hydra-access-controls 8.2.0 → 9.0.0.beta1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.textile +10 -10
- data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
- data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
- data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
- data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
- data/app/models/concerns/hydra/access_controls.rb +0 -1
- data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
- data/app/models/concerns/hydra/rights.rb +15 -0
- data/app/models/hydra/access_controls/access_control_list.rb +17 -0
- data/app/models/hydra/access_controls/embargo.rb +65 -0
- data/app/models/hydra/access_controls/lease.rb +66 -0
- data/app/models/hydra/access_controls/permission.rb +85 -0
- data/app/vocabularies/acl.rb +12 -0
- data/app/vocabularies/hydra/acl.rb +20 -0
- data/config/fedora.yml +4 -2
- data/hydra-access-controls.gemspec +6 -7
- data/lib/hydra/ability.rb +45 -43
- data/lib/hydra/access_controls_enforcement.rb +23 -25
- data/lib/hydra/admin_policy.rb +34 -11
- data/lib/hydra/config.rb +4 -15
- data/lib/hydra/permissions_query.rb +2 -2
- data/lib/hydra/permissions_solr_document.rb +4 -6
- data/lib/hydra/policy_aware_ability.rb +56 -53
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
- data/lib/hydra-access-controls.rb +1 -1
- data/spec/factories.rb +15 -15
- data/spec/services/embargo_service_spec.rb +6 -6
- data/spec/services/lease_service_spec.rb +6 -6
- data/spec/spec_helper.rb +20 -13
- data/spec/support/mods_asset.rb +3 -3
- data/spec/unit/ability_spec.rb +96 -121
- data/spec/unit/access_controls_enforcement_spec.rb +29 -27
- data/spec/unit/access_right_spec.rb +6 -1
- data/spec/unit/accessible_by_spec.rb +14 -5
- data/spec/unit/admin_policy_spec.rb +99 -92
- data/spec/unit/config_spec.rb +14 -15
- data/spec/unit/embargoable_spec.rb +26 -28
- data/spec/unit/permission_spec.rb +36 -16
- data/spec/unit/permissions_spec.rb +121 -65
- data/spec/unit/policy_aware_ability_spec.rb +64 -78
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
- data/spec/unit/role_mapper_spec.rb +10 -10
- data/spec/unit/with_access_right_spec.rb +1 -1
- metadata +29 -51
- data/lib/hydra/access_controls/permission.rb +0 -40
- data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
- data/lib/hydra/datastream/rights_metadata.rb +0 -276
- data/lib/hydra/datastream.rb +0 -7
- data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
- data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
- data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
module Hydra::AccessControls
|
|
2
|
+
class Lease < ActiveFedora::Base
|
|
3
|
+
property :visibility_during_lease, predicate: Hydra::ACL.visibilityDuringLease
|
|
4
|
+
property :visibility_after_lease, predicate: Hydra::ACL.visibilityAfterLease
|
|
5
|
+
property :lease_expiration_date, predicate: Hydra::ACL.leaseExpirationDate
|
|
6
|
+
property :lease_history, predicate: Hydra::ACL.leaseHistory
|
|
7
|
+
|
|
8
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
|
9
|
+
def visibility_during_lease_with_first
|
|
10
|
+
visibility_during_lease_without_first.first
|
|
11
|
+
end
|
|
12
|
+
alias_method_chain :visibility_during_lease, :first
|
|
13
|
+
|
|
14
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
|
15
|
+
def visibility_after_lease_with_first
|
|
16
|
+
visibility_after_lease_without_first.first
|
|
17
|
+
end
|
|
18
|
+
alias_method_chain :visibility_after_lease, :first
|
|
19
|
+
|
|
20
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
|
21
|
+
def lease_expiration_date_with_first
|
|
22
|
+
lease_expiration_date_without_first.first
|
|
23
|
+
end
|
|
24
|
+
alias_method_chain :lease_expiration_date, :first
|
|
25
|
+
|
|
26
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
|
27
|
+
def lease_expiration_date_with_casting=(date)
|
|
28
|
+
date = DateTime.parse(date) if date && date.kind_of?(String)
|
|
29
|
+
self.lease_expiration_date_without_casting = date
|
|
30
|
+
end
|
|
31
|
+
alias_method_chain :lease_expiration_date=, :casting
|
|
32
|
+
|
|
33
|
+
def active?
|
|
34
|
+
lease_expiration_date.present? && Date.today < lease_expiration_date
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def deactivate!
|
|
38
|
+
return unless lease_expiration_date
|
|
39
|
+
lease_state = active? ? "active" : "expired"
|
|
40
|
+
lease_record = lease_history_message(lease_state, Date.today, lease_expiration_date, visibility_during_lease, visibility_after_lease)
|
|
41
|
+
self.lease_expiration_date = nil
|
|
42
|
+
self.visibility_during_lease = nil
|
|
43
|
+
self.visibility_after_lease = nil
|
|
44
|
+
self.lease_history += [lease_record]
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def to_hash
|
|
48
|
+
{}.tap do |doc|
|
|
49
|
+
date_field_name = Hydra.config.permissions.lease.expiration_date.sub(/_dtsi/, '')
|
|
50
|
+
Solrizer.insert_field(doc, date_field_name, lease_expiration_date, :stored_sortable)
|
|
51
|
+
|
|
52
|
+
doc[::Solrizer.solr_name("visibility_during_lease", :symbol)] = visibility_during_lease unless visibility_during_lease.nil?
|
|
53
|
+
doc[::Solrizer.solr_name("visibility_after_lease", :symbol)] = visibility_after_lease unless visibility_after_lease.nil?
|
|
54
|
+
doc[::Solrizer.solr_name("lease_history", :symbol)] = lease_history unless lease_history.nil?
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
protected
|
|
59
|
+
# Create the log message used when deactivating a lease
|
|
60
|
+
# This method may be overriden in order to transform the values of the passed parameters.
|
|
61
|
+
def lease_history_message(state, deactivate_date, expiration_date, visibility_during, visibility_after)
|
|
62
|
+
I18n.t 'hydra.lease.history_message', state: state, deactivate_date: deactivate_date, expiration_date: expiration_date,
|
|
63
|
+
visibility_during: visibility_during, visibility_after: visibility_after
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
end
|
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
module Hydra::AccessControls
|
|
2
|
+
AGENT_URL_PREFIX = "http://projecthydra.org/ns/auth/".freeze
|
|
3
|
+
GROUP_AGENT_URL_PREFIX = "http://projecthydra.org/ns/auth/group".freeze
|
|
4
|
+
PERSON_AGENT_URL_PREFIX = 'http://projecthydra.org/ns/auth/person'.freeze
|
|
5
|
+
class Permission < AccessControlList
|
|
6
|
+
def initialize(args)
|
|
7
|
+
super()
|
|
8
|
+
build_agent(args[:name], args[:type].to_s)
|
|
9
|
+
build_access(args[:access])
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def to_hash
|
|
13
|
+
{ name: agent_name, type: type, access: access }
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def inspect
|
|
17
|
+
agent_value = agent.first.rdf_subject.to_s.inspect if agent.first
|
|
18
|
+
mode_value = mode.first.rdf_subject.to_s.inspect if mode.first
|
|
19
|
+
"<#{self.class.name} id: #{id} agent: #{agent_value} mode: #{mode_value} access_to: #{access_to_id.inspect}>"
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def == other
|
|
23
|
+
other.is_a?(Permission) && id == other.id && self.access_to_id == other.access_to_id &&
|
|
24
|
+
self.agent.first.rdf_subject == other.agent.first.rdf_subject && self.mode.first.rdf_subject == other.mode.first.rdf_subject
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def attributes=(attributes)
|
|
28
|
+
attrs = attributes.dup
|
|
29
|
+
name = attrs.delete(:name)
|
|
30
|
+
type = attrs.delete(:type)
|
|
31
|
+
build_agent(name, type) if name && type
|
|
32
|
+
access = attrs.delete(:access)
|
|
33
|
+
build_access(access) if access
|
|
34
|
+
super(attrs)
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def agent_name
|
|
38
|
+
parsed_agent.last
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def access
|
|
42
|
+
@access ||= mode.first.rdf_subject.to_s.split('#').last.downcase.sub('write', 'edit')
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def type
|
|
46
|
+
parsed_agent.first
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
protected
|
|
50
|
+
|
|
51
|
+
def parsed_agent
|
|
52
|
+
@parsed_agent ||= agent.first.rdf_subject.to_s.sub(AGENT_URL_PREFIX, '').split('#')
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
def build_agent(name, type)
|
|
56
|
+
raise "Can't build agent #{inspect}" unless name && type
|
|
57
|
+
self.agent = case type
|
|
58
|
+
when "group"
|
|
59
|
+
Agent.new(::RDF::URI.new("#{GROUP_AGENT_URL_PREFIX}##{name}"))
|
|
60
|
+
when "person"
|
|
61
|
+
Agent.new(::RDF::URI.new("#{PERSON_AGENT_URL_PREFIX}##{name}"))
|
|
62
|
+
when "user"
|
|
63
|
+
Deprecation.warn Permission, "Passing \"user\" as the type to Permission is deprecated. Use \"person\" instead. This will be an error in ActiveFedora 9."
|
|
64
|
+
Agent.new(::RDF::URI.new("#{PERSON_AGENT_URL_PREFIX}##{name}"))
|
|
65
|
+
else
|
|
66
|
+
raise ArgumentError, "Unknown agent type #{type.inspect}"
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def build_access(access)
|
|
71
|
+
raise "Can't build access #{inspect}" unless access
|
|
72
|
+
self.mode = case access
|
|
73
|
+
when "read"
|
|
74
|
+
Mode.new(::ACL.Read)
|
|
75
|
+
when "edit"
|
|
76
|
+
Mode.new(::ACL.Write)
|
|
77
|
+
when "discover"
|
|
78
|
+
Mode.new(Hydra::ACL.Discover)
|
|
79
|
+
else
|
|
80
|
+
raise ArgumentError, "Unknown access #{access.inspect}"
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
end
|
|
85
|
+
end
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
module Hydra
|
|
2
|
+
class ACL < RDF::StrictVocabulary('http://projecthydra.org/ns/auth/acl#')
|
|
3
|
+
property :Discover # extends http://www.w3.org/ns/auth/acl#Access
|
|
4
|
+
|
|
5
|
+
property :hasEmbargo
|
|
6
|
+
property :hasLease
|
|
7
|
+
|
|
8
|
+
property :visibilityDuringEmbargo
|
|
9
|
+
property :visibilityAfterEmbargo
|
|
10
|
+
property :embargoReleaseDate
|
|
11
|
+
property :visibilityDuringLease
|
|
12
|
+
property :visibilityAfterLease
|
|
13
|
+
property :leaseExpirationDate
|
|
14
|
+
|
|
15
|
+
property :embargoHistory
|
|
16
|
+
property :leaseHistory
|
|
17
|
+
|
|
18
|
+
property :defaultPermissions
|
|
19
|
+
end
|
|
20
|
+
end
|
data/config/fedora.yml
CHANGED
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
development:
|
|
2
2
|
user: fedoraAdmin
|
|
3
3
|
password: fedoraAdmin
|
|
4
|
-
url: http://
|
|
4
|
+
url: http://localhost:8983/fedora/rest
|
|
5
|
+
base_path: /dev
|
|
5
6
|
test:
|
|
6
7
|
user: fedoraAdmin
|
|
7
8
|
password: fedoraAdmin
|
|
8
|
-
url: http://
|
|
9
|
+
url: http://localhost:8983/fedora/rest
|
|
10
|
+
base_path: /test
|
|
@@ -16,14 +16,13 @@ Gem::Specification.new do |gem|
|
|
|
16
16
|
gem.version = version
|
|
17
17
|
gem.license = "APACHE2"
|
|
18
18
|
|
|
19
|
-
gem.required_ruby_version = '>=
|
|
19
|
+
gem.required_ruby_version = '>= 1.9.3'
|
|
20
20
|
|
|
21
|
-
gem.add_dependency 'activesupport'
|
|
22
|
-
gem.add_dependency "active-fedora", '~>
|
|
23
|
-
gem.add_dependency
|
|
24
|
-
gem.add_dependency '
|
|
25
|
-
gem.add_dependency
|
|
26
|
-
gem.add_dependency "blacklight", '~> 5.10'
|
|
21
|
+
gem.add_dependency 'activesupport'
|
|
22
|
+
gem.add_dependency "active-fedora", '~> 9.0.0.beta3'
|
|
23
|
+
gem.add_dependency 'cancancan'
|
|
24
|
+
gem.add_dependency 'deprecation'
|
|
25
|
+
gem.add_dependency "blacklight", '~> 5.3'
|
|
27
26
|
|
|
28
27
|
# sass-rails is typically generated into the app's gemfile by `rails new`
|
|
29
28
|
# In rails 3 it's put into the "assets" group and thus not available to the
|
data/lib/hydra/ability.rb
CHANGED
|
@@ -3,15 +3,15 @@ require 'cancan'
|
|
|
3
3
|
module Hydra
|
|
4
4
|
module Ability
|
|
5
5
|
extend ActiveSupport::Concern
|
|
6
|
-
|
|
6
|
+
|
|
7
7
|
# once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
|
|
8
8
|
#
|
|
9
9
|
# self.ability_logic +=[:setup_my_permissions]
|
|
10
|
-
|
|
10
|
+
|
|
11
11
|
included do
|
|
12
12
|
include CanCan::Ability
|
|
13
13
|
include Hydra::PermissionsQuery
|
|
14
|
-
include Blacklight::
|
|
14
|
+
include Blacklight::SolrHelper
|
|
15
15
|
class_attribute :ability_logic
|
|
16
16
|
self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :download_permissions, :custom_permissions]
|
|
17
17
|
end
|
|
@@ -33,7 +33,7 @@ module Hydra
|
|
|
33
33
|
## You can override this method if you are using a different AuthZ (such as LDAP)
|
|
34
34
|
def user_groups
|
|
35
35
|
return @user_groups if @user_groups
|
|
36
|
-
|
|
36
|
+
|
|
37
37
|
@user_groups = default_user_groups
|
|
38
38
|
@user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
|
|
39
39
|
@user_groups |= ['registered'] unless current_user.new_record?
|
|
@@ -44,7 +44,7 @@ module Hydra
|
|
|
44
44
|
# # everyone is automatically a member of the group 'public'
|
|
45
45
|
['public']
|
|
46
46
|
end
|
|
47
|
-
|
|
47
|
+
|
|
48
48
|
|
|
49
49
|
def hydra_default_permissions
|
|
50
50
|
Rails.logger.debug("Usergroups are " + user_groups.inspect)
|
|
@@ -58,65 +58,67 @@ module Hydra
|
|
|
58
58
|
end
|
|
59
59
|
|
|
60
60
|
def edit_permissions
|
|
61
|
-
can [:edit, :update, :destroy], String do |
|
|
62
|
-
test_edit(
|
|
63
|
-
end
|
|
61
|
+
can [:edit, :update, :destroy], String do |id|
|
|
62
|
+
test_edit(id)
|
|
63
|
+
end
|
|
64
64
|
|
|
65
65
|
can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
|
|
66
|
-
test_edit(obj.
|
|
66
|
+
test_edit(obj.id)
|
|
67
67
|
end
|
|
68
|
-
|
|
68
|
+
|
|
69
69
|
can [:edit, :update, :destroy], SolrDocument do |obj|
|
|
70
70
|
cache.put(obj.id, obj)
|
|
71
71
|
test_edit(obj.id)
|
|
72
|
-
end
|
|
72
|
+
end
|
|
73
73
|
end
|
|
74
74
|
|
|
75
75
|
def read_permissions
|
|
76
|
-
can :read, String do |
|
|
77
|
-
test_read(
|
|
76
|
+
can :read, String do |id|
|
|
77
|
+
test_read(id)
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
can :read, ActiveFedora::Base do |obj|
|
|
81
|
-
test_read(obj.
|
|
82
|
-
end
|
|
83
|
-
|
|
81
|
+
test_read(obj.id)
|
|
82
|
+
end
|
|
83
|
+
|
|
84
84
|
can :read, SolrDocument do |obj|
|
|
85
85
|
cache.put(obj.id, obj)
|
|
86
86
|
test_read(obj.id)
|
|
87
|
-
end
|
|
87
|
+
end
|
|
88
88
|
end
|
|
89
89
|
|
|
90
90
|
# Download permissions are exercised in Hydra::Controller::DownloadBehavior
|
|
91
91
|
def download_permissions
|
|
92
|
-
can :download, ActiveFedora::
|
|
93
|
-
|
|
92
|
+
can :download, ActiveFedora::File do |file|
|
|
93
|
+
parent_uri = file.uri.sub(/\/[^\/]*$/, '')
|
|
94
|
+
parent_id = ActiveFedora::Base.uri_to_id(parent_uri)
|
|
95
|
+
can? :read, parent_id # i.e, can download if can read parent resource
|
|
94
96
|
end
|
|
95
97
|
end
|
|
96
98
|
|
|
97
99
|
## Override custom permissions in your own app to add more permissions beyond what is defined by default.
|
|
98
100
|
def custom_permissions
|
|
99
101
|
end
|
|
100
|
-
|
|
102
|
+
|
|
101
103
|
protected
|
|
102
104
|
|
|
103
|
-
def test_edit(
|
|
105
|
+
def test_edit(id)
|
|
104
106
|
Rails.logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
|
|
105
|
-
group_intersection = user_groups & edit_groups(
|
|
106
|
-
result = !group_intersection.empty? || edit_users(
|
|
107
|
+
group_intersection = user_groups & edit_groups(id)
|
|
108
|
+
result = !group_intersection.empty? || edit_users(id).include?(current_user.user_key)
|
|
107
109
|
Rails.logger.debug("[CANCAN] decision: #{result}")
|
|
108
110
|
result
|
|
109
|
-
end
|
|
110
|
-
|
|
111
|
-
def test_read(
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
def test_read(id)
|
|
112
114
|
Rails.logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
|
|
113
|
-
group_intersection = user_groups & read_groups(
|
|
114
|
-
result = !group_intersection.empty? || read_users(
|
|
115
|
+
group_intersection = user_groups & read_groups(id)
|
|
116
|
+
result = !group_intersection.empty? || read_users(id).include?(current_user.user_key)
|
|
115
117
|
result
|
|
116
|
-
end
|
|
117
|
-
|
|
118
|
-
def edit_groups(
|
|
119
|
-
doc = permissions_doc(
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
def edit_groups(id)
|
|
121
|
+
doc = permissions_doc(id)
|
|
120
122
|
return [] if doc.nil?
|
|
121
123
|
eg = doc[self.class.edit_group_field] || []
|
|
122
124
|
Rails.logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
|
|
@@ -124,16 +126,16 @@ module Hydra
|
|
|
124
126
|
end
|
|
125
127
|
|
|
126
128
|
# edit implies read, so read_groups is the union of edit and read groups
|
|
127
|
-
def read_groups(
|
|
128
|
-
doc = permissions_doc(
|
|
129
|
+
def read_groups(id)
|
|
130
|
+
doc = permissions_doc(id)
|
|
129
131
|
return [] if doc.nil?
|
|
130
|
-
rg = edit_groups(
|
|
132
|
+
rg = edit_groups(id) | (doc[self.class.read_group_field] || [])
|
|
131
133
|
Rails.logger.debug("[CANCAN] read_groups: #{rg.inspect}")
|
|
132
134
|
return rg
|
|
133
135
|
end
|
|
134
136
|
|
|
135
|
-
def edit_users(
|
|
136
|
-
doc = permissions_doc(
|
|
137
|
+
def edit_users(id)
|
|
138
|
+
doc = permissions_doc(id)
|
|
137
139
|
return [] if doc.nil?
|
|
138
140
|
ep = doc[self.class.edit_user_field] || []
|
|
139
141
|
Rails.logger.debug("[CANCAN] edit_users: #{ep.inspect}")
|
|
@@ -141,24 +143,24 @@ module Hydra
|
|
|
141
143
|
end
|
|
142
144
|
|
|
143
145
|
# edit implies read, so read_users is the union of edit and read users
|
|
144
|
-
def read_users(
|
|
145
|
-
doc = permissions_doc(
|
|
146
|
+
def read_users(id)
|
|
147
|
+
doc = permissions_doc(id)
|
|
146
148
|
return [] if doc.nil?
|
|
147
|
-
rp = edit_users(
|
|
149
|
+
rp = edit_users(id) | (doc[self.class.read_user_field] || [])
|
|
148
150
|
Rails.logger.debug("[CANCAN] read_users: #{rp.inspect}")
|
|
149
151
|
return rp
|
|
150
152
|
end
|
|
151
153
|
|
|
152
154
|
module ClassMethods
|
|
153
|
-
def read_group_field
|
|
155
|
+
def read_group_field
|
|
154
156
|
Hydra.config.permissions.read.group
|
|
155
157
|
end
|
|
156
158
|
|
|
157
|
-
def edit_user_field
|
|
159
|
+
def edit_user_field
|
|
158
160
|
Hydra.config.permissions.edit.individual
|
|
159
161
|
end
|
|
160
162
|
|
|
161
|
-
def read_user_field
|
|
163
|
+
def read_user_field
|
|
162
164
|
Hydra.config.permissions.read.individual
|
|
163
165
|
end
|
|
164
166
|
|
|
@@ -1,8 +1,7 @@
|
|
|
1
1
|
module Hydra::AccessControlsEnforcement
|
|
2
2
|
extend ActiveSupport::Concern
|
|
3
3
|
|
|
4
|
-
included do
|
|
5
|
-
attr_writer :current_ability
|
|
4
|
+
included do
|
|
6
5
|
class_attribute :solr_access_filters_logic
|
|
7
6
|
|
|
8
7
|
# Set defaults. Each symbol identifies a _method_ that must be in
|
|
@@ -15,15 +14,11 @@ module Hydra::AccessControlsEnforcement
|
|
|
15
14
|
|
|
16
15
|
end
|
|
17
16
|
|
|
18
|
-
def current_ability
|
|
19
|
-
@current_ability || raise("current_ability has not been set on #{self}")
|
|
20
|
-
end
|
|
21
|
-
|
|
22
17
|
protected
|
|
23
18
|
|
|
24
19
|
def gated_discovery_filters(permission_types = discovery_permissions, ability = current_ability)
|
|
25
20
|
user_access_filters = []
|
|
26
|
-
|
|
21
|
+
|
|
27
22
|
# Grant access based on user id & group
|
|
28
23
|
solr_access_filters_logic.each do |method_name|
|
|
29
24
|
user_access_filters += send(method_name, permission_types, ability)
|
|
@@ -33,8 +28,8 @@ module Hydra::AccessControlsEnforcement
|
|
|
33
28
|
|
|
34
29
|
def under_embargo?
|
|
35
30
|
load_permissions_from_solr
|
|
36
|
-
embargo_key =
|
|
37
|
-
if @permissions_solr_document[embargo_key]
|
|
31
|
+
embargo_key = Hydra.config.permissions.embargo.release_date
|
|
32
|
+
if @permissions_solr_document[embargo_key]
|
|
38
33
|
embargo_date = Date.parse(@permissions_solr_document[embargo_key].split(/T/)[0])
|
|
39
34
|
return embargo_date > Date.parse(Time.now.to_s)
|
|
40
35
|
end
|
|
@@ -44,7 +39,7 @@ module Hydra::AccessControlsEnforcement
|
|
|
44
39
|
#
|
|
45
40
|
# Action-specific enforcement
|
|
46
41
|
#
|
|
47
|
-
|
|
42
|
+
|
|
48
43
|
# Controller "before" filter for enforcing access controls on show actions
|
|
49
44
|
# @param [Hash] opts (optional, not currently used)
|
|
50
45
|
def enforce_show_permissions(opts={})
|
|
@@ -52,28 +47,30 @@ module Hydra::AccessControlsEnforcement
|
|
|
52
47
|
if permissions.under_embargo? && !can?(:edit, permissions)
|
|
53
48
|
raise Hydra::AccessDenied.new("This item is under embargo. You do not have sufficient access privileges to read this document.", :edit, params[:id])
|
|
54
49
|
end
|
|
55
|
-
unless can? :read, permissions
|
|
50
|
+
unless can? :read, permissions
|
|
56
51
|
raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
|
|
57
52
|
end
|
|
58
53
|
end
|
|
59
|
-
|
|
54
|
+
|
|
60
55
|
# Solr query modifications
|
|
61
56
|
#
|
|
62
|
-
|
|
63
|
-
# Set solr_parameters to enforce appropriate permissions
|
|
57
|
+
|
|
58
|
+
# Set solr_parameters to enforce appropriate permissions
|
|
64
59
|
# * Applies a lucene query to the solr :q parameter for gated discovery
|
|
65
60
|
# * Uses public_qt search handler if user does not have "read" permissions
|
|
66
61
|
# @param solr_parameters the current solr parameters
|
|
62
|
+
# @param user_parameters the current user-subitted parameters
|
|
67
63
|
#
|
|
68
|
-
# @example This method should be added to your
|
|
69
|
-
# class CatalogController < ApplicationController
|
|
70
|
-
#
|
|
64
|
+
# @example This method should be added to your Catalog Controller's solr_search_params_logic
|
|
65
|
+
# class CatalogController < ApplicationController
|
|
66
|
+
# include Hydra::Controller::ControllerBehavior
|
|
67
|
+
# CatalogController.solr_search_params_logic << :add_access_controls_to_solr_params
|
|
71
68
|
# end
|
|
72
|
-
def add_access_controls_to_solr_params(solr_parameters)
|
|
73
|
-
apply_gated_discovery(solr_parameters)
|
|
69
|
+
def add_access_controls_to_solr_params(solr_parameters, user_parameters)
|
|
70
|
+
apply_gated_discovery(solr_parameters, user_parameters)
|
|
74
71
|
end
|
|
75
72
|
|
|
76
|
-
|
|
73
|
+
|
|
77
74
|
# Which permission levels (logical OR) will grant you the ability to discover documents in a search.
|
|
78
75
|
|
|
79
76
|
# Override this method if you want it to be something other than the default
|
|
@@ -86,19 +83,20 @@ module Hydra::AccessControlsEnforcement
|
|
|
86
83
|
|
|
87
84
|
# Contrller before filter that sets up access-controlled lucene query in order to provide gated discovery behavior
|
|
88
85
|
# @param solr_parameters the current solr parameters
|
|
89
|
-
|
|
86
|
+
# @param user_parameters the current user-subitted parameters
|
|
87
|
+
def apply_gated_discovery(solr_parameters, user_parameters)
|
|
90
88
|
solr_parameters[:fq] ||= []
|
|
91
89
|
solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
|
|
92
|
-
|
|
90
|
+
logger.debug("Solr parameters: #{ solr_parameters.inspect }")
|
|
93
91
|
end
|
|
94
92
|
|
|
95
|
-
|
|
93
|
+
|
|
96
94
|
def apply_group_permissions(permission_types, ability = current_ability)
|
|
97
95
|
# for groups
|
|
98
96
|
user_access_filters = []
|
|
99
97
|
ability.user_groups.each_with_index do |group, i|
|
|
100
98
|
permission_types.each do |type|
|
|
101
|
-
user_access_filters << escape_filter(
|
|
99
|
+
user_access_filters << escape_filter(Hydra.config.permissions[type.to_sym].group, group)
|
|
102
100
|
end
|
|
103
101
|
end
|
|
104
102
|
user_access_filters
|
|
@@ -114,7 +112,7 @@ module Hydra::AccessControlsEnforcement
|
|
|
114
112
|
user = ability.current_user
|
|
115
113
|
if user && user.user_key.present?
|
|
116
114
|
permission_types.each do |type|
|
|
117
|
-
user_access_filters << escape_filter(
|
|
115
|
+
user_access_filters << escape_filter(Hydra.config.permissions[type.to_sym].individual, user.user_key)
|
|
118
116
|
end
|
|
119
117
|
end
|
|
120
118
|
user_access_filters
|
data/lib/hydra/admin_policy.rb
CHANGED
|
@@ -1,15 +1,38 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
include Hydra::AdminPolicyBehavior
|
|
4
|
-
include Hydra::AccessControls::Permissions
|
|
1
|
+
module Hydra
|
|
2
|
+
class AdminPolicy < ActiveFedora::Base
|
|
5
3
|
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
4
|
+
include Hydra::AdminPolicyBehavior
|
|
5
|
+
include Hydra::AccessControls::Permissions
|
|
6
|
+
|
|
7
|
+
property :title, predicate: ::RDF::DC.title do |index|
|
|
8
|
+
index.as :stored_searchable
|
|
9
|
+
end
|
|
10
|
+
property :description, predicate: ::RDF::DC.description do |index|
|
|
11
|
+
index.as :searchable
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
|
15
|
+
def description_with_first
|
|
16
|
+
description_without_first.first
|
|
17
|
+
end
|
|
18
|
+
alias_method_chain :description, :first
|
|
9
19
|
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
20
|
+
# Hack until ActiveFedora supports activeTriples 0.3.0 (then we can just use super)
|
|
21
|
+
def title_with_first
|
|
22
|
+
title_without_first.first
|
|
23
|
+
end
|
|
24
|
+
alias_method_chain :title, :first
|
|
14
25
|
|
|
26
|
+
def license_title=(_)
|
|
27
|
+
Deprecation.warn AdminPolicy, "license_title= has been remove from AdminPolicy. Look at Hydra::Rights instead"
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def license_description=(_)
|
|
31
|
+
Deprecation.warn AdminPolicy, "license_title= has been remove from AdminPolicy. Look at Hydra::Rights instead"
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def license_url=(_)
|
|
35
|
+
Deprecation.warn AdminPolicy, "license_title= has been remove from AdminPolicy. Look at Hydra::Rights instead"
|
|
36
|
+
end
|
|
37
|
+
end
|
|
15
38
|
end
|
data/lib/hydra/config.rb
CHANGED
|
@@ -47,11 +47,6 @@ module Hydra
|
|
|
47
47
|
@lease = LeaseConfig.new({}, prefix: prefix)
|
|
48
48
|
end
|
|
49
49
|
|
|
50
|
-
def embargo_release_date
|
|
51
|
-
Deprecation.warn PermissionsConfig, "embargo_release_date is deprecated, use embargo.release_date instead"
|
|
52
|
-
embargo.release_date
|
|
53
|
-
end
|
|
54
|
-
|
|
55
50
|
def merge! values
|
|
56
51
|
values.each {|k, v| self[k] = v }
|
|
57
52
|
end
|
|
@@ -62,9 +57,6 @@ module Hydra
|
|
|
62
57
|
self.assign_value key, value
|
|
63
58
|
when :inheritable
|
|
64
59
|
inheritable.merge! value
|
|
65
|
-
when :embargo_release_date
|
|
66
|
-
Deprecation.warn PermissionsConfig, "[:embargo_release_date]= is deprecated, use embargo.release_date= instead"
|
|
67
|
-
embargo.release_date = value
|
|
68
60
|
when :policy_class
|
|
69
61
|
self.policy_class = value
|
|
70
62
|
when :owner
|
|
@@ -80,9 +72,6 @@ module Hydra
|
|
|
80
72
|
@values[key]
|
|
81
73
|
when :inheritable
|
|
82
74
|
inheritable
|
|
83
|
-
when :embargo_release_date
|
|
84
|
-
Deprecation.warn PermissionsConfig, "[:embargo_release_date] is deprecated, use embargo.release_date= instead"
|
|
85
|
-
embargo.release_date
|
|
86
75
|
when :policy_class
|
|
87
76
|
@policy_class
|
|
88
77
|
else
|
|
@@ -118,7 +107,7 @@ module Hydra
|
|
|
118
107
|
assign_value :edit, val
|
|
119
108
|
end
|
|
120
109
|
|
|
121
|
-
protected
|
|
110
|
+
protected
|
|
122
111
|
|
|
123
112
|
def prefix
|
|
124
113
|
end
|
|
@@ -128,7 +117,7 @@ module Hydra
|
|
|
128
117
|
end
|
|
129
118
|
|
|
130
119
|
def solr_name(*args)
|
|
131
|
-
ActiveFedora::
|
|
120
|
+
ActiveFedora::SolrQueryBuilder.solr_name(*args)
|
|
132
121
|
end
|
|
133
122
|
|
|
134
123
|
class EmbargoConfig
|
|
@@ -141,7 +130,7 @@ module Hydra
|
|
|
141
130
|
end
|
|
142
131
|
|
|
143
132
|
def solr_name(*args)
|
|
144
|
-
ActiveFedora::
|
|
133
|
+
ActiveFedora::SolrQueryBuilder.solr_name(*args)
|
|
145
134
|
end
|
|
146
135
|
end
|
|
147
136
|
|
|
@@ -155,7 +144,7 @@ module Hydra
|
|
|
155
144
|
end
|
|
156
145
|
|
|
157
146
|
def solr_name(*args)
|
|
158
|
-
ActiveFedora::
|
|
147
|
+
ActiveFedora::SolrQueryBuilder.solr_name(*args)
|
|
159
148
|
end
|
|
160
149
|
end
|
|
161
150
|
|
|
@@ -32,8 +32,8 @@ module Hydra
|
|
|
32
32
|
#
|
|
33
33
|
# Solr integration
|
|
34
34
|
#
|
|
35
|
-
|
|
36
|
-
# returns a params hash with the permissions info for a single solr document
|
|
35
|
+
|
|
36
|
+
# returns a params hash with the permissions info for a single solr document
|
|
37
37
|
# If the id arg is nil, then the value is fetched from params[:id]
|
|
38
38
|
# This method is primary called by the get_permissions_solr_response_for_doc_id method.
|
|
39
39
|
# Modeled on Blacklight::SolrHelper.solr_doc_params
|
|
@@ -1,13 +1,11 @@
|
|
|
1
1
|
class Hydra::PermissionsSolrDocument < SolrDocument
|
|
2
|
-
|
|
3
2
|
def under_embargo?
|
|
4
|
-
|
|
5
|
-
|
|
3
|
+
#permissions = permissions_doc(params[:id])
|
|
4
|
+
embargo_key = Hydra.config.permissions.embargo.release_date
|
|
5
|
+
if self[embargo_key]
|
|
6
6
|
embargo_date = Date.parse(self[embargo_key].split(/T/)[0])
|
|
7
7
|
return embargo_date > Date.parse(Time.now.to_s)
|
|
8
8
|
end
|
|
9
9
|
false
|
|
10
|
-
end
|
|
11
|
-
|
|
10
|
+
end
|
|
12
11
|
end
|
|
13
|
-
|