hydra-access-controls 8.2.0 → 9.0.0.beta1

data/spec/unit/ability_spec.rb

@@ -12,17 +12,15 @@ describe Ability do
 
   context "for a not-signed in user" do
     before do
-      User.any_instance.stub(:email).and_return(nil)
-      User.any_instance.stub(:new_record?).and_return(true)
+      allow_any_instance_of(User).to receive(:email).and_return(nil)
+      allow_any_instance_of(User).to receive(:new_record?).and_return(true)
     end
     subject { Ability.new(nil) }
     it "should call custom_permissions" do
-      Ability.any_instance.should_receive(:custom_permissions)
+      expect_any_instance_of(Ability).to receive(:custom_permissions)
       subject.can?(:delete, 7)
     end
-    it "should not be able to create ActiveFedora::Base objects" do
-      subject.should_not be_able_to(:create, ActiveFedora::Base)
-    end
+    it { should_not be_able_to(:create, ActiveFedora::Base) }
   end
 
   context "for a signed in user" do
@@ -30,55 +28,51 @@ describe Ability do
       @user = FactoryGirl.build(:registered_user)
     end
     subject { Ability.new(@user) }
-    it "should not be able to create ActiveFedora::Base objects" do
-      subject.should_not be_able_to(:create, ActiveFedora::Base)
-    end
+
+    it { should_not be_able_to(:create, ActiveFedora::Base) }
   end
 
 
-# NOTES: 
+# NOTES:
 #   See spec/requests/... for test coverage describing WHAT should appear on a page based on access permissions
 #   Test coverage for discover permission is in spec/requests/gated_discovery_spec.rb
-  
+
   describe "Given an asset that has been made publicly available (ie. open access)" do
+    #let(:asset) { FactoryGirl.create(:open_access_asset) }
+    let(:asset) { FactoryGirl.create(:asset) }
     before do
-      @asset = FactoryGirl.build(:open_access_asset)
-      @asset.save
+      asset.permissions_attributes = [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
+      asset.save
     end
+
     context "Then a not-signed-in user" do
-      before do
-        @user = User.new
-        @user.new_record = true
-      end
       subject { Ability.new(nil) }
-      it "should be able to view the asset" do
-        subject.can?(:read, @asset).should be true
-      end
-      it "should not be able to edit, update and destroy the asset" do
-        subject.can?(:edit, @asset).should be false
-        subject.can?(:update, @asset).should be false
-        subject.can?(:destroy, @asset).should be false
-      end
+      it { should     be_able_to(:read, asset) }
+      it { should_not be_able_to(:edit, asset) }
+      it { should_not be_able_to(:update, asset) }
+      it { should_not be_able_to(:destroy, asset) }
     end
+
     context "Then a registered user" do
       before do
         @user = FactoryGirl.build(:registered_user)
       end
       subject { Ability.new(@user) }
-      it "should be able to view the asset" do
-        subject.can?(:read, @asset).should be true
-      end
-      it "should not be able to edit, update and destroy the asset" do
-        subject.can?(:edit, @asset).should be false
-        subject.can?(:update, @asset).should be false
-        subject.can?(:destroy, @asset).should be false
-      end
+      it { should     be_able_to(:read, asset) }
+      it { should_not be_able_to(:edit, asset) }
+      it { should_not be_able_to(:update, asset) }
+      it { should_not be_able_to(:destroy, asset) }
     end
   end
-  
+
   describe "Given an asset with no custom access set" do
-    let(:asset) { FactoryGirl.create(:default_access_asset) }
-    let(:solr_doc) { SolrDocument.new(asset.rightsMetadata.to_solr.merge(id: asset.pid)) }
+    #let(:asset) { FactoryGirl.create(:default_access_asset) }
+    let(:asset) { FactoryGirl.create(:asset) }
+    before do
+      asset.permissions_attributes = [{ name: "joe_creator", access: "edit", type: "person" }]
+      asset.save
+    end
+    let(:solr_doc) { SolrDocument.new(asset.to_solr.merge(id: asset.id)) }
     context "Then a not-signed-in user" do
       let(:user) { User.new.tap {|u| u.new_record = true } }
       subject { Ability.new(user) }
@@ -108,9 +102,11 @@ describe Ability do
   end
 
   describe "Given an asset which registered users have read access to" do
+    # let(:asset) { FactoryGirl.create(:org_read_access_asset) }
+    let(:asset) { FactoryGirl.create(:asset) }
     before do
-      @asset = FactoryGirl.build(:org_read_access_asset)
-      @asset.save
+      asset.permissions_attributes = [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
+      asset.save
     end
     context "The a registered user" do
       before do
@@ -118,58 +114,52 @@ describe Ability do
       end
       subject { Ability.new(@user) }
 
-      it "should be able to view the asset" do
-        subject.can?(:read, @asset).should be true
-      end
-      it "should not be able to edit, update and destroy the asset" do
-        subject.can?(:edit, @asset).should be false
-        subject.can?(:update, @asset).should be false
-        subject.can?(:destroy, @asset).should be false
-      end
-      it "should not be able to see the admin view of the asset" do
-        subject.can?(:admin, @asset).should be false
-      end
+      it { should     be_able_to(:read, asset) }
+      it { should_not be_able_to(:edit, asset) }
+      it { should_not be_able_to(:update, asset) }
+      it { should_not be_able_to(:destroy, asset) }
+      it { should_not be_able_to(:admin, asset) }
     end
   end
 
   describe "Given an asset with collaborator" do
-    before { @asset = FactoryGirl.create(:group_edit_asset) }
-    after { @asset.destroy }
+    # let(:asset) { FactoryGirl.create(:group_edit_asset) }
+    let(:asset) { FactoryGirl.create(:asset) }
+    before do
+      asset.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
+      asset.save
+    end
+    after { asset.destroy }
     context "Then a collaborator with edit access (user permision)" do
       before do
         @user = FactoryGirl.build(:calvin_collaborator)
       end
       subject { Ability.new(@user) }
 
-      it "should be able to view the asset" do
-        subject.can?(:read, @asset).should be true
-      end
-      it "should be able to edit, update and destroy the asset" do
-        subject.can?(:edit, @asset).should be true
-        subject.can?(:update, @asset).should be true
-        subject.can?(:destroy, @asset).should be true
-      end
-      it "should not be able to see the admin view of the asset" do
-        subject.can?(:admin, @asset).should be false
-      end
+      it { should     be_able_to(:read, asset) }
+      it { should     be_able_to(:edit, asset) }
+      it { should     be_able_to(:update, asset) }
+      it { should     be_able_to(:destroy, asset) }
+      it { should_not be_able_to(:admin, asset) }
     end
+
     context "Then a collaborator with edit access (group permision)" do
       before do
         @user = FactoryGirl.build(:martia_morocco)
-        RoleMapper.stub(:roles).with(@user).and_return(@user.roles)
+        allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
       end
       subject { Ability.new(@user) }
 
-      it "should be able to view the asset" do
-        subject.can?(:read, @asset).should be true
-      end
+      it { should     be_able_to(:read, asset) }
     end
   end
 
   describe "Given an asset where dept can read & registered users can discover" do
+    # let(:asset) { FactoryGirl.create(:dept_access_asset) }
+    let(:asset) { FactoryGirl.create(:asset) }
     before do
-      @asset = FactoryGirl.build(:dept_access_asset)
-      @asset.save
+      asset.permissions_attributes = [{ name: "africana-faculty", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }]
+      asset.save
     end
     context "Then a registered user" do
       before do
@@ -177,36 +167,25 @@ describe Ability do
       end
       subject { Ability.new(@user) }
 
-      it "should not be able to view the asset" do
-        subject.can?(:read, @asset).should be false
-      end
-      it "should not be able to edit, update and destroy the asset" do
-        subject.can?(:edit, @asset).should be false
-        subject.can?(:update, @asset).should be false
-        subject.can?(:destroy, @asset).should be false
-      end
-      it "should not be able to see the admin view of the asset" do
-        subject.can?(:admin, @asset).should be false
-      end
+      it { should_not be_able_to(:read, asset) }
+      it { should_not be_able_to(:edit, asset) }
+      it { should_not be_able_to(:update, asset) }
+      it { should_not be_able_to(:destroy, asset) }
+      it { should_not be_able_to(:admin, asset) }
     end
+
     context "Then someone whose role/group has read access" do
       before do
         @user = FactoryGirl.build(:martia_morocco)
-        RoleMapper.stub(:roles).with(@user).and_return(@user.roles)
+        allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
       end
       subject { Ability.new(@user) }
 
-      it "should be able to view the asset" do
-        subject.can?(:read, @asset).should be true
-      end
-      it "should not be able to edit, update and destroy the asset" do
-        subject.can?(:edit, @asset).should be false
-        subject.can?(:update, @asset).should be false
-        subject.can?(:destroy, @asset).should be false
-      end
-      it "should not be able to see the admin view of the asset" do
-        subject.can?(:admin, @asset).should be false
-      end
+      it { should     be_able_to(:read, asset) }
+      it { should_not be_able_to(:edit, asset) }
+      it { should_not be_able_to(:update, asset) }
+      it { should_not be_able_to(:destroy, asset) }
+      it { should_not be_able_to(:admin, asset) }
     end
   end
 
@@ -230,56 +209,52 @@ describe Ability do
 
     subject { MyAbility.new(@user) }
 
-    it "should be set the custom permission" do
-      subject.can?(:accept, ActiveFedora::Base).should be true
-    end
+    it { should be_able_to(:accept, ActiveFedora::Base) }
 
   end
 
   describe "calling ability on two separate objects" do
+    #asset1 = FactoryGirl.create(:org_read_access_asset)
+    let(:asset1) { FactoryGirl.create(:asset) }
+    let(:asset2) { FactoryGirl.create(:asset) }
     before do
-      @asset1 = FactoryGirl.create(:org_read_access_asset)
-      @asset2 = FactoryGirl.create(:asset)
+      asset1.permissions_attributes = [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
+      asset1.save
       @user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
     end
     after do
-      @asset1.destroy
-      @asset2.destroy
+      asset1.destroy
+      asset2.destroy
     end
     subject { Ability.new(@user) }
     it "should be readable in the first instance and not in the second instance" do
       # We had a bug around this where it keeps returning the access for the first object queried
-      subject.can?(:edit, @asset1).should be true  
-      subject.can?(:edit, @asset2).should be false  
+      expect(subject).to be_able_to(:edit, asset1)
+      expect(subject).to_not be_able_to(:edit, asset2)
     end
   end
 
   describe "download permissions" do
-    subject { Ability.new(@user) }
-    before do
-      @asset = FactoryGirl.create(:asset)
-      @user = FactoryGirl.build(:user)
-    end
-    after { @asset.destroy }
+    subject { Ability.new(user) }
+    let(:asset) { FactoryGirl.create(:asset) }
+    let(:user) { FactoryGirl.build(:user) }
+    let(:file) { ActiveFedora::File.new("#{asset.uri}/ds1") }
+
+    after { asset.destroy }
+
     context "user has read permission on the object" do
       before do
-        @asset.read_users = [@user.user_key]
-        @asset.save
-      end
-      it "should permit the user to download the object's datastreams" do
-        subject.can?(:read, @asset).should be true
-        @asset.datastreams.each_value do |ds|
-          subject.can?(:download, ds).should be true
-        end
+        asset.read_users = [user.user_key]
+        asset.save!
       end
+
+      it { should be_able_to(:read, asset.id) }
+      it { should be_able_to(:download, file) }
     end
-    context "user lacks read permission on the object" do
-      it "should not permit the user to download the object's datastreams" do
-        subject.can?(:read, @asset).should be false
-        @asset.datastreams.each_value do |ds|
-          subject.can?(:download, ds).should be false
-        end
-      end
+
+    context "user lacks read permission on the object and file" do
+      it { should_not be_able_to(:read, asset) }
+      it { should_not be_able_to(:download, file) }
     end
   end
 

data/spec/unit/access_controls_enforcement_spec.rb

@@ -5,7 +5,7 @@ describe Hydra::AccessControlsEnforcement do
     class MockController
       include Hydra::AccessControlsEnforcement
       attr_accessor :params
-      
+
       def current_ability
         @current_ability ||= Ability.new(current_user)
       end
@@ -17,32 +17,33 @@ describe Hydra::AccessControlsEnforcement do
     end
   end
   subject { MockController.new }
-  
+
   describe "When I am searching for content" do
     before do
       @solr_parameters = {}
+      @user_parameters = {}
     end
     context "Given I am not logged in" do
       before do
         allow(subject).to receive(:current_user).and_return(User.new(:new_record=>true))
-        subject.send(:apply_gated_discovery, @solr_parameters)
+        subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       end
       it "Then I should be treated as a member of the 'public' group" do
         expect(@solr_parameters[:fq].first).to eq 'edit_access_group_ssim:public OR discover_access_group_ssim:public OR read_access_group_ssim:public'
       end
       it "Then I should not be treated as a member of the 'registered' group" do
-        expect(@solr_parameters[:fq].first).to_not match(/registered/) 
+        expect(@solr_parameters[:fq].first).to_not match(/registered/)
       end
-      it "Then I should not have individual or group permissions"
-      it "Should change based on the discovery_perissions" do
+      it "Should changed based on the discovery_perissions" do
         @solr_parameters = {}
         discovery_permissions = ["read","edit"]
-        subject.send(:apply_gated_discovery, @solr_parameters)
+        subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
         ["edit","read"].each do |type|
-          expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)      
+          expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
         end
       end
     end
+
     context "Given I am a registered user" do
       before do
         @user = FactoryGirl.build(:martia_morocco)
@@ -51,39 +52,39 @@ describe Hydra::AccessControlsEnforcement do
         # This is a pretty fragile way to stub it...
         allow(RoleMapper).to receive(:byname).and_return(@user.user_key=>["faculty", "africana-faculty"])
         allow(subject).to receive(:current_user).and_return(@user)
-        subject.send(:apply_gated_discovery, @solr_parameters)
+        subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       end
       it "Then I should be treated as a member of the 'public' and 'registered' groups" do
         ["discover","edit","read"].each do |type|
-          expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)  
-          expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:registered/)      
+          expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
+          expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:registered/)
         end
       end
       it "Then I should see assets that I have discover, read, or edit access to" do
         ["discover","edit","read"].each do |type|
-          expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@user.user_key}/)      
+          expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@user.user_key}/)
         end
       end
       it "Then I should see assets that my groups have discover, read, or edit access to" do
         ["faculty", "africana-faculty"].each do |group_id|
           ["discover","edit","read"].each do |type|
-            expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)      
+            expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
           end
         end
       end
-      it "Should change based on the discovery_perissions" do
+      it "Should changed based on the discovery_perissions" do
         @solr_parameters = {}
         discovery_permissions = ["read","edit"]
-        subject.send(:apply_gated_discovery, @solr_parameters)
+        subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
         ["faculty", "africana-faculty"].each do |group_id|
           ["edit","read"].each do |type|
-            expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)      
+            expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
           end
         end
       end
     end
   end
-  
+
   describe "enforce_show_permissions" do
     it "should allow a user w/ edit permissions to view an embargoed object" do
       user = User.new :uid=>'testuser@example.com'
@@ -116,32 +117,33 @@ describe Hydra::AccessControlsEnforcement do
       allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["archivist","researcher"])
       allow(subject).to receive(:current_user).and_return(@stub_user)
       @solr_parameters = {}
+      @user_parameters = {}
     end
     it "should set query fields for the user id checking against the discover, access, read fields" do
-      subject.send(:apply_gated_discovery, @solr_parameters)
+      subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       ["discover","edit","read"].each do |type|
-        expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@stub_user.user_key}/)      
+        expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@stub_user.user_key}/)
       end
     end
     it "should set query fields for all roles the user is a member of checking against the discover, access, read fields" do
-      subject.send(:apply_gated_discovery, @solr_parameters)
+      subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       ["discover","edit","read"].each do |type|
-        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:archivist/)        
-        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:researcher/)        
+        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:archivist/)
+        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:researcher/)
       end
     end
 
     it "should escape slashes in the group names" do
       allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc/123","cde/567"])
-      subject.send(:apply_gated_discovery, @solr_parameters)
+      subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       ["discover","edit","read"].each do |type|
-        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\\/123/)        
-        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\\/567/)        
+        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\\/123/)
+        expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\\/567/)
       end
     end
     it "should escape spaces in the group names" do
       allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc 123","cd/e 567"])
-      subject.send(:apply_gated_discovery, @solr_parameters)
+      subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       ["discover","edit","read"].each do |type|
         expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\ 123/)
         expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cd\\\/e\\ 567/)
@@ -149,7 +151,7 @@ describe Hydra::AccessControlsEnforcement do
     end
     it "should escape colons in the group names" do
       allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc:123","cde:567"])
-      subject.send(:apply_gated_discovery, @solr_parameters)
+      subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
       ["discover","edit","read"].each do |type|
         expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\:123/)
         expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\:567/)

data/spec/unit/access_right_spec.rb

@@ -38,7 +38,12 @@ describe Hydra::AccessControls::AccessRight do
     TEXT
 
     it spec_text do
-      permissions = [Hydra::AccessControls::Permission.new({access: :edit, name: givin_permission})]
+      permissions = if givin_permission
+        [Hydra::AccessControls::Permission.new(type: 'group', access: 'edit', name: givin_permission)]
+      else
+        []
+      end
+
       permissionable = double(
         'permissionable',
         permissions: permissions,

data/spec/unit/accessible_by_spec.rb

@@ -3,13 +3,22 @@ require 'spec_helper'
 describe "active_fedora/accessible_by" do
   let(:user) {FactoryGirl.build(:ira_instructor)}
   let(:ability) {Ability.new(user)}
-  let(:private_obj) {FactoryGirl.create(:default_access_asset)}
-  let(:public_obj) {FactoryGirl.create(:open_access_asset)}
-  let(:editable_obj) {FactoryGirl.create(:group_edit_asset)}
+  let(:private_obj) {FactoryGirl.create(:asset)}
+  let(:public_obj) {FactoryGirl.create(:asset)}
+  let(:editable_obj) {FactoryGirl.create(:asset)}
+
+  # let(:private_obj) {FactoryGirl.create(:default_access_asset)}
+  # let(:public_obj) {FactoryGirl.create(:open_access_asset)}
+  # let(:editable_obj) {FactoryGirl.create(:group_edit_asset)}
 
   before do
-    user.should_receive(:groups).at_most(:once).and_return(user.roles)
-    ModsAsset.delete_all
+    private_obj.permissions_attributes = [{ name: "joe_creator", access: "edit", type: "person" }]
+    private_obj.save
+    public_obj.permissions_attributes = [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
+    public_obj.save
+    editable_obj.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
+    editable_obj.save
+    expect(user).to receive(:groups).at_most(:once).and_return(user.roles)
   end
 
   after do