hydra-access-controls 9.10.0 → 10.0.0.beta1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.textile +1 -4
- data/Rakefile +0 -1
- data/app/models/concerns/hydra/access_controls/embargoable.rb +0 -11
- data/app/models/concerns/hydra/access_controls/permissions.rb +50 -39
- data/app/models/hydra/access_control.rb +81 -0
- data/app/models/hydra/access_controls/permission.rb +33 -34
- data/app/vocabularies/acl.rb +1 -0
- data/hydra-access-controls.gemspec +2 -2
- data/lib/hydra-access-controls.rb +0 -1
- data/lib/hydra/admin_policy.rb +0 -12
- data/spec/spec_helper.rb +6 -12
- data/spec/unit/ability_spec.rb +3 -0
- data/spec/unit/access_controls_enforcement_spec.rb +3 -0
- data/spec/unit/admin_policy_spec.rb +3 -0
- data/spec/unit/permissions_spec.rb +17 -9
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +2 -0
- data/spec/unit/role_mapper_spec.rb +10 -6
- metadata +18 -18
- data/lib/hydra/permissions_cache.rb +0 -6
- data/spec/support/config/blacklight.yml +0 -6
- data/spec/support/config/hydra_ip_range.yml +0 -9
- data/spec/support/rails.rb +0 -23
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e70730aa7b919d1cbf3e4815db314bdf6c7ab61b
|
|
4
|
+
data.tar.gz: be22eb4d9e206a741b8e7543d355bcec3a9342dd
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ebeb634bda7b08ac09e6a4210c87ba55863a6d63ad7d6abe9b6d31f8fd8d313bcd916494f2c5f9f3b50fea52012141b2caf5201593043747dbe451dc0d3b94b3
|
|
7
|
+
data.tar.gz: f13e52899116432172f7bcf87d53b55abf1173c294a70c4c66b28037339807297305ca54b8b1b948bb6ef6cccb57e347b48188e2c85c987bc5ec8b231cbe067b
|
data/README.textile
CHANGED
data/Rakefile
CHANGED
|
@@ -81,12 +81,6 @@ module Hydra
|
|
|
81
81
|
visibility_will_change!
|
|
82
82
|
end
|
|
83
83
|
|
|
84
|
-
# Validate that the current visibility is what is specified in the embargo
|
|
85
|
-
def validate_embargo
|
|
86
|
-
Deprecation.warn Embargoable, "validate_embargo is deprecated and will be removed in hydra-access-controls 9.0.0. Use validate_visibility_complies_with_embargo instead."
|
|
87
|
-
validate_visibility_complies_with_embargo
|
|
88
|
-
end
|
|
89
|
-
|
|
90
84
|
# Validate that the current visibility is what is specified in the embargo
|
|
91
85
|
def validate_visibility_complies_with_embargo
|
|
92
86
|
return true unless embargo_release_date
|
|
@@ -117,11 +111,6 @@ module Hydra
|
|
|
117
111
|
end
|
|
118
112
|
end
|
|
119
113
|
|
|
120
|
-
def validate_lease
|
|
121
|
-
Deprecation.warn Embargoable, "validate_lease is deprecated and will be removed in hydra-access-controls 9.0.0. Use validate_visibility_complies_with_lease instead."
|
|
122
|
-
validate_visibility_complies_with_lease
|
|
123
|
-
end
|
|
124
|
-
|
|
125
114
|
def validate_visibility_complies_with_lease
|
|
126
115
|
return true unless lease_expiration_date
|
|
127
116
|
if active_lease?
|
|
@@ -5,10 +5,24 @@ module Hydra
|
|
|
5
5
|
include Hydra::AccessControls::Visibility
|
|
6
6
|
|
|
7
7
|
included do
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
8
|
+
belongs_to :access_control, predicate: ::ACL.accessControl, class_name: 'Hydra::AccessControl'
|
|
9
|
+
before_destroy do |obj|
|
|
10
|
+
access_control.destroy
|
|
11
|
+
end
|
|
12
|
+
after_save do
|
|
13
|
+
# Only force save if autosave woudn't be called normally
|
|
14
|
+
access_control.save! unless access_control.changed?
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
delegate :permissions, :permissions=, to: :permission_delegate
|
|
19
|
+
|
|
20
|
+
def permissions_attributes_without_uniqueness=(attrs)
|
|
21
|
+
permission_delegate.permissions_attributes = attrs
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def permission_delegate
|
|
25
|
+
(access_control || create_access_control).tap { |d| d.owner = self }
|
|
12
26
|
end
|
|
13
27
|
|
|
14
28
|
def to_solr(solr_doc = {})
|
|
@@ -23,36 +37,36 @@ module Hydra
|
|
|
23
37
|
end
|
|
24
38
|
|
|
25
39
|
# When chaging a permission for an object/user, ensure an update is done, not a duplicate
|
|
26
|
-
def
|
|
40
|
+
def permissions_attributes=(attributes_collection)
|
|
27
41
|
if attributes_collection.is_a? Hash
|
|
28
42
|
keys = attributes_collection.keys
|
|
29
43
|
attributes_collection = if keys.include?('id') || keys.include?(:id)
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
44
|
+
Array(attributes_collection)
|
|
45
|
+
else
|
|
46
|
+
attributes_collection.sort_by { |i, _| i.to_i }.map { |_, attributes| attributes }
|
|
33
47
|
end
|
|
34
48
|
end
|
|
35
49
|
|
|
50
|
+
attributes_collection = attributes_collection.map(&:with_indifferent_access)
|
|
36
51
|
attributes_collection.each do |prop|
|
|
37
52
|
existing = case prop[:type]
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
53
|
+
when 'group'
|
|
54
|
+
search_by_type(:group)
|
|
55
|
+
when 'person'
|
|
56
|
+
search_by_type(:person)
|
|
42
57
|
end
|
|
43
58
|
|
|
44
|
-
next
|
|
59
|
+
next if existing.blank?
|
|
45
60
|
selected = existing.find { |perm| perm.agent_name == prop[:name] }
|
|
46
61
|
prop['id'] = selected.id if selected
|
|
47
62
|
end
|
|
48
63
|
|
|
49
|
-
self.permissions_attributes_without_uniqueness=attributes_collection
|
|
64
|
+
self.permissions_attributes_without_uniqueness = attributes_collection
|
|
50
65
|
end
|
|
51
66
|
|
|
52
|
-
|
|
53
67
|
# Return a list of groups that have discover permission
|
|
54
68
|
def discover_groups
|
|
55
|
-
search_by_type_and_mode(:group, Hydra::ACL.Discover).map
|
|
69
|
+
search_by_type_and_mode(:group, Hydra::ACL.Discover).map(&:agent_name)
|
|
56
70
|
end
|
|
57
71
|
|
|
58
72
|
# Grant discover permissions to the groups specified. Revokes discover permission for all other groups.
|
|
@@ -74,12 +88,12 @@ module Hydra
|
|
|
74
88
|
# => ['one', 'two', 'three']
|
|
75
89
|
#
|
|
76
90
|
def discover_groups_string=(groups)
|
|
77
|
-
self.discover_groups=groups.split(/[\s,]+/)
|
|
91
|
+
self.discover_groups = groups.split(/[\s,]+/)
|
|
78
92
|
end
|
|
79
93
|
|
|
80
94
|
# Display the groups a comma delimeted string
|
|
81
95
|
def discover_groups_string
|
|
82
|
-
|
|
96
|
+
discover_groups.join(', ')
|
|
83
97
|
end
|
|
84
98
|
|
|
85
99
|
# Grant discover permissions to the groups specified. Revokes discover permission for
|
|
@@ -102,7 +116,7 @@ module Hydra
|
|
|
102
116
|
end
|
|
103
117
|
|
|
104
118
|
def discover_users
|
|
105
|
-
search_by_type_and_mode(:person, Hydra::ACL.Discover).map
|
|
119
|
+
search_by_type_and_mode(:person, Hydra::ACL.Discover).map(&:agent_name)
|
|
106
120
|
end
|
|
107
121
|
|
|
108
122
|
# Grant discover permissions to the users specified. Revokes discover permission for all other users.
|
|
@@ -124,12 +138,12 @@ module Hydra
|
|
|
124
138
|
# => ['one', 'two', 'three']
|
|
125
139
|
#
|
|
126
140
|
def discover_users_string=(users)
|
|
127
|
-
self.discover_users=users.split(/[\s,]+/)
|
|
141
|
+
self.discover_users = users.split(/[\s,]+/)
|
|
128
142
|
end
|
|
129
143
|
|
|
130
144
|
# Display the users as a comma delimeted string
|
|
131
145
|
def discover_users_string
|
|
132
|
-
|
|
146
|
+
discover_users.join(', ')
|
|
133
147
|
end
|
|
134
148
|
|
|
135
149
|
# Grant discover permissions to the users specified. Revokes discover permission for
|
|
@@ -153,7 +167,7 @@ module Hydra
|
|
|
153
167
|
|
|
154
168
|
# Return a list of groups that have discover permission
|
|
155
169
|
def read_groups
|
|
156
|
-
search_by_type_and_mode(:group, ::ACL.Read).map
|
|
170
|
+
search_by_type_and_mode(:group, ::ACL.Read).map(&:agent_name)
|
|
157
171
|
end
|
|
158
172
|
|
|
159
173
|
# Grant read permissions to the groups specified. Revokes read permission for all other groups.
|
|
@@ -175,12 +189,12 @@ module Hydra
|
|
|
175
189
|
# => ['one', 'two', 'three']
|
|
176
190
|
#
|
|
177
191
|
def read_groups_string=(groups)
|
|
178
|
-
self.read_groups=groups.split(/[\s,]+/)
|
|
192
|
+
self.read_groups = groups.split(/[\s,]+/)
|
|
179
193
|
end
|
|
180
194
|
|
|
181
195
|
# Display the groups a comma delimeted string
|
|
182
196
|
def read_groups_string
|
|
183
|
-
|
|
197
|
+
read_groups.join(', ')
|
|
184
198
|
end
|
|
185
199
|
|
|
186
200
|
# Grant read permissions to the groups specified. Revokes read permission for
|
|
@@ -203,7 +217,7 @@ module Hydra
|
|
|
203
217
|
end
|
|
204
218
|
|
|
205
219
|
def read_users
|
|
206
|
-
search_by_type_and_mode(:person, ::ACL.Read).map
|
|
220
|
+
search_by_type_and_mode(:person, ::ACL.Read).map(&:agent_name)
|
|
207
221
|
end
|
|
208
222
|
|
|
209
223
|
# Grant read permissions to the users specified. Revokes read permission for all other users.
|
|
@@ -225,12 +239,12 @@ module Hydra
|
|
|
225
239
|
# => ['one', 'two', 'three']
|
|
226
240
|
#
|
|
227
241
|
def read_users_string=(users)
|
|
228
|
-
self.read_users=users.split(/[\s,]+/)
|
|
242
|
+
self.read_users = users.split(/[\s,]+/)
|
|
229
243
|
end
|
|
230
244
|
|
|
231
245
|
# Display the users as a comma delimeted string
|
|
232
246
|
def read_users_string
|
|
233
|
-
|
|
247
|
+
read_users.join(', ')
|
|
234
248
|
end
|
|
235
249
|
|
|
236
250
|
# Grant read permissions to the users specified. Revokes read permission for
|
|
@@ -252,10 +266,9 @@ module Hydra
|
|
|
252
266
|
set_entities(:read, :person, users, eligible_users)
|
|
253
267
|
end
|
|
254
268
|
|
|
255
|
-
|
|
256
269
|
# Return a list of groups that have edit permission
|
|
257
270
|
def edit_groups
|
|
258
|
-
search_by_type_and_mode(:group, ::ACL.Write).map
|
|
271
|
+
search_by_type_and_mode(:group, ::ACL.Write).map(&:agent_name)
|
|
259
272
|
end
|
|
260
273
|
|
|
261
274
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
|
@@ -277,12 +290,12 @@ module Hydra
|
|
|
277
290
|
# => ['one', 'two', 'three']
|
|
278
291
|
#
|
|
279
292
|
def edit_groups_string=(groups)
|
|
280
|
-
self.edit_groups=groups.split(/[\s,]+/)
|
|
293
|
+
self.edit_groups = groups.split(/[\s,]+/)
|
|
281
294
|
end
|
|
282
295
|
|
|
283
296
|
# Display the groups a comma delimeted string
|
|
284
297
|
def edit_groups_string
|
|
285
|
-
|
|
298
|
+
edit_groups.join(', ')
|
|
286
299
|
end
|
|
287
300
|
|
|
288
301
|
# Grant edit permissions to the groups specified. Revokes edit permission for
|
|
@@ -305,7 +318,7 @@ module Hydra
|
|
|
305
318
|
end
|
|
306
319
|
|
|
307
320
|
def edit_users
|
|
308
|
-
search_by_type_and_mode(:person, ::ACL.Write).map
|
|
321
|
+
search_by_type_and_mode(:person, ::ACL.Write).map(&:agent_name)
|
|
309
322
|
end
|
|
310
323
|
|
|
311
324
|
# Grant edit permissions to the groups specified. Revokes edit permission for all other groups.
|
|
@@ -341,7 +354,7 @@ module Hydra
|
|
|
341
354
|
protected
|
|
342
355
|
|
|
343
356
|
def has_destroy_flag?(hash)
|
|
344
|
-
|
|
357
|
+
%w(1 true).include?(hash['_destroy'].to_s)
|
|
345
358
|
end
|
|
346
359
|
|
|
347
360
|
private
|
|
@@ -358,7 +371,7 @@ module Hydra
|
|
|
358
371
|
|
|
359
372
|
values.each do |agent_name|
|
|
360
373
|
exists = search_by_type_and_mode(type, permission_to_uri(permission)).select { |p| p.agent_name == agent_name }
|
|
361
|
-
permissions.build(name: agent_name, access: permission.to_s, type: type
|
|
374
|
+
permissions.build(name: agent_name, access: permission.to_s, type: type) unless exists.present?
|
|
362
375
|
end
|
|
363
376
|
end
|
|
364
377
|
|
|
@@ -401,7 +414,7 @@ module Hydra
|
|
|
401
414
|
# @param [RDF::URI] mode One of the permissions modes, e.g. ACL.Write, ACL.Read, etc.
|
|
402
415
|
# @yieldparam [Array<ActiveFedora::Base>] agent the agent type assertions
|
|
403
416
|
# @return [Array<Permission>] list of permissions where the mode is as selected, the block evaluates to true and the target is not marked for delete
|
|
404
|
-
def search_by_mode(mode
|
|
417
|
+
def search_by_mode(mode)
|
|
405
418
|
permissions.to_a.select do |p|
|
|
406
419
|
yield(p.agent) && !p.marked_for_destruction? && p.mode.first.rdf_subject == mode
|
|
407
420
|
end
|
|
@@ -416,16 +429,14 @@ module Hydra
|
|
|
416
429
|
end
|
|
417
430
|
|
|
418
431
|
def group_agent?(agent)
|
|
419
|
-
raise
|
|
432
|
+
raise 'no agent' unless agent.present?
|
|
420
433
|
agent.first.rdf_subject.to_s.start_with?(GROUP_AGENT_URL_PREFIX)
|
|
421
|
-
|
|
422
434
|
end
|
|
423
435
|
|
|
424
436
|
def person_agent?(agent)
|
|
425
|
-
raise
|
|
437
|
+
raise 'no agent' unless agent.present?
|
|
426
438
|
agent.first.rdf_subject.to_s.start_with?(PERSON_AGENT_URL_PREFIX)
|
|
427
439
|
end
|
|
428
|
-
|
|
429
440
|
end
|
|
430
441
|
end
|
|
431
442
|
end
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
module Hydra
|
|
2
|
+
class AccessControl < ActiveFedora::Base
|
|
3
|
+
|
|
4
|
+
before_destroy do |obj|
|
|
5
|
+
contains.destroy_all
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
is_a_container class_name: 'Hydra::AccessControls::Permission'
|
|
9
|
+
accepts_nested_attributes_for :contains, allow_destroy: true
|
|
10
|
+
|
|
11
|
+
attr_accessor :owner
|
|
12
|
+
|
|
13
|
+
def permissions
|
|
14
|
+
relationship
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def permissions=(records)
|
|
18
|
+
relationship.replace(records)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def permissions_attributes=(attribute_list)
|
|
22
|
+
raise ArgumentError unless attribute_list.is_a? Array
|
|
23
|
+
attribute_list.each do |attributes|
|
|
24
|
+
if attributes.key?(:id)
|
|
25
|
+
obj = relationship.find(attributes[:id])
|
|
26
|
+
if has_destroy_flag?(attributes)
|
|
27
|
+
obj.destroy
|
|
28
|
+
else
|
|
29
|
+
obj.update(attributes.except(:id, '_destroy'))
|
|
30
|
+
end
|
|
31
|
+
else
|
|
32
|
+
relationship.create(attributes)
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
# def has_destroy_flag?(hash)
|
|
38
|
+
# ActiveFedora::Type::Boolean.new.cast(hash['_destroy'])
|
|
39
|
+
# end
|
|
40
|
+
|
|
41
|
+
def relationship
|
|
42
|
+
@relationship ||= CollectionRelationship.new(self, :contains)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
class CollectionRelationship
|
|
46
|
+
def initialize(owner, reflection)
|
|
47
|
+
@owner = owner
|
|
48
|
+
@relationship = @owner.send(reflection)
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
delegate :to_a, :to_ary, :map, :delete, :last, :size, :count, :[],
|
|
52
|
+
:==, :detect, to: :@relationship
|
|
53
|
+
|
|
54
|
+
# TODO: if directly_contained relationships supported find, we could just
|
|
55
|
+
# delegate find.
|
|
56
|
+
def find(id)
|
|
57
|
+
return to_a.find { |record| record.id == id } if @relationship.loaded?
|
|
58
|
+
|
|
59
|
+
unless id.start_with?(@owner.id)
|
|
60
|
+
raise ArgumentError, "requested ACL (#{id}) is not a member of #{@owner.id}"
|
|
61
|
+
end
|
|
62
|
+
ActiveFedora::Base.find(id)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
# adds one to the target.
|
|
66
|
+
def build(attributes)
|
|
67
|
+
@relationship.build(attributes) do |record|
|
|
68
|
+
record.access_to = @owner.owner
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def create(attributes)
|
|
73
|
+
build(attributes).tap(&:save!)
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def replace(*args)
|
|
77
|
+
@relationship.replace(*args)
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
module Hydra::AccessControls
|
|
2
|
-
AGENT_URL_PREFIX =
|
|
3
|
-
GROUP_AGENT_URL_PREFIX =
|
|
2
|
+
AGENT_URL_PREFIX = 'http://projecthydra.org/ns/auth/'.freeze
|
|
3
|
+
GROUP_AGENT_URL_PREFIX = 'http://projecthydra.org/ns/auth/group'.freeze
|
|
4
4
|
PERSON_AGENT_URL_PREFIX = 'http://projecthydra.org/ns/auth/person'.freeze
|
|
5
5
|
class Permission < AccessControlList
|
|
6
6
|
has_many :admin_policies, inverse_of: :default_permissions, class_name: 'Hydra::AdminPolicy'
|
|
@@ -21,12 +21,12 @@ module Hydra::AccessControls
|
|
|
21
21
|
"<#{self.class.name} id: #{id} agent: #{agent_value} mode: #{mode_value} access_to: #{access_to_id.inspect}>"
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
def ==
|
|
25
|
-
other.is_a?(Permission) && id == other.id &&
|
|
26
|
-
|
|
24
|
+
def ==(other)
|
|
25
|
+
other.is_a?(Permission) && id == other.id && access_to_id == other.access_to_id &&
|
|
26
|
+
agent.first.rdf_subject == other.agent.first.rdf_subject && mode.first.rdf_subject == other.mode.first.rdf_subject
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
def
|
|
29
|
+
def assign_attributes(attributes)
|
|
30
30
|
attrs = attributes.dup
|
|
31
31
|
name = attrs.delete(:name)
|
|
32
32
|
type = attrs.delete(:type)
|
|
@@ -50,35 +50,34 @@ module Hydra::AccessControls
|
|
|
50
50
|
|
|
51
51
|
protected
|
|
52
52
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
def build_agent(name, type)
|
|
58
|
-
raise "Can't build agent #{inspect}" unless name && type
|
|
59
|
-
self.agent = case type
|
|
60
|
-
when "group"
|
|
61
|
-
Agent.new(::RDF::URI.new("#{GROUP_AGENT_URL_PREFIX}##{name}"))
|
|
62
|
-
when "person"
|
|
63
|
-
Agent.new(::RDF::URI.new("#{PERSON_AGENT_URL_PREFIX}##{name}"))
|
|
64
|
-
else
|
|
65
|
-
raise ArgumentError, "Unknown agent type #{type.inspect}"
|
|
66
|
-
end
|
|
67
|
-
end
|
|
53
|
+
def parsed_agent
|
|
54
|
+
@parsed_agent ||= agent.first.rdf_subject.to_s.sub(AGENT_URL_PREFIX, '').split('#')
|
|
55
|
+
end
|
|
68
56
|
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
end
|
|
81
|
-
end
|
|
57
|
+
def build_agent(name, type)
|
|
58
|
+
raise "Can't build agent #{inspect}" unless name && type
|
|
59
|
+
self.agent = case type
|
|
60
|
+
when 'group'
|
|
61
|
+
Agent.new(::RDF::URI.new("#{GROUP_AGENT_URL_PREFIX}##{name}"))
|
|
62
|
+
when 'person'
|
|
63
|
+
Agent.new(::RDF::URI.new("#{PERSON_AGENT_URL_PREFIX}##{name}"))
|
|
64
|
+
else
|
|
65
|
+
raise ArgumentError, "Unknown agent type #{type.inspect}"
|
|
66
|
+
end
|
|
67
|
+
end
|
|
82
68
|
|
|
69
|
+
def build_access(access)
|
|
70
|
+
raise "Can't build access #{inspect}" unless access
|
|
71
|
+
self.mode = case access
|
|
72
|
+
when 'read'
|
|
73
|
+
Mode.new(::ACL.Read)
|
|
74
|
+
when 'edit'
|
|
75
|
+
Mode.new(::ACL.Write)
|
|
76
|
+
when 'discover'
|
|
77
|
+
Mode.new(Hydra::ACL.Discover)
|
|
78
|
+
else
|
|
79
|
+
raise ArgumentError, "Unknown access #{access.inspect}"
|
|
80
|
+
end
|
|
81
|
+
end
|
|
83
82
|
end
|
|
84
83
|
end
|
data/app/vocabularies/acl.rb
CHANGED
|
@@ -19,9 +19,9 @@ Gem::Specification.new do |gem|
|
|
|
19
19
|
gem.required_ruby_version = '>= 1.9.3'
|
|
20
20
|
|
|
21
21
|
gem.add_dependency 'activesupport', '~> 4.0'
|
|
22
|
-
gem.add_dependency "active-fedora", '
|
|
22
|
+
gem.add_dependency "active-fedora", '>= 10.0.0.beta1', '< 11'
|
|
23
23
|
gem.add_dependency 'cancancan', '~> 1.8'
|
|
24
|
-
gem.add_dependency 'deprecation', '~> 0
|
|
24
|
+
gem.add_dependency 'deprecation', '~> 1.0'
|
|
25
25
|
gem.add_dependency "blacklight", '>= 5.16'
|
|
26
26
|
gem.add_dependency "blacklight-access_controls", '~> 0.1'
|
|
27
27
|
|
data/lib/hydra/admin_policy.rb
CHANGED
|
@@ -22,17 +22,5 @@ module Hydra
|
|
|
22
22
|
title_without_first.first
|
|
23
23
|
end
|
|
24
24
|
alias_method_chain :title, :first
|
|
25
|
-
|
|
26
|
-
def license_title=(_)
|
|
27
|
-
Deprecation.warn AdminPolicy, "license_title= has been removed from AdminPolicy. Look at Hydra::Rights instead"
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
def license_description=(_)
|
|
31
|
-
Deprecation.warn AdminPolicy, "license_description= has been removed from AdminPolicy. Look at Hydra::Rights instead"
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
def license_url=(_)
|
|
35
|
-
Deprecation.warn AdminPolicy, "license_url= has been removed from AdminPolicy. Look at Hydra::Rights instead"
|
|
36
|
-
end
|
|
37
25
|
end
|
|
38
26
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
ENV[
|
|
1
|
+
ENV['RAILS_ENV'] ||= 'test'
|
|
2
|
+
require 'engine_cart'
|
|
3
|
+
path = File.expand_path(File.join('..', '..', '..', '.internal_test_app'), __FILE__)
|
|
4
|
+
EngineCart.load_application! path
|
|
2
5
|
|
|
3
|
-
require 'rspec/mocks'
|
|
4
|
-
require 'rspec/its'
|
|
5
6
|
require 'hydra-access-controls'
|
|
6
7
|
|
|
7
8
|
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
|
@@ -18,9 +19,6 @@ if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/
|
|
|
18
19
|
SimpleCov.start
|
|
19
20
|
end
|
|
20
21
|
|
|
21
|
-
|
|
22
|
-
require 'support/rails'
|
|
23
|
-
|
|
24
22
|
# Since we're not doing a Rails Engine test, we have to load these classes manually:
|
|
25
23
|
require 'active_support'
|
|
26
24
|
require 'active_support/dependencies'
|
|
@@ -38,6 +36,8 @@ require 'support/mods_asset'
|
|
|
38
36
|
require 'support/solr_document'
|
|
39
37
|
require "support/user"
|
|
40
38
|
require "factory_girl"
|
|
39
|
+
require 'rspec/mocks'
|
|
40
|
+
require 'rspec/its'
|
|
41
41
|
require "factories"
|
|
42
42
|
|
|
43
43
|
# HttpLogger.logger = Logger.new(STDOUT)
|
|
@@ -53,9 +53,3 @@ RSpec.configure do |config|
|
|
|
53
53
|
end
|
|
54
54
|
end
|
|
55
55
|
|
|
56
|
-
# Stubbing Devise
|
|
57
|
-
class Devise
|
|
58
|
-
def self.authentication_keys
|
|
59
|
-
["uid"]
|
|
60
|
-
end
|
|
61
|
-
end
|
data/spec/unit/ability_spec.rb
CHANGED
|
@@ -2,6 +2,9 @@ require 'spec_helper'
|
|
|
2
2
|
require 'cancan/matchers'
|
|
3
3
|
|
|
4
4
|
describe Ability do
|
|
5
|
+
before do
|
|
6
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
7
|
+
end
|
|
5
8
|
describe "class methods" do
|
|
6
9
|
subject { Ability }
|
|
7
10
|
its(:read_group_field) { should == 'read_access_group_ssim'}
|
|
@@ -1,6 +1,9 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe Hydra::AccessControlsEnforcement do
|
|
4
|
+
before do
|
|
5
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
6
|
+
end
|
|
4
7
|
let(:controller) { MockController.new }
|
|
5
8
|
let(:method_chain) { MockController.search_params_logic }
|
|
6
9
|
let(:search_builder) { MockSearchBuilder.new(method_chain, controller) }
|
|
@@ -19,11 +19,12 @@ describe Hydra::AccessControls::Permissions do
|
|
|
19
19
|
subject.read_groups=['group1', 'group2']
|
|
20
20
|
subject.edit_users=['user1']
|
|
21
21
|
subject.read_users=['user2', 'user3']
|
|
22
|
-
expect(subject.permissions).to
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
22
|
+
expect(subject.permissions.to_a).to all(be_kind_of(Hydra::AccessControls::Permission))
|
|
23
|
+
expect(subject.permissions.map(&:to_hash)).to match_array [{type: "group", access: "read", name: "group1"},
|
|
24
|
+
{ type: "group", access: "read", name: "group2" },
|
|
25
|
+
{ type: "person", access: "read", name: "user2" },
|
|
26
|
+
{ type: "person", access: "read", name: "user3" },
|
|
27
|
+
{ type: "person", access: "edit", name: "user1" }]
|
|
27
28
|
end
|
|
28
29
|
|
|
29
30
|
describe "building a new permission" do
|
|
@@ -31,9 +32,16 @@ describe Hydra::AccessControls::Permissions do
|
|
|
31
32
|
|
|
32
33
|
it "sets the accessTo association" do
|
|
33
34
|
perm = subject.permissions.build(name: 'user1', type: 'person', access: 'read')
|
|
34
|
-
subject.save
|
|
35
35
|
expect(perm.access_to_id).to eq subject.id
|
|
36
36
|
end
|
|
37
|
+
|
|
38
|
+
it "autosaves the permissions" do
|
|
39
|
+
subject.permissions.build(name: 'user1', type: 'person', access: 'read')
|
|
40
|
+
subject.save!
|
|
41
|
+
subject.reload
|
|
42
|
+
foo = Foo.find(subject.id)
|
|
43
|
+
expect(foo.permissions.to_a).not_to eq []
|
|
44
|
+
end
|
|
37
45
|
end
|
|
38
46
|
|
|
39
47
|
describe "updating permissions" do
|
|
@@ -113,14 +121,14 @@ describe Hydra::AccessControls::Permissions do
|
|
|
113
121
|
end
|
|
114
122
|
|
|
115
123
|
context "when the destroy flag is set" do
|
|
116
|
-
let(:reloaded) { subject.permissions.
|
|
124
|
+
let(:reloaded) { subject.reload.permissions.map(&:to_hash) }
|
|
117
125
|
let(:permissions_id) { ActiveFedora::Base.uri_to_id(subject.permissions.last.rdf_subject.to_s) }
|
|
118
126
|
|
|
119
127
|
context "to a truthy value" do
|
|
120
128
|
context "when updating users" do
|
|
121
129
|
before do
|
|
122
130
|
subject.update permissions_attributes: [{ type: "person", access: "read", name: "user1" }]
|
|
123
|
-
subject.update permissions_attributes: [{ id: permissions_id, type: "person", access: "edit", name: "user1", _destroy: true}]
|
|
131
|
+
subject.update permissions_attributes: [{ id: permissions_id, type: "person", access: "edit", name: "user1", _destroy: 'true' }]
|
|
124
132
|
end
|
|
125
133
|
|
|
126
134
|
it "removes permissions on existing users" do
|
|
@@ -214,7 +222,7 @@ describe Hydra::AccessControls::Permissions do
|
|
|
214
222
|
context "when the original object is destroyed" do
|
|
215
223
|
before do
|
|
216
224
|
subject.save!
|
|
217
|
-
subject.permissions.
|
|
225
|
+
subject.permissions.create(type: 'person', access: 'read', name: 'person1')
|
|
218
226
|
subject.save!
|
|
219
227
|
end
|
|
220
228
|
|
|
@@ -2,6 +2,8 @@ require 'spec_helper'
|
|
|
2
2
|
|
|
3
3
|
describe Hydra::PolicyAwareAccessControlsEnforcement do
|
|
4
4
|
before do
|
|
5
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
6
|
+
|
|
5
7
|
class PolicyMockSearchBuilder < Blacklight::SearchBuilder
|
|
6
8
|
include Blacklight::Solr::SearchBuilderBehavior
|
|
7
9
|
include Hydra::AccessControlsEnforcement
|
|
@@ -1,28 +1,32 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe RoleMapper do
|
|
4
|
-
|
|
4
|
+
before do
|
|
5
|
+
allow(Devise).to receive(:authentication_keys).and_return(['uid'])
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
it "defines the 4 roles" do
|
|
5
9
|
expect(RoleMapper.role_names.sort).to eq %w(admin_policy_object_editor archivist donor patron researcher)
|
|
6
10
|
end
|
|
7
|
-
it "
|
|
11
|
+
it "is quer[iy]able for roles for a given user" do
|
|
8
12
|
expect(RoleMapper.roles('leland_himself@example.com').sort).to eq ['archivist', 'donor', 'patron']
|
|
9
13
|
expect(RoleMapper.roles('archivist2@example.com')).to eq ['archivist']
|
|
10
14
|
end
|
|
11
15
|
|
|
12
|
-
it "
|
|
16
|
+
it "doesn't change its response when it's called repeatedly" do
|
|
13
17
|
u = User.new(:uid=>'leland_himself@example.com')
|
|
14
18
|
allow(u).to receive(:new_record?).and_return(false)
|
|
15
19
|
expect(RoleMapper.roles(u).sort).to eq ['archivist', 'donor', 'patron', "registered"]
|
|
16
20
|
expect(RoleMapper.roles(u).sort).to eq ['archivist', 'donor', 'patron', "registered"]
|
|
17
21
|
end
|
|
18
22
|
|
|
19
|
-
it "
|
|
23
|
+
it "returns an empty array if there are no roles" do
|
|
20
24
|
expect(RoleMapper.roles('zeus@olympus.mt')).to be_empty
|
|
21
25
|
end
|
|
22
|
-
|
|
26
|
+
|
|
27
|
+
it "knows who is what" do
|
|
23
28
|
expect(RoleMapper.whois('archivist').sort).to eq %w(archivist1@example.com archivist2@example.com leland_himself@example.com)
|
|
24
29
|
expect(RoleMapper.whois('salesman')).to be_empty
|
|
25
30
|
expect(RoleMapper.whois('admin_policy_object_editor').sort).to eq %w(archivist1@example.com)
|
|
26
31
|
end
|
|
27
|
-
|
|
28
32
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hydra-access-controls
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 10.0.0.beta1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chris Beer
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2016-
|
|
13
|
+
date: 2016-05-10 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: activesupport
|
|
@@ -30,16 +30,22 @@ dependencies:
|
|
|
30
30
|
name: active-fedora
|
|
31
31
|
requirement: !ruby/object:Gem::Requirement
|
|
32
32
|
requirements:
|
|
33
|
-
- - "
|
|
33
|
+
- - ">="
|
|
34
34
|
- !ruby/object:Gem::Version
|
|
35
|
-
version:
|
|
35
|
+
version: 10.0.0.beta1
|
|
36
|
+
- - "<"
|
|
37
|
+
- !ruby/object:Gem::Version
|
|
38
|
+
version: '11'
|
|
36
39
|
type: :runtime
|
|
37
40
|
prerelease: false
|
|
38
41
|
version_requirements: !ruby/object:Gem::Requirement
|
|
39
42
|
requirements:
|
|
40
|
-
- - "
|
|
43
|
+
- - ">="
|
|
44
|
+
- !ruby/object:Gem::Version
|
|
45
|
+
version: 10.0.0.beta1
|
|
46
|
+
- - "<"
|
|
41
47
|
- !ruby/object:Gem::Version
|
|
42
|
-
version: '
|
|
48
|
+
version: '11'
|
|
43
49
|
- !ruby/object:Gem::Dependency
|
|
44
50
|
name: cancancan
|
|
45
51
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -60,14 +66,14 @@ dependencies:
|
|
|
60
66
|
requirements:
|
|
61
67
|
- - "~>"
|
|
62
68
|
- !ruby/object:Gem::Version
|
|
63
|
-
version: '0
|
|
69
|
+
version: '1.0'
|
|
64
70
|
type: :runtime
|
|
65
71
|
prerelease: false
|
|
66
72
|
version_requirements: !ruby/object:Gem::Requirement
|
|
67
73
|
requirements:
|
|
68
74
|
- - "~>"
|
|
69
75
|
- !ruby/object:Gem::Version
|
|
70
|
-
version: '0
|
|
76
|
+
version: '1.0'
|
|
71
77
|
- !ruby/object:Gem::Dependency
|
|
72
78
|
name: blacklight
|
|
73
79
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -147,6 +153,7 @@ files:
|
|
|
147
153
|
- app/models/concerns/hydra/ip_based_ability.rb
|
|
148
154
|
- app/models/concerns/hydra/rights.rb
|
|
149
155
|
- app/models/concerns/hydra/with_depositor.rb
|
|
156
|
+
- app/models/hydra/access_control.rb
|
|
150
157
|
- app/models/hydra/access_controls/access_control_list.rb
|
|
151
158
|
- app/models/hydra/access_controls/embargo.rb
|
|
152
159
|
- app/models/hydra/access_controls/lease.rb
|
|
@@ -169,7 +176,6 @@ files:
|
|
|
169
176
|
- lib/hydra/admin_policy.rb
|
|
170
177
|
- lib/hydra/config.rb
|
|
171
178
|
- lib/hydra/ip_based_groups.rb
|
|
172
|
-
- lib/hydra/permissions_cache.rb
|
|
173
179
|
- lib/hydra/permissions_query.rb
|
|
174
180
|
- lib/hydra/policy_aware_ability.rb
|
|
175
181
|
- lib/hydra/policy_aware_access_controls_enforcement.rb
|
|
@@ -181,11 +187,8 @@ files:
|
|
|
181
187
|
- spec/services/embargo_service_spec.rb
|
|
182
188
|
- spec/services/lease_service_spec.rb
|
|
183
189
|
- spec/spec_helper.rb
|
|
184
|
-
- spec/support/config/blacklight.yml
|
|
185
|
-
- spec/support/config/hydra_ip_range.yml
|
|
186
190
|
- spec/support/config/role_map.yml
|
|
187
191
|
- spec/support/mods_asset.rb
|
|
188
|
-
- spec/support/rails.rb
|
|
189
192
|
- spec/support/solr_document.rb
|
|
190
193
|
- spec/support/user.rb
|
|
191
194
|
- spec/unit/ability_spec.rb
|
|
@@ -221,12 +224,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
221
224
|
version: 1.9.3
|
|
222
225
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
223
226
|
requirements:
|
|
224
|
-
- - "
|
|
227
|
+
- - ">"
|
|
225
228
|
- !ruby/object:Gem::Version
|
|
226
|
-
version:
|
|
229
|
+
version: 1.3.1
|
|
227
230
|
requirements: []
|
|
228
231
|
rubyforge_project:
|
|
229
|
-
rubygems_version: 2.
|
|
232
|
+
rubygems_version: 2.5.1
|
|
230
233
|
signing_key:
|
|
231
234
|
specification_version: 4
|
|
232
235
|
summary: Access controls for project hydra
|
|
@@ -237,11 +240,8 @@ test_files:
|
|
|
237
240
|
- spec/services/embargo_service_spec.rb
|
|
238
241
|
- spec/services/lease_service_spec.rb
|
|
239
242
|
- spec/spec_helper.rb
|
|
240
|
-
- spec/support/config/blacklight.yml
|
|
241
|
-
- spec/support/config/hydra_ip_range.yml
|
|
242
243
|
- spec/support/config/role_map.yml
|
|
243
244
|
- spec/support/mods_asset.rb
|
|
244
|
-
- spec/support/rails.rb
|
|
245
245
|
- spec/support/solr_document.rb
|
|
246
246
|
- spec/support/user.rb
|
|
247
247
|
- spec/unit/ability_spec.rb
|
|
@@ -1,6 +0,0 @@
|
|
|
1
|
-
class Hydra::PermissionsCache < Blacklight::AccessControls::PermissionsCache
|
|
2
|
-
extend Deprecation
|
|
3
|
-
|
|
4
|
-
Deprecation.warn Hydra::PermissionsCache, "Hydra::PermissionsCache will be removed in Hydra 10. Use Blacklight::AccessControls::PermissionsCache instead (from blacklight-access_controls gem)."
|
|
5
|
-
|
|
6
|
-
end
|
data/spec/support/rails.rb
DELETED
|
@@ -1,23 +0,0 @@
|
|
|
1
|
-
# Rails normally loads the locales of engines for us.
|
|
2
|
-
I18n.load_path << 'config/locales/hydra-access-controls.en.yml'
|
|
3
|
-
|
|
4
|
-
module Rails
|
|
5
|
-
class << self
|
|
6
|
-
def env
|
|
7
|
-
ENV['environment']
|
|
8
|
-
end
|
|
9
|
-
|
|
10
|
-
def version
|
|
11
|
-
"0.0.0"
|
|
12
|
-
#"hydra-access-controls mock rails"
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
def root
|
|
16
|
-
'spec/support'
|
|
17
|
-
end
|
|
18
|
-
|
|
19
|
-
def logger
|
|
20
|
-
@@logger ||= Logger.new(File.expand_path('../../test.log', __FILE__)).tap { |logger| logger.level = Logger::WARN }
|
|
21
|
-
end
|
|
22
|
-
end
|
|
23
|
-
end
|