hydra-access-controls 10.3.4 → 10.4.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bf2489122e87b5314a540070ce5a299a8832ba9b
-  data.tar.gz: a66a5afa2fd33ab7df17f4e5a18d595c88f9f3fc
+  metadata.gz: 81f71a1cc06b6a7534f660864351689d42bcf25f
+  data.tar.gz: b5cc13c664f4bfdd5ca77d3033bbfdceb5106dd2
 SHA512:
-  metadata.gz: c8b2e99f21ae1592a5e7bf0fc70e927147071fcf880783a5fc6441052e64f800d066ccaf14984fea765edffdd162ffab61f50a65c35717e45ba1d8e616a4d061
-  data.tar.gz: 516a0af52de9ede95d7e908751dc002ba50d516569248ec1165ddeb10841a229e9387c6f41de9f9d0f0f0eefac5225c8cd77bc3d8a65d1bc6acab1cf1fe005e6
+  metadata.gz: 4b6074c2e8ce4c4db2509118062c76711935285192bcc2c767a8b0fe9b7bc16bec77a1e81836d66585e16210ff3eb855d4a3bde015cc989854fa33db5ac1aa6c
+  data.tar.gz: 138f70c4e3a0cd8f82cf09dfcd31fa9e0a11807971bc58b4e6445d0229d2e062198648300bb546de5e25cb29a991571fbb76e38e0bae964088918f0a3e140ee8

data/app/models/concerns/hydra/access_controls/permissions.rb

@@ -415,10 +415,10 @@ module Hydra
 
       # @param [RDF::URI] mode One of the permissions modes, e.g. ACL.Write, ACL.Read, etc.
       # @yieldparam [Array<ActiveFedora::Base>] agent the agent type assertions
-      # @return [Array<Permission>] list of permissions where the mode is as selected, the block evaluates to true and the target is not marked for delete
+      # @return [Array<Permission>] list of permissions where the mode is as selected, the block evaluates to true
       def search_by_mode(mode)
         permissions.to_a.select do |p|
-          yield(p.agent) && !p.marked_for_destruction? && p.mode.first.rdf_subject == mode
+          yield(p.agent) && p.mode.first.rdf_subject == mode
         end
       end
 

data/app/models/hydra/access_control.rb

@@ -20,11 +20,13 @@ module Hydra
 
     def permissions_attributes=(attribute_list)
       raise ArgumentError unless attribute_list.is_a? Array
+      any_destroyed = false
       attribute_list.each do |attributes|
         if attributes.key?(:id)
           obj = relationship.find(attributes[:id])
           if has_destroy_flag?(attributes)
             obj.destroy
+            any_destroyed = true
           else
             obj.update(attributes.except(:id, '_destroy'))
           end
@@ -32,18 +34,28 @@ module Hydra
           relationship.create(attributes)
         end
       end
+      # Poison the cache
+      relationship.reset if any_destroyed
     end
 
     def relationship
       @relationship ||= CollectionRelationship.new(self, :contains)
     end
 
+    # This is like a has_many :through relationship
     class CollectionRelationship
       def initialize(owner, reflection)
         @owner = owner
         @relationship = @owner.send(reflection)
       end
 
+      # The graph stored in @owner is now stale, so reload it and clear all caches
+      def reset
+        @owner.reload
+        @relationship.proxy_association.reload
+        self
+      end
+
       delegate :to_a, :to_ary, :map, :delete, :first, :last, :size, :count, :[],
                :==, :detect, :empty?, :each, :any?, :all?, :include?, :destroy_all,
                to: :@relationship
@@ -52,7 +64,7 @@ module Hydra
       # delegate find.
       def find(id)
         return to_a.find { |record| record.id == id } if @relationship.loaded?
-        
+
         unless id.start_with?(@owner.id)
           raise ArgumentError, "requested ACL (#{id}) is not a member of #{@owner.id}"
         end

data/lib/hydra/role_mapper_behavior.rb

@@ -1,25 +1,28 @@
 module Hydra::RoleMapperBehavior
   extend ActiveSupport::Concern
+  extend Deprecation
 
   module ClassMethods
     def role_names
       map.keys
     end
 
+    def fetch_groups(user:)
+      _groups(user.user_key)
+    end
+
     ##
     # @param user_or_uid either the User object or user id
     # If you pass in a nil User object (ie. user isn't logged in), or a uid that doesn't exist, it will return an empty array
     def roles(user_or_uid)
-      if user_or_uid.kind_of?(String)
-        user = Hydra::Ability.user_class.find_by_user_key(user_or_uid)
-        user_id = user_or_uid
-      elsif user_or_uid.kind_of?(Hydra::Ability.user_class) && user_or_uid.user_key
-        user = user_or_uid
-        user_id = user.user_key
-      end
-      array = byname[user_id].dup || []
-      array = array << 'registered' unless (user.nil? || user.new_record?)
-      array
+      Deprecation.warn(self, "roles is deprecated and will be removed in Hydra-Head 11.  Use fetch_groups instead")
+      user_id = case user_or_uid
+                  when String
+                    user_or_uid
+                  else
+                    user_or_uid.user_key
+                end
+      _groups(user_id)
     end
 
     def whois(r)
@@ -38,6 +41,14 @@ module Hydra::RoleMapperBehavior
     end
 
     private
+
+      ##
+      # @param user_id [String] the identfying user key
+      # @return [Array<String>] a list of group names. If a nil user id, or a user id that doesn't exist is passed in, it will return an empty array
+      def _groups(user_id)
+        byname[user_id].dup || []
+      end
+
       def load_role_map
         require 'erb'
         require 'yaml'

data/lib/hydra/user.rb

@@ -2,23 +2,24 @@
 # By default, this module assumes you are using the User model created by Blacklight, which uses Devise.
 # To integrate your own User implementation into Hydra, override this Module or define your own User model in app/models/user.rb within your Hydra head.
 module Hydra::User
+  extend ActiveSupport::Concern
   include Blacklight::AccessControls::User
   
-  def self.included(klass)
-    # Other modules to auto-include
-    klass.extend(ClassMethods)
+  included do
+    class_attribute :group_service
+    self.group_service = RoleMapper
   end
 
   def groups
-    RoleMapper.roles(self)
+    group_service.fetch_groups(user: self)
   end
   
   module ClassMethods
-    # This method should find User objects using the user_key you've chosen.
-    # By default, uses the unique identifier specified in by devise authentication_keys (ie. find_by_id, or find_by_email).  
-    # You must have that find method implemented on your user class, or must override find_by_user_key
+    # This method finds User objects using the user_key as specified by the
+    # Devise authentication_keys configuration variable. This method encapsulates
+    # whether we use email or username (or something else) as the identifing user attribute.
     def find_by_user_key(key)
-      self.send("find_by_#{Devise.authentication_keys.first}".to_sym, key)
+      find_by(Devise.authentication_keys.first.to_sym => key)
     end
   end
 end

data/spec/factories.rb

@@ -7,9 +7,7 @@ FactoryGirl.define do
     sequence :uid do |n|
       "person#{n}"
     end
-    email { "#{uid}@example.com" }
     password { uid }
-    new_record false
   end
 
   factory :archivist, :parent=>:user do |u|
@@ -23,52 +21,42 @@ FactoryGirl.define do
   factory :staff, :parent=>:user do |u|
     uid 'staff1'
     password 'staff1'
-    roles { ["staff"] }
   end
   factory :student, :parent=>:user do |u|
     uid 'student1'
     password 'student1'
-    roles { ["student"] }
   end
   factory :joe_creator, :parent=>:user do |u|
     uid 'joe_creator'
     password 'joe_creator'
-    roles { ["faculty"] }
   end
   factory :martia_morocco, :parent=>:user do |u|
     uid 'martia_morocco'
     password 'martia_morocco'
-    roles { ["faculty", "africana-faculty"] }
   end
   factory :ira_instructor, :parent=>:user do |u|
     uid 'ira_instructor'
     password 'ira_instructor'
-    roles { ["faculty", "africana-faculty"] }
   end
   factory :calvin_collaborator, :parent=>:user do |u|
     uid 'calvin_collaborator'
     password 'calvin_collaborator'
-    roles { ["student"] }
   end
   factory :sara_student, :parent=>:user do |u|
     uid 'sara_student'
     password 'sara_student'
-    roles { ["student", "africana-104-students"] }
   end
   factory :louis_librarian, :parent=>:user do |u|
     uid 'louis_librarian'
     password 'louis_librarian'
-    roles { ["library-staff", "repository-admin"] }
   end
   factory :carol_curator, :parent=>:user do |u|
     uid 'carol_curator'
     password 'carol_curator'
-    roles { ["library-staff", "repository-admin"] }
   end
   factory :alice_admin, :parent=>:user do |u|
     uid 'alice_admin'
     password 'alice_admin'
-    roles { ["repository-admin"] }
   end
 
   #

data/spec/support/user.rb

@@ -2,29 +2,11 @@ class User
   
   include Hydra::User
 
-  attr_accessor :uid, :email, :password, :roles, :new_record
+  attr_accessor :uid
 
   def initialize(params={})
-    self.email = params[:email] if params[:email]
-    self.uid = params[:uid] if params[:uid]
-    self.new_record = params[:new_record] if params[:new_record]
-  end
-  
-  def new_record?
-    new_record == true
-  end
-  
-  def self.find_by_uid(uid)
-    nil
-  end
-  
-  def save
-    # do nothing!
-  end
-  
-  def save!
-    save
-    return self
+    self.uid = params.delete(:uid) if params[:uid]
+    super
   end
   
 end

data/spec/unit/ability_spec.rb

@@ -15,13 +15,15 @@ describe Ability do
     its(:discover_user_field) { should == 'discover_access_person_ssim'}
   end
 
+  subject { Ability.new(user) }
+
   context "for a not-signed in user" do
     before do
       allow_any_instance_of(User).to receive(:email).and_return(nil)
       allow_any_instance_of(User).to receive(:new_record?).and_return(true)
     end
-    subject { Ability.new(nil) }
-    it "should call custom_permissions" do
+    let(:user) { nil }
+    it "calls custom_permissions" do
       expect_any_instance_of(Ability).to receive(:custom_permissions)
       subject.can?(:delete, 7)
     end
@@ -29,10 +31,7 @@ describe Ability do
   end
 
   context "for a signed in user" do
-    before do
-      @user = FactoryGirl.build(:registered_user)
-    end
-    subject { Ability.new(@user) }
+    let(:user) { FactoryGirl.build(:registered_user) }
 
     it { should_not be_able_to(:create, ActiveFedora::Base) }
   end
@@ -50,7 +49,7 @@ describe Ability do
     end
 
     context "Then a not-signed-in user" do
-      subject { Ability.new(nil) }
+      let(:user) { nil }
       it { should     be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
@@ -59,10 +58,7 @@ describe Ability do
     end
 
     context "Then a registered user" do
-      before do
-        @user = FactoryGirl.build(:registered_user)
-      end
-      subject { Ability.new(@user) }
+      let(:user) { FactoryGirl.build(:registered_user) }
       it { should     be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
@@ -80,7 +76,7 @@ describe Ability do
     end
 
     context "Then a not-signed-in user" do
-      subject { Ability.new(nil) }
+      let(:user) { nil }
       it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
@@ -89,10 +85,7 @@ describe Ability do
     end
 
     context "Then a registered user" do
-      before do
-        @user = FactoryGirl.build(:registered_user)
-      end
-      subject { Ability.new(@user) }
+      let(:user) { FactoryGirl.build(:registered_user) }
       it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
@@ -102,7 +95,6 @@ describe Ability do
   end
 
   describe "Given an asset with no custom access set" do
-    #let(:asset) { FactoryGirl.create(:default_access_asset) }
     let(:asset) { FactoryGirl.create(:asset) }
     before do
       asset.permissions_attributes = [{ name: "joe_creator", access: "edit", type: "person" }]
@@ -110,8 +102,7 @@ describe Ability do
     end
     let(:solr_doc) { SolrDocument.new(asset.to_solr.merge(id: asset.id)) }
     context "Then a not-signed-in user" do
-      let(:user) { User.new.tap {|u| u.new_record = true } }
-      subject { Ability.new(user) }
+      let(:user) { User.new }
       it { should_not be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
@@ -119,7 +110,7 @@ describe Ability do
       it { should_not be_able_to(:destroy, asset) }
     end
     context "Then a registered user" do
-      subject { Ability.new(FactoryGirl.build(:registered_user)) }
+      let(:user) { FactoryGirl.build(:registered_user) }
       it { should_not be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
       it { should_not be_able_to(:edit, asset) }
@@ -127,7 +118,7 @@ describe Ability do
       it { should_not be_able_to(:destroy, asset) }
     end
     context "Then the Creator" do
-      subject { Ability.new(FactoryGirl.build(:joe_creator)) }
+      let(:user) { FactoryGirl.build(:joe_creator) }
       it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
       it { should     be_able_to(:edit, asset) }
@@ -148,10 +139,10 @@ describe Ability do
       asset.save
     end
     context "The a registered user" do
+      let(:user) { FactoryGirl.build(:registered_user) }
       before do
-        @user = FactoryGirl.build(:registered_user)
+        allow(user).to receive(:new_record?).and_return(false)
       end
-      subject { Ability.new(@user) }
 
       it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
@@ -163,18 +154,15 @@ describe Ability do
   end
 
   describe "Given an asset with collaborator" do
-    # let(:asset) { FactoryGirl.create(:group_edit_asset) }
     let(:asset) { FactoryGirl.create(:asset) }
     before do
       asset.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
       asset.save
     end
     after { asset.destroy }
+
     context "Then a collaborator with edit access (user permision)" do
-      before do
-        @user = FactoryGirl.build(:calvin_collaborator)
-      end
-      subject { Ability.new(@user) }
+      let(:user) { FactoryGirl.build(:calvin_collaborator) }
 
       it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
@@ -185,13 +173,12 @@ describe Ability do
     end
 
     context "Then a collaborator with edit access (group permision)" do
+      let(:user) { FactoryGirl.build(:martia_morocco) }
       before do
-        @user = FactoryGirl.build(:martia_morocco)
-        allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
+        allow(user).to receive(:groups).and_return(["faculty", "africana-faculty"])
       end
-      subject { Ability.new(@user) }
 
-      it { should     be_able_to(:read, asset) }
+      it { should be_able_to(:read, asset) }
     end
   end
 
@@ -203,10 +190,7 @@ describe Ability do
       asset.save
     end
     context "Then a registered user" do
-      before do
-        @user = FactoryGirl.build(:registered_user)
-      end
-      subject { Ability.new(@user) }
+      let(:user) { FactoryGirl.build(:registered_user) }
 
       it { should_not be_able_to(:discover, asset) }
       it { should_not be_able_to(:read, asset) }
@@ -217,11 +201,10 @@ describe Ability do
     end
 
     context "Then someone whose role/group has read access" do
+      let(:user) { FactoryGirl.build(:martia_morocco) }
       before do
-        @user = FactoryGirl.build(:martia_morocco)
-        allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
+        allow(user).to receive(:groups).and_return(["faculty", "africana-faculty"])
       end
-      subject { Ability.new(@user) }
 
       it { should     be_able_to(:discover, asset) }
       it { should     be_able_to(:read, asset) }
@@ -244,34 +227,33 @@ describe Ability do
           can :accept, ActiveFedora::Base
         end
       end
-      @user = FactoryGirl.create(:staff)
     end
+    let(:user) { FactoryGirl.build(:staff) }
 
     after do
       Object.send(:remove_const, :MyAbility)
     end
 
-    subject { MyAbility.new(@user) }
+    subject { MyAbility.new(user) }
 
     it { should be_able_to(:accept, ActiveFedora::Base) }
 
   end
 
   describe "calling ability on two separate objects" do
-    #asset1 = FactoryGirl.create(:org_read_access_asset)
     let(:asset1) { FactoryGirl.create(:asset) }
     let(:asset2) { FactoryGirl.create(:asset) }
     before do
       asset1.permissions_attributes = [{ name: "registered", access: "read", type: "group" }, { name: "joe_creator", access: "edit", type: "person" }, { name: "calvin_collaborator", access: "edit", type: "person" }]
       asset1.save
-      @user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
     end
+    let(:user) { FactoryGirl.build(:calvin_collaborator) } # has access to @asset1, but not @asset2
     after do
       asset1.destroy
       asset2.destroy
     end
-    subject { Ability.new(@user) }
-    it "should be readable in the first instance and not in the second instance" do
+
+    it "is readable in the first instance and not in the second instance" do
       # We had a bug around this where it keeps returning the access for the first object queried
       expect(subject).to be_able_to(:edit, asset1)
       expect(subject).to_not be_able_to(:edit, asset2)
@@ -279,7 +261,6 @@ describe Ability do
   end
 
   describe "download permissions" do
-    subject { Ability.new(user) }
     let(:asset) { FactoryGirl.create(:asset) }
     let(:user) { FactoryGirl.build(:user) }
     let(:file) { ActiveFedora::File.new() }

data/spec/unit/accessible_by_spec.rb

@@ -14,7 +14,7 @@ describe "active_fedora/accessible_by" do
     public_obj.save
     editable_obj.permissions_attributes = [{ name:"africana-faculty", access: "edit", type: "group" }, {name: "calvin_collaborator", access: "edit", type: "person"}]
     editable_obj.save
-    expect(user).to receive(:groups).at_most(:once).and_return(user.roles)
+    expect(user).to receive(:groups).at_most(:once).and_return(["faculty", "africana-faculty"])
   end
 
   after do

data/spec/unit/admin_policy_spec.rb

@@ -120,9 +120,10 @@ describe Hydra::AdminPolicy do
   # Policy-based Access Controls
   #
   describe "When accessing assets with Policies associated" do
+    let(:user) { FactoryGirl.build(:martia_morocco) }
+
     before do
-      @user = FactoryGirl.build(:martia_morocco)
-      allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
+      allow(user).to receive(:groups).and_return(["faculty", "africana-faculty"])
     end
 
     before(:all) do
@@ -135,7 +136,7 @@ describe Hydra::AdminPolicy do
       Object.send(:remove_const, :TestAbility)
     end
 
-    subject { TestAbility.new(@user) }
+    subject { TestAbility.new(user) }
 
     context "Given a policy grants read access to a group I belong to" do
       before do
@@ -191,7 +192,7 @@ describe Hydra::AdminPolicy do
     	context "And a subscribing asset grants read access to me as an individual" do
     	  before do
           @asset = ModsAsset.new()
-          @asset.read_users = [@user.uid]
+          @asset.read_users = [user.uid]
           @asset.admin_policy = @policy
           @asset.save
         end
@@ -235,7 +236,7 @@ describe Hydra::AdminPolicy do
       context "And a subscribing asset grants read access to me as an individual" do
         before do
           @asset = ModsAsset.new()
-          @asset.read_users = [@user.uid]
+          @asset.read_users = [user.uid]
           @asset.admin_policy = @policy
           @asset.save
         end

data/spec/unit/permission_spec.rb

@@ -62,9 +62,9 @@ describe Hydra::AccessControls::Permission do
 
     context 'with a User instance passed as :name argument' do
       let(:permission) { described_class.new(type: 'person', name: user, access: 'read') }
-      let(:user) { FactoryGirl.create(:archivist) }
+      let(:user) { FactoryGirl.build(:archivist, email: 'archivist1@example.com') }
 
-      it "should use string and escape agent when building" do
+      it "uses string and escape agent when building" do
         expect(permission.agent.first.rdf_subject.to_s).to eq 'http://projecthydra.org/ns/auth/person#archivist1@example.com'
       end
     end

data/spec/unit/permissions_spec.rb

@@ -134,6 +134,7 @@ describe Hydra::AccessControls::Permissions do
             it "removes permissions on existing users" do
               indexed_result = ActiveFedora::SolrService.query("id:#{subject.id}").first['edit_access_person_ssim']
               expect(indexed_result).to eq ['jcoyne']
+              expect(subject.permissions.map(&:to_hash)).to eq [{ name: "jcoyne", type: "person", access: "edit" }]
               expect(reloaded).to eq [{ name: "jcoyne", type: "person", access: "edit" }]
             end
           end
@@ -188,7 +189,7 @@ describe Hydra::AccessControls::Permissions do
               subject.update permissions_attributes: [
                 { id: permissions_id, type: "group", access: "read", name: "group1", _destroy: '1' },
                 { type: "group", access: "edit", name: "group2" },
-                { type: "person", access: "read", name: "joebob" } 
+                { type: "person", access: "read", name: "joebob" }
               ]
             end
 

data/spec/unit/policy_aware_ability_spec.rb

@@ -53,7 +53,7 @@ describe Hydra::PolicyAwareAbility do
     let(:asset2) { ModsAsset.create { |a| a.admin_policy = policy2 } }
     let(:asset3) { ModsAsset.create }
 
-    it "should retrieve the pid doc for the current object's governing policy" do
+    it "retrieves the pid doc for the current object's governing policy" do
       expect(instance.policy_id_for(asset.id)).to eq policy.id
       expect(instance.policy_id_for(asset2.id)).to eq policy2.id
       expect(instance.policy_id_for(asset3.id)).to be_nil
@@ -61,7 +61,7 @@ describe Hydra::PolicyAwareAbility do
   end
 
   describe "policy_permissions_doc" do
-    it "should retrieve the permissions doc for the current object's policy and store for re-use" do
+    it "retrieves the permissions doc for the current object's policy and store for re-use" do
       expect(instance).to receive(:get_permissions_solr_response_for_doc_id).with(policy.id).once.and_return("mock solr doc")
       expect(instance.policy_permissions_doc(policy.id)).to eq "mock solr doc"
       expect(instance.policy_permissions_doc(policy.id)).to eq "mock solr doc"
@@ -71,37 +71,37 @@ describe Hydra::PolicyAwareAbility do
 
   describe "test_edit_from_policy" do
     context "public user" do
-      it "should return false" do
+      it "returns false" do
         allow(instance).to receive(:user_groups).and_return(["public"])
         expect(instance.test_edit_from_policy(asset.id)).to be false
       end
     end
     context "registered user" do
-      it "should return false" do
-        expect(instance.user_groups).to include("registered")
+      it "returns false" do
+        #expect(instance.user_groups).to include("registered")
         expect(instance.test_edit_from_policy(asset.id)).to be false
       end
     end
     context "user with policy read access only" do
-      it "should return false" do
+      it "returns false" do
         allow(instance.current_user).to receive(:user_key).and_return("nero")
         expect(instance.test_edit_from_policy(asset.id)).to be false
       end
     end
     context "user with policy edit access" do
-      it "should return true" do
+      it "returns true" do
         allow(instance.current_user).to receive(:user_key).and_return("julius_caesar")
         expect(instance.test_edit_from_policy(asset.id)).to be true
       end
     end
     context "user in group with policy read access" do
-      it "should return false" do
+      it "returns false" do
         allow(instance).to receive(:user_groups).and_return(["africana-faculty"])
         expect(instance.test_edit_from_policy(asset.id)).to be false
       end
     end
     context "user in group with policy edit access" do
-      it "should return true" do
+      it "returns true" do
         allow(instance).to receive(:user_groups).and_return(["cool_kids"])
         expect(instance.test_edit_from_policy(asset.id)).to be true
       end
@@ -110,37 +110,41 @@ describe Hydra::PolicyAwareAbility do
 
   describe "test_read_from_policy" do
     context "public user" do
-      it "should return false" do
+      it "returns false" do
         allow(instance).to receive(:user_groups).and_return(["public"])
         expect(instance.test_read_from_policy(asset.id)).to be false
       end
     end
+
     context "registered user" do
-      it "should return false" do
-        expect(instance.user_groups).to include("registered")
+      it "returns false" do
         expect(instance.test_read_from_policy(asset.id)).to be false
       end
     end
+
     context "user with policy read access only" do
-      it "should return false" do
+      it "returns false" do
         allow(instance.current_user).to receive(:user_key).and_return("nero")
         expect(instance.test_read_from_policy(asset.id)).to be true
       end
     end
+
     context "user with policy edit access" do
-      it "should return true" do
+      it "returns true" do
         allow(instance.current_user).to receive(:user_key).and_return("julius_caesar")
         expect(instance.test_read_from_policy(asset.id)).to be true
       end
     end
+
     context "user in group with policy read access" do
-      it "should return false" do
+      it "returns false" do
         allow(instance).to receive(:user_groups).and_return(["africana-faculty"])
         expect(instance.test_read_from_policy(asset.id)).to be true
       end
     end
+
     context "user in group with policy edit access" do
-      it "should return true" do
+      it "returns true" do
         allow(instance).to receive(:user_groups).and_return(["cool_kids"])
         expect(instance.test_read_from_policy(asset.id)).to be true
       end
@@ -150,7 +154,7 @@ describe Hydra::PolicyAwareAbility do
   describe "edit_groups_from_policy" do
     subject { instance.edit_groups_from_policy(policy.id) }
 
-    it "should retrieve the list of groups with edit access from the policy" do
+    it "retrieves the list of groups with edit access from the policy" do
       expect(subject).to match_array ["cool_kids", "in_crowd"]
     end
   end
@@ -160,7 +164,7 @@ describe Hydra::PolicyAwareAbility do
       instance.edit_users_from_policy(policy.id)
     end
 
-    it "should retrieve the list of individuals with edit access from the policy" do
+    it "retrieves the list of individuals with edit access from the policy" do
       expect(subject).to eq ["julius_caesar"]
     end
   end
@@ -168,7 +172,7 @@ describe Hydra::PolicyAwareAbility do
   describe "read_groups_from_policy" do
     subject { instance.read_groups_from_policy(policy.id) }
 
-    it "should retrieve the list of groups with read access from the policy" do
+    it "retrieves the list of groups with read access from the policy" do
       expect(subject).to match_array ["cool_kids", "in_crowd", "africana-faculty"]
     end
   end
@@ -176,7 +180,7 @@ describe Hydra::PolicyAwareAbility do
   describe "read_users_from_policy" do
     subject { instance.read_users_from_policy(policy.id) }
 
-    it "should retrieve the list of individuals with read access from the policy" do
+    it "retrieves the list of individuals with read access from the policy" do
       expect(subject).to eq ["julius_caesar", "nero"]
     end
   end

data/spec/unit/policy_aware_access_controls_enforcement_spec.rb

@@ -101,7 +101,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
   describe "policies_with_access" do
     context "Authenticated user" do
       before do
-        allow(RoleMapper).to receive(:roles).with(user).and_return(user.roles)
+        allow(user).to receive(:groups).and_return(["student", "africana-104-students"])
       end
 
       it "should return the policies that provide discover permissions" do
@@ -128,8 +128,9 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
   describe "apply_gated_discovery" do
     let(:governed_field) { ActiveFedora.index_field_mapper.solr_name('isGovernedBy', :symbol) }
     let(:policy_queries) { @solr_parameters[:fq].first.split(" OR ") }
-
-    before { allow(RoleMapper).to receive(:roles).with(user).and_return(user.roles) }
+    before do
+      allow(user).to receive(:groups).and_return(["student", "africana-104-students"])
+    end
 
     context "when policies are included" do
       before { subject.apply_gated_discovery(@solr_parameters) }
@@ -155,21 +156,28 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
   end
 
   describe "apply_policy_role_permissions" do
-    it "should escape slashes in the group names" do
-      allow(RoleMapper).to receive(:roles).with(user).and_return(["abc/123","cde/567"])
-      user_access_filters = subject.apply_policy_group_permissions
-      ["edit","discover","read"].each do |type|
-        expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:abc\\\/123")
-        expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:cde\\\/567")
+    before do
+      allow(user).to receive(:groups).and_return(groups)
+    end
+    context "when there are slashes in the group names" do
+      let(:groups) { ["abc/123","cde/567"] }
+      it "escapes slashes" do
+        user_access_filters = subject.apply_policy_group_permissions
+        ["edit","discover","read"].each do |type|
+          expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:abc\\\/123")
+          expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:cde\\\/567")
+        end
       end
     end
 
-    it "should escape spaces in the group names" do
-      allow(RoleMapper).to receive(:roles).with(user).and_return(["abc 123","cd/e 567"])
-      user_access_filters = subject.apply_policy_group_permissions
-      ["edit","discover","read"].each do |type|
-        expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:abc\\ 123")
-        expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:cd\\\/e\\ 567")
+    context "when there are spaces in the group names" do
+      let(:groups) { ["abc 123","cd/e 567"] }
+      it "escapes spaces" do
+        user_access_filters = subject.apply_policy_group_permissions
+        ["edit","discover","read"].each do |type|
+          expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:abc\\ 123")
+          expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:cd\\\/e\\ 567")
+        end
       end
     end
   end

data/spec/unit/role_mapper_spec.rb

@@ -1,32 +1,66 @@
 require 'spec_helper'
 
 describe RoleMapper do
-  before do
-    allow(Devise).to receive(:authentication_keys).and_return(['uid'])
-  end
-
   it "defines the 4 roles" do
     expect(RoleMapper.role_names.sort).to eq %w(admin_policy_object_editor archivist donor patron researcher)
   end
-  it "is quer[iy]able for roles for a given user" do
-    expect(RoleMapper.roles('leland_himself@example.com').sort).to eq ['archivist', 'donor', 'patron']
-    expect(RoleMapper.roles('archivist2@example.com')).to eq ['archivist']
-  end
 
-  it "doesn't change its response when it's called repeatedly" do
-    u = User.new(:uid=>'leland_himself@example.com')
-    allow(u).to receive(:new_record?).and_return(false)
-    expect(RoleMapper.roles(u).sort).to eq ['archivist', 'donor', 'patron', "registered"]
-    expect(RoleMapper.roles(u).sort).to eq ['archivist', 'donor', 'patron', "registered"]
+  describe "#whois" do
+    it "knows who is what" do
+      expect(RoleMapper.whois('archivist').sort).to eq %w(archivist1@example.com archivist2@example.com leland_himself@example.com)
+      expect(RoleMapper.whois('salesman')).to be_empty
+      expect(RoleMapper.whois('admin_policy_object_editor').sort).to eq %w(archivist1@example.com)
+    end
   end
 
-  it "returns an empty array if there are no roles" do
-    expect(RoleMapper.roles('zeus@olympus.mt')).to be_empty
+  describe "fetch_groups" do
+    let(:user) { instance_double(User, user_key: email, new_record?: false) } 
+    subject { RoleMapper.fetch_groups(user: user) }
+
+    context "for a user with multiple roles" do
+      let(:email) { 'leland_himself@example.com' }
+      it { is_expected.to match_array ['archivist', 'donor', 'patron'] }
+
+      it "doesn't change its response when it's called repeatedly" do
+        expect(subject).to match_array ['archivist', 'donor', 'patron']
+        expect(RoleMapper.fetch_groups(user: user)).to match_array ['archivist', 'donor', 'patron']
+      end
+    end
+      
+    context "for a user with a single role" do
+      let(:email) { 'archivist2@example.com' }
+      it { is_expected.to match_array ['archivist'] }
+    end
+
+    context "for a user with no roles" do
+      let(:email) { 'zeus@olympus.mt' }
+      it { is_expected.to be_empty }
+    end
   end
 
-  it "knows who is what" do
-    expect(RoleMapper.whois('archivist').sort).to eq %w(archivist1@example.com archivist2@example.com leland_himself@example.com)
-    expect(RoleMapper.whois('salesman')).to be_empty
-    expect(RoleMapper.whois('admin_policy_object_editor').sort).to eq %w(archivist1@example.com)
+  describe "roles" do
+    before do
+      allow(Deprecation).to receive(:warn)
+    end
+    it "is quer[iy]able for roles for a given user" do
+      expect(RoleMapper.roles('leland_himself@example.com').sort).to eq ['archivist', 'donor', 'patron']
+      expect(RoleMapper.roles('archivist2@example.com')).to eq ['archivist']
+    end
+
+    context "when called with a user instance" do
+      let(:user) { User.new(email: 'leland_himself@example.com') }
+      before do
+        allow(user).to receive(:new_record?).and_return(false)
+      end
+
+      it "doesn't change its response when it's called repeatedly" do
+        expect(RoleMapper.roles(user).sort).to eq ['archivist', 'donor', 'patron']
+        expect(RoleMapper.roles(user).sort).to eq ['archivist', 'donor', 'patron']
+      end
+    end
+
+    it "returns an empty array if there are no roles" do
+      expect(RoleMapper.roles('zeus@olympus.mt')).to be_empty
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 10.3.4
+  version: 10.4.0.rc1
 platform: ruby
 authors:
 - Chris Beer
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-29 00:00:00.000000000 Z
+date: 2017-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -231,12 +231,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: Access controls for project hydra