hydra-access-controls 8.2.0 → 9.0.0.beta1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.textile +10 -10
- data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
- data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
- data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
- data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
- data/app/models/concerns/hydra/access_controls.rb +0 -1
- data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
- data/app/models/concerns/hydra/rights.rb +15 -0
- data/app/models/hydra/access_controls/access_control_list.rb +17 -0
- data/app/models/hydra/access_controls/embargo.rb +65 -0
- data/app/models/hydra/access_controls/lease.rb +66 -0
- data/app/models/hydra/access_controls/permission.rb +85 -0
- data/app/vocabularies/acl.rb +12 -0
- data/app/vocabularies/hydra/acl.rb +20 -0
- data/config/fedora.yml +4 -2
- data/hydra-access-controls.gemspec +6 -7
- data/lib/hydra/ability.rb +45 -43
- data/lib/hydra/access_controls_enforcement.rb +23 -25
- data/lib/hydra/admin_policy.rb +34 -11
- data/lib/hydra/config.rb +4 -15
- data/lib/hydra/permissions_query.rb +2 -2
- data/lib/hydra/permissions_solr_document.rb +4 -6
- data/lib/hydra/policy_aware_ability.rb +56 -53
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
- data/lib/hydra-access-controls.rb +1 -1
- data/spec/factories.rb +15 -15
- data/spec/services/embargo_service_spec.rb +6 -6
- data/spec/services/lease_service_spec.rb +6 -6
- data/spec/spec_helper.rb +20 -13
- data/spec/support/mods_asset.rb +3 -3
- data/spec/unit/ability_spec.rb +96 -121
- data/spec/unit/access_controls_enforcement_spec.rb +29 -27
- data/spec/unit/access_right_spec.rb +6 -1
- data/spec/unit/accessible_by_spec.rb +14 -5
- data/spec/unit/admin_policy_spec.rb +99 -92
- data/spec/unit/config_spec.rb +14 -15
- data/spec/unit/embargoable_spec.rb +26 -28
- data/spec/unit/permission_spec.rb +36 -16
- data/spec/unit/permissions_spec.rb +121 -65
- data/spec/unit/policy_aware_ability_spec.rb +64 -78
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
- data/spec/unit/role_mapper_spec.rb +10 -10
- data/spec/unit/with_access_right_spec.rb +1 -1
- metadata +29 -51
- data/lib/hydra/access_controls/permission.rb +0 -40
- data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
- data/lib/hydra/datastream/rights_metadata.rb +0 -276
- data/lib/hydra/datastream.rb +0 -7
- data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
- data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
- data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65
data/spec/unit/ability_spec.rb
CHANGED
@@ -12,17 +12,15 @@ describe Ability do
|
|
12
12
|
|
13
13
|
context "for a not-signed in user" do
|
14
14
|
before do
|
15
|
-
User.
|
16
|
-
User.
|
15
|
+
allow_any_instance_of(User).to receive(:email).and_return(nil)
|
16
|
+
allow_any_instance_of(User).to receive(:new_record?).and_return(true)
|
17
17
|
end
|
18
18
|
subject { Ability.new(nil) }
|
19
19
|
it "should call custom_permissions" do
|
20
|
-
Ability.
|
20
|
+
expect_any_instance_of(Ability).to receive(:custom_permissions)
|
21
21
|
subject.can?(:delete, 7)
|
22
22
|
end
|
23
|
-
it
|
24
|
-
subject.should_not be_able_to(:create, ActiveFedora::Base)
|
25
|
-
end
|
23
|
+
it { should_not be_able_to(:create, ActiveFedora::Base) }
|
26
24
|
end
|
27
25
|
|
28
26
|
context "for a signed in user" do
|
@@ -30,55 +28,51 @@ describe Ability do
|
|
30
28
|
@user = FactoryGirl.build(:registered_user)
|
31
29
|
end
|
32
30
|
subject { Ability.new(@user) }
|
33
|
-
|
34
|
-
|
35
|
-
end
|
31
|
+
|
32
|
+
it { should_not be_able_to(:create, ActiveFedora::Base) }
|
36
33
|
end
|
37
34
|
|
38
35
|
|
39
|
-
# NOTES:
|
36
|
+
# NOTES:
|
40
37
|
# See spec/requests/... for test coverage describing WHAT should appear on a page based on access permissions
|
41
38
|
# Test coverage for discover permission is in spec/requests/gated_discovery_spec.rb
|
42
|
-
|
39
|
+
|
43
40
|
describe "Given an asset that has been made publicly available (ie. open access)" do
|
41
|
+
#let(:asset) { FactoryGirl.create(:open_access_asset) }
|
42
|
+
let(:asset) { FactoryGirl.create(:asset) }
|
44
43
|
before do
|
45
|
-
|
46
|
-
|
44
|
+
asset.permissions_attributes = [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
|
45
|
+
asset.save
|
47
46
|
end
|
47
|
+
|
48
48
|
context "Then a not-signed-in user" do
|
49
|
-
before do
|
50
|
-
@user = User.new
|
51
|
-
@user.new_record = true
|
52
|
-
end
|
53
49
|
subject { Ability.new(nil) }
|
54
|
-
it
|
55
|
-
|
56
|
-
|
57
|
-
it
|
58
|
-
subject.can?(:edit, @asset).should be false
|
59
|
-
subject.can?(:update, @asset).should be false
|
60
|
-
subject.can?(:destroy, @asset).should be false
|
61
|
-
end
|
50
|
+
it { should be_able_to(:read, asset) }
|
51
|
+
it { should_not be_able_to(:edit, asset) }
|
52
|
+
it { should_not be_able_to(:update, asset) }
|
53
|
+
it { should_not be_able_to(:destroy, asset) }
|
62
54
|
end
|
55
|
+
|
63
56
|
context "Then a registered user" do
|
64
57
|
before do
|
65
58
|
@user = FactoryGirl.build(:registered_user)
|
66
59
|
end
|
67
60
|
subject { Ability.new(@user) }
|
68
|
-
it
|
69
|
-
|
70
|
-
|
71
|
-
it
|
72
|
-
subject.can?(:edit, @asset).should be false
|
73
|
-
subject.can?(:update, @asset).should be false
|
74
|
-
subject.can?(:destroy, @asset).should be false
|
75
|
-
end
|
61
|
+
it { should be_able_to(:read, asset) }
|
62
|
+
it { should_not be_able_to(:edit, asset) }
|
63
|
+
it { should_not be_able_to(:update, asset) }
|
64
|
+
it { should_not be_able_to(:destroy, asset) }
|
76
65
|
end
|
77
66
|
end
|
78
|
-
|
67
|
+
|
79
68
|
describe "Given an asset with no custom access set" do
|
80
|
-
let(:asset) { FactoryGirl.create(:default_access_asset) }
|
81
|
-
let(:
|
69
|
+
#let(:asset) { FactoryGirl.create(:default_access_asset) }
|
70
|
+
let(:asset) { FactoryGirl.create(:asset) }
|
71
|
+
before do
|
72
|
+
asset.permissions_attributes = [{ name: "joe_creator", access: "edit", type: "person" }]
|
73
|
+
asset.save
|
74
|
+
end
|
75
|
+
let(:solr_doc) { SolrDocument.new(asset.to_solr.merge(id: asset.id)) }
|
82
76
|
context "Then a not-signed-in user" do
|
83
77
|
let(:user) { User.new.tap {|u| u.new_record = true } }
|
84
78
|
subject { Ability.new(user) }
|
@@ -108,9 +102,11 @@ describe Ability do
|
|
108
102
|
end
|
109
103
|
|
110
104
|
describe "Given an asset which registered users have read access to" do
|
105
|
+
# let(:asset) { FactoryGirl.create(:org_read_access_asset) }
|
106
|
+
let(:asset) { FactoryGirl.create(:asset) }
|
111
107
|
before do
|
112
|
-
|
113
|
-
|
108
|
+
asset.permissions_attributes = [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
|
109
|
+
asset.save
|
114
110
|
end
|
115
111
|
context "The a registered user" do
|
116
112
|
before do
|
@@ -118,58 +114,52 @@ describe Ability do
|
|
118
114
|
end
|
119
115
|
subject { Ability.new(@user) }
|
120
116
|
|
121
|
-
it
|
122
|
-
|
123
|
-
|
124
|
-
it
|
125
|
-
|
126
|
-
subject.can?(:update, @asset).should be false
|
127
|
-
subject.can?(:destroy, @asset).should be false
|
128
|
-
end
|
129
|
-
it "should not be able to see the admin view of the asset" do
|
130
|
-
subject.can?(:admin, @asset).should be false
|
131
|
-
end
|
117
|
+
it { should be_able_to(:read, asset) }
|
118
|
+
it { should_not be_able_to(:edit, asset) }
|
119
|
+
it { should_not be_able_to(:update, asset) }
|
120
|
+
it { should_not be_able_to(:destroy, asset) }
|
121
|
+
it { should_not be_able_to(:admin, asset) }
|
132
122
|
end
|
133
123
|
end
|
134
124
|
|
135
125
|
describe "Given an asset with collaborator" do
|
136
|
-
|
137
|
-
|
126
|
+
# let(:asset) { FactoryGirl.create(:group_edit_asset) }
|
127
|
+
let(:asset) { FactoryGirl.create(:asset) }
|
128
|
+
before do
|
129
|
+
asset.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
|
130
|
+
asset.save
|
131
|
+
end
|
132
|
+
after { asset.destroy }
|
138
133
|
context "Then a collaborator with edit access (user permision)" do
|
139
134
|
before do
|
140
135
|
@user = FactoryGirl.build(:calvin_collaborator)
|
141
136
|
end
|
142
137
|
subject { Ability.new(@user) }
|
143
138
|
|
144
|
-
it
|
145
|
-
|
146
|
-
|
147
|
-
it
|
148
|
-
|
149
|
-
subject.can?(:update, @asset).should be true
|
150
|
-
subject.can?(:destroy, @asset).should be true
|
151
|
-
end
|
152
|
-
it "should not be able to see the admin view of the asset" do
|
153
|
-
subject.can?(:admin, @asset).should be false
|
154
|
-
end
|
139
|
+
it { should be_able_to(:read, asset) }
|
140
|
+
it { should be_able_to(:edit, asset) }
|
141
|
+
it { should be_able_to(:update, asset) }
|
142
|
+
it { should be_able_to(:destroy, asset) }
|
143
|
+
it { should_not be_able_to(:admin, asset) }
|
155
144
|
end
|
145
|
+
|
156
146
|
context "Then a collaborator with edit access (group permision)" do
|
157
147
|
before do
|
158
148
|
@user = FactoryGirl.build(:martia_morocco)
|
159
|
-
RoleMapper.
|
149
|
+
allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
|
160
150
|
end
|
161
151
|
subject { Ability.new(@user) }
|
162
152
|
|
163
|
-
it
|
164
|
-
subject.can?(:read, @asset).should be true
|
165
|
-
end
|
153
|
+
it { should be_able_to(:read, asset) }
|
166
154
|
end
|
167
155
|
end
|
168
156
|
|
169
157
|
describe "Given an asset where dept can read & registered users can discover" do
|
158
|
+
# let(:asset) { FactoryGirl.create(:dept_access_asset) }
|
159
|
+
let(:asset) { FactoryGirl.create(:asset) }
|
170
160
|
before do
|
171
|
-
|
172
|
-
|
161
|
+
asset.permissions_attributes = [{ name: "africana-faculty", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }]
|
162
|
+
asset.save
|
173
163
|
end
|
174
164
|
context "Then a registered user" do
|
175
165
|
before do
|
@@ -177,36 +167,25 @@ describe Ability do
|
|
177
167
|
end
|
178
168
|
subject { Ability.new(@user) }
|
179
169
|
|
180
|
-
it
|
181
|
-
|
182
|
-
|
183
|
-
it
|
184
|
-
|
185
|
-
subject.can?(:update, @asset).should be false
|
186
|
-
subject.can?(:destroy, @asset).should be false
|
187
|
-
end
|
188
|
-
it "should not be able to see the admin view of the asset" do
|
189
|
-
subject.can?(:admin, @asset).should be false
|
190
|
-
end
|
170
|
+
it { should_not be_able_to(:read, asset) }
|
171
|
+
it { should_not be_able_to(:edit, asset) }
|
172
|
+
it { should_not be_able_to(:update, asset) }
|
173
|
+
it { should_not be_able_to(:destroy, asset) }
|
174
|
+
it { should_not be_able_to(:admin, asset) }
|
191
175
|
end
|
176
|
+
|
192
177
|
context "Then someone whose role/group has read access" do
|
193
178
|
before do
|
194
179
|
@user = FactoryGirl.build(:martia_morocco)
|
195
|
-
RoleMapper.
|
180
|
+
allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
|
196
181
|
end
|
197
182
|
subject { Ability.new(@user) }
|
198
183
|
|
199
|
-
it
|
200
|
-
|
201
|
-
|
202
|
-
it
|
203
|
-
|
204
|
-
subject.can?(:update, @asset).should be false
|
205
|
-
subject.can?(:destroy, @asset).should be false
|
206
|
-
end
|
207
|
-
it "should not be able to see the admin view of the asset" do
|
208
|
-
subject.can?(:admin, @asset).should be false
|
209
|
-
end
|
184
|
+
it { should be_able_to(:read, asset) }
|
185
|
+
it { should_not be_able_to(:edit, asset) }
|
186
|
+
it { should_not be_able_to(:update, asset) }
|
187
|
+
it { should_not be_able_to(:destroy, asset) }
|
188
|
+
it { should_not be_able_to(:admin, asset) }
|
210
189
|
end
|
211
190
|
end
|
212
191
|
|
@@ -230,56 +209,52 @@ describe Ability do
|
|
230
209
|
|
231
210
|
subject { MyAbility.new(@user) }
|
232
211
|
|
233
|
-
it
|
234
|
-
subject.can?(:accept, ActiveFedora::Base).should be true
|
235
|
-
end
|
212
|
+
it { should be_able_to(:accept, ActiveFedora::Base) }
|
236
213
|
|
237
214
|
end
|
238
215
|
|
239
216
|
describe "calling ability on two separate objects" do
|
217
|
+
#asset1 = FactoryGirl.create(:org_read_access_asset)
|
218
|
+
let(:asset1) { FactoryGirl.create(:asset) }
|
219
|
+
let(:asset2) { FactoryGirl.create(:asset) }
|
240
220
|
before do
|
241
|
-
|
242
|
-
|
221
|
+
asset1.permissions_attributes = [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
|
222
|
+
asset1.save
|
243
223
|
@user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
|
244
224
|
end
|
245
225
|
after do
|
246
|
-
|
247
|
-
|
226
|
+
asset1.destroy
|
227
|
+
asset2.destroy
|
248
228
|
end
|
249
229
|
subject { Ability.new(@user) }
|
250
230
|
it "should be readable in the first instance and not in the second instance" do
|
251
231
|
# We had a bug around this where it keeps returning the access for the first object queried
|
252
|
-
subject.
|
253
|
-
subject.
|
232
|
+
expect(subject).to be_able_to(:edit, asset1)
|
233
|
+
expect(subject).to_not be_able_to(:edit, asset2)
|
254
234
|
end
|
255
235
|
end
|
256
236
|
|
257
237
|
describe "download permissions" do
|
258
|
-
subject { Ability.new(
|
259
|
-
|
260
|
-
|
261
|
-
|
262
|
-
|
263
|
-
after {
|
238
|
+
subject { Ability.new(user) }
|
239
|
+
let(:asset) { FactoryGirl.create(:asset) }
|
240
|
+
let(:user) { FactoryGirl.build(:user) }
|
241
|
+
let(:file) { ActiveFedora::File.new("#{asset.uri}/ds1") }
|
242
|
+
|
243
|
+
after { asset.destroy }
|
244
|
+
|
264
245
|
context "user has read permission on the object" do
|
265
246
|
before do
|
266
|
-
|
267
|
-
|
268
|
-
end
|
269
|
-
it "should permit the user to download the object's datastreams" do
|
270
|
-
subject.can?(:read, @asset).should be true
|
271
|
-
@asset.datastreams.each_value do |ds|
|
272
|
-
subject.can?(:download, ds).should be true
|
273
|
-
end
|
247
|
+
asset.read_users = [user.user_key]
|
248
|
+
asset.save!
|
274
249
|
end
|
250
|
+
|
251
|
+
it { should be_able_to(:read, asset.id) }
|
252
|
+
it { should be_able_to(:download, file) }
|
275
253
|
end
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
subject.can?(:download, ds).should be false
|
281
|
-
end
|
282
|
-
end
|
254
|
+
|
255
|
+
context "user lacks read permission on the object and file" do
|
256
|
+
it { should_not be_able_to(:read, asset) }
|
257
|
+
it { should_not be_able_to(:download, file) }
|
283
258
|
end
|
284
259
|
end
|
285
260
|
|
@@ -5,7 +5,7 @@ describe Hydra::AccessControlsEnforcement do
|
|
5
5
|
class MockController
|
6
6
|
include Hydra::AccessControlsEnforcement
|
7
7
|
attr_accessor :params
|
8
|
-
|
8
|
+
|
9
9
|
def current_ability
|
10
10
|
@current_ability ||= Ability.new(current_user)
|
11
11
|
end
|
@@ -17,32 +17,33 @@ describe Hydra::AccessControlsEnforcement do
|
|
17
17
|
end
|
18
18
|
end
|
19
19
|
subject { MockController.new }
|
20
|
-
|
20
|
+
|
21
21
|
describe "When I am searching for content" do
|
22
22
|
before do
|
23
23
|
@solr_parameters = {}
|
24
|
+
@user_parameters = {}
|
24
25
|
end
|
25
26
|
context "Given I am not logged in" do
|
26
27
|
before do
|
27
28
|
allow(subject).to receive(:current_user).and_return(User.new(:new_record=>true))
|
28
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
29
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
29
30
|
end
|
30
31
|
it "Then I should be treated as a member of the 'public' group" do
|
31
32
|
expect(@solr_parameters[:fq].first).to eq 'edit_access_group_ssim:public OR discover_access_group_ssim:public OR read_access_group_ssim:public'
|
32
33
|
end
|
33
34
|
it "Then I should not be treated as a member of the 'registered' group" do
|
34
|
-
expect(@solr_parameters[:fq].first).to_not match(/registered/)
|
35
|
+
expect(@solr_parameters[:fq].first).to_not match(/registered/)
|
35
36
|
end
|
36
|
-
it "
|
37
|
-
it "Should change based on the discovery_perissions" do
|
37
|
+
it "Should changed based on the discovery_perissions" do
|
38
38
|
@solr_parameters = {}
|
39
39
|
discovery_permissions = ["read","edit"]
|
40
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
40
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
41
41
|
["edit","read"].each do |type|
|
42
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
|
42
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
|
43
43
|
end
|
44
44
|
end
|
45
45
|
end
|
46
|
+
|
46
47
|
context "Given I am a registered user" do
|
47
48
|
before do
|
48
49
|
@user = FactoryGirl.build(:martia_morocco)
|
@@ -51,39 +52,39 @@ describe Hydra::AccessControlsEnforcement do
|
|
51
52
|
# This is a pretty fragile way to stub it...
|
52
53
|
allow(RoleMapper).to receive(:byname).and_return(@user.user_key=>["faculty", "africana-faculty"])
|
53
54
|
allow(subject).to receive(:current_user).and_return(@user)
|
54
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
55
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
55
56
|
end
|
56
57
|
it "Then I should be treated as a member of the 'public' and 'registered' groups" do
|
57
58
|
["discover","edit","read"].each do |type|
|
58
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
|
59
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:registered/)
|
59
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
|
60
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:registered/)
|
60
61
|
end
|
61
62
|
end
|
62
63
|
it "Then I should see assets that I have discover, read, or edit access to" do
|
63
64
|
["discover","edit","read"].each do |type|
|
64
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@user.user_key}/)
|
65
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@user.user_key}/)
|
65
66
|
end
|
66
67
|
end
|
67
68
|
it "Then I should see assets that my groups have discover, read, or edit access to" do
|
68
69
|
["faculty", "africana-faculty"].each do |group_id|
|
69
70
|
["discover","edit","read"].each do |type|
|
70
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
|
71
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
|
71
72
|
end
|
72
73
|
end
|
73
74
|
end
|
74
|
-
it "Should
|
75
|
+
it "Should changed based on the discovery_perissions" do
|
75
76
|
@solr_parameters = {}
|
76
77
|
discovery_permissions = ["read","edit"]
|
77
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
78
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
78
79
|
["faculty", "africana-faculty"].each do |group_id|
|
79
80
|
["edit","read"].each do |type|
|
80
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
|
81
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
|
81
82
|
end
|
82
83
|
end
|
83
84
|
end
|
84
85
|
end
|
85
86
|
end
|
86
|
-
|
87
|
+
|
87
88
|
describe "enforce_show_permissions" do
|
88
89
|
it "should allow a user w/ edit permissions to view an embargoed object" do
|
89
90
|
user = User.new :uid=>'testuser@example.com'
|
@@ -116,32 +117,33 @@ describe Hydra::AccessControlsEnforcement do
|
|
116
117
|
allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["archivist","researcher"])
|
117
118
|
allow(subject).to receive(:current_user).and_return(@stub_user)
|
118
119
|
@solr_parameters = {}
|
120
|
+
@user_parameters = {}
|
119
121
|
end
|
120
122
|
it "should set query fields for the user id checking against the discover, access, read fields" do
|
121
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
123
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
122
124
|
["discover","edit","read"].each do |type|
|
123
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@stub_user.user_key}/)
|
125
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@stub_user.user_key}/)
|
124
126
|
end
|
125
127
|
end
|
126
128
|
it "should set query fields for all roles the user is a member of checking against the discover, access, read fields" do
|
127
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
129
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
128
130
|
["discover","edit","read"].each do |type|
|
129
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:archivist/)
|
130
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:researcher/)
|
131
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:archivist/)
|
132
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:researcher/)
|
131
133
|
end
|
132
134
|
end
|
133
135
|
|
134
136
|
it "should escape slashes in the group names" do
|
135
137
|
allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc/123","cde/567"])
|
136
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
138
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
137
139
|
["discover","edit","read"].each do |type|
|
138
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\\/123/)
|
139
|
-
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\\/567/)
|
140
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\\/123/)
|
141
|
+
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\\/567/)
|
140
142
|
end
|
141
143
|
end
|
142
144
|
it "should escape spaces in the group names" do
|
143
145
|
allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc 123","cd/e 567"])
|
144
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
146
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
145
147
|
["discover","edit","read"].each do |type|
|
146
148
|
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\ 123/)
|
147
149
|
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cd\\\/e\\ 567/)
|
@@ -149,7 +151,7 @@ describe Hydra::AccessControlsEnforcement do
|
|
149
151
|
end
|
150
152
|
it "should escape colons in the group names" do
|
151
153
|
allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc:123","cde:567"])
|
152
|
-
subject.send(:apply_gated_discovery, @solr_parameters)
|
154
|
+
subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
|
153
155
|
["discover","edit","read"].each do |type|
|
154
156
|
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\:123/)
|
155
157
|
expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\:567/)
|
@@ -38,7 +38,12 @@ describe Hydra::AccessControls::AccessRight do
|
|
38
38
|
TEXT
|
39
39
|
|
40
40
|
it spec_text do
|
41
|
-
permissions =
|
41
|
+
permissions = if givin_permission
|
42
|
+
[Hydra::AccessControls::Permission.new(type: 'group', access: 'edit', name: givin_permission)]
|
43
|
+
else
|
44
|
+
[]
|
45
|
+
end
|
46
|
+
|
42
47
|
permissionable = double(
|
43
48
|
'permissionable',
|
44
49
|
permissions: permissions,
|
@@ -3,13 +3,22 @@ require 'spec_helper'
|
|
3
3
|
describe "active_fedora/accessible_by" do
|
4
4
|
let(:user) {FactoryGirl.build(:ira_instructor)}
|
5
5
|
let(:ability) {Ability.new(user)}
|
6
|
-
let(:private_obj) {FactoryGirl.create(:
|
7
|
-
let(:public_obj) {FactoryGirl.create(:
|
8
|
-
let(:editable_obj) {FactoryGirl.create(:
|
6
|
+
let(:private_obj) {FactoryGirl.create(:asset)}
|
7
|
+
let(:public_obj) {FactoryGirl.create(:asset)}
|
8
|
+
let(:editable_obj) {FactoryGirl.create(:asset)}
|
9
|
+
|
10
|
+
# let(:private_obj) {FactoryGirl.create(:default_access_asset)}
|
11
|
+
# let(:public_obj) {FactoryGirl.create(:open_access_asset)}
|
12
|
+
# let(:editable_obj) {FactoryGirl.create(:group_edit_asset)}
|
9
13
|
|
10
14
|
before do
|
11
|
-
|
12
|
-
|
15
|
+
private_obj.permissions_attributes = [{ name: "joe_creator", access: "edit", type: "person" }]
|
16
|
+
private_obj.save
|
17
|
+
public_obj.permissions_attributes = [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
|
18
|
+
public_obj.save
|
19
|
+
editable_obj.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
|
20
|
+
editable_obj.save
|
21
|
+
expect(user).to receive(:groups).at_most(:once).and_return(user.roles)
|
13
22
|
end
|
14
23
|
|
15
24
|
after do
|