RubyGems - hydra-access-controls - Versions diffs - 8.2.0 → 9.0.0.beta1 - Mend

hydra-access-controls 8.2.0 → 9.0.0.beta1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

checksums.yaml +4 -4
data/README.textile +10 -10
data/app/models/concerns/hydra/access_controls/access_right.rb +3 -2
data/app/models/concerns/hydra/access_controls/embargoable.rb +120 -132
data/app/models/concerns/hydra/access_controls/permissions.rb +137 -103
data/app/models/concerns/hydra/access_controls/visibility.rb +3 -5
data/app/models/concerns/hydra/access_controls.rb +0 -1
data/app/models/concerns/hydra/admin_policy_behavior.rb +27 -2
data/app/models/concerns/hydra/rights.rb +15 -0
data/app/models/hydra/access_controls/access_control_list.rb +17 -0
data/app/models/hydra/access_controls/embargo.rb +65 -0
data/app/models/hydra/access_controls/lease.rb +66 -0
data/app/models/hydra/access_controls/permission.rb +85 -0
data/app/vocabularies/acl.rb +12 -0
data/app/vocabularies/hydra/acl.rb +20 -0
data/config/fedora.yml +4 -2
data/hydra-access-controls.gemspec +6 -7
data/lib/hydra/ability.rb +45 -43
data/lib/hydra/access_controls_enforcement.rb +23 -25
data/lib/hydra/admin_policy.rb +34 -11
data/lib/hydra/config.rb +4 -15
data/lib/hydra/permissions_query.rb +2 -2
data/lib/hydra/permissions_solr_document.rb +4 -6
data/lib/hydra/policy_aware_ability.rb +56 -53
data/lib/hydra/policy_aware_access_controls_enforcement.rb +28 -18
data/lib/hydra-access-controls.rb +1 -1
data/spec/factories.rb +15 -15
data/spec/services/embargo_service_spec.rb +6 -6
data/spec/services/lease_service_spec.rb +6 -6
data/spec/spec_helper.rb +20 -13
data/spec/support/mods_asset.rb +3 -3
data/spec/unit/ability_spec.rb +96 -121
data/spec/unit/access_controls_enforcement_spec.rb +29 -27
data/spec/unit/access_right_spec.rb +6 -1
data/spec/unit/accessible_by_spec.rb +14 -5
data/spec/unit/admin_policy_spec.rb +99 -92
data/spec/unit/config_spec.rb +14 -15
data/spec/unit/embargoable_spec.rb +26 -28
data/spec/unit/permission_spec.rb +36 -16
data/spec/unit/permissions_spec.rb +121 -65
data/spec/unit/policy_aware_ability_spec.rb +64 -78
data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +81 -77
data/spec/unit/role_mapper_spec.rb +10 -10
data/spec/unit/with_access_right_spec.rb +1 -1
metadata +29 -51
data/lib/hydra/access_controls/permission.rb +0 -40
data/lib/hydra/datastream/inheritable_rights_metadata.rb +0 -22
data/lib/hydra/datastream/rights_metadata.rb +0 -276
data/lib/hydra/datastream.rb +0 -7
data/spec/unit/hydra_rights_metadata_persistence_spec.rb +0 -71
data/spec/unit/hydra_rights_metadata_spec.rb +0 -301
data/spec/unit/inheritable_rights_metadata_spec.rb +0 -65

data/spec/unit/permissions_spec.rb CHANGED Viewed

@@ -9,79 +9,126 @@ describe Hydra::AccessControls::Permissions do
   subject { Foo.new }
+  it "should have many permissions" do
+    expect(subject.permissions).to eq []
+  end
+  #TODO is permission same as an acl?
   it "should have a set of permissions" do
     subject.read_groups=['group1', 'group2']
     subject.edit_users=['user1']
     subject.read_users=['user2', 'user3']
-    subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
+    expect(subject.permissions).to match_array [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
         Hydra::AccessControls::Permission.new({:type=>"group", :access=>"read", :name=>"group2"}),
-        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"read", :name=>"user2"}),
-        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"read", :name=>"user3"}),
-        Hydra::AccessControls::Permission.new({:type=>"user", :access=>"edit", :name=>"user1"})]
+        Hydra::AccessControls::Permission.new({:type=>"person", :access=>"read", :name=>"user2"}),
+        Hydra::AccessControls::Permission.new({:type=>"person", :access=>"read", :name=>"user3"}),
+        Hydra::AccessControls::Permission.new({:type=>"person", :access=>"edit", :name=>"user1"})]
+  end
+  describe "building a new permission" do
+    before { subject.save! }
+    it "should set the accessTo association" do
+      perm = subject.permissions.build(name: 'user1', type: 'person', access: 'read')
+      subject.save
+      expect(perm.access_to_id).to eq subject.id
+    end
   end
   describe "updating permissions" do
     describe "with nested attributes" do
       before do
-        subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"jcoyne"}]
+        subject.save!
+        subject.permissions_attributes = [{:type=>"person", :access=>"edit", :name=>"jcoyne"}]
       end
-      it "should handle a hash" do
-        subject.permissions_attributes = {'0' => {type: "group", access:"read", name:"group1"}, '1'=> {type: 'user', access: 'edit', name: 'user2'}}
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"user2")]
+      context "when a hash is passed" do
+        before do
+          subject.permissions_attributes = {'0' => {type: "group", access:"read", name:"group1"},
+                                            '1' => {type: 'person', access: 'edit', name: 'user2'}}
+        end
+        it "should handle a hash" do
+          expect(subject.permissions.size).to eq 3
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions.map(&:to_hash)).to match_array [
+              {type: "person", access: "edit", name: "jcoyne"},
+              {type: "group", access: "read", name: "group1"},
+              {type: "person", access: "edit", name: "user2"}]
+        end
       end
       it "should create new group permissions" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.permissions_attributes = [{type: "group", access: "read", name: "group1"}]
+        expect(subject.permissions.size).to eq 2
+        expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+        expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+        expect(subject.permissions[1].to_hash).to eq(type: "group", access: "read", name: "group1")
       end
       it "should create new user permissions" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
-      end
-      it "should not replace existing groups" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group2"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"group", :access=>"read", :name=>"group2"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
-      end
-      it "should not replace existing users" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user2"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"read", :name=>"user2"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.permissions_attributes = [{:type=>"person", :access=>"read", :name=>"user1"}]
+        expect(subject.permissions.size).to eq 2
+        expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+        expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+        expect(subject.permissions[1].to_hash).to eq(type: "person", access: "read", name: "user1")
       end
-      it "should update permissions on existing users" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"user1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"user1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
-      end
-      it "should update permissions on existing groups" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1"}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
-                                     Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+      context "when called multiple times" do
+        it "should not replace existing groups" do
+          subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
+          subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group2"}]
+          expect(subject.permissions.size).to eq 3
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+          expect(subject.permissions[1].to_hash).to eq(type: "group", access: "read", name: "group1")
+          expect(subject.permissions[2].to_hash).to eq(type: "group", access: "read", name: "group2")
+        end
+        it "should not replace existing users" do
+          subject.permissions_attributes = [{:type=>"person", :access=>"read", :name=>"user1"}]
+          subject.permissions_attributes = [{:type=>"person", :access=>"read", :name=>"user2"}]
+          expect(subject.permissions.size).to eq 3
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+          expect(subject.permissions[1].to_hash).to eq(type: "person", access: "read", name: "user1")
+          expect(subject.permissions[2].to_hash).to eq(type: "person", access: "read", name: "user2")
+        end
+        it "should update permissions on existing users" do
+          subject.update permissions_attributes: [{:type=>"person", :access=>"read", :name=>"user1"}]
+          subject.update permissions_attributes: [{:type=>"person", :access=>"edit", :name=>"user1"}]
+          expect(subject.permissions.size).to eq 2
+          expect(subject.permissions.to_a).to all(be_a(Hydra::AccessControls::Permission))
+          expect(subject.permissions[0].to_hash).to eq(type: "person", access: "edit", name: "jcoyne")
+          expect(subject.permissions[1].to_hash).to eq(type: "person", access: "edit", name: "user1")
+        end
+        it "should update permissions on existing groups" do
+          subject.update permissions_attributes: [{:type=>"group", :access=>"read", :name=>"group1"}]
+          subject.update permissions_attributes: [{:type=>"group", :access=>"edit", :name=>"group1"}]
+          expect(subject.permissions.map(&:to_hash)).to match_array [
+                                            {:type=>"group", :access=>"edit", :name=>"group1"},
+                                            {:type=>"person", :access=>"edit", :name=>"jcoyne"}]
+        end
       end
       it "should remove permissions on existing users" do
-        subject.permissions_attributes = [{:type=>"user", :access=>"read", :name=>"user1"}]
-        subject.permissions_attributes = [{:type=>"user", :access=>"edit", :name=>"user1", _destroy: true}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.update permissions_attributes: [{:type=>"person", :access=>"read", :name=>"user1"}]
+        subject.update permissions_attributes: [{:id=>ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s), :type=>"person", :access=>"edit", :name=>"user1", _destroy: true}]
+        expect(subject.permissions.reload.map(&:to_hash)).to eq [{ :name=>"jcoyne", :type=>"person", :access=>"edit" }]
       end
       it "should remove permissions on existing groups" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1", _destroy: '1'}]
-        subject.permissions.should == [Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.update permissions_attributes: [{:type=>"group", :access=>"read", :name=>"group1"}]
+        subject.update permissions_attributes: [{:id=>ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s), :type=>"group", :access=>"edit", :name=>"group1", _destroy: '1'}]
+        expect(subject.permissions.reload.map(&:to_hash)).to eq [{:type=>"person", :access=>"edit", :name=>"jcoyne"}]
       end
       it "should not remove when destroy flag is falsy" do
-        subject.permissions_attributes = [{:type=>"group", :access=>"read", :name=>"group1"}]
-        subject.permissions_attributes = [{:type=>"group", :access=>"edit", :name=>"group1", _destroy: '0'}]
-        subject.permissions.should == [ Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
-                                        Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+        subject.update permissions_attributes: [{:type=>"group", :access=>"read", :name=>"group1"}]
+        subject.update permissions_attributes: [{:id=>ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s), :type=>"group", :access=>"edit", :name=>"group1", _destroy: '0'}]
+        expect(subject.permissions.reload.map(&:to_hash)).to match_array [{:type=>"group", :access=>"edit", :name=>"group1"},
+                                                          {:type=>"person", :access=>"edit", :name=>"jcoyne"}]
       end
     end
@@ -89,7 +136,8 @@ describe Hydra::AccessControls::Permissions do
       before do
         subject.permissions = [
           Hydra::AccessControls::Permission.new(:type=>"group", :access=>"edit", :name=>"group1"),
-          Hydra::AccessControls::Permission.new(:type=>"user", :access=>"edit", :name=>"jcoyne")]
+          Hydra::AccessControls::Permission.new(:type=>"person", :access=>"edit", :name=>"jcoyne")]
+        subject.save!
       end
       it "should set the permissions" do
         expect(subject.edit_users).to eq ['jcoyne']
@@ -103,30 +151,38 @@ describe Hydra::AccessControls::Permissions do
   end
   context "with rightsMetadata" do
     before do
-      subject.rightsMetadata.update_permissions("person"=>{"person1"=>"read","person2"=>"discover"}, "group"=>{'group-6' => 'read', "group-7"=>'read', 'group-8'=>'edit'})
+      subject.permissions.build(type: 'person', access: 'read', name: 'person1')
+      subject.permissions.build(type: 'person', access: 'discover', name: 'person2')
+      subject.permissions.build(type: 'group', access: 'read', name: 'group-6')
+      subject.permissions.build(type: 'group', access: 'read', name: 'group-7')
+      subject.permissions.build(type: 'group', access: 'edit', name: 'group-8')
     end
     it "should have read groups accessor" do
-      subject.read_groups.should == ['group-6', 'group-7']
+      expect(subject.read_groups).to eq ['group-6', 'group-7']
     end
     it "should have read groups string accessor" do
-      subject.read_groups_string.should == 'group-6, group-7'
-    end
-    it "should have read groups writer" do
-      subject.read_groups = ['group-2', 'group-3']
-      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
-      subject.rightsMetadata.users.should == {"person1"=>"read","person2"=>"discover"}
+      expect(subject.read_groups_string).to eq 'group-6, group-7'
     end
     it "should have read groups string writer" do
       subject.read_groups_string = 'umg/up.dlt.staff, group-3'
-      subject.rightsMetadata.groups.should == {'umg/up.dlt.staff' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
-      subject.rightsMetadata.users.should == {"person1"=>"read","person2"=>"discover"}
+      expect(subject.read_groups).to eq ['umg/up.dlt.staff', 'group-3']
+      expect(subject.edit_groups).to eq ['group-8']
+      expect(subject.read_users).to eq ['person1']
     end
     it "should only revoke eligible groups" do
       subject.set_read_groups(['group-2', 'group-3'], ['group-6'])
       # 'group-7' is not eligible to be revoked
-      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-7' => 'read', 'group-8' => 'edit'}
-      subject.rightsMetadata.users.should == {"person1"=>"read","person2"=>"discover"}
+      expect(subject.permissions.map(&:to_hash)).to match_array([
+        {name: 'group-2', type: 'group', access: 'read'},
+        {name: 'group-3', type: 'group', access: 'read'},
+        {name: 'group-7', type: 'group', access: 'read'},
+        {name: 'group-8', type: 'group', access: 'edit'},
+        {name: 'person1', type: 'person', access: 'read'},
+        {name: 'person2', type: 'person', access: 'discover'}])
     end
   end
 end

data/spec/unit/policy_aware_ability_spec.rb CHANGED Viewed

@@ -2,59 +2,49 @@ require 'spec_helper'
 describe Hydra::PolicyAwareAbility do
   before do
-    Hydra.stub(:config).and_return({
-      :permissions=>{
-        :discover => {:group =>"discover_access_group_ssim", :individual=>"discover_access_person_ssim"},
-        :read => {:group =>"read_access_group_ssim", :individual=>"read_access_person_ssim"},
-        :edit => {:group =>"edit_access_group_ssim", :individual=>"edit_access_person_ssim"},
-        :owner => "depositor_ssim",
-        :embargo_release_date => "embargo_release_date_dtsi",
-        :inheritable => {
-          :discover => {:group =>"inheritable_discover_access_group_ssim", :individual=>"inheritable_discover_access_person_ssim"},
-          :read => {:group =>"inheritable_read_access_group_ssim", :individual=>"inheritable_read_access_person_ssim"},
-          :edit => {:group =>"inheritable_edit_access_group_ssim", :individual=>"inheritable_edit_access_person_ssim"},
-          :owner => "inheritable_depositor_ssim",
-          :embargo_release_date => "inheritable_embargo_release_date_dtsi"
-        }
-    }})
+    allow(Hydra.config.permissions).to receive(:inheritable).and_return({
+        :discover => {:group =>"inheritable_discover_access_group_ssim", :individual=>"inheritable_discover_access_person_ssim"},
+        :read => {:group =>"inheritable_read_access_group_ssim", :individual=>"inheritable_read_access_person_ssim"},
+        :edit => {:group =>"inheritable_edit_access_group_ssim", :individual=>"inheritable_edit_access_person_ssim"},
+        :owner => "inheritable_depositor_ssim",
+        :embargo_release_date => "inheritable_embargo_release_date_dtsi"
+    })
   end
-  before(:all) do
+  before do
     class PolicyAwareClass
       include Hydra::PolicyAwareAbility
     end
-    @policy = Hydra::AdminPolicy.new
+    @policy = Hydra::AdminPolicy.create
     # Set the inheritable permissions
-    @policy.default_permissions = [
+    @policy.default_permissions.create [
         {:type=>"group", :access=>"read", :name=>"africana-faculty"},
         {:type=>"group", :access=>"edit", :name=>"cool_kids"},
         {:type=>"group", :access=>"edit", :name=>"in_crowd"},
-        {:type=>"user", :access=>"read", :name=>"nero"},
-        {:type=>"user", :access=>"edit", :name=>"julius_caesar"}
+        {:type=>"person", :access=>"read", :name=>"nero"},
+        {:type=>"person", :access=>"edit", :name=>"julius_caesar"}
       ]
-    @policy.save
+    @policy.save!
     @asset = ModsAsset.new
     @asset.admin_policy = @policy
-    @asset.save
+    @asset.save!
   end
-  after(:all) do
-    @policy.delete
-    @asset.delete
+  after do
     Object.send(:remove_const, :PolicyAwareClass)
-  end
+  end
   subject { PolicyAwareClass.new( User.new ) }
   describe "policy_pid_for" do
     before do
-      @policy2 = Hydra::AdminPolicy.new
-      @policy2.default_permissions =
-        [
+      @policy2 = Hydra::AdminPolicy.create
+      @policy2.default_permissions.create [
          {:type=>"group", :access=>"read", :name=>"untenured-faculty"},
          {:type=>"group", :access=>"edit", :name=>"awesome_kids"},
          {:type=>"group", :access=>"edit", :name=>"bad_crowd"},
-         {:type=>"user", :access=>"read", :name=>"constantine"},
-         {:type=>"user", :access=>"edit", :name=>"brutus"}
+         {:type=>"person", :access=>"read", :name=>"constantine"},
+         {:type=>"person", :access=>"edit", :name=>"brutus"}
         ]
       @policy2.save
       @asset2 = ModsAsset.new
@@ -62,124 +52,120 @@ describe Hydra::PolicyAwareAbility do
       @asset2.save
       @asset3 = ModsAsset.create
     end
-    after do
-      @policy2.delete
-      @asset2.delete
-      @asset3.delete
-    end
     it "should retrieve the pid doc for the current object's governing policy" do
-      subject.policy_pid_for(@asset.pid).should == @policy.pid
-      subject.policy_pid_for(@asset2.pid).should == @policy2.pid
-      subject.policy_pid_for(@asset3.pid).should be_nil
+      expect(subject.policy_pid_for(@asset.id)).to eq @policy.id
+      expect(subject.policy_pid_for(@asset2.id)).to eq @policy2.id
+      expect(subject.policy_pid_for(@asset3.id)).to be_nil
     end
   end
   describe "policy_permissions_doc" do
     it "should retrieve the permissions doc for the current object's policy and store for re-use" do
-      subject.should_receive(:get_permissions_solr_response_for_doc_id).with(@policy.pid).once.and_return("mock solr doc")
-      subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
-      subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
-      subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
+      expect(subject).to receive(:get_permissions_solr_response_for_doc_id).with(@policy.id).once.and_return("mock solr doc")
+      expect(subject.policy_permissions_doc(@policy.id)).to eq "mock solr doc"
+      expect(subject.policy_permissions_doc(@policy.id)).to eq "mock solr doc"
+      expect(subject.policy_permissions_doc(@policy.id)).to eq "mock solr doc"
     end
   end
   describe "test_edit_from_policy" do
     context "public user" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["public"])
-        subject.test_edit_from_policy(@asset.pid).should be false
+        allow(subject).to receive(:user_groups).and_return(["public"])
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "registered user" do
       it "should return false" do
-        subject.user_groups.should include("registered")
-        subject.test_edit_from_policy(@asset.pid).should be false
+        expect(subject.user_groups).to include("registered")
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "user with policy read access only" do
       it "should return false" do
-        subject.current_user.stub(:user_key).and_return("nero")
-        subject.test_edit_from_policy(@asset.pid).should be false
+        allow(subject.current_user).to receive(:user_key).and_return("nero")
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "user with policy edit access" do
       it "should return true" do
-        subject.current_user.stub(:user_key).and_return("julius_caesar")
-        subject.test_edit_from_policy(@asset.pid).should be true
+        allow(subject.current_user).to receive(:user_key).and_return("julius_caesar")
+        expect(subject.test_edit_from_policy(@asset.id)).to be true
       end
     end
     context "user in group with policy read access" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["africana-faculty"])
-        subject.test_edit_from_policy(@asset.pid).should be false
+        allow(subject).to receive(:user_groups).and_return(["africana-faculty"])
+        expect(subject.test_edit_from_policy(@asset.id)).to be false
       end
     end
     context "user in group with policy edit access" do
       it "should return true" do
-        subject.stub(:user_groups).and_return(["cool_kids"])
-        subject.test_edit_from_policy(@asset.pid).should be true
+        allow(subject).to receive(:user_groups).and_return(["cool_kids"])
+        expect(subject.test_edit_from_policy(@asset.id)).to be true
       end
     end
   end
   describe "test_read_from_policy" do
     context "public user" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["public"])
-        subject.test_read_from_policy(@asset.pid).should be false
+        allow(subject).to receive(:user_groups).and_return(["public"])
+        expect(subject.test_read_from_policy(@asset.id)).to be false
       end
     end
     context "registered user" do
       it "should return false" do
-        subject.user_groups.should include("registered")
-        subject.test_read_from_policy(@asset.pid).should be false
+        expect(subject.user_groups).to include("registered")
+        expect(subject.test_read_from_policy(@asset.id)).to be false
       end
     end
     context "user with policy read access only" do
       it "should return false" do
-        subject.current_user.stub(:user_key).and_return("nero")
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject.current_user).to receive(:user_key).and_return("nero")
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
     context "user with policy edit access" do
       it "should return true" do
-        subject.current_user.stub(:user_key).and_return("julius_caesar")
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject.current_user).to receive(:user_key).and_return("julius_caesar")
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
     context "user in group with policy read access" do
       it "should return false" do
-        subject.stub(:user_groups).and_return(["africana-faculty"])
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject).to receive(:user_groups).and_return(["africana-faculty"])
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
     context "user in group with policy edit access" do
       it "should return true" do
-        subject.stub(:user_groups).and_return(["cool_kids"])
-        subject.test_read_from_policy(@asset.pid).should be true
+        allow(subject).to receive(:user_groups).and_return(["cool_kids"])
+        expect(subject.test_read_from_policy(@asset.id)).to be true
       end
     end
   end
   describe "edit_groups_from_policy" do
     it "should retrieve the list of groups with edit access from the policy" do
-      result = subject.edit_groups_from_policy(@policy.pid)
-      result.length.should == 2
-      result.should include("cool_kids","in_crowd")
+      result = subject.edit_groups_from_policy(@policy.id)
+      expect(result.length).to eq 2
+      expect(result).to include("cool_kids","in_crowd")
     end
   end
   describe "edit_persons_from_policy" do
     it "should retrieve the list of individuals with edit access from the policy" do
-      expect(subject.edit_users_from_policy(@policy.pid)).to eq ["julius_caesar"]
+      expect(subject.edit_users_from_policy(@policy.id)).to eq ["julius_caesar"]
     end
   end
   describe "read_groups_from_policy" do
     it "should retrieve the list of groups with read access from the policy" do
-      result = subject.read_groups_from_policy(@policy.pid)
-      result.length.should == 3
-      result.should include("cool_kids", "in_crowd", "africana-faculty")
+      result = subject.read_groups_from_policy(@policy.id)
+      expect(result.length).to eq 3
+      expect(result).to include("cool_kids", "in_crowd", "africana-faculty")
     end
   end
   describe "read_persons_from_policy" do
     it "should retrieve the list of individuals with read access from the policy" do
-      expect(subject.read_users_from_policy(@policy.pid)).to eq ["julius_caesar","nero"]
+      expect(subject.read_users_from_policy(@policy.id)).to eq ["julius_caesar","nero"]
     end
   end
 end