hydra-access-controls 8.2.0 → 9.0.0.beta1

Files changed (52)
  1. checksums.yaml +4 -4
  2. data/README.textile +10 -10
  3. data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
  4. data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
  5. data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
  6. data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
  7. data/app/models/concerns/hydra/access_controls.rb +0 -1
  8. data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
  9. data/app/models/concerns/hydra/rights.rb +15 -0
  10. data/app/models/hydra/access_controls/access_control_list.rb +17 -0
  11. data/app/models/hydra/access_controls/embargo.rb +65 -0
  12. data/app/models/hydra/access_controls/lease.rb +66 -0
  13. data/app/models/hydra/access_controls/permission.rb +85 -0
  14. data/app/vocabularies/acl.rb +12 -0
  15. data/app/vocabularies/hydra/acl.rb +20 -0
  16. data/config/fedora.yml +4 -2
  17. data/hydra-access-controls.gemspec +6 -7
  18. data/lib/hydra/ability.rb +45 -43
  19. data/lib/hydra/access_controls_enforcement.rb +23 -25
  20. data/lib/hydra/admin_policy.rb +34 -11
  21. data/lib/hydra/config.rb +4 -15
  22. data/lib/hydra/permissions_query.rb +2 -2
  23. data/lib/hydra/permissions_solr_document.rb +4 -6
  24. data/lib/hydra/policy_aware_ability.rb +56 -53
  25. data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
  26. data/lib/hydra-access-controls.rb +1 -1
  27. data/spec/factories.rb +15 -15
  28. data/spec/services/embargo_service_spec.rb +6 -6
  29. data/spec/services/lease_service_spec.rb +6 -6
  30. data/spec/spec_helper.rb +20 -13
  31. data/spec/support/mods_asset.rb +3 -3
  32. data/spec/unit/ability_spec.rb +96 -121
  33. data/spec/unit/access_controls_enforcement_spec.rb +29 -27
  34. data/spec/unit/access_right_spec.rb +6 -1
  35. data/spec/unit/accessible_by_spec.rb +14 -5
  36. data/spec/unit/admin_policy_spec.rb +99 -92
  37. data/spec/unit/config_spec.rb +14 -15
  38. data/spec/unit/embargoable_spec.rb +26 -28
  39. data/spec/unit/permission_spec.rb +36 -16
  40. data/spec/unit/permissions_spec.rb +121 -65
  41. data/spec/unit/policy_aware_ability_spec.rb +64 -78
  42. data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
  43. data/spec/unit/role_mapper_spec.rb +10 -10
  44. data/spec/unit/with_access_right_spec.rb +1 -1
  45. metadata +29 -51
  46. data/lib/hydra/access_controls/permission.rb +0 -40
  47. data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
  48. data/lib/hydra/datastream/rights_metadata.rb +0 -276
  49. data/lib/hydra/datastream.rb +0 -7
  50. data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
  51. data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
  52. data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65
@@ -12,17 +12,15 @@ describe Ability do
12
12
 
13
13
  context "for a not-signed in user" do
14
14
  before do
15
- User.any_instance.stub(:email).and_return(nil)
16
- User.any_instance.stub(:new_record?).and_return(true)
15
+ allow_any_instance_of(User).to receive(:email).and_return(nil)
16
+ allow_any_instance_of(User).to receive(:new_record?).and_return(true)
17
17
  end
18
18
  subject { Ability.new(nil) }
19
19
  it "should call custom_permissions" do
20
- Ability.any_instance.should_receive(:custom_permissions)
20
+ expect_any_instance_of(Ability).to receive(:custom_permissions)
21
21
  subject.can?(:delete, 7)
22
22
  end
23
- it "should not be able to create ActiveFedora::Base objects" do
24
- subject.should_not be_able_to(:create, ActiveFedora::Base)
25
- end
23
+ it { should_not be_able_to(:create, ActiveFedora::Base) }
26
24
  end
27
25
 
28
26
  context "for a signed in user" do
@@ -30,55 +28,51 @@ describe Ability do
30
28
  @user = FactoryGirl.build(:registered_user)
31
29
  end
32
30
  subject { Ability.new(@user) }
33
- it "should not be able to create ActiveFedora::Base objects" do
34
- subject.should_not be_able_to(:create, ActiveFedora::Base)
35
- end
31
+
32
+ it { should_not be_able_to(:create, ActiveFedora::Base) }
36
33
  end
37
34
 
38
35
 
39
- # NOTES:
36
+ # NOTES:
40
37
  # See spec/requests/... for test coverage describing WHAT should appear on a page based on access permissions
41
38
  # Test coverage for discover permission is in spec/requests/gated_discovery_spec.rb
42
-
39
+
43
40
  describe "Given an asset that has been made publicly available (ie. open access)" do
41
+ #let(:asset) { FactoryGirl.create(:open_access_asset) }
42
+ let(:asset) { FactoryGirl.create(:asset) }
44
43
  before do
45
- @asset = FactoryGirl.build(:open_access_asset)
46
- @asset.save
44
+ asset.permissions_attributes = [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
45
+ asset.save
47
46
  end
47
+
48
48
  context "Then a not-signed-in user" do
49
- before do
50
- @user = User.new
51
- @user.new_record = true
52
- end
53
49
  subject { Ability.new(nil) }
54
- it "should be able to view the asset" do
55
- subject.can?(:read, @asset).should be true
56
- end
57
- it "should not be able to edit, update and destroy the asset" do
58
- subject.can?(:edit, @asset).should be false
59
- subject.can?(:update, @asset).should be false
60
- subject.can?(:destroy, @asset).should be false
61
- end
50
+ it { should be_able_to(:read, asset) }
51
+ it { should_not be_able_to(:edit, asset) }
52
+ it { should_not be_able_to(:update, asset) }
53
+ it { should_not be_able_to(:destroy, asset) }
62
54
  end
55
+
63
56
  context "Then a registered user" do
64
57
  before do
65
58
  @user = FactoryGirl.build(:registered_user)
66
59
  end
67
60
  subject { Ability.new(@user) }
68
- it "should be able to view the asset" do
69
- subject.can?(:read, @asset).should be true
70
- end
71
- it "should not be able to edit, update and destroy the asset" do
72
- subject.can?(:edit, @asset).should be false
73
- subject.can?(:update, @asset).should be false
74
- subject.can?(:destroy, @asset).should be false
75
- end
61
+ it { should be_able_to(:read, asset) }
62
+ it { should_not be_able_to(:edit, asset) }
63
+ it { should_not be_able_to(:update, asset) }
64
+ it { should_not be_able_to(:destroy, asset) }
76
65
  end
77
66
  end
78
-
67
+
79
68
  describe "Given an asset with no custom access set" do
80
- let(:asset) { FactoryGirl.create(:default_access_asset) }
81
- let(:solr_doc) { SolrDocument.new(asset.rightsMetadata.to_solr.merge(id: asset.pid)) }
69
+ #let(:asset) { FactoryGirl.create(:default_access_asset) }
70
+ let(:asset) { FactoryGirl.create(:asset) }
71
+ before do
72
+ asset.permissions_attributes = [{ name: "joe_creator", access: "edit", type: "person" }]
73
+ asset.save
74
+ end
75
+ let(:solr_doc) { SolrDocument.new(asset.to_solr.merge(id: asset.id)) }
82
76
  context "Then a not-signed-in user" do
83
77
  let(:user) { User.new.tap {|u| u.new_record = true } }
84
78
  subject { Ability.new(user) }
@@ -108,9 +102,11 @@ describe Ability do
108
102
  end
109
103
 
110
104
  describe "Given an asset which registered users have read access to" do
105
+ # let(:asset) { FactoryGirl.create(:org_read_access_asset) }
106
+ let(:asset) { FactoryGirl.create(:asset) }
111
107
  before do
112
- @asset = FactoryGirl.build(:org_read_access_asset)
113
- @asset.save
108
+ asset.permissions_attributes = [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
109
+ asset.save
114
110
  end
115
111
  context "The a registered user" do
116
112
  before do
@@ -118,58 +114,52 @@ describe Ability do
118
114
  end
119
115
  subject { Ability.new(@user) }
120
116
 
121
- it "should be able to view the asset" do
122
- subject.can?(:read, @asset).should be true
123
- end
124
- it "should not be able to edit, update and destroy the asset" do
125
- subject.can?(:edit, @asset).should be false
126
- subject.can?(:update, @asset).should be false
127
- subject.can?(:destroy, @asset).should be false
128
- end
129
- it "should not be able to see the admin view of the asset" do
130
- subject.can?(:admin, @asset).should be false
131
- end
117
+ it { should be_able_to(:read, asset) }
118
+ it { should_not be_able_to(:edit, asset) }
119
+ it { should_not be_able_to(:update, asset) }
120
+ it { should_not be_able_to(:destroy, asset) }
121
+ it { should_not be_able_to(:admin, asset) }
132
122
  end
133
123
  end
134
124
 
135
125
  describe "Given an asset with collaborator" do
136
- before { @asset = FactoryGirl.create(:group_edit_asset) }
137
- after { @asset.destroy }
126
+ # let(:asset) { FactoryGirl.create(:group_edit_asset) }
127
+ let(:asset) { FactoryGirl.create(:asset) }
128
+ before do
129
+ asset.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
130
+ asset.save
131
+ end
132
+ after { asset.destroy }
138
133
  context "Then a collaborator with edit access (user permision)" do
139
134
  before do
140
135
  @user = FactoryGirl.build(:calvin_collaborator)
141
136
  end
142
137
  subject { Ability.new(@user) }
143
138
 
144
- it "should be able to view the asset" do
145
- subject.can?(:read, @asset).should be true
146
- end
147
- it "should be able to edit, update and destroy the asset" do
148
- subject.can?(:edit, @asset).should be true
149
- subject.can?(:update, @asset).should be true
150
- subject.can?(:destroy, @asset).should be true
151
- end
152
- it "should not be able to see the admin view of the asset" do
153
- subject.can?(:admin, @asset).should be false
154
- end
139
+ it { should be_able_to(:read, asset) }
140
+ it { should be_able_to(:edit, asset) }
141
+ it { should be_able_to(:update, asset) }
142
+ it { should be_able_to(:destroy, asset) }
143
+ it { should_not be_able_to(:admin, asset) }
155
144
  end
145
+
156
146
  context "Then a collaborator with edit access (group permision)" do
157
147
  before do
158
148
  @user = FactoryGirl.build(:martia_morocco)
159
- RoleMapper.stub(:roles).with(@user).and_return(@user.roles)
149
+ allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
160
150
  end
161
151
  subject { Ability.new(@user) }
162
152
 
163
- it "should be able to view the asset" do
164
- subject.can?(:read, @asset).should be true
165
- end
153
+ it { should be_able_to(:read, asset) }
166
154
  end
167
155
  end
168
156
 
169
157
  describe "Given an asset where dept can read & registered users can discover" do
158
+ # let(:asset) { FactoryGirl.create(:dept_access_asset) }
159
+ let(:asset) { FactoryGirl.create(:asset) }
170
160
  before do
171
- @asset = FactoryGirl.build(:dept_access_asset)
172
- @asset.save
161
+ asset.permissions_attributes = [{ name: "africana-faculty", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }]
162
+ asset.save
173
163
  end
174
164
  context "Then a registered user" do
175
165
  before do
@@ -177,36 +167,25 @@ describe Ability do
177
167
  end
178
168
  subject { Ability.new(@user) }
179
169
 
180
- it "should not be able to view the asset" do
181
- subject.can?(:read, @asset).should be false
182
- end
183
- it "should not be able to edit, update and destroy the asset" do
184
- subject.can?(:edit, @asset).should be false
185
- subject.can?(:update, @asset).should be false
186
- subject.can?(:destroy, @asset).should be false
187
- end
188
- it "should not be able to see the admin view of the asset" do
189
- subject.can?(:admin, @asset).should be false
190
- end
170
+ it { should_not be_able_to(:read, asset) }
171
+ it { should_not be_able_to(:edit, asset) }
172
+ it { should_not be_able_to(:update, asset) }
173
+ it { should_not be_able_to(:destroy, asset) }
174
+ it { should_not be_able_to(:admin, asset) }
191
175
  end
176
+
192
177
  context "Then someone whose role/group has read access" do
193
178
  before do
194
179
  @user = FactoryGirl.build(:martia_morocco)
195
- RoleMapper.stub(:roles).with(@user).and_return(@user.roles)
180
+ allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
196
181
  end
197
182
  subject { Ability.new(@user) }
198
183
 
199
- it "should be able to view the asset" do
200
- subject.can?(:read, @asset).should be true
201
- end
202
- it "should not be able to edit, update and destroy the asset" do
203
- subject.can?(:edit, @asset).should be false
204
- subject.can?(:update, @asset).should be false
205
- subject.can?(:destroy, @asset).should be false
206
- end
207
- it "should not be able to see the admin view of the asset" do
208
- subject.can?(:admin, @asset).should be false
209
- end
184
+ it { should be_able_to(:read, asset) }
185
+ it { should_not be_able_to(:edit, asset) }
186
+ it { should_not be_able_to(:update, asset) }
187
+ it { should_not be_able_to(:destroy, asset) }
188
+ it { should_not be_able_to(:admin, asset) }
210
189
  end
211
190
  end
212
191
 
@@ -230,56 +209,52 @@ describe Ability do
230
209
 
231
210
  subject { MyAbility.new(@user) }
232
211
 
233
- it "should be set the custom permission" do
234
- subject.can?(:accept, ActiveFedora::Base).should be true
235
- end
212
+ it { should be_able_to(:accept, ActiveFedora::Base) }
236
213
 
237
214
  end
238
215
 
239
216
  describe "calling ability on two separate objects" do
217
+ #asset1 = FactoryGirl.create(:org_read_access_asset)
218
+ let(:asset1) { FactoryGirl.create(:asset) }
219
+ let(:asset2) { FactoryGirl.create(:asset) }
240
220
  before do
241
- @asset1 = FactoryGirl.create(:org_read_access_asset)
242
- @asset2 = FactoryGirl.create(:asset)
221
+ asset1.permissions_attributes = [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
222
+ asset1.save
243
223
  @user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
244
224
  end
245
225
  after do
246
- @asset1.destroy
247
- @asset2.destroy
226
+ asset1.destroy
227
+ asset2.destroy
248
228
  end
249
229
  subject { Ability.new(@user) }
250
230
  it "should be readable in the first instance and not in the second instance" do
251
231
  # We had a bug around this where it keeps returning the access for the first object queried
252
- subject.can?(:edit, @asset1).should be true
253
- subject.can?(:edit, @asset2).should be false
232
+ expect(subject).to be_able_to(:edit, asset1)
233
+ expect(subject).to_not be_able_to(:edit, asset2)
254
234
  end
255
235
  end
256
236
 
257
237
  describe "download permissions" do
258
- subject { Ability.new(@user) }
259
- before do
260
- @asset = FactoryGirl.create(:asset)
261
- @user = FactoryGirl.build(:user)
262
- end
263
- after { @asset.destroy }
238
+ subject { Ability.new(user) }
239
+ let(:asset) { FactoryGirl.create(:asset) }
240
+ let(:user) { FactoryGirl.build(:user) }
241
+ let(:file) { ActiveFedora::File.new("#{asset.uri}/ds1") }
242
+
243
+ after { asset.destroy }
244
+
264
245
  context "user has read permission on the object" do
265
246
  before do
266
- @asset.read_users = [@user.user_key]
267
- @asset.save
268
- end
269
- it "should permit the user to download the object's datastreams" do
270
- subject.can?(:read, @asset).should be true
271
- @asset.datastreams.each_value do |ds|
272
- subject.can?(:download, ds).should be true
273
- end
247
+ asset.read_users = [user.user_key]
248
+ asset.save!
274
249
  end
250
+
251
+ it { should be_able_to(:read, asset.id) }
252
+ it { should be_able_to(:download, file) }
275
253
  end
276
- context "user lacks read permission on the object" do
277
- it "should not permit the user to download the object's datastreams" do
278
- subject.can?(:read, @asset).should be false
279
- @asset.datastreams.each_value do |ds|
280
- subject.can?(:download, ds).should be false
281
- end
282
- end
254
+
255
+ context "user lacks read permission on the object and file" do
256
+ it { should_not be_able_to(:read, asset) }
257
+ it { should_not be_able_to(:download, file) }
283
258
  end
284
259
  end
285
260
 
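Review bot: In the "download permissions" block the granted case asserts `be_able_to(:read, asset.id)` while the denied case asserts `should_not be_able_to(:read, asset)`, so each form of the check is exercised in only one direction. If the id and the loaded object are resolved through different lookups (not visible in this hunk), a regression that grants read by id or denies it by object would go unnoticed; adding `it { should be_able_to(:read, asset) }` to the first context and `it { should_not be_able_to(:read, asset.id) }` to the second closes that gap. The download assertions also shrank from every entry in `@asset.datastreams` to one constructed `ActiveFedora::File` at `ds1`, which deserves a comment saying it stands in for any attached file. Separately, the `before` blocks earlier in this file that set `permissions_attributes` call `asset.save` and ignore the result; `asset.save!`, which this block already uses, makes a failed fixture stop the run instead of surfacing as a confusing permission result.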
@@ -5,7 +5,7 @@ describe Hydra::AccessControlsEnforcement do
5
5
  class MockController
6
6
  include Hydra::AccessControlsEnforcement
7
7
  attr_accessor :params
8
-
8
+
9
9
  def current_ability
10
10
  @current_ability ||= Ability.new(current_user)
11
11
  end
@@ -17,32 +17,33 @@ describe Hydra::AccessControlsEnforcement do
17
17
  end
18
18
  end
19
19
  subject { MockController.new }
20
-
20
+
21
21
  describe "When I am searching for content" do
22
22
  before do
23
23
  @solr_parameters = {}
24
+ @user_parameters = {}
24
25
  end
25
26
  context "Given I am not logged in" do
26
27
  before do
27
28
  allow(subject).to receive(:current_user).and_return(User.new(:new_record=>true))
28
- subject.send(:apply_gated_discovery, @solr_parameters)
29
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
29
30
  end
30
31
  it "Then I should be treated as a member of the 'public' group" do
31
32
  expect(@solr_parameters[:fq].first).to eq 'edit_access_group_ssim:public OR discover_access_group_ssim:public OR read_access_group_ssim:public'
32
33
  end
33
34
  it "Then I should not be treated as a member of the 'registered' group" do
34
- expect(@solr_parameters[:fq].first).to_not match(/registered/)
35
+ expect(@solr_parameters[:fq].first).to_not match(/registered/)
35
36
  end
36
- it "Then I should not have individual or group permissions"
37
- it "Should change based on the discovery_perissions" do
37
+ it "Should changed based on the discovery_perissions" do
38
38
  @solr_parameters = {}
39
39
  discovery_permissions = ["read","edit"]
40
- subject.send(:apply_gated_discovery, @solr_parameters)
40
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
41
41
  ["edit","read"].each do |type|
42
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
42
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
43
43
  end
44
44
  end
45
45
  end
46
+
46
47
  context "Given I am a registered user" do
47
48
  before do
48
49
  @user = FactoryGirl.build(:martia_morocco)
@@ -51,39 +52,39 @@ describe Hydra::AccessControlsEnforcement do
51
52
  # This is a pretty fragile way to stub it...
52
53
  allow(RoleMapper).to receive(:byname).and_return(@user.user_key=>["faculty", "africana-faculty"])
53
54
  allow(subject).to receive(:current_user).and_return(@user)
54
- subject.send(:apply_gated_discovery, @solr_parameters)
55
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
55
56
  end
56
57
  it "Then I should be treated as a member of the 'public' and 'registered' groups" do
57
58
  ["discover","edit","read"].each do |type|
58
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
59
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:registered/)
59
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:public/)
60
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:registered/)
60
61
  end
61
62
  end
62
63
  it "Then I should see assets that I have discover, read, or edit access to" do
63
64
  ["discover","edit","read"].each do |type|
64
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@user.user_key}/)
65
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@user.user_key}/)
65
66
  end
66
67
  end
67
68
  it "Then I should see assets that my groups have discover, read, or edit access to" do
68
69
  ["faculty", "africana-faculty"].each do |group_id|
69
70
  ["discover","edit","read"].each do |type|
70
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
71
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
71
72
  end
72
73
  end
73
74
  end
74
- it "Should change based on the discovery_perissions" do
75
+ it "Should changed based on the discovery_perissions" do
75
76
  @solr_parameters = {}
76
77
  discovery_permissions = ["read","edit"]
77
- subject.send(:apply_gated_discovery, @solr_parameters)
78
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
78
79
  ["faculty", "africana-faculty"].each do |group_id|
79
80
  ["edit","read"].each do |type|
80
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
81
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:#{group_id}/)
81
82
  end
82
83
  end
83
84
  end
84
85
  end
85
86
  end
86
-
87
+
87
88
  describe "enforce_show_permissions" do
88
89
  it "should allow a user w/ edit permissions to view an embargoed object" do
89
90
  user = User.new :uid=>'testuser@example.com'
@@ -116,32 +117,33 @@ describe Hydra::AccessControlsEnforcement do
116
117
  allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["archivist","researcher"])
117
118
  allow(subject).to receive(:current_user).and_return(@stub_user)
118
119
  @solr_parameters = {}
120
+ @user_parameters = {}
119
121
  end
120
122
  it "should set query fields for the user id checking against the discover, access, read fields" do
121
- subject.send(:apply_gated_discovery, @solr_parameters)
123
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
122
124
  ["discover","edit","read"].each do |type|
123
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@stub_user.user_key}/)
125
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_person_ssim\:#{@stub_user.user_key}/)
124
126
  end
125
127
  end
126
128
  it "should set query fields for all roles the user is a member of checking against the discover, access, read fields" do
127
- subject.send(:apply_gated_discovery, @solr_parameters)
129
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
128
130
  ["discover","edit","read"].each do |type|
129
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:archivist/)
130
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:researcher/)
131
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:archivist/)
132
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:researcher/)
131
133
  end
132
134
  end
133
135
 
134
136
  it "should escape slashes in the group names" do
135
137
  allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc/123","cde/567"])
136
- subject.send(:apply_gated_discovery, @solr_parameters)
138
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
137
139
  ["discover","edit","read"].each do |type|
138
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\\/123/)
139
- expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\\/567/)
140
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\\/123/)
141
+ expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\\/567/)
140
142
  end
141
143
  end
142
144
  it "should escape spaces in the group names" do
143
145
  allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc 123","cd/e 567"])
144
- subject.send(:apply_gated_discovery, @solr_parameters)
146
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
145
147
  ["discover","edit","read"].each do |type|
146
148
  expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\ 123/)
147
149
  expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cd\\\/e\\ 567/)
@@ -149,7 +151,7 @@ describe Hydra::AccessControlsEnforcement do
149
151
  end
150
152
  it "should escape colons in the group names" do
151
153
  allow(RoleMapper).to receive(:roles).with(@stub_user).and_return(["abc:123","cde:567"])
152
- subject.send(:apply_gated_discovery, @solr_parameters)
154
+ subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
153
155
  ["discover","edit","read"].each do |type|
154
156
  expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:abc\\:123/)
155
157
  expect(@solr_parameters[:fq].first).to match(/#{type}_access_group_ssim\:cde\\:567/)
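Review bot: Both examples titled "Should changed based on the discovery_perissions" assign `discovery_permissions = ["read","edit"]` to a local variable that nothing reads, so `apply_gated_discovery` still runs with the default permission set and the examples pass without testing a restricted one. The first example in the not-logged-in context shows that the default filter includes a `discover_access_group_ssim` clause, and these two examples only look for `edit` and `read`, so they would pass whether or not `discover` is dropped. Assuming the module exposes a `discovery_permissions` reader (not shown in this spec), stub it with `allow(subject).to receive(:discovery_permissions).and_return(["read","edit"])` and add `expect(@solr_parameters[:fq].first).to_not match(/discover_access_group_ssim/)`. The renamed description also turns "change" into "changed" and keeps the "perissions" misspelling; "should change based on discovery_permissions" reads correctly.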
@@ -38,7 +38,12 @@ describe Hydra::AccessControls::AccessRight do
38
38
  TEXT
39
39
 
40
40
  it spec_text do
41
- permissions = [Hydra::AccessControls::Permission.new({access: :edit, name: givin_permission})]
41
+ permissions = if givin_permission
42
+ [Hydra::AccessControls::Permission.new(type: 'group', access: 'edit', name: givin_permission)]
43
+ else
44
+ []
45
+ end
46
+
42
47
  permissionable = double(
43
48
  'permissionable',
44
49
  permissions: permissions,
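Review bot: Every permission built in this example is now hard-coded to `type: 'group'` and `access: 'edit'`, so nothing visible here checks that a person-type entry whose name matches a group name is classified differently. If the table that supplies `givin_permission` (defined above this hunk) has no such row, one example built with `type: 'person'` would pin that behaviour. A one-line comment above the `if`, such as `# nil means the object carries no ACL entry at all`, would also explain why the nil case yields `[]`. The `it` block continues past the end of the hunk.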
@@ -3,13 +3,22 @@ require 'spec_helper'
3
3
  describe "active_fedora/accessible_by" do
4
4
  let(:user) {FactoryGirl.build(:ira_instructor)}
5
5
  let(:ability) {Ability.new(user)}
6
- let(:private_obj) {FactoryGirl.create(:default_access_asset)}
7
- let(:public_obj) {FactoryGirl.create(:open_access_asset)}
8
- let(:editable_obj) {FactoryGirl.create(:group_edit_asset)}
6
+ let(:private_obj) {FactoryGirl.create(:asset)}
7
+ let(:public_obj) {FactoryGirl.create(:asset)}
8
+ let(:editable_obj) {FactoryGirl.create(:asset)}
9
+
10
+ # let(:private_obj) {FactoryGirl.create(:default_access_asset)}
11
+ # let(:public_obj) {FactoryGirl.create(:open_access_asset)}
12
+ # let(:editable_obj) {FactoryGirl.create(:group_edit_asset)}
9
13
 
10
14
  before do
11
- user.should_receive(:groups).at_most(:once).and_return(user.roles)
12
- ModsAsset.delete_all
15
+ private_obj.permissions_attributes = [{ name: "joe_creator", access: "edit", type: "person" }]
16
+ private_obj.save
17
+ public_obj.permissions_attributes = [{ name: "public", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
18
+ public_obj.save
19
+ editable_obj.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
20
+ editable_obj.save
21
+ expect(user).to receive(:groups).at_most(:once).and_return(user.roles)
13
22
  end
14
23
 
15
24
  after do
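Review bot: The `before` block drops `ModsAsset.delete_all` with no visible replacement, so objects left behind by other specs may still be in the repository and index when the `accessible_by` examples run. Unless cleanup moved elsewhere (spec_helper.rb also changes in this release but is not shown here), results can depend on spec order; keeping `ModsAsset.delete_all`, or an equivalent cleanup, as the first line of the block avoids that. The three fixtures are persisted with `save`, whose return value is ignored; `save!` would stop the run when an ACL fixture fails to persist. The commented-out `let` lines for the retired factories can be deleted rather than kept as dead code. The `after do` block opens on the last line of the hunk and its body is outside it.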