hydra-access-controls 9.10.0 → 10.0.0.beta1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.textile +1 -4
- data/Rakefile +0 -1
- data/app/models/concerns/hydra/access_controls/embargoable.rb +0 -11
- data/app/models/concerns/hydra/access_controls/permissions.rb +50 -39
- data/app/models/hydra/access_control.rb +81 -0
- data/app/models/hydra/access_controls/permission.rb +33 -34
- data/app/vocabularies/acl.rb +1 -0
- data/hydra-access-controls.gemspec +2 -2
- data/lib/hydra-access-controls.rb +0 -1
- data/lib/hydra/admin_policy.rb +0 -12
- data/spec/spec_helper.rb +6 -12
- data/spec/unit/ability_spec.rb +3 -0
- data/spec/unit/access_controls_enforcement_spec.rb +3 -0
- data/spec/unit/admin_policy_spec.rb +3 -0
- data/spec/unit/permissions_spec.rb +17 -9
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +2 -0
- data/spec/unit/role_mapper_spec.rb +10 -6
- metadata +18 -18
- data/lib/hydra/permissions_cache.rb +0 -6
- data/spec/support/config/blacklight.yml +0 -6
- data/spec/support/config/hydra_ip_range.yml +0 -9
- data/spec/support/rails.rb +0 -23
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e70730aa7b919d1cbf3e4815db314bdf6c7ab61b
|
|
4
|
+
data.tar.gz: be22eb4d9e206a741b8e7543d355bcec3a9342dd
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ebeb634bda7b08ac09e6a4210c87ba55863a6d63ad7d6abe9b6d31f8fd8d313bcd916494f2c5f9f3b50fea52012141b2caf5201593043747dbe451dc0d3b94b3
|
|
7
|
+
data.tar.gz: f13e52899116432172f7bcf87d53b55abf1173c294a70c4c66b28037339807297305ca54b8b1b948bb6ef6cccb57e347b48188e2c85c987bc5ec8b231cbe067b
|
data/README.textile
CHANGED
data/Rakefile
CHANGED
|
@@ -81,12 +81,6 @@ module Hydra
|
|
|
81
81
|
visibility_will_change!
|
|
82
82
|
end
|
|
83
83
|
|
|
84
|
-
# Validate that the current visibility is what is specified in the embargo
|
|
85
|
-
def validate_embargo
|
|
86
|
-
Deprecation.warn Embargoable, "validate_embargo is deprecated and will be removed in hydra-access-controls 9.0.0. Use validate_visibility_complies_with_embargo instead."
|
|
87
|
-
validate_visibility_complies_with_embargo
|
|
88
|
-
end
|
|
89
|
-
|
|
90
84
|
# Validate that the current visibility is what is specified in the embargo
|
|
91
85
|
def validate_visibility_complies_with_embargo
|
|
92
86
|
return true unless embargo_release_date
|
|
@@ -117,11 +111,6 @@ module Hydra
|
|
|
117
111
|
end
|
|
118
112
|
end
|
|
119
113
|
|
|
120
|
-
def validate_lease
|
|
121
|
-
Deprecation.warn Embargoable, "validate_lease is deprecated and will be removed in hydra-access-controls 9.0.0. Use validate_visibility_complies_with_lease instead."
|
|
122
|
-
validate_visibility_complies_with_lease
|
|
123
|
-
end
|
|
124
|
-
|
|
125
114
|
def validate_visibility_complies_with_lease
|
|
126
115
|
return true unless lease_expiration_date
|
|
127
116
|
if active_lease?
|
|
@@ -5,10 +5,24 @@ module Hydra
|
|
|
5
5
|
include Hydra::AccessControls::Visibility
|
|
6
6
|
|
|
7
7
|
included do
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
8
|
+
belongs_to :access_control, predicate: ::ACL.accessControl, class_name: 'Hydra::AccessControl'
|
|
9
|
+
before_destroy do |obj|
|
|
10
|
+
access_control.destroy
|
|
11
|
+
end
|
|
12
|
+
after_save do
|
|
13
|
+
# Only force save if autosave woudn't be called normally
|
|
14
|
+
access_control.save! unless access_control.changed?
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
delegate :permissions, :permissions=, to: :permission_delegate
|
|
19
|
+
|
|
20
|
+
def permissions_attributes_without_uniqueness=(attrs)
|
|
21
|
+
permission_delegate.permissions_attributes = attrs
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def permission_delegate
|
|
25
|
+
(access_control || create_access_control).tap { |d| d.owner = self }
|
|
12
26
|
end
|
|
13
27
|
|
|
14
28
|
def to_solr(solr_doc = {})
|
|
@@ -23,36 +37,36 @@ module Hydra
|
|
|
23
37
|
end
|
|
24
38
|
|
|
25
39
|
# When chaging a permission for an object/user, ensure an update is done, not a duplicate
|
|
26
|
-
def
|
|
40
|
+
def permissions_attributes=(attributes_collection)
|
|
27
41
|
if attributes_collection.is_a? Hash
|
|
28
42
|
keys = attributes_collection.keys
|
|
29
43
|
attributes_collection = if keys.include?('id') || keys.include?(:id)
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
44
|
+
Array(attributes_collection)
|
|
45
|
+
else
|
|
46
|
+
attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
|
|
33
47
|
end
|
|
34
48
|
end
|
|
35
49
|
|
|
50
|
+
attributes_collection = attributes_collection.map(&:with_indifferent_access)
|
|
36
51
|
attributes_collection.each do |prop|
|
|
37
52
|
existing = case prop[:type]
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
53
|
+
when 'group'
|
|
54
|
+
search_by_type(:group)
|
|
55
|
+
when 'person'
|
|
56
|
+
search_by_type(:person)
|
|
42
57
|
end
|
|
43
58
|
|
|
44
|
-
next
|
|
59
|
+
next if existing.blank?
|
|
45
60
|
selected = existing.find { |perm| perm.agent_name == prop[:name] }
|
|
46
61
|
prop['id'] = selected.id if selected
|
|
47
62
|
end
|
|
48
63
|
|
|
49
|
-
self.permissions_attributes_without_uniqueness=attributes_collection
|
|
64
|
+
self.permissions_attributes_without_uniqueness = attributes_collection
|
|
50
65
|
end
|
|
51
66
|
|
|
52
|
-
|
|
53
67
|
# Return a list of groups that have discover permission
|
|
54
68
|
def discover_groups
|
|
55
|
-
search_by_type_and_mode(:group, Hydra::ACL.Discover).map
|
|
69
|
+
search_by_type_and_mode(:group, Hydra::ACL.Discover).map(&:agent_name)
|
|
56
70
|
end
|
|
57
71
|
|
|
58
72
|
# Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
|
|
@@ -74,12 +88,12 @@ module Hydra
|
|
|
74
88
|
# => ['one', 'two', 'three']
|
|
75
89
|
#
|
|
76
90
|
def discover_groups_string=(groups)
|
|
77
|
-
self.discover_groups=groups.split(/[\s,]+/)
|
|
91
|
+
self.discover_groups = groups.split(/[\s,]+/)
|
|
78
92
|
end
|
|
79
93
|
|
|
80
94
|
# Display the groups a comma delimeted string
|
|
81
95
|
def discover_groups_string
|
|
82
|
-
|
|
96
|
+
discover_groups.join(', ')
|
|
83
97
|
end
|
|
84
98
|
|
|
85
99
|
# Grant discover permissions to the groups specified. Revokes discover permission for
|
|
@@ -102,7 +116,7 @@ module Hydra
|
|
|
102
116
|
end
|
|
103
117
|
|
|
104
118
|
def discover_users
|
|
105
|
-
search_by_type_and_mode(:person, Hydra::ACL.Discover).map
|
|
119
|
+
search_by_type_and_mode(:person, Hydra::ACL.Discover).map(&:agent_name)
|
|
106
120
|
end
|
|
107
121
|
|
|
108
122
|
# Grant discover permissions to the users specified. Revokes discover permission for all other users.
|
|
@@ -124,12 +138,12 @@ module Hydra
|
|
|
124
138
|
# => ['one', 'two', 'three']
|
|
125
139
|
#
|
|
126
140
|
def discover_users_string=(users)
|
|
127
|
-
self.discover_users=users.split(/[\s,]+/)
|
|
141
|
+
self.discover_users = users.split(/[\s,]+/)
|
|
128
142
|
end
|
|
129
143
|
|
|
130
144
|
# Display the users as a comma delimeted string
|
|
131
145
|
def discover_users_string
|
|
132
|
-
|
|
146
|
+
discover_users.join(', ')
|
|
133
147
|
end
|
|
134
148
|
|
|
135
149
|
# Grant discover permissions to the users specified. Revokes discover permission for
|
|
@@ -153,7 +167,7 @@ module Hydra
|
|
|
153
167
|
|
|
154
168
|
# Return a list of groups that have discover permission
|
|
155
169
|
def read_groups
|
|
156
|
-
search_by_type_and_mode(:group, ::ACL.Read).map
|
|
170
|
+
search_by_type_and_mode(:group, ::ACL.Read).map(&:agent_name)
|
|
157
171
|
end
|
|
158
172
|
|
|
159
173
|
# Grant read permissions to the groups specified. Revokes read permission for all other groups.
|
|
@@ -175,12 +189,12 @@ module Hydra
|
|
|
175
189
|
# => ['one', 'two', 'three']
|
|
176
190
|
#
|
|
177
191
|
def read_groups_string=(groups)
|
|
178
|
-
self.read_groups=groups.split(/[\s,]+/)
|
|
192
|
+
self.read_groups = groups.split(/[\s,]+/)
|
|
179
193
|
end
|
|
180
194
|
|
|
181
195
|
# Display the groups a comma delimeted string
|
|
182
196
|
def read_groups_string
|
|
183
|
-
|
|
197
|
+
read_groups.join(', ')
|
|
184
198
|
end
|
|
185
199
|
|
|
186
200
|
# Grant read permissions to the groups specified. Revokes read permission for
|
|
@@ -203,7 +217,7 @@ module Hydra
|
|
|
203
217
|
end
|
|
204
218
|
|
|
205
219
|
def read_users
|
|
206
|
-
search_by_type_and_mode(:person, ::ACL.Read).map
|
|
220
|
+
search_by_type_and_mode(:person, ::ACL.Read).map(&:agent_name)
|
|
207
221
|
end
|
|
208
222
|
|
|
209
223
|
# Grant read permissions to the users specified. Revokes read permission for all other users.
|
|
@@ -225,12 +239,12 @@ module Hydra
|
|
|
225
239
|
# => ['one', 'two', 'three']
|
|
226
240
|
#
|
|
227
241
|
def read_users_string=(users)
|
|
228
|
-
self.read_users=users.split(/[\s,]+/)
|
|
242
|
+
self.read_users = users.split(/[\s,]+/)
|
|
229
243
|
end
|
|
230
244
|
|
|
231
245
|
# Display the users as a comma delimeted string
|
|
232
246
|
def read_users_string
|
|
233
|
-
|
|
247
|
+
read_users.join(', ')
|
|
234
248
|
end
|
|
235
249
|
|
|
236
250
|
# Grant read permissions to the users specified. Revokes read permission for
|
|
@@ -252,10 +266,9 @@ module Hydra
|
|
|
252
266
|
set_entities(:read, :person, users, eligible_users)
|
|
253
267
|
end
|
|
254
268
|
|
|
255
|
-
|
|
256
269
|
# Return a list of groups that have edit permission
|
|
257
270
|
def edit_groups
|
|
258
|
-
search_by_type_and_mode(:group, ::ACL.Write).map
|
|
271
|
+
search_by_type_and_mode(:group, ::ACL.Write).map(&:agent_name)
|
|
259
272
|
end
|
|
260
273
|
|
|
261
274
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
|
@@ -277,12 +290,12 @@ module Hydra
|
|
|
277
290
|
# => ['one', 'two', 'three']
|
|
278
291
|
#
|
|
279
292
|
def edit_groups_string=(groups)
|
|
280
|
-
self.edit_groups=groups.split(/[\s,]+/)
|
|
293
|
+
self.edit_groups = groups.split(/[\s,]+/)
|
|
281
294
|
end
|
|
282
295
|
|
|
283
296
|
# Display the groups a comma delimeted string
|
|
284
297
|
def edit_groups_string
|
|
285
|
-
|
|
298
|
+
edit_groups.join(', ')
|
|
286
299
|
end
|
|
287
300
|
|
|
288
301
|
# Grant edit permissions to the groups specified. Revokes edit permission for
|
|
@@ -305,7 +318,7 @@ module Hydra
|
|
|
305
318
|
end
|
|
306
319
|
|
|
307
320
|
def edit_users
|
|
308
|
-
search_by_type_and_mode(:person, ::ACL.Write).map
|
|
321
|
+
search_by_type_and_mode(:person, ::ACL.Write).map(&:agent_name)
|
|
309
322
|
end
|
|
310
323
|
|
|
311
324
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
|
@@ -341,7 +354,7 @@ module Hydra
|
|
|
341
354
|
protected
|
|
342
355
|
|
|
343
356
|
def has_destroy_flag?(hash)
|
|
344
|
-
|
|
357
|
+
%w(1 true).include?(hash['_destroy'].to_s)
|
|
345
358
|
end
|
|
346
359
|
|
|
347
360
|
private
|
|
@@ -358,7 +371,7 @@ module Hydra
|
|
|
358
371
|
|
|
359
372
|
values.each do |agent_name|
|
|
360
373
|
exists = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == agent_name }
|
|
361
|
-
permissions.build(name: agent_name, access: permission.to_s, type: type
|
|
374
|
+
permissions.build(name: agent_name, access: permission.to_s, type: type) unless exists.present?
|
|
362
375
|
end
|
|
363
376
|
end
|
|
364
377
|
|
|
@@ -401,7 +414,7 @@ module Hydra
|
|
|
401
414
|
# @param [RDF::URI] mode One of the permissions modes, e.g. ACL.Write, ACL.Read, etc.
|
|
402
415
|
# @yieldparam [Array<ActiveFedora::Base>] agent the agent type assertions
|
|
403
416
|
# @return [Array<Permission>] list of permissions where the mode is as selected, the block evaluates to true and the target is not marked for delete
|
|
404
|
-
def search_by_mode(mode
|
|
417
|
+
def search_by_mode(mode)
|
|
405
418
|
permissions.to_a.select do |p|
|
|
406
419
|
yield(p.agent) && !p.marked_for_destruction? && p.mode.first.rdf_subject == mode
|
|
407
420
|
end
|
|
@@ -416,16 +429,14 @@ module Hydra
|
|
|
416
429
|
end
|
|
417
430
|
|
|
418
431
|
def group_agent?(agent)
|
|
419
|
-
raise
|
|
432
|
+
raise 'no agent' unless agent.present?
|
|
420
433
|
agent.first.rdf_subject.to_s.start_with?(GROUP_AGENT_URL_PREFIX)
|
|
421
|
-
|
|
422
434
|
end
|
|
423
435
|
|
|
424
436
|
def person_agent?(agent)
|
|
425
|
-
raise
|
|
437
|
+
raise 'no agent' unless agent.present?
|
|
426
438
|
agent.first.rdf_subject.to_s.start_with?(PERSON_AGENT_URL_PREFIX)
|
|
427
439
|
end
|
|
428
|
-
|
|
429
440
|
end
|
|
430
441
|
end
|
|
431
442
|
end
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
module Hydra
|
|
2
|
+
class AccessControl < ActiveFedora::Base
|
|
3
|
+
|
|
4
|
+
before_destroy do |obj|
|
|
5
|
+
contains.destroy_all
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
is_a_container class_name: 'Hydra::AccessControls::Permission'
|
|
9
|
+
accepts_nested_attributes_for :contains, allow_destroy: true
|
|
10
|
+
|
|
11
|
+
attr_accessor :owner
|
|
12
|
+
|
|
13
|
+
def permissions
|
|
14
|
+
relationship
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def permissions=(records)
|
|
18
|
+
relationship.replace(records)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def permissions_attributes=(attribute_list)
|
|
22
|
+
raise ArgumentError unless attribute_list.is_a? Array
|
|
23
|
+
attribute_list.each do |attributes|
|
|
24
|
+
if attributes.key?(:id)
|
|
25
|
+
obj = relationship.find(attributes[:id])
|
|
26
|
+
if has_destroy_flag?(attributes)
|
|
27
|
+
obj.destroy
|
|
28
|
+
else
|
|
29
|
+
obj.update(attributes.except(:id, '_destroy'))
|
|
30
|
+
end
|
|
31
|
+
else
|
|
32
|
+
relationship.create(attributes)
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
# def has_destroy_flag?(hash)
|
|
38
|
+
# ActiveFedora::Type::Boolean.new.cast(hash['_destroy'])
|
|
39
|
+
# end
|
|
40
|
+
|
|
41
|
+
def relationship
|
|
42
|
+
@relationship ||= CollectionRelationship.new(self, :contains)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
class CollectionRelationship
|
|
46
|
+
def initialize(owner, reflection)
|
|
47
|
+
@owner = owner
|
|
48
|
+
@relationship = @owner.send(reflection)
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
delegate :to_a, :to_ary, :map, :delete, :last, :size, :count, :[],
|
|
52
|
+
:==, :detect, to: :@relationship
|
|
53
|
+
|
|
54
|
+
# TODO: if directly_contained relationships supported find, we could just
|
|
55
|
+
# delegate find.
|
|
56
|
+
def find(id)
|
|
57
|
+
return to_a.find { |record| record.id == id } if @relationship.loaded?
|
|
58
|
+
|
|
59
|
+
unless id.start_with?(@owner.id)
|
|
60
|
+
raise ArgumentError, "requested ACL (#{id}) is not a member of #{@owner.id}"
|
|
61
|
+
end
|
|
62
|
+
ActiveFedora::Base.find(id)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
# adds one to the target.
|
|
66
|
+
def build(attributes)
|
|
67
|
+
@relationship.build(attributes) do |record|
|
|
68
|
+
record.access_to = @owner.owner
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def create(attributes)
|
|
73
|
+
build(attributes).tap(&:save!)
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def replace(*args)
|
|
77
|
+
@relationship.replace(*args)
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
module Hydra::AccessControls
|
|
2
|
-
AGENT_URL_PREFIX =
|
|
3
|
-
GROUP_AGENT_URL_PREFIX =
|
|
2
|
+
AGENT_URL_PREFIX = 'http://projecthydra.org/ns/auth/'.freeze
|
|
3
|
+
GROUP_AGENT_URL_PREFIX = 'http://projecthydra.org/ns/auth/group'.freeze
|
|
4
4
|
PERSON_AGENT_URL_PREFIX = 'http://projecthydra.org/ns/auth/person'.freeze
|
|
5
5
|
class Permission < AccessControlList
|
|
6
6
|
has_many :admin_policies, inverse_of: :default_permissions, class_name: 'Hydra::AdminPolicy'
|
|
@@ -21,12 +21,12 @@ module Hydra::AccessControls
|
|
|
21
21
|
"<#{self.class.name} id: #{id} agent: #{agent_value} mode: #{mode_value} access_to: #{access_to_id.inspect}>"
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
def ==
|
|
25
|
-
other.is_a?(Permission) && id == other.id &&
|
|
26
|
-
|
|
24
|
+
def ==(other)
|
|
25
|
+
other.is_a?(Permission) && id == other.id && access_to_id == other.access_to_id &&
|
|
26
|
+
agent.first.rdf_subject == other.agent.first.rdf_subject && mode.first.rdf_subject == other.mode.first.rdf_subject
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
def
|
|
29
|
+
def assign_attributes(attributes)
|
|
30
30
|
attrs = attributes.dup
|
|
31
31
|
name = attrs.delete(:name)
|
|
32
32
|
type = attrs.delete(:type)
|
|
@@ -50,35 +50,34 @@ module Hydra::AccessControls
|
|
|
50
50
|
|
|
51
51
|
protected
|
|
52
52
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
def build_agent(name, type)
|
|
58
|
-
raise "Can't build agent #{inspect}" unless name && type
|
|
59
|
-
self.agent = case type
|
|
60
|
-
when "group"
|
|
61
|
-
Agent.new(::RDF::URI.new("#{GROUP_AGENT_URL_PREFIX}##{name}"))
|
|
62
|
-
when "person"
|
|
63
|
-
Agent.new(::RDF::URI.new("#{PERSON_AGENT_URL_PREFIX}##{name}"))
|
|
64
|
-
else
|
|
65
|
-
raise ArgumentError, "Unknown agent type #{type.inspect}"
|
|
66
|
-
end
|
|
67
|
-
end
|
|
53
|
+
def parsed_agent
|
|
54
|
+
@parsed_agent ||= agent.first.rdf_subject.to_s.sub(AGENT_URL_PREFIX, '').split('#')
|
|
55
|
+
end
|
|
68
56
|
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
end
|
|
81
|
-
end
|
|
57
|
+
def build_agent(name, type)
|
|
58
|
+
raise "Can't build agent #{inspect}" unless name && type
|
|
59
|
+
self.agent = case type
|
|
60
|
+
when 'group'
|
|
61
|
+
Agent.new(::RDF::URI.new("#{GROUP_AGENT_URL_PREFIX}##{name}"))
|
|
62
|
+
when 'person'
|
|
63
|
+
Agent.new(::RDF::URI.new("#{PERSON_AGENT_URL_PREFIX}##{name}"))
|
|
64
|
+
else
|
|
65
|
+
raise ArgumentError, "Unknown agent type #{type.inspect}"
|
|
66
|
+
end
|
|
67
|
+
end
|
|
82
68
|
|
|
69
|
+
def build_access(access)
|
|
70
|
+
raise "Can't build access #{inspect}" unless access
|
|
71
|
+
self.mode = case access
|
|
72
|
+
when 'read'
|
|
73
|
+
Mode.new(::ACL.Read)
|
|
74
|
+
when 'edit'
|
|
75
|
+
Mode.new(::ACL.Write)
|
|
76
|
+
when 'discover'
|
|
77
|
+
Mode.new(Hydra::ACL.Discover)
|
|
78
|
+
else
|
|
79
|
+
raise ArgumentError, "Unknown access #{access.inspect}"
|
|
80
|
+
end
|
|
81
|
+
end
|
|
83
82
|
end
|
|
84
83
|
end
|
data/app/vocabularies/acl.rb
CHANGED
|
@@ -19,9 +19,9 @@ Gem::Specification.new do |gem|
|
|
|
19
19
|
gem.required_ruby_version = '>= 1.9.3'
|
|
20
20
|
|
|
21
21
|
gem.add_dependency 'activesupport', '~> 4.0'
|
|
22
|
-
gem.add_dependency "active-fedora", '
|
|
22
|
+
gem.add_dependency "active-fedora", '>= 10.0.0.beta1', '< 11'
|
|
23
23
|
gem.add_dependency 'cancancan', '~> 1.8'
|
|
24
|
-
gem.add_dependency 'deprecation', '~> 0
|
|
24
|
+
gem.add_dependency 'deprecation', '~> 1.0'
|
|
25
25
|
gem.add_dependency "blacklight", '>= 5.16'
|
|
26
26
|
gem.add_dependency "blacklight-access_controls", '~> 0.1'
|
|
27
27
|
|
data/lib/hydra/admin_policy.rb
CHANGED
|
@@ -22,17 +22,5 @@ module Hydra
|
|
|
22
22
|
title_without_first.first
|
|
23
23
|
end
|
|
24
24
|
alias_method_chain :title, :first
|
|
25
|
-
|
|
26
|
-
def license_title=(_)
|
|
27
|
-
Deprecation.warn AdminPolicy, "license_title= has been removed from AdminPolicy. Look at Hydra::Rights instead"
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
def license_description=(_)
|
|
31
|
-
Deprecation.warn AdminPolicy, "license_description= has been removed from AdminPolicy. Look at Hydra::Rights instead"
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
def license_url=(_)
|
|
35
|
-
Deprecation.warn AdminPolicy, "license_url= has been removed from AdminPolicy. Look at Hydra::Rights instead"
|
|
36
|
-
end
|
|
37
25
|
end
|
|
38
26
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
ENV[
|
|
1
|
+
ENV['RAILS_ENV'] ||= 'test'
|
|
2
|
+
require 'engine_cart'
|
|
3
|
+
path = File.expand_path(File.join('..', '..', '..', '.internal_test_app'), __FILE__)
|
|
4
|
+
EngineCart.load_application! path
|
|
2
5
|
|
|
3
|
-
require 'rspec/mocks'
|
|
4
|
-
require 'rspec/its'
|
|
5
6
|
require 'hydra-access-controls'
|
|
6
7
|
|
|
7
8
|
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
|
@@ -18,9 +19,6 @@ if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/
|
|
|
18
19
|
SimpleCov.start
|
|
19
20
|
end
|
|
20
21
|
|
|
21
|
-
|
|
22
|
-
require 'support/rails'
|
|
23
|
-
|
|
24
22
|
# Since we're not doing a Rails Engine test, we have to load these classes manually:
|
|
25
23
|
require 'active_support'
|
|
26
24
|
require 'active_support/dependencies'
|
|
@@ -38,6 +36,8 @@ require 'support/mods_asset'
|
|
|
38
36
|
require 'support/solr_document'
|
|
39
37
|
require "support/user"
|
|
40
38
|
require "factory_girl"
|
|
39
|
+
require 'rspec/mocks'
|
|
40
|
+
require 'rspec/its'
|
|
41
41
|
require "factories"
|
|
42
42
|
|
|
43
43
|
# HttpLogger.logger = Logger.new(STDOUT)
|
|
@@ -53,9 +53,3 @@ RSpec.configure do |config|
|
|
|
53
53
|
end
|
|
54
54
|
end
|
|
55
55
|
|
|
56
|
-
# Stubbing Devise
|
|
57
|
-
class Devise
|
|
58
|
-
def self.authentication_keys
|
|
59
|
-
["uid"]
|
|
60
|
-
end
|
|
61
|
-
end
|
data/spec/unit/ability_spec.rb
CHANGED
|
@@ -2,6 +2,9 @@ require 'spec_helper'
|
|
|
2
2
|
require 'cancan/matchers'
|
|
3
3
|
|
|
4
4
|
describe Ability do
|
|
5
|
+
before do
|
|
6
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
7
|
+
end
|
|
5
8
|
describe "class methods" do
|
|
6
9
|
subject { Ability }
|
|
7
10
|
its(:read_group_field) { should == 'read_access_group_ssim'}
|
|
@@ -1,6 +1,9 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe Hydra::AccessControlsEnforcement do
|
|
4
|
+
before do
|
|
5
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
6
|
+
end
|
|
4
7
|
let(:controller) { MockController.new }
|
|
5
8
|
let(:method_chain) { MockController.search_params_logic }
|
|
6
9
|
let(:search_builder) { MockSearchBuilder.new(method_chain, controller) }
|
|
@@ -19,11 +19,12 @@ describe Hydra::AccessControls::Permissions do
|
|
|
19
19
|
subject.read_groups=['group1', 'group2']
|
|
20
20
|
subject.edit_users=['user1']
|
|
21
21
|
subject.read_users=['user2', 'user3']
|
|
22
|
-
expect(subject.permissions).to
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
22
|
+
expect(subject.permissions.to_a).to all(be_kind_of(Hydra::AccessControls::Permission))
|
|
23
|
+
expect(subject.permissions.map(&:to_hash)).to match_array [{type: "group", access: "read", name: "group1"},
|
|
24
|
+
{ type: "group", access: "read", name: "group2" },
|
|
25
|
+
{ type: "person", access: "read", name: "user2" },
|
|
26
|
+
{ type: "person", access: "read", name: "user3" },
|
|
27
|
+
{ type: "person", access: "edit", name: "user1" }]
|
|
27
28
|
end
|
|
28
29
|
|
|
29
30
|
describe "building a new permission" do
|
|
@@ -31,9 +32,16 @@ describe Hydra::AccessControls::Permissions do
|
|
|
31
32
|
|
|
32
33
|
it "sets the accessTo association" do
|
|
33
34
|
perm = subject.permissions.build(name: 'user1', type: 'person', access: 'read')
|
|
34
|
-
subject.save
|
|
35
35
|
expect(perm.access_to_id).to eq subject.id
|
|
36
36
|
end
|
|
37
|
+
|
|
38
|
+
it "autosaves the permissions" do
|
|
39
|
+
subject.permissions.build(name: 'user1', type: 'person', access: 'read')
|
|
40
|
+
subject.save!
|
|
41
|
+
subject.reload
|
|
42
|
+
foo = Foo.find(subject.id)
|
|
43
|
+
expect(foo.permissions.to_a).not_to eq []
|
|
44
|
+
end
|
|
37
45
|
end
|
|
38
46
|
|
|
39
47
|
describe "updating permissions" do
|
|
@@ -113,14 +121,14 @@ describe Hydra::AccessControls::Permissions do
|
|
|
113
121
|
end
|
|
114
122
|
|
|
115
123
|
context "when the destroy flag is set" do
|
|
116
|
-
let(:reloaded) { subject.permissions.
|
|
124
|
+
let(:reloaded) { subject.reload.permissions.map(&:to_hash) }
|
|
117
125
|
let(:permissions_id) { ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s) }
|
|
118
126
|
|
|
119
127
|
context "to a truthy value" do
|
|
120
128
|
context "when updating users" do
|
|
121
129
|
before do
|
|
122
130
|
subject.update permissions_attributes: [{ type: "person", access: "read", name: "user1" }]
|
|
123
|
-
subject.update permissions_attributes: [{ id: permissions_id, type: "person", access: "edit", name: "user1", _destroy: true}]
|
|
131
|
+
subject.update permissions_attributes: [{ id: permissions_id, type: "person", access: "edit", name: "user1", _destroy: 'true' }]
|
|
124
132
|
end
|
|
125
133
|
|
|
126
134
|
it "removes permissions on existing users" do
|
|
@@ -214,7 +222,7 @@ describe Hydra::AccessControls::Permissions do
|
|
|
214
222
|
context "when the original object is destroyed" do
|
|
215
223
|
before do
|
|
216
224
|
subject.save!
|
|
217
|
-
subject.permissions.
|
|
225
|
+
subject.permissions.create(type: 'person', access: 'read', name: 'person1')
|
|
218
226
|
subject.save!
|
|
219
227
|
end
|
|
220
228
|
|
|
@@ -2,6 +2,8 @@ require 'spec_helper'
|
|
|
2
2
|
|
|
3
3
|
describe Hydra::PolicyAwareAccessControlsEnforcement do
|
|
4
4
|
before do
|
|
5
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
6
|
+
|
|
5
7
|
class PolicyMockSearchBuilder < Blacklight::SearchBuilder
|
|
6
8
|
include Blacklight::Solr::SearchBuilderBehavior
|
|
7
9
|
include Hydra::AccessControlsEnforcement
|
|
@@ -1,28 +1,32 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe RoleMapper do
|
|
4
|
-
|
|
4
|
+
before do
|
|
5
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
it "defines the 4 roles" do
|
|
5
9
|
expect(RoleMapper.role_names.sort).to eq %w(admin_policy_object_editor archivist donor patron researcher)
|
|
6
10
|
end
|
|
7
|
-
it "
|
|
11
|
+
it "is quer[iy]able for roles for a given user" do
|
|
8
12
|
expect(RoleMapper.roles('leland_himself@example.com').sort).to eq ['archivist', 'donor', 'patron']
|
|
9
13
|
expect(RoleMapper.roles('archivist2@example.com')).to eq ['archivist']
|
|
10
14
|
end
|
|
11
15
|
|
|
12
|
-
it "
|
|
16
|
+
it "doesn't change its response when it's called repeatedly" do
|
|
13
17
|
u = User.new(:uid=>'leland_himself@example.com')
|
|
14
18
|
allow(u).to receive(:new_record?).and_return(false)
|
|
15
19
|
expect(RoleMapper.roles(u).sort).to eq ['archivist', 'donor', 'patron', "registered"]
|
|
16
20
|
expect(RoleMapper.roles(u).sort).to eq ['archivist', 'donor', 'patron', "registered"]
|
|
17
21
|
end
|
|
18
22
|
|
|
19
|
-
it "
|
|
23
|
+
it "returns an empty array if there are no roles" do
|
|
20
24
|
expect(RoleMapper.roles('zeus@olympus.mt')).to be_empty
|
|
21
25
|
end
|
|
22
|
-
|
|
26
|
+
|
|
27
|
+
it "knows who is what" do
|
|
23
28
|
expect(RoleMapper.whois('archivist').sort).to eq %w(archivist1@example.com archivist2@example.com leland_himself@example.com)
|
|
24
29
|
expect(RoleMapper.whois('salesman')).to be_empty
|
|
25
30
|
expect(RoleMapper.whois('admin_policy_object_editor').sort).to eq %w(archivist1@example.com)
|
|
26
31
|
end
|
|
27
|
-
|
|
28
32
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hydra-access-controls
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 10.0.0.beta1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chris Beer
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2016-
|
|
13
|
+
date: 2016-05-10 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: activesupport
|
|
@@ -30,16 +30,22 @@ dependencies:
|
|
|
30
30
|
name: active-fedora
|
|
31
31
|
requirement: !ruby/object:Gem::Requirement
|
|
32
32
|
requirements:
|
|
33
|
-
- - "
|
|
33
|
+
- - ">="
|
|
34
34
|
- !ruby/object:Gem::Version
|
|
35
|
-
version:
|
|
35
|
+
version: 10.0.0.beta1
|
|
36
|
+
- - "<"
|
|
37
|
+
- !ruby/object:Gem::Version
|
|
38
|
+
version: '11'
|
|
36
39
|
type: :runtime
|
|
37
40
|
prerelease: false
|
|
38
41
|
version_requirements: !ruby/object:Gem::Requirement
|
|
39
42
|
requirements:
|
|
40
|
-
- - "
|
|
43
|
+
- - ">="
|
|
44
|
+
- !ruby/object:Gem::Version
|
|
45
|
+
version: 10.0.0.beta1
|
|
46
|
+
- - "<"
|
|
41
47
|
- !ruby/object:Gem::Version
|
|
42
|
-
version: '
|
|
48
|
+
version: '11'
|
|
43
49
|
- !ruby/object:Gem::Dependency
|
|
44
50
|
name: cancancan
|
|
45
51
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -60,14 +66,14 @@ dependencies:
|
|
|
60
66
|
requirements:
|
|
61
67
|
- - "~>"
|
|
62
68
|
- !ruby/object:Gem::Version
|
|
63
|
-
version: '0
|
|
69
|
+
version: '1.0'
|
|
64
70
|
type: :runtime
|
|
65
71
|
prerelease: false
|
|
66
72
|
version_requirements: !ruby/object:Gem::Requirement
|
|
67
73
|
requirements:
|
|
68
74
|
- - "~>"
|
|
69
75
|
- !ruby/object:Gem::Version
|
|
70
|
-
version: '0
|
|
76
|
+
version: '1.0'
|
|
71
77
|
- !ruby/object:Gem::Dependency
|
|
72
78
|
name: blacklight
|
|
73
79
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -147,6 +153,7 @@ files:
|
|
|
147
153
|
- app/models/concerns/hydra/ip_based_ability.rb
|
|
148
154
|
- app/models/concerns/hydra/rights.rb
|
|
149
155
|
- app/models/concerns/hydra/with_depositor.rb
|
|
156
|
+
- app/models/hydra/access_control.rb
|
|
150
157
|
- app/models/hydra/access_controls/access_control_list.rb
|
|
151
158
|
- app/models/hydra/access_controls/embargo.rb
|
|
152
159
|
- app/models/hydra/access_controls/lease.rb
|
|
@@ -169,7 +176,6 @@ files:
|
|
|
169
176
|
- lib/hydra/admin_policy.rb
|
|
170
177
|
- lib/hydra/config.rb
|
|
171
178
|
- lib/hydra/ip_based_groups.rb
|
|
172
|
-
- lib/hydra/permissions_cache.rb
|
|
173
179
|
- lib/hydra/permissions_query.rb
|
|
174
180
|
- lib/hydra/policy_aware_ability.rb
|
|
175
181
|
- lib/hydra/policy_aware_access_controls_enforcement.rb
|
|
@@ -181,11 +187,8 @@ files:
|
|
|
181
187
|
- spec/services/embargo_service_spec.rb
|
|
182
188
|
- spec/services/lease_service_spec.rb
|
|
183
189
|
- spec/spec_helper.rb
|
|
184
|
-
- spec/support/config/blacklight.yml
|
|
185
|
-
- spec/support/config/hydra_ip_range.yml
|
|
186
190
|
- spec/support/config/role_map.yml
|
|
187
191
|
- spec/support/mods_asset.rb
|
|
188
|
-
- spec/support/rails.rb
|
|
189
192
|
- spec/support/solr_document.rb
|
|
190
193
|
- spec/support/user.rb
|
|
191
194
|
- spec/unit/ability_spec.rb
|
|
@@ -221,12 +224,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
221
224
|
version: 1.9.3
|
|
222
225
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
223
226
|
requirements:
|
|
224
|
-
- - "
|
|
227
|
+
- - ">"
|
|
225
228
|
- !ruby/object:Gem::Version
|
|
226
|
-
version:
|
|
229
|
+
version: 1.3.1
|
|
227
230
|
requirements: []
|
|
228
231
|
rubyforge_project:
|
|
229
|
-
rubygems_version: 2.
|
|
232
|
+
rubygems_version: 2.5.1
|
|
230
233
|
signing_key:
|
|
231
234
|
specification_version: 4
|
|
232
235
|
summary: Access controls for project hydra
|
|
@@ -237,11 +240,8 @@ test_files:
|
|
|
237
240
|
- spec/services/embargo_service_spec.rb
|
|
238
241
|
- spec/services/lease_service_spec.rb
|
|
239
242
|
- spec/spec_helper.rb
|
|
240
|
-
- spec/support/config/blacklight.yml
|
|
241
|
-
- spec/support/config/hydra_ip_range.yml
|
|
242
243
|
- spec/support/config/role_map.yml
|
|
243
244
|
- spec/support/mods_asset.rb
|
|
244
|
-
- spec/support/rails.rb
|
|
245
245
|
- spec/support/solr_document.rb
|
|
246
246
|
- spec/support/user.rb
|
|
247
247
|
- spec/unit/ability_spec.rb
|
|
@@ -1,6 +0,0 @@
|
|
|
1
|
-
class Hydra::PermissionsCache < Blacklight::AccessControls::PermissionsCache
|
|
2
|
-
extend Deprecation
|
|
3
|
-
|
|
4
|
-
Deprecation.warn Hydra::PermissionsCache, "Hydra::PermissionsCache will be removed in Hydra 10. Use Blacklight::AccessControls::PermissionsCache instead (from blacklight-access_controls gem)."
|
|
5
|
-
|
|
6
|
-
end
|
data/spec/support/rails.rb
DELETED
|
@@ -1,23 +0,0 @@
|
|
|
1
|
-
# Rails normally loads the locales of engines for us.
|
|
2
|
-
I18n.load_path << 'config/locales/hydra-access-controls.en.yml'
|
|
3
|
-
|
|
4
|
-
module Rails
|
|
5
|
-
class << self
|
|
6
|
-
def env
|
|
7
|
-
ENV['environment']
|
|
8
|
-
end
|
|
9
|
-
|
|
10
|
-
def version
|
|
11
|
-
"0.0.0"
|
|
12
|
-
#"hydra-access-controls mock rails"
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
def root
|
|
16
|
-
'spec/support'
|
|
17
|
-
end
|
|
18
|
-
|
|
19
|
-
def logger
|
|
20
|
-
@@logger ||= Logger.new(File.expand_path('../../test.log', __FILE__)).tap { |logger| logger.level = Logger::WARN }
|
|
21
|
-
end
|
|
22
|
-
end
|
|
23
|
-
end
|