hydra-access-controls 9.2.2 → 9.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ea7c4aaad5d8b8a2a09302a4e4c72bef6ae4e4e7
-  data.tar.gz: 48ec6139506893bd921326584e649e715806c41e
+  metadata.gz: 48df5495189420a7fcd2badef2493179edcc1560
+  data.tar.gz: 6b69996bbca5b1f33f233c4327fb58678bb118a8
 SHA512:
-  metadata.gz: bbd45858a87ce422b304789f35330de95c6642c68e57ee8a07e2a881af4a7b92495e25a1427ddf6799c6cdb99a889a0666b97d4a2878a9427933755ebeedad1d
-  data.tar.gz: 12ebdbb5cc2916346399453d12efad8cb9f4b78f720924061099624e31eefa66f4ffb112a0d1649fed1784fe45abd2ad187cd0167b068cf29e2cbc95dd737ea3
+  metadata.gz: 77f673207dda70cfc5401f7418cb8af5675cbec3b46afdf896bb04ac2b13cf69954e3b9a3d924ac597d3adb77897d20fb2158f53af085e468430ea37d6c14154
+  data.tar.gz: 8b9f3925485f1a3725815432bff9d63cf4a2cd8335ea59276c716b842b28b47e45e0d117993f7e263c8db44d727982eb8c78ce75dc5ffd8f4694a3eb3ef9f2be

data/README.textile

@@ -23,7 +23,7 @@ The hydra generator handles part of this for you - it sets up the CatalogControl
 Beyond enabling gated discovery, *everything is done using "CanCan":https://github.com/ryanb/cancan*.  For more information on CanCan, how to use it, and how to define access controls policies (aka "abilities":https://github.com/ryanb/cancan/wiki/Defining-Abilities), refer to the "CanCan documentation":https://github.com/ryanb/cancan/blob/master/README.rdoc.
 
 Within your CanCan ability definitions, app/models/ability.rb, the "Hydra::Ability":https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/lib/hydra/ability.rb module is already included. This module has
-:read and :edit permissions defined for you, along with some convenience methods that help you evaluate permssions
+:read, :edit, and :discover permissions defined for you, along with some convenience methods that help you evaluate permssions
 against info in the rightsMetadata datastream.
 
 In your custom controllers, you will need to enforce access controls using "CanCan":https://github.com/ryanb/cancan.  There are a number of ways to do this.  The easiest way is to use the cancan "controller action":https://github.com/ryanb/cancan/wiki/Authorizing-Controller-Actions 'load_and_authorize_resource', however on show and edit, this also causes a load the resource from fedora, which you may want to avoid.  If you want to authorize from solr, you ought to be able to call the cancan methods `authorize!` or `can?` which just checks the solr permissions handler. 

data/app/indexers/hydra/access_controls/embargo_indexer.rb

@@ -0,0 +1,11 @@
+module Hydra::AccessControls
+  class EmbargoIndexer
+    def initialize(object)
+      @object = object
+    end
+
+    def generate_solr_document
+      @object.to_hash
+    end
+  end
+end

data/app/indexers/hydra/access_controls/lease_indexer.rb

@@ -0,0 +1,12 @@
+module Hydra::AccessControls
+  class LeaseIndexer
+    def initialize(object)
+      @object = object
+    end
+
+    def generate_solr_document
+      @object.to_hash
+    end
+  end
+end
+

data/app/models/concerns/hydra/access_controls/embargoable.rb

@@ -35,11 +35,19 @@ module Hydra
 
       def to_solr(solr_doc = {})
         super.tap do |doc|
-          doc.merge!(embargo.to_hash) if embargo
-          doc.merge!(lease.to_hash) if lease
+          doc.merge!(embargo_indexer_class.new(embargo).generate_solr_document) if embargo
+          doc.merge!(lease_indexer_class.new(lease).generate_solr_document) if lease
         end
       end
 
+      def embargo_indexer_class
+        EmbargoIndexer
+      end
+
+      def lease_indexer_class
+        LeaseIndexer
+      end
+
       def under_embargo?
         embargo && embargo.active?
       end
@@ -63,7 +71,7 @@ module Hydra
         self.visibility_during_embargo = visibility_during unless visibility_during.nil?
         self.visibility_after_embargo = visibility_after unless visibility_after.nil?
         embargo_visibility!
-        visibility_will_change!
+        visibility_will_change! if embargo.changed?
       end
 
       def deactivate_embargo!
@@ -134,7 +142,7 @@ module Hydra
         self.visibility_during_lease = visibility_during unless visibility_during.nil?
         self.visibility_after_lease = visibility_after unless visibility_after.nil?
         lease_visibility!
-        visibility_will_change!
+        visibility_will_change! if lease.changed?
       end
 
       def deactivate_lease!

data/lib/hydra/ability.rb

@@ -13,7 +13,7 @@ module Hydra
       include Hydra::PermissionsQuery
       include Blacklight::SearchHelper
       class_attribute :ability_logic
-      self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :download_permissions, :custom_permissions]
+      self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :discover_permissions, :download_permissions, :custom_permissions]
     end
 
     def self.user_class
@@ -87,6 +87,21 @@ module Hydra
       end
     end
 
+    def discover_permissions
+      can :discover, String do |id|
+        test_discover(id)
+      end
+
+      can :discover, ActiveFedora::Base do |obj|
+        test_discover(obj.id)
+      end
+
+      can :discover, SolrDocument do |obj|
+        cache.put(obj.id, obj)
+        test_discover(obj.id)
+      end
+    end
+
     # Download permissions are exercised in Hydra::Controller::DownloadBehavior
     def download_permissions
       can :download, ActiveFedora::File do |file|
@@ -117,6 +132,13 @@ module Hydra
       result
     end
 
+    def test_discover(id)
+      Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+      group_intersection = user_groups & discover_groups(id)
+      result = !group_intersection.empty? || discover_users(id).include?(current_user.user_key)
+      result
+    end
+
     def edit_groups(id)
       doc = permissions_doc(id)
       return [] if doc.nil?
@@ -134,6 +156,15 @@ module Hydra
       return rg
     end
 
+    # read implies discover, so discover_groups is the union of read and discover groups
+    def discover_groups(id)
+      doc = permissions_doc(id)
+      return [] if doc.nil?
+      dg = read_groups(id) | (doc[self.class.discover_group_field] || [])
+      Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}")
+      dg
+    end
+
     def edit_users(id)
       doc = permissions_doc(id)
       return [] if doc.nil?
@@ -151,6 +182,15 @@ module Hydra
       return rp
     end
 
+    # read implies discover, so discover_users is the union of read and discover users
+    def discover_users(id)
+      doc = permissions_doc(id)
+      return [] if doc.nil?
+      dp = read_users(id) | (doc[self.class.discover_user_field] || [])
+      Rails.logger.debug("[CANCAN] discover_users: #{dp.inspect}")
+      dp
+    end
+
     module ClassMethods
       def read_group_field
         Hydra.config.permissions.read.group
@@ -167,6 +207,14 @@ module Hydra
       def edit_group_field
         Hydra.config.permissions.edit.group
       end
+
+      def discover_group_field
+        Hydra.config.permissions.discover.group
+      end
+
+      def discover_user_field
+        Hydra.config.permissions.discover.individual
+      end
     end
   end
 end

data/lib/hydra/role_mapper_behavior.rb

@@ -5,23 +5,23 @@ module Hydra::RoleMapperBehavior
     def role_names
       map.keys
     end
-    
-    # 
+
+    ##
     # @param user_or_uid either the User object or user id
     # If you pass in a nil User object (ie. user isn't logged in), or a uid that doesn't exist, it will return an empty array
     def roles(user_or_uid)
       if user_or_uid.kind_of?(String)
         user = Hydra::Ability.user_class.find_by_user_key(user_or_uid)
         user_id = user_or_uid
-      elsif user_or_uid.kind_of?(Hydra::Ability.user_class) && user_or_uid.user_key   
+      elsif user_or_uid.kind_of?(Hydra::Ability.user_class) && user_or_uid.user_key
         user = user_or_uid
         user_id = user.user_key
       end
       array = byname[user_id].dup || []
-      array = array << 'registered' unless (user.nil? || user.new_record?) 
+      array = array << 'registered' unless (user.nil? || user.new_record?)
       array
     end
-    
+
     def whois(r)
       map[r] || []
     end
@@ -32,7 +32,7 @@ module Hydra::RoleMapperBehavior
 
 
     def byname
-      @byname ||= map.each_with_object(Hash.new{ |h,k| h[k] = [] }) do |(role, usernames), memo| 
+      @byname ||= map.each_with_object(Hash.new{ |h,k| h[k] = [] }) do |(role, usernames), memo|
         Array(usernames).each { |x| memo[x] << role}
       end
     end
@@ -60,9 +60,12 @@ module Hydra::RoleMapperBehavior
         rescue
           raise("#{filename} was found, but could not be parsed.\n")
         end
-        return yml[Rails.env] if yml.is_a? Hash
+        unless yml.is_a? Hash
+          raise("#{filename} was found, but was blank or malformed.\n")
+        end
+
+        yml.fetch(Rails.env)
 
-        raise("#{filename} was found, but was blank or malformed.\n")
       end
   end
 end

data/spec/indexers/embargo_indexer_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe Hydra::AccessControls::EmbargoIndexer do
+  let(:attrs) do
+    {
+      visibility_during_embargo: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED,
+      visibility_after_embargo: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC,
+      embargo_release_date: Date.parse('2010-10-10')
+    }
+  end
+  let(:embargo) { Hydra::AccessControls::Embargo.new(attrs) }
+  let(:indexer) { described_class.new(embargo) }
+  subject { indexer.generate_solr_document }
+
+  it "has the fields" do
+    expect(subject['visibility_during_embargo_ssim']).to eq 'authenticated'
+    expect(subject['visibility_after_embargo_ssim']).to eq 'open'
+    expect(subject['embargo_release_date_dtsi']).to eq '2010-10-10T00:00:00Z'
+  end
+end

data/spec/indexers/lease_indexer_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe Hydra::AccessControls::LeaseIndexer do
+  let(:attrs) do
+    {
+      visibility_during_lease: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC,
+      visibility_after_lease: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED,
+      lease_expiration_date: Date.parse('2010-10-10')
+    }
+  end
+  let(:lease) { Hydra::AccessControls::Lease.new(attrs) }
+  let(:indexer) { described_class.new(lease) }
+  subject { indexer.generate_solr_document }
+
+  it "has the fields" do
+    expect(subject['visibility_during_lease_ssim']).to eq 'open'
+    expect(subject['visibility_after_lease_ssim']).to eq 'authenticated'
+    expect(subject['lease_expiration_date_dtsi']).to eq '2010-10-10T00:00:00Z'
+  end
+end

data/spec/spec_helper.rb

@@ -26,6 +26,8 @@ require_relative '../app/vocabularies/acl'
 require_relative '../app/vocabularies/hydra/acl'
 require_relative '../app/models/role_mapper'
 require_relative '../app/models/ability'
+require_relative '../app/indexers/hydra/access_controls/embargo_indexer'
+require_relative '../app/indexers/hydra/access_controls/lease_indexer'
 require_relative '../app/models/hydra/access_controls/access_control_list'
 require_relative '../app/models/hydra/access_controls/permission'
 require_relative '../app/models/hydra/access_controls/embargo'

data/spec/unit/ability_spec.rb

@@ -8,6 +8,8 @@ describe Ability do
     its(:read_user_field) { should == 'read_access_person_ssim'}
     its(:edit_group_field) { should == 'edit_access_group_ssim'}
     its(:edit_user_field) { should == 'edit_access_person_ssim'}
+    its(:discover_group_field) { should == 'discover_access_group_ssim'}
+    its(:discover_user_field) { should == 'discover_access_person_ssim'}
   end
 
   context "for a not-signed in user" do
@@ -37,6 +39,35 @@ describe Ability do
 #   See spec/requests/... for test coverage describing WHAT should appear on a page based on access permissions
 #   Test coverage for discover permission is in spec/requests/gated_discovery_spec.rb
 
+  describe "Given an asset that has been made publicly discoverable" do
+    let(:asset) { FactoryGirl.create(:asset) }
+    before do
+      asset.permissions_attributes = [{ name: "public", access: "discover", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
+      asset.save
+    end
+
+    context "Then a not-signed-in user" do
+      subject { Ability.new(nil) }
+      it { should     be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+      it { should_not be_able_to(:edit, asset) }
+      it { should_not be_able_to(:update, asset) }
+      it { should_not be_able_to(:destroy, asset) }
+    end
+
+    context "Then a registered user" do
+      before do
+        @user = FactoryGirl.build(:registered_user)
+      end
+      subject { Ability.new(@user) }
+      it { should     be_able_to(:discover, asset) }
+      it { should_not be_able_to(:read, asset) }
+      it { should_not be_able_to(:edit, asset) }
+      it { should_not be_able_to(:update, asset) }
+      it { should_not be_able_to(:destroy, asset) }
+    end
+  end
+
   describe "Given an asset that has been made publicly available (ie. open access)" do
     #let(:asset) { FactoryGirl.create(:open_access_asset) }
     let(:asset) { FactoryGirl.create(:asset) }
@@ -47,6 +78,7 @@ describe Ability do
 
     context "Then a not-signed-in user" do
       subject { Ability.new(nil) }
+      it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
       it { should_not be_able_to(:update, asset) }
@@ -58,6 +90,7 @@ describe Ability do
         @user = FactoryGirl.build(:registered_user)
       end
       subject { Ability.new(@user) }
+      it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
       it { should_not be_able_to(:update, asset) }
@@ -76,6 +109,7 @@ describe Ability do
     context "Then a not-signed-in user" do
       let(:user) { User.new.tap {|u| u.new_record = true } }
       subject { Ability.new(user) }
+      it { should_not be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
       it { should_not be_able_to(:update, asset) }
@@ -83,6 +117,7 @@ describe Ability do
     end
     context "Then a registered user" do
       subject { Ability.new(FactoryGirl.build(:registered_user)) }
+      it { should_not be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
       it { should_not be_able_to(:update, asset) }
@@ -90,6 +125,7 @@ describe Ability do
     end
     context "Then the Creator" do
       subject { Ability.new(FactoryGirl.build(:joe_creator)) }
+      it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should     be_able_to(:edit, asset) }
       it { should     be_able_to(:edit, solr_doc) }
@@ -114,6 +150,7 @@ describe Ability do
       end
       subject { Ability.new(@user) }
 
+      it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
       it { should_not be_able_to(:update, asset) }
@@ -136,6 +173,7 @@ describe Ability do
       end
       subject { Ability.new(@user) }
 
+      it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should     be_able_to(:edit, asset) }
       it { should     be_able_to(:update, asset) }
@@ -167,6 +205,7 @@ describe Ability do
       end
       subject { Ability.new(@user) }
 
+      it { should_not be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
       it { should_not be_able_to(:update, asset) }
@@ -181,6 +220,7 @@ describe Ability do
       end
       subject { Ability.new(@user) }
 
+      it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
       it { should_not be_able_to(:update, asset) }

data/spec/unit/embargoable_spec.rb

@@ -16,7 +16,18 @@ describe Hydra::AccessControls::Embargoable do
 
   let(:future_date) { Date.today+2 }
   let(:past_date) { Date.today-2 }
-  subject { TestModel.new }
+  let(:model) { TestModel.new }
+  subject { model }
+
+  describe '#embargo_indexer_class' do
+    subject { model.embargo_indexer_class }
+    it { is_expected.to eq Hydra::AccessControls::EmbargoIndexer }
+  end
+
+  describe '#lease_indexer_class' do
+    subject { model.lease_indexer_class }
+    it { is_expected.to eq Hydra::AccessControls::LeaseIndexer }
+  end
 
   describe 'validations' do
     context "with dates" do
@@ -77,7 +88,7 @@ describe Hydra::AccessControls::Embargoable do
     end
   end
 
-  context 'apply_embargo' do
+  describe '#apply_embargo' do
     it "applies appropriate embargo_visibility settings" do
       expect {
         subject.apply_embargo(future_date.to_s, Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE, Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC)
@@ -87,12 +98,31 @@ describe Hydra::AccessControls::Embargoable do
       expect(subject.embargo_release_date).to eq future_date
       expect(subject.visibility_after_embargo).to eq Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
     end
-    it "relies on default before/after visibility if none provided" do
-      subject.apply_embargo(future_date.to_s)
-      expect(subject).to be_under_embargo
-      expect(subject.visibility).to eq  Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
-      expect(subject.embargo_release_date).to eq future_date
-      expect(subject.visibility_after_embargo).to eq Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
+
+    context "when no before/after visibility is provided" do
+      it "relies on defaults" do
+        subject.apply_embargo(future_date.to_s)
+        expect(subject).to be_under_embargo
+        expect(subject.visibility).to eq  Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
+        expect(subject.embargo_release_date).to eq future_date
+        expect(subject.visibility_after_embargo).to eq Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
+      end
+    end
+
+    context "when the same embargo is applied" do
+      before do
+        subject.apply_embargo(future_date.to_s)
+        if ActiveModel.version < Gem::Version.new('4.2.0')
+          subject.embargo.send(:reset_changes)
+        else
+          subject.embargo.send(:clear_changes_information)
+        end
+      end
+
+      it "doesn't call visibility_will_change!" do
+        expect(subject).not_to receive(:visibility_will_change!)
+        subject.apply_embargo(future_date.to_s)
+      end
     end
   end
 
@@ -152,11 +182,30 @@ describe Hydra::AccessControls::Embargoable do
         expect(subject.lease_expiration_date).to eq future_date
         expect(subject.visibility_after_lease).to eq Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
       end
-      it "relies on default before/after visibility if none provided" do
-        subject.apply_lease(future_date.to_s)
-        expect(subject.visibility_during_lease).to eq  Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
-        expect(subject.lease_expiration_date).to eq future_date
-        expect(subject.visibility_after_lease).to eq Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
+
+      context "when before/after visibility is not provided" do
+        it "sets default values" do
+          subject.apply_lease(future_date.to_s)
+          expect(subject.visibility_during_lease).to eq  Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
+          expect(subject.lease_expiration_date).to eq future_date
+          expect(subject.visibility_after_lease).to eq Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
+        end
+      end
+
+      context "when the same lease is applied" do
+        before do
+          subject.apply_lease(future_date.to_s)
+          if ActiveModel.version < Gem::Version.new('4.2.0')
+            subject.lease.send(:reset_changes)
+          else
+            subject.lease.send(:clear_changes_information)
+          end
+        end
+
+        it "doesn't call visibility_will_change!" do
+          expect(subject).not_to receive(:visibility_will_change!)
+          subject.apply_lease(future_date.to_s)
+        end
       end
     end
 

data/spec/unit/role_mapper_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe RoleMapper do
   it "should define the 4 roles" do
-    expect(RoleMapper.role_names.sort).to eq %w(admin_policy_object_editor archivist donor patron researcher) 
+    expect(RoleMapper.role_names.sort).to eq %w(admin_policy_object_editor archivist donor patron researcher)
   end
   it "should quer[iy]able for roles for a given user" do
     expect(RoleMapper.roles('leland_himself@example.com').sort).to eq ['archivist', 'donor', 'patron']

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 9.2.2
+  version: 9.3.0
 platform: ruby
 authors:
 - Chris Beer
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-03 00:00:00.000000000 Z
+date: 2015-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -134,6 +134,8 @@ files:
 - ".rspec"
 - README.textile
 - Rakefile
+- app/indexers/hydra/access_controls/embargo_indexer.rb
+- app/indexers/hydra/access_controls/lease_indexer.rb
 - app/models/ability.rb
 - app/models/concerns/hydra/access_controls.rb
 - app/models/concerns/hydra/access_controls/access_right.rb
@@ -172,6 +174,8 @@ files:
 - lib/hydra/role_mapper_behavior.rb
 - lib/hydra/user.rb
 - spec/factories.rb
+- spec/indexers/embargo_indexer_spec.rb
+- spec/indexers/lease_indexer_spec.rb
 - spec/services/embargo_service_spec.rb
 - spec/services/lease_service_spec.rb
 - spec/spec_helper.rb
@@ -218,12 +222,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Access controls for project hydra
 test_files:
 - spec/factories.rb
+- spec/indexers/embargo_indexer_spec.rb
+- spec/indexers/lease_indexer_spec.rb
 - spec/services/embargo_service_spec.rb
 - spec/services/lease_service_spec.rb
 - spec/spec_helper.rb