hydra-access-controls 0.0.2 → 0.0.3
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +1 -0
- data/.gitmodules +3 -0
- data/.rspec +2 -0
- data/Gemfile +6 -0
- data/README.textile +100 -0
- data/Rakefile +6 -3
- data/config/fedora.yml +8 -0
- data/config/jetty.yml +5 -0
- data/config/solr.yml +6 -0
- data/hydra-access-controls.gemspec +3 -2
- data/lib/ability.rb +1 -0
- data/lib/hydra-access-controls.rb +10 -0
- data/lib/hydra-access-controls/version.rb +1 -1
- data/lib/hydra/ability.rb +14 -13
- data/lib/hydra/access_controls_enforcement.rb +27 -16
- data/lib/hydra/admin_policy.rb +81 -0
- data/lib/hydra/datastream.rb +1 -0
- data/lib/hydra/datastream/inheritable_rights_metadata.rb +22 -0
- data/lib/hydra/policy_aware_ability.rb +128 -0
- data/lib/hydra/policy_aware_access_controls_enforcement.rb +70 -0
- data/lib/hydra/role_mapper_behavior.rb +16 -2
- data/lib/hydra/user.rb +42 -0
- data/lib/tasks/hydra-access-controls.rake +18 -0
- data/lib/tasks/hydra_jetty.rake +55 -0
- data/solr_conf/conf/schema.xml +124 -0
- data/solr_conf/conf/solrconfig.xml +329 -0
- data/solr_conf/solr.xml +35 -0
- data/spec/factories.rb +101 -0
- data/spec/spec_helper.rb +28 -0
- data/spec/support/blacklight.rb +7 -0
- data/spec/support/config/solr.yml +4 -0
- data/spec/support/mods_asset.rb +4 -1
- data/spec/support/rails.rb +10 -0
- data/spec/support/solr_document.rb +13 -0
- data/spec/support/user.rb +32 -0
- data/spec/unit/ability_spec.rb +338 -56
- data/spec/unit/access_controls_enforcement_spec.rb +180 -0
- data/spec/unit/admin_policy_spec.rb +89 -0
- data/spec/unit/inheritable_rights_metadata_spec.rb +66 -0
- data/spec/unit/policy_aware_ability_spec.rb +92 -0
- data/spec/unit/policy_aware_access_controls_enforcement_spec.rb +109 -0
- metadata +59 -4
- data/README.md +0 -29
data/.gitignore
CHANGED
data/.gitmodules
ADDED
data/.rspec
ADDED
data/Gemfile
CHANGED
|
@@ -3,9 +3,15 @@ source 'https://rubygems.org'
|
|
|
3
3
|
# Specify your gem's dependencies in hydra-access-controls.gemspec
|
|
4
4
|
gemspec
|
|
5
5
|
|
|
6
|
+
group :development do
|
|
7
|
+
gem 'jettywrapper'
|
|
8
|
+
gem 'debugger', :platform => :mri_19
|
|
9
|
+
end
|
|
10
|
+
|
|
6
11
|
group :test do
|
|
7
12
|
gem 'cucumber-rails', '>=1.2.0', :require=>false
|
|
8
13
|
gem 'rcov', :platform => :mri_18
|
|
9
14
|
gem 'simplecov', :platform => :mri_19
|
|
10
15
|
gem 'simplecov-rcov', :platform => :mri_19
|
|
16
|
+
gem 'factory_girl', '< 3.0.0' # factory girl 3+ doesn't work with ruby 1.8
|
|
11
17
|
end
|
data/README.textile
ADDED
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
h1. hydra-access-controls
|
|
2
|
+
|
|
3
|
+
The hydra-access-controls gem provides access controls models and functionality for Hydra Heads. See the "hydra-head":http://github.com/projecthydra/hydra-head gem and the "Hydra Project website":http://projecthydra.org for more info.
|
|
4
|
+
|
|
5
|
+
h2. Installation
|
|
6
|
+
|
|
7
|
+
Add this line to your application's Gemfile:
|
|
8
|
+
|
|
9
|
+
gem 'hydra-access-controls'
|
|
10
|
+
|
|
11
|
+
And then execute:
|
|
12
|
+
|
|
13
|
+
$ bundle
|
|
14
|
+
|
|
15
|
+
Or install it yourself as:
|
|
16
|
+
|
|
17
|
+
$ gem install hydra-access-controls
|
|
18
|
+
|
|
19
|
+
h2. Usage
|
|
20
|
+
|
|
21
|
+
h3. Policy-based Enforcement (or Collecton-level enforcement)
|
|
22
|
+
|
|
23
|
+
If you have Policy-based enforcement enabled, then objects will inherit extra GRANT permissions from AdminPolicy objects they are linked to with an isGovernedBy RDF relationship (stored in solr as _is_governed_by_s__ field). This allows you to grant discover/read/edit access for a whole set of objects by changing the policy they are governed by.
|
|
24
|
+
|
|
25
|
+
AdminPolicy objects store their inheritable rightsMetadata in a datastream called defaultRights. This datastream uses the regular Hydra rightsMetadata schema. Each AdminPolicy object also has its own rightsMetadata datasream, like all other Hydra assets, which specifies who is able to _edit_ the Policy or _use_ it (associate it with objects).
|
|
26
|
+
|
|
27
|
+
Object-level permissions and Policy-level permissions are combined to produce the list of Individuals & Groups who have access to the object. This means that if _either_ the object's rightsMetadata or the Policy's defaultRights grants access to an Individual or Group, that access will be allowed.
|
|
28
|
+
|
|
29
|
+
* Currently, an asset can have only one Policy associated with it -- you can't associate objects with multiple policies
|
|
30
|
+
*
|
|
31
|
+
|
|
32
|
+
To turn on Policy-based enforcement,
|
|
33
|
+
|
|
34
|
+
* include the Hydra::PolicyAwareAbility module in your Ability class (Make sure to include it _after_ Hydra::Ability because it overrides some of the methods provided by that module.)
|
|
35
|
+
* include the Hydra::PolicyAwareAccessControlsEnforcement module into any appropriate Controllers (or into ApplicationController)
|
|
36
|
+
|
|
37
|
+
# app/models/ability.rb
|
|
38
|
+
<pre>
|
|
39
|
+
# Allows you to use CanCan to control access to Models
|
|
40
|
+
require 'cancan'
|
|
41
|
+
class Ability
|
|
42
|
+
include CanCan::Ability
|
|
43
|
+
include Hydra::Ability
|
|
44
|
+
include Hydra::PolicyAwareAbility
|
|
45
|
+
end
|
|
46
|
+
</pre>
|
|
47
|
+
|
|
48
|
+
# app/controllers/catalog_controller.rb
|
|
49
|
+
<pre>
|
|
50
|
+
class CatalogController < ApplicationController
|
|
51
|
+
|
|
52
|
+
include Blacklight::Catalog
|
|
53
|
+
include Hydra::Controller::ControllerBehavior
|
|
54
|
+
include Hydra::PolicyAwareAccessControlsEnforcement
|
|
55
|
+
|
|
56
|
+
# ...
|
|
57
|
+
end
|
|
58
|
+
</pre>
|
|
59
|
+
|
|
60
|
+
h3. Modifying solr field names for enforcement
|
|
61
|
+
|
|
62
|
+
Hydra uses its own set of default solr field names to track rights-related metadata in solr. If you want to use your own field names, you can change them in your Hydra config. You will also have to modify the permissions response handler in your solrconfig.xml to return those fields.
|
|
63
|
+
|
|
64
|
+
# config/initializers/hydra_config.rb
|
|
65
|
+
<pre>
|
|
66
|
+
Hydra.configure(:shared) do |config|
|
|
67
|
+
# ... other stuff ...
|
|
68
|
+
config[:permissions] = {
|
|
69
|
+
:catchall => "access_t",
|
|
70
|
+
:discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
|
|
71
|
+
:read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
|
|
72
|
+
:edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
|
|
73
|
+
:owner => "depositor_t",
|
|
74
|
+
:embargo_release_date => "embargo_release_date_dt"
|
|
75
|
+
}
|
|
76
|
+
config[:permissions][:inheritable] = {
|
|
77
|
+
:catchall => "inheritable_access_t",
|
|
78
|
+
:discover => {:group =>"inheritable_discover_access_group_t", :individual=>"inheritable_discover_access_person_t"},
|
|
79
|
+
:read => {:group =>"inheritable_read_access_group_t", :individual=>"inheritable_read_access_person_t"},
|
|
80
|
+
:edit => {:group =>"inheritable_edit_access_group_t", :individual=>"inheritable_edit_access_person_t"},
|
|
81
|
+
:owner => "inheritable_depositor_t",
|
|
82
|
+
:embargo_release_date => "inheritable_embargo_release_date_dt"
|
|
83
|
+
}
|
|
84
|
+
end
|
|
85
|
+
</pre>
|
|
86
|
+
|
|
87
|
+
h2. Contributing
|
|
88
|
+
|
|
89
|
+
1. Fork it
|
|
90
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
|
91
|
+
3. Commit your changes (`git commit -am 'Added some feature'`)
|
|
92
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
|
93
|
+
5. Create new Pull Request
|
|
94
|
+
|
|
95
|
+
h2. Testing
|
|
96
|
+
|
|
97
|
+
$ git submodule init
|
|
98
|
+
$ rake jetty:config
|
|
99
|
+
$ rake jetty:start
|
|
100
|
+
$ rake spec
|
data/Rakefile
CHANGED
|
@@ -1,6 +1,11 @@
|
|
|
1
1
|
#!/usr/bin/env rake
|
|
2
2
|
require "bundler/gem_tasks"
|
|
3
3
|
require 'rspec/core/rake_task'
|
|
4
|
+
APP_ROOT = File.expand_path("#{File.dirname(__FILE__)}")
|
|
5
|
+
require "jettywrapper"
|
|
6
|
+
# re-using hydra_jetty.rake from hydra-head
|
|
7
|
+
import "lib/tasks/hydra_jetty.rake"
|
|
8
|
+
import "lib/tasks/hydra-access-controls.rake"
|
|
4
9
|
|
|
5
10
|
desc 'Default: run specs.'
|
|
6
11
|
task :default => :spec
|
|
@@ -11,6 +16,4 @@ RSpec::Core::RakeTask.new do |t|
|
|
|
11
16
|
t.rcov = true
|
|
12
17
|
t.rcov_opts = %w{--exclude spec\/*,gems\/*,ruby\/* --aggregate coverage.data}
|
|
13
18
|
end
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
|
|
19
|
+
end
|
data/config/fedora.yml
ADDED
data/config/jetty.yml
ADDED
data/config/solr.yml
ADDED
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
require File.expand_path('../lib/hydra-access-controls/version', __FILE__)
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |gem|
|
|
5
|
-
gem.authors = ["Justin Coyne"]
|
|
6
|
-
gem.email = ["
|
|
5
|
+
gem.authors = ["Chris Beer", "Justin Coyne", "Matt Zumwalt"]
|
|
6
|
+
gem.email = ["hydra-tech@googlegroups.com"]
|
|
7
7
|
gem.description = %q{Access controls for project hydra}
|
|
8
8
|
gem.summary = %q{Access controls for project hydra}
|
|
9
9
|
gem.homepage = ""
|
|
@@ -19,6 +19,7 @@ Gem::Specification.new do |gem|
|
|
|
19
19
|
gem.add_dependency 'active-fedora'
|
|
20
20
|
gem.add_dependency 'cancan'
|
|
21
21
|
gem.add_dependency 'deprecation'
|
|
22
|
+
gem.add_dependency 'blacklight'
|
|
22
23
|
|
|
23
24
|
gem.add_development_dependency("rake")
|
|
24
25
|
gem.add_development_dependency 'rspec'
|
data/lib/ability.rb
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'active_support'
|
|
2
2
|
require 'active-fedora'
|
|
3
|
+
require 'cancan'
|
|
3
4
|
require 'deprecation'
|
|
4
5
|
require "hydra-access-controls/version"
|
|
5
6
|
begin
|
|
@@ -10,15 +11,24 @@ require 'hydra/datastream'
|
|
|
10
11
|
|
|
11
12
|
module Hydra
|
|
12
13
|
extend ActiveSupport::Autoload
|
|
14
|
+
autoload :User
|
|
13
15
|
autoload :AccessControlsEnforcement
|
|
16
|
+
autoload :PolicyAwareAccessControlsEnforcement
|
|
14
17
|
autoload :AccessControlsEvaluation
|
|
15
18
|
autoload :Ability
|
|
19
|
+
autoload :PolicyAwareAbility
|
|
20
|
+
autoload :AdminPolicy
|
|
16
21
|
autoload :RoleMapperBehavior
|
|
17
22
|
|
|
18
23
|
module ModelMixins
|
|
19
24
|
autoload :RightsMetadata, 'hydra/model_mixins/rights_metadata'
|
|
20
25
|
end
|
|
21
26
|
|
|
27
|
+
# This error is raised when a user isn't allowed to access a given controller action.
|
|
28
|
+
# This usually happens within a call to AccessControlsEnforcement#enforce_access_controls but can be
|
|
29
|
+
# raised manually.
|
|
30
|
+
class AccessDenied < ::CanCan::AccessDenied; end
|
|
31
|
+
|
|
22
32
|
end
|
|
23
33
|
require 'ability'
|
|
24
34
|
require 'role_mapper'
|
data/lib/hydra/ability.rb
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
|
+
require "blacklight"
|
|
1
2
|
# this code will move to lib/hydra/access_controls/ability.rb (with the appropriate namespace changes) in Hydra 5.0
|
|
2
|
-
# Code for
|
|
3
|
+
# Code for [CANCAN] access to Hydra models
|
|
3
4
|
module Hydra::Ability
|
|
4
5
|
include Hydra::AccessControlsEnforcement
|
|
5
6
|
|
|
@@ -12,7 +13,7 @@ module Hydra::Ability
|
|
|
12
13
|
def user_groups(user, session)
|
|
13
14
|
return @user_groups if @user_groups
|
|
14
15
|
@user_groups = RoleMapper.roles(user_key(user)) + default_user_groups
|
|
15
|
-
@user_groups << 'registered' unless user.new_record?
|
|
16
|
+
@user_groups << 'registered' unless (user.new_record? || @user_groups.include?('registered'))
|
|
16
17
|
@user_groups
|
|
17
18
|
end
|
|
18
19
|
|
|
@@ -24,7 +25,7 @@ module Hydra::Ability
|
|
|
24
25
|
|
|
25
26
|
def hydra_default_permissions(user, session)
|
|
26
27
|
logger.debug("Usergroups are " + user_groups(user, session).inspect)
|
|
27
|
-
if Deprecation.silence(Hydra::SuperuserAttributes) {
|
|
28
|
+
if user.respond_to?(:is_being_superuser?) && Deprecation.silence(Hydra::SuperuserAttributes) {user.is_being_superuser?(session)}
|
|
28
29
|
can :manage, :all
|
|
29
30
|
else
|
|
30
31
|
create_permissions(user, session)
|
|
@@ -39,11 +40,11 @@ module Hydra::Ability
|
|
|
39
40
|
end
|
|
40
41
|
|
|
41
42
|
def edit_permissions(user, session)
|
|
42
|
-
can :edit, String do |pid|
|
|
43
|
+
can [:edit, :update, :destroy], String do |pid|
|
|
43
44
|
test_edit(pid, user, session)
|
|
44
45
|
end
|
|
45
46
|
|
|
46
|
-
can :edit, ActiveFedora::Base do |obj|
|
|
47
|
+
can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
|
|
47
48
|
test_edit(obj.pid, user, session)
|
|
48
49
|
end
|
|
49
50
|
|
|
@@ -84,26 +85,26 @@ module Hydra::Ability
|
|
|
84
85
|
|
|
85
86
|
def test_edit(pid, user, session)
|
|
86
87
|
permissions_doc(pid)
|
|
87
|
-
logger.debug("CANCAN Checking edit permissions for user: #{user}")
|
|
88
|
+
logger.debug("[CANCAN] Checking edit permissions for user: #{user_key(user)} with groups: #{user_groups(user, session).inspect}")
|
|
88
89
|
group_intersection = user_groups(user, session) & edit_groups
|
|
89
90
|
result = !group_intersection.empty? || edit_persons.include?(user_key(user))
|
|
90
|
-
logger.debug("CANCAN decision: #{result}")
|
|
91
|
+
logger.debug("[CANCAN] decision: #{result}")
|
|
91
92
|
result
|
|
92
93
|
end
|
|
93
94
|
|
|
94
95
|
def test_read(pid, user, session)
|
|
95
96
|
permissions_doc(pid)
|
|
96
|
-
logger.debug("CANCAN Checking edit permissions for user: #{user}")
|
|
97
|
+
logger.debug("[CANCAN] Checking edit permissions for user: #{user_key(user)} with groups: #{user_groups(user, session).inspect}")
|
|
97
98
|
group_intersection = user_groups(user, session) & read_groups
|
|
98
99
|
result = !group_intersection.empty? || read_persons.include?(user_key(user))
|
|
99
|
-
logger.debug("CANCAN decision: #{result}")
|
|
100
|
+
logger.debug("[CANCAN] decision: #{result}")
|
|
100
101
|
result
|
|
101
102
|
end
|
|
102
103
|
|
|
103
104
|
def edit_groups
|
|
104
105
|
edit_group_field = Hydra.config[:permissions][:edit][:group]
|
|
105
106
|
eg = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_group_field,nil))
|
|
106
|
-
logger.debug("edit_groups: #{eg.inspect}")
|
|
107
|
+
logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
|
|
107
108
|
return eg
|
|
108
109
|
end
|
|
109
110
|
|
|
@@ -111,14 +112,14 @@ module Hydra::Ability
|
|
|
111
112
|
def read_groups
|
|
112
113
|
read_group_field = Hydra.config[:permissions][:read][:group]
|
|
113
114
|
rg = edit_groups | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_group_field,nil))
|
|
114
|
-
logger.debug("read_groups: #{rg.inspect}")
|
|
115
|
+
logger.debug("[CANCAN] read_groups: #{rg.inspect}")
|
|
115
116
|
return rg
|
|
116
117
|
end
|
|
117
118
|
|
|
118
119
|
def edit_persons
|
|
119
120
|
edit_person_field = Hydra.config[:permissions][:edit][:individual]
|
|
120
121
|
ep = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_person_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_person_field,nil))
|
|
121
|
-
logger.debug("edit_persons: #{ep.inspect}")
|
|
122
|
+
logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
|
|
122
123
|
return ep
|
|
123
124
|
end
|
|
124
125
|
|
|
@@ -126,7 +127,7 @@ module Hydra::Ability
|
|
|
126
127
|
def read_persons
|
|
127
128
|
read_individual_field = Hydra.config[:permissions][:read][:individual]
|
|
128
129
|
rp = edit_persons | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_individual_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_individual_field,nil))
|
|
129
|
-
logger.debug("read_persons: #{rp.inspect}")
|
|
130
|
+
logger.debug("[CANCAN] read_persons: #{rp.inspect}")
|
|
130
131
|
return rp
|
|
131
132
|
end
|
|
132
133
|
|
|
@@ -100,7 +100,6 @@ module Hydra::AccessControlsEnforcement
|
|
|
100
100
|
if @permissions_solr_document["embargo_release_date_dt"]
|
|
101
101
|
embargo_date = Date.parse(@permissions_solr_document["embargo_release_date_dt"].split(/T/)[0])
|
|
102
102
|
if embargo_date > Date.parse(Time.now.to_s)
|
|
103
|
-
### Assuming we're using devise and have only one authentication key
|
|
104
103
|
unless current_user && can?(:edit, params[:id])
|
|
105
104
|
raise Hydra::AccessDenied.new("This item is under embargo. You do not have sufficient access privileges to read this document.", :edit, params[:id])
|
|
106
105
|
end
|
|
@@ -197,35 +196,47 @@ module Hydra::AccessControlsEnforcement
|
|
|
197
196
|
|
|
198
197
|
# Grant access based on user id & role
|
|
199
198
|
unless current_user.nil?
|
|
199
|
+
user_access_filters += apply_role_permissions(permission_types)
|
|
200
|
+
user_access_filters += apply_individual_permissions(permission_types)
|
|
201
|
+
user_access_filters += apply_superuser_permissions(permission_types)
|
|
202
|
+
end
|
|
203
|
+
solr_parameters[:fq] << user_access_filters.join(" OR ")
|
|
204
|
+
logger.debug("Solr parameters: #{ solr_parameters.inspect }")
|
|
205
|
+
end
|
|
206
|
+
|
|
207
|
+
def apply_role_permissions(permission_types)
|
|
200
208
|
# for roles
|
|
209
|
+
user_access_filters = []
|
|
201
210
|
::RoleMapper.roles(user_key).each_with_index do |role, i|
|
|
202
211
|
permission_types.each do |type|
|
|
203
212
|
user_access_filters << "#{type}_access_group_t:#{role}"
|
|
204
213
|
end
|
|
205
214
|
end
|
|
215
|
+
user_access_filters
|
|
216
|
+
end
|
|
217
|
+
|
|
218
|
+
def apply_individual_permissions(permission_types)
|
|
206
219
|
# for individual person access
|
|
220
|
+
user_access_filters = []
|
|
207
221
|
permission_types.each do |type|
|
|
208
222
|
user_access_filters << "#{type}_access_person_t:#{user_key}"
|
|
209
223
|
end
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
224
|
+
user_access_filters
|
|
225
|
+
end
|
|
226
|
+
|
|
227
|
+
|
|
228
|
+
# Even though is_being_superuser? is deprecated, keep this method around (just return empty set)
|
|
229
|
+
# so developers can easily override this behavior in their local app
|
|
230
|
+
def apply_superuser_permissions(permission_types)
|
|
231
|
+
user_access_filters = []
|
|
232
|
+
if current_user.respond_to?(:is_being_superuser?) && current_user.is_being_superuser?(session) ##Deprecated
|
|
233
|
+
permission_types.each do |type|
|
|
234
|
+
user_access_filters << "#{type}_access_person_t:[* TO *]"
|
|
214
235
|
end
|
|
215
|
-
|
|
216
|
-
# Enforcing Embargo at Query time has been disabled.
|
|
217
|
-
# If you want to do this, set up your own solr_search_params before_filter that injects the appropriate :fq constraints for a field that expresses your objects' embargo status.
|
|
218
|
-
#
|
|
219
|
-
# include docs in results if the embargo date is NOT in the future OR if the current user is depositor
|
|
220
|
-
# embargo_query = "(NOT embargo_release_date_dt:[NOW TO *]) OR depositor_t:#{user_key}"
|
|
221
|
-
# embargo_query = "(NOT embargo_release_date_dt:[NOW TO *]) OR (embargo_release_date_dt:[NOW TO *] AND depositor_t:#{user_key}) AND NOT (NOT depositor_t:#{user_key} AND embargo_release_date_dt:[NOW TO *])"
|
|
222
|
-
# solr_parameters[:fq] << embargo_query
|
|
223
236
|
end
|
|
224
|
-
|
|
225
|
-
logger.debug("Solr parameters: #{ solr_parameters.inspect }")
|
|
237
|
+
user_access_filters
|
|
226
238
|
end
|
|
227
239
|
|
|
228
|
-
|
|
229
240
|
# proxy for {enforce_index_permissions}
|
|
230
241
|
def enforce_search_permissions
|
|
231
242
|
enforce_index_permissions
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
class Hydra::AdminPolicy < ActiveFedora::Base
|
|
2
|
+
|
|
3
|
+
# When you subclass Hydra::AdminPolicy, you probably want to include Hydra::ModelMethods so you can call apply_depositor_metadata
|
|
4
|
+
# include Hydra::ModelMethods
|
|
5
|
+
|
|
6
|
+
# Uses the Hydra Rights Metadata Schema for tracking access permissions & copyright
|
|
7
|
+
has_metadata :name => "defaultRights", :type => Hydra::Datastream::InheritableRightsMetadata
|
|
8
|
+
|
|
9
|
+
# Uses the Hydra Rights Metadata Schema for tracking access permissions & copyright
|
|
10
|
+
has_metadata :name => "rightsMetadata", :type => Hydra::Datastream::RightsMetadata
|
|
11
|
+
|
|
12
|
+
has_metadata :name =>'descMetadata', :type => ActiveFedora::QualifiedDublinCoreDatastream do |ds|
|
|
13
|
+
ds.field :license_url
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
delegate_to :descMetadata, [:title, :description], :unique=>true
|
|
17
|
+
delegate :license_title, :to=>'rightsMetadata', :at=>[:license, :title], :unique=>true
|
|
18
|
+
delegate :license_description, :to=>'rightsMetadata', :at=>[:license, :description], :unique=>true
|
|
19
|
+
delegate :license_url, :to=>'rightsMetadata', :at=>[:license, :url], :unique=>true
|
|
20
|
+
|
|
21
|
+
# easy access to edit_groups, etc
|
|
22
|
+
include Hydra::ModelMixins::RightsMetadata
|
|
23
|
+
|
|
24
|
+
def self.readable_by_user(user)
|
|
25
|
+
where_user_has_permissions(user, [:read, :edit])
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def self.editable_by_user(user)
|
|
29
|
+
where_user_has_permissions(user, [:edit])
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def self.where_user_has_permissions(user, permissions=[:edit])
|
|
33
|
+
or_query = []
|
|
34
|
+
RoleMapper.roles(user).each do |group|
|
|
35
|
+
permissions.each do |permission|
|
|
36
|
+
or_query << "#{permission}_access_group_t:#{group}"
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
permissions.each do |permission|
|
|
40
|
+
or_query << "#{permission}_access_person_t:#{user.user_key}"
|
|
41
|
+
end
|
|
42
|
+
find_with_conditions(or_query.join(" OR "))
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
## Updates those permissions that are provided to it. Does not replace any permissions unless they are provided
|
|
46
|
+
# @example
|
|
47
|
+
# obj.default_permissions= [{:name=>"group1", :access=>"discover", :type=>'group'},
|
|
48
|
+
# {:name=>"group2", :access=>"discover", :type=>'group'}]
|
|
49
|
+
def default_permissions=(params)
|
|
50
|
+
perm_hash = {'person' => defaultRights.individuals, 'group'=> defaultRights.groups}
|
|
51
|
+
|
|
52
|
+
params.each do |row|
|
|
53
|
+
if row[:type] == 'user'
|
|
54
|
+
perm_hash['person'][row[:name]] = row[:access]
|
|
55
|
+
else
|
|
56
|
+
perm_hash['group'][row[:name]] = row[:access]
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
defaultRights.update_permissions(perm_hash)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
## Returns a list with all the permissions on the object.
|
|
64
|
+
# @example
|
|
65
|
+
# [{:name=>"group1", :access=>"discover", :type=>'group'},
|
|
66
|
+
# {:name=>"group2", :access=>"discover", :type=>'group'},
|
|
67
|
+
# {:name=>"user2", :access=>"read", :type=>'user'},
|
|
68
|
+
# {:name=>"user1", :access=>"edit", :type=>'user'},
|
|
69
|
+
# {:name=>"user3", :access=>"read", :type=>'user'}]
|
|
70
|
+
def default_permissions
|
|
71
|
+
(defaultRights.groups.map {|x| {:type=>'group', :access=>x[1], :name=>x[0] }} +
|
|
72
|
+
defaultRights.individuals.map {|x| {:type=>'user', :access=>x[1], :name=>x[0]}})
|
|
73
|
+
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def to_solr(solr_doc = {})
|
|
77
|
+
super
|
|
78
|
+
solr_doc['title_display'] = solr_doc['title_t'].first if solr_doc['title_t']
|
|
79
|
+
solr_doc
|
|
80
|
+
end
|
|
81
|
+
end
|