RubyGems - hydra-access-controls - Versions diffs - 8.2.0 → 9.0.0.beta1 - Mend

hydra-access-controls 8.2.0 → 9.0.0.beta1

Files changed (52) hide show

checksums.yaml +4 -4
data/README.textile +10 -10
data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
data/app/models/concerns/hydra/access_controls.rb +0 -1
data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
data/app/models/concerns/hydra/rights.rb +15 -0
data/app/models/hydra/access_controls/access_control_list.rb +17 -0
data/app/models/hydra/access_controls/embargo.rb +65 -0
data/app/models/hydra/access_controls/lease.rb +66 -0
data/app/models/hydra/access_controls/permission.rb +85 -0
data/app/vocabularies/acl.rb +12 -0
data/app/vocabularies/hydra/acl.rb +20 -0
data/config/fedora.yml +4 -2
data/hydra-access-controls.gemspec +6 -7
data/lib/hydra/ability.rb +45 -43
data/lib/hydra/access_controls_enforcement.rb +23 -25
data/lib/hydra/admin_policy.rb +34 -11
data/lib/hydra/config.rb +4 -15
data/lib/hydra/permissions_query.rb +2 -2
data/lib/hydra/permissions_solr_document.rb +4 -6
data/lib/hydra/policy_aware_ability.rb +56 -53
data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
data/lib/hydra-access-controls.rb +1 -1
data/spec/factories.rb +15 -15
data/spec/services/embargo_service_spec.rb +6 -6
data/spec/services/lease_service_spec.rb +6 -6
data/spec/spec_helper.rb +20 -13
data/spec/support/mods_asset.rb +3 -3
data/spec/unit/ability_spec.rb +96 -121
data/spec/unit/access_controls_enforcement_spec.rb +29 -27
data/spec/unit/access_right_spec.rb +6 -1
data/spec/unit/accessible_by_spec.rb +14 -5
data/spec/unit/admin_policy_spec.rb +99 -92
data/spec/unit/config_spec.rb +14 -15
data/spec/unit/embargoable_spec.rb +26 -28
data/spec/unit/permission_spec.rb +36 -16
data/spec/unit/permissions_spec.rb +121 -65
data/spec/unit/policy_aware_ability_spec.rb +64 -78
data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
data/spec/unit/role_mapper_spec.rb +10 -10
data/spec/unit/with_access_right_spec.rb +1 -1
metadata +29 -51
data/lib/hydra/access_controls/permission.rb +0 -40
data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
data/lib/hydra/datastream/rights_metadata.rb +0 -276
data/lib/hydra/datastream.rb +0 -7
data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65

data/spec/unit/permissions_spec.rb CHANGED Viewed

@@ -9,79 +9,126 @@ describe Hydra::AccessControls::Permissions do
   subject { Foo.new }
+  it "should have many permissions" do
+    expect(subject.permissions).to eq []
+  end
+  #TODO is permission same as an acl?
   it "should have a set of permissions" do
     subject.read_groups=['group1', 'group2']
     subject.edit_users=['user1']
     subject.read_users=['user2', 'user3']
-    subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
+    expect(subject.permissions).to match_array [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
         Hydra::AccessControls::Permission.new({:type=>"group", :access=>"read", :name=>"group2"}),
-        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"read", :name=>"user2"}),
-        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"read", :name=>"user3"}),
-        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"edit", :name=>"user1"})]
+        Hydra::AccessControls::Permission.new({:type=>"person", :access=>"read", :name=>"user2"}),
+        Hydra::AccessControls::Permission.new({:type=>"person", :access=>"read", :name=>"user3"}),
+        Hydra::AccessControls::Permission.new({:type=>"person", :access=>"edit", :name=>"user1"})]
+  end
+  describe "building a new permission" do
+    before { subject.save! }
+    it "should set the accessTo association" do
+      perm = subject.permissions.build(name: 'user1', type: 'person', access: 'read')
+      subject.save
+      expect(perm.access_to_id).to eq subject.id
+    end
   end
   describe "updating permissions" do
     describe "with nested attributes" do
       before do
-        subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"jcoyne"}]
+        subject.save!
+        subject.permissions_attributes = [{:type=>"person", :access=>"edit", :name=>"jcoyne"}]
       end
-      it "should handle a hash" do
-        subject.permissions_attributes = {'0' => {type: "group", access:"read", name:"group1"}, '1'=> {type: 'user', access: 'edit', name: 'user2'}}
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"user2")]
+      context "when a hash is passed" do
+        before do
+          subject.permissions_attributes = {'0' => {type: "group", access:"read", name:"group1"},
+                                            '1' => {type: 'person', access: 'edit', name: 'user2'}}
+        end
+        it "should handle a hash" do
+          expect(subject.permissions.size).to eq 3
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions.map(&:to_hash)).to match_array [
+              {type: "person", access: "edit", name: "jcoyne"},
+              {type: "group", access: "read", name: "group1"},
+              {type: "person", access: "edit", name: "user2"}]
+        end
       end
       it "should create new group permissions" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.permissions_attributes = [{type: "group", access: "read", name: "group1"}]
+        expect(subject.permissions.size).to eq 2
+        expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+        expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+        expect(subject.permissions[1].to_hash).to eq(type: "group", access: "read", name: "group1")
       end
       it "should create new user permissions" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
-      end
-      it "should not replace existing groups" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group2"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group2"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
-      end
-      it "should not replace existing users" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user2"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user2"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.permissions_attributes = [{:type=>"person", :access=>"read", :name=>"user1"}]
+        expect(subject.permissions.size).to eq 2
+        expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+        expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+        expect(subject.permissions[1].to_hash).to eq(type: "person", access: "read", name: "user1")
       end
-      it "should update permissions on existing users" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"user1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"user1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
-      end
-      it "should update permissions on existing groups" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+      context "when called multiple times" do
+        it "should not replace existing groups" do
+          subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
+          subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group2"}]
+          expect(subject.permissions.size).to eq 3
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+          expect(subject.permissions[1].to_hash).to eq(type: "group", access: "read", name: "group1")
+          expect(subject.permissions[2].to_hash).to eq(type: "group", access: "read", name: "group2")
+        end
+        it "should not replace existing users" do
+          subject.permissions_attributes = [{:type=>"person", :access=>"read", :name=>"user1"}]
+          subject.permissions_attributes = [{:type=>"person", :access=>"read", :name=>"user2"}]
+          expect(subject.permissions.size).to eq 3
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+          expect(subject.permissions[1].to_hash).to eq(type: "person", access: "read", name: "user1")
+          expect(subject.permissions[2].to_hash).to eq(type: "person", access: "read", name: "user2")
+        end
+        it "should update permissions on existing users" do
+          subject.update permissions_attributes: [{:type=>"person", :access=>"read", :name=>"user1"}]
+          subject.update permissions_attributes: [{:type=>"person", :access=>"edit", :name=>"user1"}]
+          expect(subject.permissions.size).to eq 2
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+          expect(subject.permissions[1].to_hash).to eq(type: "person", access: "edit", name: "user1")
+        end
+        it "should update permissions on existing groups" do
+          subject.update permissions_attributes: [{:type=>"group", :access=>"read", :name=>"group1"}]
+          subject.update permissions_attributes: [{:type=>"group", :access=>"edit", :name=>"group1"}]
+          expect(subject.permissions.map(&:to_hash)).to match_array [
+                                            {:type=>"group", :access=>"edit", :name=>"group1"},
+                                            {:type=>"person", :access=>"edit", :name=>"jcoyne"}]
+        end
       end
       it "should remove permissions on existing users" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"user1", _destroy: true}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.update permissions_attributes: [{:type=>"person", :access=>"read", :name=>"user1"}]
+        subject.update permissions_attributes: [{:id=>ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s), :type=>"person", :access=>"edit", :name=>"user1", _destroy: true}]
+        expect(subject.permissions.reload.map(&:to_hash)).to eq [{ :name=>"jcoyne", :type=>"person", :access=>"edit" }]
       end
       it "should remove permissions on existing groups" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1", _destroy: '1'}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.update permissions_attributes: [{:type=>"group", :access=>"read", :name=>"group1"}]
+        subject.update permissions_attributes: [{:id=>ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s), :type=>"group", :access=>"edit", :name=>"group1", _destroy: '1'}]
+        expect(subject.permissions.reload.map(&:to_hash)).to eq [{:type=>"person", :access=>"edit", :name=>"jcoyne"}]
       end
       it "should not remove when destroy flag is falsy" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1", _destroy: '0'}]
-        subject.permissions.should == [ Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
-                                        Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.update permissions_attributes: [{:type=>"group", :access=>"read", :name=>"group1"}]
+        subject.update permissions_attributes: [{:id=>ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s), :type=>"group", :access=>"edit", :name=>"group1", _destroy: '0'}]
+        expect(subject.permissions.reload.map(&:to_hash)).to match_array [{:type=>"group", :access=>"edit", :name=>"group1"},
+                                                          {:type=>"person", :access=>"edit", :name=>"jcoyne"}]
       end
     end
@@ -89,7 +136,8 @@ describe Hydra::AccessControls::Permissions do
       before do
         subject.permissions = [
           Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
-          Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+          Hydra::AccessControls::Permission.new(:type=>"person", :access=>"edit", :name=>"jcoyne")]
+        subject.save!
       end
       it "should set the permissions" do
         expect(subject.edit_users).to eq ['jcoyne']
@@ -103,30 +151,38 @@ describe Hydra::AccessControls::Permissions do
   end
   context "with rightsMetadata" do
     before do
-      subject.rightsMetadata.update_permissions("person"=>{"person1"=>"read","person2"=>"discover"}, "group"=>{'group-6' => 'read', "group-7"=>'read', 'group-8'=>'edit'})
+      subject.permissions.build(type: 'person', access: 'read', name: 'person1')
+      subject.permissions.build(type: 'person', access: 'discover', name: 'person2')
+      subject.permissions.build(type: 'group', access: 'read', name: 'group-6')
+      subject.permissions.build(type: 'group', access: 'read', name: 'group-7')
+      subject.permissions.build(type: 'group', access: 'edit', name: 'group-8')
     end
     it "should have read groups accessor" do
-      subject.read_groups.should == ['group-6', 'group-7']
+      expect(subject.read_groups).to eq ['group-6', 'group-7']
     end
     it "should have read groups string accessor" do
-      subject.read_groups_string.should == 'group-6, group-7'
-    end
-    it "should have read groups writer" do
-      subject.read_groups = ['group-2', 'group-3']
-      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
-      subject.rightsMetadata.users.should == {"person1"=>"read","person2"=>"discover"}
+      expect(subject.read_groups_string).to eq 'group-6, group-7'
     end
     it "should have read groups string writer" do
       subject.read_groups_string = 'umg/up.dlt.staff, group-3'
-      subject.rightsMetadata.groups.should == {'umg/up.dlt.staff' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
-      subject.rightsMetadata.users.should == {"person1"=>"read","person2"=>"discover"}
+      expect(subject.read_groups).to eq ['umg/up.dlt.staff', 'group-3']
+      expect(subject.edit_groups).to eq ['group-8']
+      expect(subject.read_users).to eq ['person1']
     end
     it "should only revoke eligible groups" do
       subject.set_read_groups(['group-2', 'group-3'], ['group-6'])
       # 'group-7' is not eligible to be revoked
-      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-7' => 'read', 'group-8' => 'edit'}
-      subject.rightsMetadata.users.should == {"person1"=>"read","person2"=>"discover"}
+      expect(subject.permissions.map(&:to_hash)).to match_array([
+        {name: 'group-2', type: 'group', access: 'read'},
+        {name: 'group-3', type: 'group', access: 'read'},
+        {name: 'group-7', type: 'group', access: 'read'},
+        {name: 'group-8', type: 'group', access: 'edit'},
+        {name: 'person1', type: 'person', access: 'read'},
+        {name: 'person2', type: 'person', access: 'discover'}])
     end
   end
 end

data/spec/unit/policy_aware_ability_spec.rb CHANGED Viewed

@@ -2,59 +2,49 @@ require 'spec_helper'
 describe Hydra::PolicyAwareAbility do
   before do
-    Hydra.stub(:config).and_return({
-      :permissions=>{
-        :discover => {:group =>"discover_access_group_ssim", :individual=>"discover_access_person_ssim"},
-        :read => {:group =>"read_access_group_ssim", :individual=>"read_access_person_ssim"},
-        :edit => {:group =>"edit_access_group_ssim", :individual=>"edit_access_person_ssim"},
-        :owner => "depositor_ssim",
-        :embargo_release_date => "embargo_release_date_dtsi",
-        :inheritable => {
-          :discover => {:group =>"inheritable_discover_access_group_ssim", :individual=>"inheritable_discover_access_person_ssim"},
-          :read => {:group =>"inheritable_read_access_group_ssim", :individual=>"inheritable_read_access_person_ssim"},
-          :edit => {:group =>"inheritable_edit_access_group_ssim", :individual=>"inheritable_edit_access_person_ssim"},
-          :owner => "inheritable_depositor_ssim",
-          :embargo_release_date => "inheritable_embargo_release_date_dtsi"
-        }
-    }})
+    allow(Hydra.config.permissions).to receive(:inheritable).and_return({
+        :discover => {:group =>"inheritable_discover_access_group_ssim", :individual=>"inheritable_discover_access_person_ssim"},
+        :read => {:group =>"inheritable_read_access_group_ssim", :individual=>"inheritable_read_access_person_ssim"},
+        :edit => {:group =>"inheritable_edit_access_group_ssim", :individual=>"inheritable_edit_access_person_ssim"},
+        :owner => "inheritable_depositor_ssim",
+        :embargo_release_date => "inheritable_embargo_release_date_dtsi"
+    })
   end
-  before(:all) do
+  before do
     class PolicyAwareClass
       include Hydra::PolicyAwareAbility
     end
-    @policy = Hydra::AdminPolicy.new
+    @policy = Hydra::AdminPolicy.create
     # Set the inheritable permissions
-    @policy.default_permissions = [
+    @policy.default_permissions.create [
         {:type=>"group", :access=>"read", :name=>"africana-faculty"},
         {:type=>"group", :access=>"edit", :name=>"cool_kids"},
         {:type=>"group", :access=>"edit", :name=>"in_crowd"},
-        {:type=>"user", :access=>"read", :name=>"nero"},
-        {:type=>"user", :access=>"edit", :name=>"julius_caesar"}
+        {:type=>"person", :access=>"read", :name=>"nero"},
+        {:type=>"person", :access=>"edit", :name=>"julius_caesar"}
       ]
-    @policy.save
+    @policy.save!
     @asset = ModsAsset.new
     @asset.admin_policy = @policy
-    @asset.save
+    @asset.save!
   end
-  after(:all) do
-    @policy.delete
-    @asset.delete
+  after do
     Object.send(:remove_const, :PolicyAwareClass)
-  end
+  end
   subject { PolicyAwareClass.new( User.new ) }
   describe "policy_pid_for" do
     before do
-      @policy2 = Hydra::AdminPolicy.new
-      @policy2.default_permissions =
-        [
+      @policy2 = Hydra::AdminPolicy.create
+      @policy2.default_permissions.create [
          {:type=>"group", :access=>"read", :name=>"untenured-faculty"},
          {:type=>"group", :access=>"edit", :name=>"awesome_kids"},
          {:type=>"group", :access=>"edit", :name=>"bad_crowd"},
-         {:type=>"user", :access=>"read", :name=>"constantine"},
-         {:type=>"user", :access=>"edit", :name=>"brutus"}
+         {:type=>"person", :access=>"read", :name=>"constantine"},
+         {:type=>"person", :access=>"edit", :name=>"brutus"}
         ]
       @policy2.save
       @asset2 = ModsAsset.new
@@ -62,124 +52,120 @@ describe Hydra::PolicyAwareAbility do
       @asset2.save
       @asset3 = ModsAsset.create
     end
-    after do
-      @policy2.delete
-      @asset2.delete
-      @asset3.delete
-    end
     it "should retrieve the pid doc for the current object's governing policy" do
-      subject.policy_pid_for(@asset.pid).should == @policy.pid
-      subject.policy_pid_for(@asset2.pid).should == @policy2.pid
-      subject.policy_pid_for(@asset3.pid).should be_nil
+      expect(subject.policy_pid_for(@asset.id)).to eq @policy.id
+      expect(subject.policy_pid_for(@asset2.id)).to eq @policy2.id
+      expect(subject.policy_pid_for(@asset3.id)).to be_nil
     end
   end
   describe "policy_permissions_doc" do
     it "should retrieve the permissions doc for the current object's policy and store for re-use" do
-      subject.should_receive(:get_permissions_solr_response_for_doc_id).with(@policy.pid).once.and_return("mock solr doc")
-      subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
-      subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
-      subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
+      expect(subject).to receive(:get_permissions_solr_response_for_doc_id).with(@policy.id).once.and_return("mock solr doc")
+      expect(subject.policy_permissions_doc(@policy.id)).to eq "mock solr doc"
+      expect(subject.policy_permissions_doc(@policy.id)).to eq "mock solr doc"
+      expect(subject.policy_permissions_doc(@policy.id)).to eq "mock solr doc"
     end
   end
   describe "test_edit_from_policy" do
     context "public user" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["public"])
-        subject.test_edit_from_policy(@asset.pid).should be false
+        allow(subject).to receive(:user_groups).and_return(["public"])
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "registered user" do
       it "should return false" do
-        subject.user_groups.should include("registered")
-        subject.test_edit_from_policy(@asset.pid).should be false
+        expect(subject.user_groups).to include("registered")
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "user with policy read access only" do
       it "should return false" do
-        subject.current_user.stub(:user_key).and_return("nero")
-        subject.test_edit_from_policy(@asset.pid).should be false
+        allow(subject.current_user).to receive(:user_key).and_return("nero")
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "user with policy edit access" do
       it "should return true" do
-        subject.current_user.stub(:user_key).and_return("julius_caesar")
-        subject.test_edit_from_policy(@asset.pid).should be true
+        allow(subject.current_user).to receive(:user_key).and_return("julius_caesar")
+        expect(subject.test_edit_from_policy(@asset.id)).to be true
       end
     end
     context "user in group with policy read access" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["africana-faculty"])
-        subject.test_edit_from_policy(@asset.pid).should be false
+        allow(subject).to receive(:user_groups).and_return(["africana-faculty"])
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "user in group with policy edit access" do
       it "should return true" do
-        subject.stub(:user_groups).and_return(["cool_kids"])
-        subject.test_edit_from_policy(@asset.pid).should be true
+        allow(subject).to receive(:user_groups).and_return(["cool_kids"])
+        expect(subject.test_edit_from_policy(@asset.id)).to be true
       end
     end
   end
   describe "test_read_from_policy" do
     context "public user" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["public"])
-        subject.test_read_from_policy(@asset.pid).should be false
+        allow(subject).to receive(:user_groups).and_return(["public"])
+        expect(subject.test_read_from_policy(@asset.id)).to be false
       end
     end
     context "registered user" do
       it "should return false" do
-        subject.user_groups.should include("registered")
-        subject.test_read_from_policy(@asset.pid).should be false
+        expect(subject.user_groups).to include("registered")
+        expect(subject.test_read_from_policy(@asset.id)).to be false
       end
     end
     context "user with policy read access only" do
       it "should return false" do
-        subject.current_user.stub(:user_key).and_return("nero")
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject.current_user).to receive(:user_key).and_return("nero")
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
     context "user with policy edit access" do
       it "should return true" do
-        subject.current_user.stub(:user_key).and_return("julius_caesar")
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject.current_user).to receive(:user_key).and_return("julius_caesar")
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
     context "user in group with policy read access" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["africana-faculty"])
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject).to receive(:user_groups).and_return(["africana-faculty"])
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
     context "user in group with policy edit access" do
       it "should return true" do
-        subject.stub(:user_groups).and_return(["cool_kids"])
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject).to receive(:user_groups).and_return(["cool_kids"])
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
   end
   describe "edit_groups_from_policy" do
     it "should retrieve the list of groups with edit access from the policy" do
-      result = subject.edit_groups_from_policy(@policy.pid)
-      result.length.should == 2
-      result.should include("cool_kids","in_crowd")
+      result = subject.edit_groups_from_policy(@policy.id)
+      expect(result.length).to eq 2
+      expect(result).to include("cool_kids","in_crowd")
     end
   end
   describe "edit_persons_from_policy" do
     it "should retrieve the list of individuals with edit access from the policy" do
-      expect(subject.edit_users_from_policy(@policy.pid)).to eq ["julius_caesar"]
+      expect(subject.edit_users_from_policy(@policy.id)).to eq ["julius_caesar"]
     end
   end
   describe "read_groups_from_policy" do
     it "should retrieve the list of groups with read access from the policy" do
-      result = subject.read_groups_from_policy(@policy.pid)
-      result.length.should == 3
-      result.should include("cool_kids", "in_crowd", "africana-faculty")
+      result = subject.read_groups_from_policy(@policy.id)
+      expect(result.length).to eq 3
+      expect(result).to include("cool_kids", "in_crowd", "africana-faculty")
     end
   end
   describe "read_persons_from_policy" do
     it "should retrieve the list of individuals with read access from the policy" do
-      expect(subject.read_users_from_policy(@policy.pid)).to eq ["julius_caesar","nero"]
+      expect(subject.read_users_from_policy(@policy.id)).to eq ["julius_caesar","nero"]
     end
   end
 end