|
170
159
|
# Grant read permissions to the groups specified. Revokes read permission for all other groups.
|
171
160
|
# @param[Array] groups a list of group names
|
172
161
|
# @example
|
173
162
|
# r.read_groups= ['one', 'two', 'three']
|
174
|
-
# r.read_groups
|
163
|
+
# r.read_groups
|
175
164
|
# => ['one', 'two', 'three']
|
176
165
|
#
|
177
166
|
def read_groups=(groups)
|
@@ -182,7 +171,7 @@ module Hydra
|
|
182
171
|
# @param[String] groups a list of group names
|
183
172
|
# @example
|
184
173
|
# r.read_groups_string= 'one, two, three'
|
185
|
-
# r.read_groups
|
174
|
+
# r.read_groups
|
186
175
|
# => ['one', 'two', 'three']
|
187
176
|
#
|
188
177
|
def read_groups_string=(groups)
|
@@ -197,13 +186,13 @@ module Hydra
|
|
197
186
|
# Grant read permissions to the groups specified. Revokes read permission for
|
198
187
|
# any of the eligible_groups that are not in groups.
|
199
188
|
# This may be used when different users are responsible for setting different
|
200
|
-
# groups. Supply the groups the current user is responsible for as the
|
189
|
+
# groups. Supply the groups the current user is responsible for as the
|
201
190
|
# 'eligible_groups'
|
202
191
|
# @param[Array] groups a list of groups
|
203
|
-
# @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
|
192
|
+
# @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
|
204
193
|
# @example
|
205
194
|
# r.read_groups = ['one', 'two', 'three']
|
206
|
-
# r.read_groups
|
195
|
+
# r.read_groups
|
207
196
|
# => ['one', 'two', 'three']
|
208
197
|
# r.set_read_groups(['one'], ['three'])
|
209
198
|
# r.read_groups
|
@@ -214,14 +203,14 @@ module Hydra
|
|
214
203
|
end
|
215
204
|
|
216
205
|
def read_users
|
217
|
-
|
206
|
+
search_by_type_and_mode(:person, ::ACL.Read).map { |p| p.agent_name }
|
218
207
|
end
|
219
208
|
|
220
209
|
# Grant read permissions to the users specified. Revokes read permission for all other users.
|
221
210
|
# @param[Array] users a list of usernames
|
222
211
|
# @example
|
223
212
|
# r.read_users= ['one', 'two', 'three']
|
224
|
-
# r.read_users
|
213
|
+
# r.read_users
|
225
214
|
# => ['one', 'two', 'three']
|
226
215
|
#
|
227
216
|
def read_users=(users)
|
@@ -232,7 +221,7 @@ module Hydra
|
|
232
221
|
# @param[String] users a list of usernames
|
233
222
|
# @example
|
234
223
|
# r.read_users_string= 'one, two, three'
|
235
|
-
# r.read_users
|
224
|
+
# r.read_users
|
236
225
|
# => ['one', 'two', 'three']
|
237
226
|
#
|
238
227
|
def read_users_string=(users)
|
@@ -247,13 +236,13 @@ module Hydra
|
|
247
236
|
# Grant read permissions to the users specified. Revokes read permission for
|
248
237
|
# any of the eligible_users that are not in users.
|
249
238
|
# This may be used when different users are responsible for setting different
|
250
|
-
# users. Supply the users the current user is responsible for as the
|
239
|
+
# users. Supply the users the current user is responsible for as the
|
251
240
|
# 'eligible_users'
|
252
241
|
# @param[Array] users a list of users
|
253
|
-
# @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
|
242
|
+
# @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
|
254
243
|
# @example
|
255
244
|
# r.read_users = ['one', 'two', 'three']
|
256
|
-
# r.read_users
|
245
|
+
# r.read_users
|
257
246
|
# => ['one', 'two', 'three']
|
258
247
|
# r.set_read_users(['one'], ['three'])
|
259
248
|
# r.read_users
|
@@ -266,14 +255,14 @@ module Hydra
|
|
266
255
|
|
267
256
|
# Return a list of groups that have edit permission
|
268
257
|
def edit_groups
|
269
|
-
|
258
|
+
search_by_type_and_mode(:group, ::ACL.Write).map { |p| p.agent_name }
|
270
259
|
end
|
271
260
|
|
272
261
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
273
262
|
# @param[Array] groups a list of group names
|
274
263
|
# @example
|
275
264
|
# r.edit_groups= ['one', 'two', 'three']
|
276
|
-
# r.edit_groups
|
265
|
+
# r.edit_groups
|
277
266
|
# => ['one', 'two', 'three']
|
278
267
|
#
|
279
268
|
def edit_groups=(groups)
|
@@ -284,7 +273,7 @@ module Hydra
|
|
284
273
|
# @param[String] groups a list of group names
|
285
274
|
# @example
|
286
275
|
# r.edit_groups_string= 'one, two, three'
|
287
|
-
# r.edit_groups
|
276
|
+
# r.edit_groups
|
288
277
|
# => ['one', 'two', 'three']
|
289
278
|
#
|
290
279
|
def edit_groups_string=(groups)
|
@@ -299,13 +288,13 @@ module Hydra
|
|
299
288
|
# Grant edit permissions to the groups specified. Revokes edit permission for
|
300
289
|
# any of the eligible_groups that are not in groups.
|
301
290
|
# This may be used when different users are responsible for setting different
|
302
|
-
# groups. Supply the groups the current user is responsible for as the
|
291
|
+
# groups. Supply the groups the current user is responsible for as the
|
303
292
|
# 'eligible_groups'
|
304
293
|
# @param[Array] groups a list of groups
|
305
|
-
# @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
|
294
|
+
# @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
|
306
295
|
# @example
|
307
296
|
# r.edit_groups = ['one', 'two', 'three']
|
308
|
-
# r.edit_groups
|
297
|
+
# r.edit_groups
|
309
298
|
# => ['one', 'two', 'three']
|
310
299
|
# r.set_edit_groups(['one'], ['three'])
|
311
300
|
# r.edit_groups
|
@@ -316,14 +305,14 @@ module Hydra
|
|
316
305
|
end
|
317
306
|
|
318
307
|
def edit_users
|
319
|
-
|
308
|
+
search_by_type_and_mode(:person, ::ACL.Write).map { |p| p.agent_name }
|
320
309
|
end
|
321
310
|
|
322
311
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
323
312
|
# @param[Array] users a list of usernames
|
324
313
|
# @example
|
325
314
|
# r.edit_users= ['one', 'two', 'three']
|
326
|
-
# r.edit_users
|
315
|
+
# r.edit_users
|
327
316
|
# => ['one', 'two', 'three']
|
328
317
|
#
|
329
318
|
def edit_users=(users)
|
@@ -333,13 +322,13 @@ module Hydra
|
|
333
322
|
# Grant edit permissions to the users specified. Revokes edit permission for
|
334
323
|
# any of the eligible_users that are not in users.
|
335
324
|
# This may be used when different users are responsible for setting different
|
336
|
-
# users. Supply the users the current user is responsible for as the
|
325
|
+
# users. Supply the users the current user is responsible for as the
|
337
326
|
# 'eligible_users'
|
338
327
|
# @param[Array] users a list of users
|
339
|
-
# @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
|
328
|
+
# @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
|
340
329
|
# @example
|
341
330
|
# r.edit_users = ['one', 'two', 'three']
|
342
|
-
# r.edit_users
|
331
|
+
# r.edit_users
|
343
332
|
# => ['one', 'two', 'three']
|
344
333
|
# r.set_edit_users(['one'], ['three'])
|
345
334
|
# r.edit_users
|
@@ -349,40 +338,85 @@ module Hydra
|
|
349
338
|
set_entities(:edit, :person, users, eligible_users)
|
350
339
|
end
|
351
340
|
|
352
|
-
protected
|
341
|
+
protected
|
353
342
|
|
354
343
|
def has_destroy_flag?(hash)
|
355
344
|
["1", "true"].include?(hash['_destroy'].to_s)
|
356
345
|
end
|
357
346
|
|
358
|
-
private
|
347
|
+
private
|
359
348
|
|
360
|
-
# @param
|
361
|
-
# @param
|
362
|
-
# @param
|
363
|
-
# @param
|
349
|
+
# @param [Symbol] permission either :discover, :read or :edit
|
350
|
+
# @param [Symbol] type either :person or :group
|
351
|
+
# @param [Array<String>] values Values to set
|
352
|
+
# @param [Array<String>] changeable Values we are allowed to change
|
364
353
|
def set_entities(permission, type, values, changeable)
|
365
|
-
g = preserved(type, permission)
|
366
354
|
(changeable - values).each do |entity|
|
367
|
-
|
368
|
-
|
355
|
+
for_destroy = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == entity }
|
356
|
+
permissions.delete(for_destroy)
|
357
|
+
end
|
358
|
+
|
359
|
+
values.each do |agent_name|
|
360
|
+
exists = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == agent_name }
|
361
|
+
permissions.build(name: agent_name, access: permission.to_s, type: type ) unless exists.present?
|
362
|
+
end
|
363
|
+
end
|
364
|
+
|
365
|
+
def permission_to_uri(permission)
|
366
|
+
case permission.to_s
|
367
|
+
when 'read'
|
368
|
+
::ACL.Read
|
369
|
+
when 'edit'
|
370
|
+
::ACL.Write
|
371
|
+
when 'discover'
|
372
|
+
Hydra::ACL.Discover
|
373
|
+
else
|
374
|
+
raise "Invalid permission #{permission.inspect}"
|
375
|
+
end
|
376
|
+
end
|
377
|
+
|
378
|
+
# @param [Symbol] type (either :group or :person)
|
379
|
+
# @return [Array<Permission>]
|
380
|
+
def search_by_type(type)
|
381
|
+
case type
|
382
|
+
when :group
|
383
|
+
permissions.to_a.select { |p| group_agent?(p.agent) }
|
384
|
+
when :person
|
385
|
+
permissions.to_a.select { |p| person_agent?(p.agent) }
|
369
386
|
end
|
370
|
-
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
|
375
|
-
def
|
376
|
-
case
|
377
|
-
when :
|
378
|
-
|
379
|
-
when :
|
380
|
-
|
381
|
-
when :discover
|
382
|
-
Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'discover'}]
|
387
|
+
end
|
388
|
+
|
389
|
+
# @param [Symbol] type either :group or :person
|
390
|
+
# @param [::RDF::URI] mode One of the permissions modes, e.g. ACL.Write, ACL.Read, etc.
|
391
|
+
# @return [Array<Permission>]
|
392
|
+
def search_by_type_and_mode(type, mode)
|
393
|
+
case type
|
394
|
+
when :group
|
395
|
+
permissions.to_a.select { |p| group_agent?(p.agent) && p.mode.first.rdf_subject == mode }
|
396
|
+
when :person
|
397
|
+
permissions.to_a.select { |p| person_agent?(p.agent) && p.mode.first.rdf_subject == mode }
|
383
398
|
end
|
384
399
|
end
|
385
400
|
|
401
|
+
def person_permissions
|
402
|
+
search_by_type(:person)
|
403
|
+
end
|
404
|
+
|
405
|
+
def group_permissions
|
406
|
+
search_by_type(:group)
|
407
|
+
end
|
408
|
+
|
409
|
+
def group_agent?(agent)
|
410
|
+
raise "no agent" unless agent.present?
|
411
|
+
agent.first.rdf_subject.to_s.start_with?(GROUP_AGENT_URL_PREFIX)
|
412
|
+
|
413
|
+
end
|
414
|
+
|
415
|
+
def person_agent?(agent)
|
416
|
+
raise "no agent" unless agent.present?
|
417
|
+
agent.first.rdf_subject.to_s.start_with?(PERSON_AGENT_URL_PREFIX)
|
418
|
+
end
|
419
|
+
|
386
420
|
end
|
387
421
|
end
|
388
422
|
end
|
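Review bot: In the first hunk of this file (`@@ -2,75 +2,64 @@`), `permissions_attributes_with_uniqueness=` wraps a single attribute hash with `Array(attributes_collection)`, but `Kernel#Array` on a Hash returns its key/value pairs, so the `id` branch hands `[['id', …], ['name', …]]` to the `each` below and `prop[:type]` raises TypeError; it should read `[attributes_collection]`. The removed code normalised each row with `with_indifferent_access`, while the new lookup reads `prop[:type]`/`prop[:name]` with symbol keys and writes `prop['id']` with a string key, so for string-keyed input `existing` is nil, `next unless existing` skips the merge, and a second permission for the same agent is created instead of the existing one being updated. The removed code also accepted `'user'` as a synonym for `'person'`; the new `case` does not, which silently bypasses uniqueness for that spelling — either add `when 'user', 'person'` or reject unknown types explicitly so a malformed row fails loudly rather than producing duplicate grants.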
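--- a/data/app/models/concerns/hydra/access_controls/visibility.rb
+++ b/data/app/models/concerns/hydra/access_controls/visibility.rb
@@ -39,19 +39,17 @@ module Hydra
 
 def public_visibility!
 visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
-
+set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC], [])
 end
 
 def registered_visibility!
 visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
-
-self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
+set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
 end
 
 def private_visibility!
 visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
-
-self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
+set_read_groups([], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED, Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
 end
 
 end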
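Review bot: `public_visibility!` passes `[]` as the eligible groups to `set_read_groups`, so a pre-existing `registered` read grant survives a switch to public, whereas `private_visibility!` revokes both groups; if the three states are meant to be exclusive, the call should be `set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED])`. This is harmless for enforcement while public is the broader grant, but it leaves the stored ACL dependent on the order in which visibility was changed, which shows up in `read_groups` listings and in the indexed permission fields.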
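--- a/data/app/models/concerns/hydra/admin_policy_behavior.rb
+++ b/data/app/models/concerns/hydra/admin_policy_behavior.rb
@@ -3,9 +3,34 @@ module Hydra
 extend ActiveSupport::Concern
 
 included do
-
+has_and_belongs_to_many :default_permissions, predicate: Hydra::ACL.defaultPermissions, class_name: 'Hydra::AccessControls::Permission'
+belongs_to :default_embargo, predicate: Hydra::ACL.hasEmbargo, class_name: 'Hydra::AccessControls::Embargo'
 end
 
+def to_solr(solr_doc=Hash.new)
+f = merged_policies
+super.tap do |doc|
+['discover'.freeze, 'read'.freeze, 'edit'.freeze].each do |access|
+doc[Hydra.config.permissions.inheritable[access.to_sym][:group]] = f[access]['group'.freeze] if f[access]
+doc[Hydra.config.permissions.inheritable[access.to_sym][:individual]] = f[access]['person'.freeze] if f[access]
+end
+if default_embargo
+key = Hydra.config.permissions.inheritable.embargo.release_date.sub(/_[^_]+$/, '') #Strip off the suffix
+::Solrizer.insert_field(doc, key, default_embargo.embargo_release_date, :stored_sortable)
+end
+end
+end
+
+def merged_policies
+default_permissions.each_with_object({}) do |policy, h|
+args = policy.to_hash
+h[args[:access]] ||= {}
+h[args[:access]][args[:type]] ||= []
+h[args[:access]][args[:type]] << args[:name]
+end
+end
+
+
 ## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
 # @example
 # obj.default_permissions= [{:name=>"group1", :access=>"discover", :type=>'group'},
@@ -14,7 +39,7 @@ module Hydra
 perm_hash = {'person' => defaultRights.users, 'group'=> defaultRights.groups}
 params.each do |row|
 if row[:type] == 'user' || row[:type] == 'person'
-perm_hash['person'][row[:name]] = row[:access]
+perm_hash['person'][row[:name]] = row[:access]
 elsif row[:type] == 'group'
 perm_hash['group'][row[:name]] = row[:access]
 else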
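Review bot: The second hunk (`@@ -14,7 +39,7 @@`) only re-indents one line, but the setter around it — which starts and ends outside the hunk and appears to be the `default_permissions=` documented just above — still reads and writes `defaultRights.users`/`defaultRights.groups`, while the first hunk now stores default permissions in the `has_and_belongs_to_many :default_permissions` association that `merged_policies` reads. If `defaultRights` belongs to the datastream layer this release removes (the diffstat deletes `data/lib/hydra/datastream/inheritable_rights_metadata.rb`), the writer targets a store the indexer no longer consults, so policies set through it would not reach the `inheritable` Solr fields; the setter should be ported to the association or removed. In the first hunk, `doc[...] = f[access]['group'.freeze] if f[access]` writes nil into the document whenever only persons exist for that access level; guarding on the inner value, e.g. `if f[access] && f[access]['group']`, keeps nil fields out of the index.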
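--- a/data/app/models/concerns/hydra/rights.rb
+++ b/data/app/models/concerns/hydra/rights.rb
@@ -0,0 +1,15 @@
+module Hydra
+module Rights
+extend ActiveSupport::Concern
+included do
+# Rights
+property :rights, predicate: ::RDF::DC.rights do |index|
+index.as :facetable
+end
+property :rightsHolder, predicate: ::RDF::URI('http://opaquenamespace.org/rights/rightsHolder') do |index|
+index.as :searchable, :facetable
+end
+property :copyrightClaimant, predicate: ::RDF::URI('http://id.loc.gov/vocabulary/relators/cpc')
+end
+end
+end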
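Review bot: The `# Rights` comment on line 5 of the new file only repeats the property name; a module-level comment stating what the concern contributes would be more useful, e.g. `# Adds the rights, rightsHolder and copyrightClaimant RDF properties (dc:rights, an opaquenamespace rightsHolder URI, and the LoC "cpc" relator) to the including model and declares how each is indexed.` The two bare `::RDF::URI('…')` predicates would read better as named constants at the top of the module, so the vocabulary each comes from is visible and a future addition cannot drift from the spelling used here.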
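--- a/data/app/models/hydra/access_controls/access_control_list.rb
+++ b/data/app/models/hydra/access_controls/access_control_list.rb
@@ -0,0 +1,17 @@
+module Hydra::AccessControls
+class AccessControlList < ActiveFedora::Base
+belongs_to :access_to, predicate: ::ACL.accessTo, class_name: 'ActiveFedora::Base'
+# has_many :admin_policies, class_name: 'Hydra::AdminPolicy'
+property :mode, predicate: ::ACL.mode, class_name: 'Hydra::AccessControls::Mode'
+property :agent, predicate: ::ACL.agent, class_name: 'Hydra::AccessControls::Agent'
+# property :agentClass, predicate: ACL.agentClass
+
+# [acl:accessTo <card>; acl:mode acl:Read; acl:agentClass foaf:Agent].
+# [acl:accessTo <card>; acl:mode acl:Read, acl:Write; acl:agent <card#i>].
+end
+
+class Mode < ActiveTriples::Resource
+end
+class Agent < ActiveTriples::Resource
+end
+end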
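Review bot: Lines 4 and 7 of the new file are commented-out declarations (`has_many :admin_policies`, `property :agentClass`), and the example on line 9 describes an `acl:agentClass foaf:Agent` triple that the class does not define; either drop them or replace them with a TODO that says why they are deferred, so a reader does not assume class-based ("everyone") grants are supported. `Mode` and `Agent` are empty `ActiveTriples::Resource` subclasses with no comment; a one-liner on each naming the expected subject — an `acl:` mode URI, and an agent URI whose prefix tells group from person, as `Permissions#group_agent?` on this page relies on — would document the contract. Nothing here constrains `mode` to the known mode URIs, so a permission with an unrecognised mode is stored but never matched by the mode-filtered lookups; a comment on the property, or a validation, would make that failure visible.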
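--- a/data/app/models/hydra/access_controls/embargo.rb
+++ b/data/app/models/hydra/access_controls/embargo.rb
@@ -0,0 +1,65 @@
+module Hydra::AccessControls
+class Embargo < ActiveFedora::Base
+property :visibility_during_embargo, predicate: Hydra::ACL.visibilityDuringEmbargo
+property :visibility_after_embargo, predicate: Hydra::ACL.visibilityAfterEmbargo
+property :embargo_release_date, predicate: Hydra::ACL.embargoReleaseDate
+property :embargo_history, predicate: Hydra::ACL.embargoHistory
+
+# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
+def visibility_during_embargo_with_first
+visibility_during_embargo_without_first.first
+end
+alias_method_chain :visibility_during_embargo, :first
+
+# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
+def visibility_after_embargo_with_first
+visibility_after_embargo_without_first.first
+end
+alias_method_chain :visibility_after_embargo, :first
+
+# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
+def embargo_release_date_with_first
+embargo_release_date_without_first.first
+end
+alias_method_chain :embargo_release_date, :first
+
+# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
+def embargo_release_date_with_casting=(date)
+date = DateTime.parse(date) if date && date.kind_of?(String)
+self.embargo_release_date_without_casting = date
+end
+alias_method_chain :embargo_release_date=, :casting
+
+def active?
+(embargo_release_date.present? && Date.today < embargo_release_date)
+end
+
+def deactivate!
+return unless embargo_release_date
+embargo_state = active? ? "active" : "expired"
+embargo_record = embargo_history_message(embargo_state, Date.today, embargo_release_date, visibility_during_embargo, visibility_after_embargo)
+self.embargo_release_date = nil
+self.visibility_during_embargo = nil
+self.visibility_after_embargo = nil
+self.embargo_history += [embargo_record]
+end
+
+def to_hash
+{}.tap do |doc|
+date_field_name = Hydra.config.permissions.embargo.release_date.sub(/_dtsi/, '')
+Solrizer.insert_field(doc, date_field_name, embargo_release_date, :stored_sortable)
+doc[::Solrizer.solr_name("visibility_during_embargo", :symbol)] = visibility_during_embargo unless visibility_during_embargo.nil?
+doc[::Solrizer.solr_name("visibility_after_embargo", :symbol)] = visibility_after_embargo unless visibility_after_embargo.nil?
+doc[::Solrizer.solr_name("embargo_history", :symbol)] = embargo_history unless embargo_history.nil?
+end
+end
+protected
+
+# Create the log message used when deactivating an embargo
+# This method may be overriden in order to transform the values of the passed parameters.
+def embargo_history_message(state, deactivate_date, release_date, visibility_during, visibility_after)
+I18n.t 'hydra.embargo.history_message', state: state, deactivate_date: deactivate_date, release_date: release_date,
+visibility_during: visibility_during, visibility_after: visibility_after
+end
+end
+end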
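Review bot: `active?` (line 34 of the new file) compares `Date.today` with `embargo_release_date` directly, so the answer depends on what type the property holds: a `Date`/`DateTime` compares, but a `Time` assigned by a caller raises ArgumentError, and `DateTime.parse` of a zone-less string on line 28 yields UTC while `Date.today` is the server-local date, so around midnight the embargo can be treated as lifted a day early or late. Normalising both sides to a date, `embargo_release_date.present? && Date.today < embargo_release_date.to_date`, removes the type dependence, and the zone the release day is interpreted in should be stated in the setter's comment. `to_hash` strips a literal `_dtsi` from the configured field name while the admin-policy indexer on this page strips any trailing `_xxx` suffix; if both are meant to produce the same Solr key, one shared helper should do it. `deactivate!` returns nil silently when there is no release date — a one-line comment that the no-op is intentional would save the next reader a check.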