hydra-access-controls 8.2.0 → 9.0.0.beta1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.textile +10 -10
- data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
- data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
- data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
- data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
- data/app/models/concerns/hydra/access_controls.rb +0 -1
- data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
- data/app/models/concerns/hydra/rights.rb +15 -0
- data/app/models/hydra/access_controls/access_control_list.rb +17 -0
- data/app/models/hydra/access_controls/embargo.rb +65 -0
- data/app/models/hydra/access_controls/lease.rb +66 -0
- data/app/models/hydra/access_controls/permission.rb +85 -0
- data/app/vocabularies/acl.rb +12 -0
- data/app/vocabularies/hydra/acl.rb +20 -0
- data/config/fedora.yml +4 -2
- data/hydra-access-controls.gemspec +6 -7
- data/lib/hydra/ability.rb +45 -43
- data/lib/hydra/access_controls_enforcement.rb +23 -25
- data/lib/hydra/admin_policy.rb +34 -11
- data/lib/hydra/config.rb +4 -15
- data/lib/hydra/permissions_query.rb +2 -2
- data/lib/hydra/permissions_solr_document.rb +4 -6
- data/lib/hydra/policy_aware_ability.rb +56 -53
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
- data/lib/hydra-access-controls.rb +1 -1
- data/spec/factories.rb +15 -15
- data/spec/services/embargo_service_spec.rb +6 -6
- data/spec/services/lease_service_spec.rb +6 -6
- data/spec/spec_helper.rb +20 -13
- data/spec/support/mods_asset.rb +3 -3
- data/spec/unit/ability_spec.rb +96 -121
- data/spec/unit/access_controls_enforcement_spec.rb +29 -27
- data/spec/unit/access_right_spec.rb +6 -1
- data/spec/unit/accessible_by_spec.rb +14 -5
- data/spec/unit/admin_policy_spec.rb +99 -92
- data/spec/unit/config_spec.rb +14 -15
- data/spec/unit/embargoable_spec.rb +26 -28
- data/spec/unit/permission_spec.rb +36 -16
- data/spec/unit/permissions_spec.rb +121 -65
- data/spec/unit/policy_aware_ability_spec.rb +64 -78
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
- data/spec/unit/role_mapper_spec.rb +10 -10
- data/spec/unit/with_access_right_spec.rb +1 -1
- metadata +29 -51
- data/lib/hydra/access_controls/permission.rb +0 -40
- data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
- data/lib/hydra/datastream/rights_metadata.rb +0 -276
- data/lib/hydra/datastream.rb +0 -7
- data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
- data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
- data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65
@@ -2,75 +2,64 @@ module Hydra
|
|
2
2
|
module AccessControls
|
3
3
|
module Permissions
|
4
4
|
extend ActiveSupport::Concern
|
5
|
+
include Hydra::AccessControls::Visibility
|
5
6
|
|
6
7
|
included do
|
7
|
-
|
8
|
-
|
8
|
+
has_many :permissions, predicate: ::ACL.accessTo, class_name: 'Hydra::AccessControls::Permission', inverse_of: :access_to
|
9
|
+
accepts_nested_attributes_for :permissions, allow_destroy: true
|
10
|
+
alias_method :permissions_attributes_without_uniqueness=, :permissions_attributes=
|
11
|
+
alias_method :permissions_attributes=, :permissions_attributes_with_uniqueness=
|
12
|
+
end
|
13
|
+
|
14
|
+
def to_solr(solr_doc = {})
|
15
|
+
super.tap do |doc|
|
16
|
+
[:discover, :read, :edit].each do |access|
|
17
|
+
vals = send("#{access}_groups")
|
18
|
+
doc[Hydra.config.permissions[access].group] = vals unless vals.empty?
|
19
|
+
vals = send("#{access}_users")
|
20
|
+
doc[Hydra.config.permissions[access].individual] = vals unless vals.empty?
|
21
|
+
end
|
22
|
+
end
|
9
23
|
end
|
10
24
|
|
11
|
-
|
12
|
-
|
13
|
-
# obj.permissions_attributes= [{:name=>"group1", :access=>"discover", :type=>'group'},
|
14
|
-
# {:name=>"group2", :access=>"discover", :type=>'group'}]
|
15
|
-
def permissions_attributes= attributes_collection
|
16
|
-
perm_hash = {'person' => rightsMetadata.users, 'group'=> rightsMetadata.groups}
|
17
|
-
|
25
|
+
# When chaging a permission for an object/user, ensure an update is done, not a duplicate
|
26
|
+
def permissions_attributes_with_uniqueness=(attributes_collection)
|
18
27
|
if attributes_collection.is_a? Hash
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
attributes_collection.each do |row|
|
23
|
-
row = row.with_indifferent_access
|
24
|
-
if row[:type] == 'user' || row[:type] == 'person'
|
25
|
-
if has_destroy_flag? row
|
26
|
-
perm_hash['person'].delete(row[:name])
|
27
|
-
else
|
28
|
-
perm_hash['person'][row[:name]] = row[:access]
|
29
|
-
end
|
30
|
-
elsif row[:type] == 'group'
|
31
|
-
perm_hash['group'][row[:name]] = row[:access]
|
32
|
-
if has_destroy_flag? row
|
33
|
-
perm_hash['group'].delete(row[:name])
|
34
|
-
else
|
35
|
-
perm_hash['group'][row[:name]] = row[:access]
|
36
|
-
end
|
28
|
+
keys = attributes_collection.keys
|
29
|
+
attributes_collection = if keys.include?('id') || keys.include?(:id)
|
30
|
+
Array(attributes_collection)
|
37
31
|
else
|
38
|
-
|
32
|
+
attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
|
39
33
|
end
|
40
34
|
end
|
41
|
-
|
42
|
-
rightsMetadata.permissions = perm_hash
|
43
|
-
end
|
44
35
|
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
# @param values [Array<Permission>] a list of permission objects to set
|
52
|
-
def permissions= values
|
53
|
-
perm_hash = {'person' => {}, 'group'=> {}}
|
54
|
-
values.each do |perm|
|
55
|
-
if perm.type == 'user'
|
56
|
-
perm_hash['person'][perm.name] = perm.access
|
57
|
-
else
|
58
|
-
perm_hash['group'][perm.name] = perm.access
|
36
|
+
attributes_collection.each do |prop|
|
37
|
+
existing = case prop[:type]
|
38
|
+
when 'group'
|
39
|
+
search_by_type(:group)
|
40
|
+
when 'person'
|
41
|
+
search_by_type(:person)
|
59
42
|
end
|
43
|
+
|
44
|
+
next unless existing
|
45
|
+
selected = existing.find { |perm| perm.agent_name == prop[:name] }
|
46
|
+
prop['id'] = selected.id if selected
|
60
47
|
end
|
61
|
-
|
48
|
+
|
49
|
+
self.permissions_attributes_without_uniqueness=attributes_collection
|
62
50
|
end
|
63
51
|
|
52
|
+
|
64
53
|
# Return a list of groups that have discover permission
|
65
54
|
def discover_groups
|
66
|
-
|
55
|
+
search_by_type_and_mode(:group, Hydra::ACL.Discover).map { |p| p.agent_name }
|
67
56
|
end
|
68
57
|
|
69
58
|
# Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
|
70
59
|
# @param[Array] groups a list of group names
|
71
60
|
# @example
|
72
61
|
# r.discover_groups= ['one', 'two', 'three']
|
73
|
-
# r.discover_groups
|
62
|
+
# r.discover_groups
|
74
63
|
# => ['one', 'two', 'three']
|
75
64
|
#
|
76
65
|
def discover_groups=(groups)
|
@@ -81,7 +70,7 @@ module Hydra
|
|
81
70
|
# @param[String] groups a list of group names
|
82
71
|
# @example
|
83
72
|
# r.discover_groups_string= 'one, two, three'
|
84
|
-
# r.discover_groups
|
73
|
+
# r.discover_groups
|
85
74
|
# => ['one', 'two', 'three']
|
86
75
|
#
|
87
76
|
def discover_groups_string=(groups)
|
@@ -96,13 +85,13 @@ module Hydra
|
|
96
85
|
# Grant discover permissions to the groups specified. Revokes discover permission for
|
97
86
|
# any of the eligible_groups that are not in groups.
|
98
87
|
# This may be used when different users are responsible for setting different
|
99
|
-
# groups. Supply the groups the current user is responsible for as the
|
88
|
+
# groups. Supply the groups the current user is responsible for as the
|
100
89
|
# 'eligible_groups'
|
101
90
|
# @param[Array] groups a list of groups
|
102
|
-
# @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
|
91
|
+
# @param[Array] eligible_groups the groups that are eligible to have their discover permssion revoked.
|
103
92
|
# @example
|
104
93
|
# r.discover_groups = ['one', 'two', 'three']
|
105
|
-
# r.discover_groups
|
94
|
+
# r.discover_groups
|
106
95
|
# => ['one', 'two', 'three']
|
107
96
|
# r.set_discover_groups(['one'], ['three'])
|
108
97
|
# r.discover_groups
|
@@ -113,14 +102,14 @@ module Hydra
|
|
113
102
|
end
|
114
103
|
|
115
104
|
def discover_users
|
116
|
-
|
105
|
+
search_by_type_and_mode(:person, Hydra::ACL.Discover).map { |p| p.agent_name }
|
117
106
|
end
|
118
107
|
|
119
108
|
# Grant discover permissions to the users specified. Revokes discover permission for all other users.
|
120
109
|
# @param[Array] users a list of usernames
|
121
110
|
# @example
|
122
111
|
# r.discover_users= ['one', 'two', 'three']
|
123
|
-
# r.discover_users
|
112
|
+
# r.discover_users
|
124
113
|
# => ['one', 'two', 'three']
|
125
114
|
#
|
126
115
|
def discover_users=(users)
|
@@ -131,7 +120,7 @@ module Hydra
|
|
131
120
|
# @param[String] users a list of usernames
|
132
121
|
# @example
|
133
122
|
# r.discover_users_string= 'one, two, three'
|
134
|
-
# r.discover_users
|
123
|
+
# r.discover_users
|
135
124
|
# => ['one', 'two', 'three']
|
136
125
|
#
|
137
126
|
def discover_users_string=(users)
|
@@ -146,13 +135,13 @@ module Hydra
|
|
146
135
|
# Grant discover permissions to the users specified. Revokes discover permission for
|
147
136
|
# any of the eligible_users that are not in users.
|
148
137
|
# This may be used when different users are responsible for setting different
|
149
|
-
# users. Supply the users the current user is responsible for as the
|
138
|
+
# users. Supply the users the current user is responsible for as the
|
150
139
|
# 'eligible_users'
|
151
140
|
# @param[Array] users a list of users
|
152
|
-
# @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
|
141
|
+
# @param[Array] eligible_users the users that are eligible to have their discover permssion revoked.
|
153
142
|
# @example
|
154
143
|
# r.discover_users = ['one', 'two', 'three']
|
155
|
-
# r.discover_users
|
144
|
+
# r.discover_users
|
156
145
|
# => ['one', 'two', 'three']
|
157
146
|
# r.set_discover_users(['one'], ['three'])
|
158
147
|
# r.discover_users
|
@@ -164,14 +153,14 @@ module Hydra
|
|
164
153
|
|
165
154
|
# Return a list of groups that have discover permission
|
166
155
|
def read_groups
|
167
|
-
|
156
|
+
search_by_type_and_mode(:group, ::ACL.Read).map { |p| p.agent_name }
|
168
157
|
end
|
169
158
|
|
170
159
|
# Grant read permissions to the groups specified. Revokes read permission for all other groups.
|
171
160
|
# @param[Array] groups a list of group names
|
172
161
|
# @example
|
173
162
|
# r.read_groups= ['one', 'two', 'three']
|
174
|
-
# r.read_groups
|
163
|
+
# r.read_groups
|
175
164
|
# => ['one', 'two', 'three']
|
176
165
|
#
|
177
166
|
def read_groups=(groups)
|
@@ -182,7 +171,7 @@ module Hydra
|
|
182
171
|
# @param[String] groups a list of group names
|
183
172
|
# @example
|
184
173
|
# r.read_groups_string= 'one, two, three'
|
185
|
-
# r.read_groups
|
174
|
+
# r.read_groups
|
186
175
|
# => ['one', 'two', 'three']
|
187
176
|
#
|
188
177
|
def read_groups_string=(groups)
|
@@ -197,13 +186,13 @@ module Hydra
|
|
197
186
|
# Grant read permissions to the groups specified. Revokes read permission for
|
198
187
|
# any of the eligible_groups that are not in groups.
|
199
188
|
# This may be used when different users are responsible for setting different
|
200
|
-
# groups. Supply the groups the current user is responsible for as the
|
189
|
+
# groups. Supply the groups the current user is responsible for as the
|
201
190
|
# 'eligible_groups'
|
202
191
|
# @param[Array] groups a list of groups
|
203
|
-
# @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
|
192
|
+
# @param[Array] eligible_groups the groups that are eligible to have their read permssion revoked.
|
204
193
|
# @example
|
205
194
|
# r.read_groups = ['one', 'two', 'three']
|
206
|
-
# r.read_groups
|
195
|
+
# r.read_groups
|
207
196
|
# => ['one', 'two', 'three']
|
208
197
|
# r.set_read_groups(['one'], ['three'])
|
209
198
|
# r.read_groups
|
@@ -214,14 +203,14 @@ module Hydra
|
|
214
203
|
end
|
215
204
|
|
216
205
|
def read_users
|
217
|
-
|
206
|
+
search_by_type_and_mode(:person, ::ACL.Read).map { |p| p.agent_name }
|
218
207
|
end
|
219
208
|
|
220
209
|
# Grant read permissions to the users specified. Revokes read permission for all other users.
|
221
210
|
# @param[Array] users a list of usernames
|
222
211
|
# @example
|
223
212
|
# r.read_users= ['one', 'two', 'three']
|
224
|
-
# r.read_users
|
213
|
+
# r.read_users
|
225
214
|
# => ['one', 'two', 'three']
|
226
215
|
#
|
227
216
|
def read_users=(users)
|
@@ -232,7 +221,7 @@ module Hydra
|
|
232
221
|
# @param[String] users a list of usernames
|
233
222
|
# @example
|
234
223
|
# r.read_users_string= 'one, two, three'
|
235
|
-
# r.read_users
|
224
|
+
# r.read_users
|
236
225
|
# => ['one', 'two', 'three']
|
237
226
|
#
|
238
227
|
def read_users_string=(users)
|
@@ -247,13 +236,13 @@ module Hydra
|
|
247
236
|
# Grant read permissions to the users specified. Revokes read permission for
|
248
237
|
# any of the eligible_users that are not in users.
|
249
238
|
# This may be used when different users are responsible for setting different
|
250
|
-
# users. Supply the users the current user is responsible for as the
|
239
|
+
# users. Supply the users the current user is responsible for as the
|
251
240
|
# 'eligible_users'
|
252
241
|
# @param[Array] users a list of users
|
253
|
-
# @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
|
242
|
+
# @param[Array] eligible_users the users that are eligible to have their read permssion revoked.
|
254
243
|
# @example
|
255
244
|
# r.read_users = ['one', 'two', 'three']
|
256
|
-
# r.read_users
|
245
|
+
# r.read_users
|
257
246
|
# => ['one', 'two', 'three']
|
258
247
|
# r.set_read_users(['one'], ['three'])
|
259
248
|
# r.read_users
|
@@ -266,14 +255,14 @@ module Hydra
|
|
266
255
|
|
267
256
|
# Return a list of groups that have edit permission
|
268
257
|
def edit_groups
|
269
|
-
|
258
|
+
search_by_type_and_mode(:group, ::ACL.Write).map { |p| p.agent_name }
|
270
259
|
end
|
271
260
|
|
272
261
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
273
262
|
# @param[Array] groups a list of group names
|
274
263
|
# @example
|
275
264
|
# r.edit_groups= ['one', 'two', 'three']
|
276
|
-
# r.edit_groups
|
265
|
+
# r.edit_groups
|
277
266
|
# => ['one', 'two', 'three']
|
278
267
|
#
|
279
268
|
def edit_groups=(groups)
|
@@ -284,7 +273,7 @@ module Hydra
|
|
284
273
|
# @param[String] groups a list of group names
|
285
274
|
# @example
|
286
275
|
# r.edit_groups_string= 'one, two, three'
|
287
|
-
# r.edit_groups
|
276
|
+
# r.edit_groups
|
288
277
|
# => ['one', 'two', 'three']
|
289
278
|
#
|
290
279
|
def edit_groups_string=(groups)
|
@@ -299,13 +288,13 @@ module Hydra
|
|
299
288
|
# Grant edit permissions to the groups specified. Revokes edit permission for
|
300
289
|
# any of the eligible_groups that are not in groups.
|
301
290
|
# This may be used when different users are responsible for setting different
|
302
|
-
# groups. Supply the groups the current user is responsible for as the
|
291
|
+
# groups. Supply the groups the current user is responsible for as the
|
303
292
|
# 'eligible_groups'
|
304
293
|
# @param[Array] groups a list of groups
|
305
|
-
# @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
|
294
|
+
# @param[Array] eligible_groups the groups that are eligible to have their edit permssion revoked.
|
306
295
|
# @example
|
307
296
|
# r.edit_groups = ['one', 'two', 'three']
|
308
|
-
# r.edit_groups
|
297
|
+
# r.edit_groups
|
309
298
|
# => ['one', 'two', 'three']
|
310
299
|
# r.set_edit_groups(['one'], ['three'])
|
311
300
|
# r.edit_groups
|
@@ -316,14 +305,14 @@ module Hydra
|
|
316
305
|
end
|
317
306
|
|
318
307
|
def edit_users
|
319
|
-
|
308
|
+
search_by_type_and_mode(:person, ::ACL.Write).map { |p| p.agent_name }
|
320
309
|
end
|
321
310
|
|
322
311
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
323
312
|
# @param[Array] users a list of usernames
|
324
313
|
# @example
|
325
314
|
# r.edit_users= ['one', 'two', 'three']
|
326
|
-
# r.edit_users
|
315
|
+
# r.edit_users
|
327
316
|
# => ['one', 'two', 'three']
|
328
317
|
#
|
329
318
|
def edit_users=(users)
|
@@ -333,13 +322,13 @@ module Hydra
|
|
333
322
|
# Grant edit permissions to the users specified. Revokes edit permission for
|
334
323
|
# any of the eligible_users that are not in users.
|
335
324
|
# This may be used when different users are responsible for setting different
|
336
|
-
# users. Supply the users the current user is responsible for as the
|
325
|
+
# users. Supply the users the current user is responsible for as the
|
337
326
|
# 'eligible_users'
|
338
327
|
# @param[Array] users a list of users
|
339
|
-
# @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
|
328
|
+
# @param[Array] eligible_users the users that are eligible to have their edit permssion revoked.
|
340
329
|
# @example
|
341
330
|
# r.edit_users = ['one', 'two', 'three']
|
342
|
-
# r.edit_users
|
331
|
+
# r.edit_users
|
343
332
|
# => ['one', 'two', 'three']
|
344
333
|
# r.set_edit_users(['one'], ['three'])
|
345
334
|
# r.edit_users
|
@@ -349,40 +338,85 @@ module Hydra
|
|
349
338
|
set_entities(:edit, :person, users, eligible_users)
|
350
339
|
end
|
351
340
|
|
352
|
-
protected
|
341
|
+
protected
|
353
342
|
|
354
343
|
def has_destroy_flag?(hash)
|
355
344
|
["1", "true"].include?(hash['_destroy'].to_s)
|
356
345
|
end
|
357
346
|
|
358
|
-
private
|
347
|
+
private
|
359
348
|
|
360
|
-
# @param
|
361
|
-
# @param
|
362
|
-
# @param
|
363
|
-
# @param
|
349
|
+
# @param [Symbol] permission either :discover, :read or :edit
|
350
|
+
# @param [Symbol] type either :person or :group
|
351
|
+
# @param [Array<String>] values Values to set
|
352
|
+
# @param [Array<String>] changeable Values we are allowed to change
|
364
353
|
def set_entities(permission, type, values, changeable)
|
365
|
-
g = preserved(type, permission)
|
366
354
|
(changeable - values).each do |entity|
|
367
|
-
|
368
|
-
|
355
|
+
for_destroy = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == entity }
|
356
|
+
permissions.delete(for_destroy)
|
357
|
+
end
|
358
|
+
|
359
|
+
values.each do |agent_name|
|
360
|
+
exists = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == agent_name }
|
361
|
+
permissions.build(name: agent_name, access: permission.to_s, type: type ) unless exists.present?
|
362
|
+
end
|
363
|
+
end
|
364
|
+
|
365
|
+
def permission_to_uri(permission)
|
366
|
+
case permission.to_s
|
367
|
+
when 'read'
|
368
|
+
::ACL.Read
|
369
|
+
when 'edit'
|
370
|
+
::ACL.Write
|
371
|
+
when 'discover'
|
372
|
+
Hydra::ACL.Discover
|
373
|
+
else
|
374
|
+
raise "Invalid permission #{permission.inspect}"
|
375
|
+
end
|
376
|
+
end
|
377
|
+
|
378
|
+
# @param [Symbol] type (either :group or :person)
|
379
|
+
# @return [Array<Permission>]
|
380
|
+
def search_by_type(type)
|
381
|
+
case type
|
382
|
+
when :group
|
383
|
+
permissions.to_a.select { |p| group_agent?(p.agent) }
|
384
|
+
when :person
|
385
|
+
permissions.to_a.select { |p| person_agent?(p.agent) }
|
369
386
|
end
|
370
|
-
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
|
375
|
-
def
|
376
|
-
case
|
377
|
-
when :
|
378
|
-
|
379
|
-
when :
|
380
|
-
|
381
|
-
when :discover
|
382
|
-
Hash[rightsMetadata.quick_search_by_type(type).select {|k, v| v == 'discover'}]
|
387
|
+
end
|
388
|
+
|
389
|
+
# @param [Symbol] type either :group or :person
|
390
|
+
# @param [::RDF::URI] mode One of the permissions modes, e.g. ACL.Write, ACL.Read, etc.
|
391
|
+
# @return [Array<Permission>]
|
392
|
+
def search_by_type_and_mode(type, mode)
|
393
|
+
case type
|
394
|
+
when :group
|
395
|
+
permissions.to_a.select { |p| group_agent?(p.agent) && p.mode.first.rdf_subject == mode }
|
396
|
+
when :person
|
397
|
+
permissions.to_a.select { |p| person_agent?(p.agent) && p.mode.first.rdf_subject == mode }
|
383
398
|
end
|
384
399
|
end
|
385
400
|
|
401
|
+
def person_permissions
|
402
|
+
search_by_type(:person)
|
403
|
+
end
|
404
|
+
|
405
|
+
def group_permissions
|
406
|
+
search_by_type(:group)
|
407
|
+
end
|
408
|
+
|
409
|
+
def group_agent?(agent)
|
410
|
+
raise "no agent" unless agent.present?
|
411
|
+
agent.first.rdf_subject.to_s.start_with?(GROUP_AGENT_URL_PREFIX)
|
412
|
+
|
413
|
+
end
|
414
|
+
|
415
|
+
def person_agent?(agent)
|
416
|
+
raise "no agent" unless agent.present?
|
417
|
+
agent.first.rdf_subject.to_s.start_with?(PERSON_AGENT_URL_PREFIX)
|
418
|
+
end
|
419
|
+
|
386
420
|
end
|
387
421
|
end
|
388
422
|
end
|
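Review bot: In `permissions_attributes_with_uniqueness=` (new lines 36–47, first hunk) the uniqueness lookup recognises only `'group'` and `'person'`, while removed line 24 also accepted `type: 'user'`; a `'user'` row now hits `next unless existing`, is passed to the nested-attributes writer without an `id`, and so creates a second Permission instead of updating the existing one — `when 'person', 'user'` restores the old acceptance unless the new Permission model normalises the type somewhere not visible here. The same loop reads `prop[:type]` and `prop[:name]` with symbol keys but writes `prop['id']` with a string key, and removed line 23's `row = row.with_indifferent_access` normalisation is gone, so a plain symbol- or string-keyed hash only half matches; normalising once before the loop, `attributes_collection = attributes_collection.map(&:with_indifferent_access)`, closes that gap. In the last hunk, `search_by_type_and_mode` (new lines 392–399) dereferences `p.mode.first.rdf_subject` without the `present?` guard that `group_agent?`/`person_agent?` apply to `agent`, so a permission with no mode fails with NoMethodError on nil rather than the explicit "no agent"-style error. `permission_to_uri` raises a bare RuntimeError for an unknown permission where `ArgumentError` fits, and `has_destroy_flag?` (new line 343) appears to have no remaining caller in this file after the rewrite.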
@@ -39,19 +39,17 @@ module Hydra
|
|
39
39
|
|
40
40
|
def public_visibility!
|
41
41
|
visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
|
42
|
-
|
42
|
+
set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC], [])
|
43
43
|
end
|
44
44
|
|
45
45
|
def registered_visibility!
|
46
46
|
visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
|
47
|
-
|
48
|
-
self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
|
47
|
+
set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
|
49
48
|
end
|
50
49
|
|
51
50
|
def private_visibility!
|
52
51
|
visibility_will_change! unless visibility == Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
|
53
|
-
|
54
|
-
self.datastreams["rightsMetadata"].permissions({:group=>Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC}, "none")
|
52
|
+
set_read_groups([], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED, Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC])
|
55
53
|
end
|
56
54
|
|
57
55
|
end
|
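Review bot: `public_visibility!` (new line 42) passes `[]` as the revocable list, so an object moving from registered to public keeps its AUTHENTICATED read grant next to PUBLIC, whereas `private_visibility!` (new line 52) revokes both levels; the stored ACL then carries a grant that no longer describes the visibility level. For symmetry with the other two methods, `set_read_groups([Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC], [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED])` leaves exactly one visibility group on the object. Whether the `visibility` reader or the indexer depends on the extra grant is not visible in this hunk, so confirm before changing it.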
@@ -3,9 +3,34 @@ module Hydra
|
|
3
3
|
extend ActiveSupport::Concern
|
4
4
|
|
5
5
|
included do
|
6
|
-
|
6
|
+
has_and_belongs_to_many :default_permissions, predicate: Hydra::ACL.defaultPermissions, class_name: 'Hydra::AccessControls::Permission'
|
7
|
+
belongs_to :default_embargo, predicate: Hydra::ACL.hasEmbargo, class_name: 'Hydra::AccessControls::Embargo'
|
7
8
|
end
|
8
9
|
|
10
|
+
def to_solr(solr_doc=Hash.new)
|
11
|
+
f = merged_policies
|
12
|
+
super.tap do |doc|
|
13
|
+
['discover'.freeze, 'read'.freeze, 'edit'.freeze].each do |access|
|
14
|
+
doc[Hydra.config.permissions.inheritable[access.to_sym][:group]] = f[access]['group'.freeze] if f[access]
|
15
|
+
doc[Hydra.config.permissions.inheritable[access.to_sym][:individual]] = f[access]['person'.freeze] if f[access]
|
16
|
+
end
|
17
|
+
if default_embargo
|
18
|
+
key = Hydra.config.permissions.inheritable.embargo.release_date.sub(/_[^_]+$/, '') #Strip off the suffix
|
19
|
+
::Solrizer.insert_field(doc, key, default_embargo.embargo_release_date, :stored_sortable)
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
def merged_policies
|
25
|
+
default_permissions.each_with_object({}) do |policy, h|
|
26
|
+
args = policy.to_hash
|
27
|
+
h[args[:access]] ||= {}
|
28
|
+
h[args[:access]][args[:type]] ||= []
|
29
|
+
h[args[:access]][args[:type]] << args[:name]
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
|
9
34
|
## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
|
10
35
|
# @example
|
11
36
|
# obj.default_permissions= [{:name=>"group1", :access=>"discover", :type=>'group'},
|
@@ -14,7 +39,7 @@ module Hydra
|
|
14
39
|
perm_hash = {'person' => defaultRights.users, 'group'=> defaultRights.groups}
|
15
40
|
params.each do |row|
|
16
41
|
if row[:type] == 'user' || row[:type] == 'person'
|
17
|
-
perm_hash['person'][row[:name]] = row[:access]
|
42
|
+
perm_hash['person'][row[:name]] = row[:access]
|
18
43
|
elsif row[:type] == 'group'
|
19
44
|
perm_hash['group'][row[:name]] = row[:access]
|
20
45
|
else
|
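Review bot: `has_and_belongs_to_many :default_permissions` (new line 6) generates a `default_permissions=` writer, yet the module still defines its own `default_permissions=` (signature between the two hunks; body at new lines 39–45) that writes into `defaultRights.users`/`defaultRights.groups`; which definition wins depends on inclusion order, and `defaultRights` looks like the InheritableRightsMetadata datastream this release deletes (`inheritable_rights_metadata.rb +0 -22`), in which case that path raises once the datastream is gone. Either port the custom writer onto the association (finding or building Permission records as `Permissions#set_entities` does) or drop it and let the association writer stand. In `to_solr` (new lines 14–15) `f[access]['group']` is nil whenever an access level has only person entries, so the solr key is assigned nil rather than left absent; guard each assignment with the value, e.g. `if f[access] && f[access]['group']`, unless the indexer is known to tolerate nil. The release-date field name is derived here with `sub(/_[^_]+$/, '')` but in `Embargo#to_hash` with `sub(/_dtsi/, '')`; one shared helper would stop the two derivations from diverging when the configured suffix changes.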
@@ -0,0 +1,15 @@
|
|
1
|
+
module Hydra
|
2
|
+
module Rights
|
3
|
+
extend ActiveSupport::Concern
|
4
|
+
included do
|
5
|
+
# Rights
|
6
|
+
property :rights, predicate: ::RDF::DC.rights do |index|
|
7
|
+
index.as :facetable
|
8
|
+
end
|
9
|
+
property :rightsHolder, predicate: ::RDF::URI('http://opaquenamespace.org/rights/rightsHolder') do |index|
|
10
|
+
index.as :searchable, :facetable
|
11
|
+
end
|
12
|
+
property :copyrightClaimant, predicate: ::RDF::URI('http://id.loc.gov/vocabulary/relators/cpc')
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
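Review bot: The new `Hydra::Rights` concern carries no documentation beyond the bare `# Rights` marker on line 5, which tells a reader nothing about what the three properties mean or which vocabularies they come from. A header comment above `module Rights` such as `# Mixes rights metadata into an ActiveFedora model: dc:rights (facetable), an opaquenamespace.org rightsHolder (searchable, facetable) and the LoC relator cpc (copyright claimant).` would cover it. The two hand-written predicate URIs on lines 9 and 12 are the kind of strings this release otherwise collects under `app/vocabularies`; a vocabulary constant would keep them in one place and typo-proof.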
@@ -0,0 +1,17 @@
|
|
1
|
+
module Hydra::AccessControls
|
2
|
+
class AccessControlList < ActiveFedora::Base
|
3
|
+
belongs_to :access_to, predicate: ::ACL.accessTo, class_name: 'ActiveFedora::Base'
|
4
|
+
# has_many :admin_policies, class_name: 'Hydra::AdminPolicy'
|
5
|
+
property :mode, predicate: ::ACL.mode, class_name: 'Hydra::AccessControls::Mode'
|
6
|
+
property :agent, predicate: ::ACL.agent, class_name: 'Hydra::AccessControls::Agent'
|
7
|
+
# property :agentClass, predicate: ACL.agentClass
|
8
|
+
|
9
|
+
# [acl:accessTo <card>; acl:mode acl:Read; acl:agentClass foaf:Agent].
|
10
|
+
# [acl:accessTo <card>; acl:mode acl:Read, acl:Write; acl:agent <card#i>].
|
11
|
+
end
|
12
|
+
|
13
|
+
class Mode < ActiveTriples::Resource
|
14
|
+
end
|
15
|
+
class Agent < ActiveTriples::Resource
|
16
|
+
end
|
17
|
+
end
|
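Review bot: `AccessControlList` ships with two commented-out declarations (`# has_many :admin_policies` on line 4 and `# property :agentClass` on line 7) and no explanation of why they are deferred; either delete them or turn them into a TODO that names the blocker, otherwise the next reader cannot tell dead code from a planned feature. The two WebACL example triples on lines 9–10 would serve better as a class comment above `class AccessControlList`, e.g. `# One WebACL authorization: links the protected resource (access_to) with an agent and a mode, as in [acl:accessTo <card>; acl:mode acl:Read; acl:agent <card#i>].` The empty `Mode` and `Agent` resource classes on lines 13–16 presumably exist only to give the `mode`/`agent` properties a typed ActiveTriples resource — a one-line comment on each saying so (confirm the intent) would spare the reader the guess.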
@@ -0,0 +1,65 @@
|
|
1
|
+
module Hydra::AccessControls
|
2
|
+
class Embargo < ActiveFedora::Base
|
3
|
+
property :visibility_during_embargo, predicate: Hydra::ACL.visibilityDuringEmbargo
|
4
|
+
property :visibility_after_embargo, predicate: Hydra::ACL.visibilityAfterEmbargo
|
5
|
+
property :embargo_release_date, predicate: Hydra::ACL.embargoReleaseDate
|
6
|
+
property :embargo_history, predicate: Hydra::ACL.embargoHistory
|
7
|
+
|
8
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
9
|
+
def visibility_during_embargo_with_first
|
10
|
+
visibility_during_embargo_without_first.first
|
11
|
+
end
|
12
|
+
alias_method_chain :visibility_during_embargo, :first
|
13
|
+
|
14
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
15
|
+
def visibility_after_embargo_with_first
|
16
|
+
visibility_after_embargo_without_first.first
|
17
|
+
end
|
18
|
+
alias_method_chain :visibility_after_embargo, :first
|
19
|
+
|
20
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
21
|
+
def embargo_release_date_with_first
|
22
|
+
embargo_release_date_without_first.first
|
23
|
+
end
|
24
|
+
alias_method_chain :embargo_release_date, :first
|
25
|
+
|
26
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
27
|
+
def embargo_release_date_with_casting=(date)
|
28
|
+
date = DateTime.parse(date) if date && date.kind_of?(String)
|
29
|
+
self.embargo_release_date_without_casting = date
|
30
|
+
end
|
31
|
+
alias_method_chain :embargo_release_date=, :casting
|
32
|
+
|
33
|
+
def active?
|
34
|
+
(embargo_release_date.present? && Date.today < embargo_release_date)
|
35
|
+
end
|
36
|
+
|
37
|
+
def deactivate!
|
38
|
+
return unless embargo_release_date
|
39
|
+
embargo_state = active? ? "active" : "expired"
|
40
|
+
embargo_record = embargo_history_message(embargo_state, Date.today, embargo_release_date, visibility_during_embargo, visibility_after_embargo)
|
41
|
+
self.embargo_release_date = nil
|
42
|
+
self.visibility_during_embargo = nil
|
43
|
+
self.visibility_after_embargo = nil
|
44
|
+
self.embargo_history += [embargo_record]
|
45
|
+
end
|
46
|
+
|
47
|
+
def to_hash
|
48
|
+
{}.tap do |doc|
|
49
|
+
date_field_name = Hydra.config.permissions.embargo.release_date.sub(/_dtsi/, '')
|
50
|
+
Solrizer.insert_field(doc, date_field_name, embargo_release_date, :stored_sortable)
|
51
|
+
doc[::Solrizer.solr_name("visibility_during_embargo", :symbol)] = visibility_during_embargo unless visibility_during_embargo.nil?
|
52
|
+
doc[::Solrizer.solr_name("visibility_after_embargo", :symbol)] = visibility_after_embargo unless visibility_after_embargo.nil?
|
53
|
+
doc[::Solrizer.solr_name("embargo_history", :symbol)] = embargo_history unless embargo_history.nil?
|
54
|
+
end
|
55
|
+
end
|
56
|
+
protected
|
57
|
+
|
58
|
+
# Create the log message used when deactivating an embargo
|
59
|
+
# This method may be overriden in order to transform the values of the passed parameters.
|
60
|
+
def embargo_history_message(state, deactivate_date, release_date, visibility_during, visibility_after)
|
61
|
+
I18n.t 'hydra.embargo.history_message', state: state, deactivate_date: deactivate_date, release_date: release_date,
|
62
|
+
visibility_during: visibility_during, visibility_after: visibility_after
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
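Review bot: `active?` (line 34) compares `Date.today` with `embargo_release_date`, which the casting setter on line 28 stores as a `DateTime`, so whether an object is still embargoed on the release day itself depends on the stored time-of-day and offset rather than on the date; comparing dates, `Date.today < embargo_release_date.to_date`, makes the boundary explicit, and `deactivate!` (line 39) inherits the same ambiguity through `active?`. The setter's `DateTime.parse(date)` raises on any unparsable string, so callers that feed it form input get a raw exception rather than a validation error — document that on the method or convert it into one. In `to_hash` (line 50) `Solrizer.insert_field` is called with `embargo_release_date` even when it is nil, while the three fields below are guarded with `unless ... nil?`; the same guard should apply to the date unless the indexer is known to tolerate nil. The `embargo_history.nil?` guard on line 53 also looks off: `embargo_history` is not wrapped by a `_with_first` hack, so it returns the property collection rather than nil — presumably `blank?` was intended; confirm against the property's return type.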