hydra-access-controls 5.0.0.pre13 → 5.0.0.pre14

@@ -1,9 +1,20 @@
1
- # will move to lib/hydra/access_control folder/namespace in release 5.x
2
1
  module Hydra::AccessControlsEnforcement
3
2
  extend ActiveSupport::Concern
4
-
3
+ extend Deprecation
4
+ self.deprecation_horizon = "hydra-access-controls 6.0"
5
+
5
6
  included do
6
7
  include Hydra::AccessControlsEvaluation
8
+ class_attribute :solr_access_filters_logic
9
+
10
+ # Set defaults. Each symbol identifies a _method_ that must be in
11
+ # this class, taking one parameter (permission_types)
12
+ # Can be changed in local apps or by plugins, eg:
13
+ # CatalogController.include ModuleDefiningNewMethod
14
+ # CatalogController.solr_access_filters_logic += [:new_method]
15
+ # CatalogController.solr_access_filters_logic.delete(:we_dont_want)
16
+ self.solr_access_filters_logic = [:apply_role_permissions, :apply_individual_permissions, :apply_superuser_permissions ]
17
+
7
18
  end
8
19
 
9
20
  #
@@ -77,6 +88,7 @@ module Hydra::AccessControlsEnforcement
77
88
  # If someone hits the show action while their session's viewing_context is in edit mode,
78
89
  # this will redirect them to the edit action.
79
90
  # If they do not have sufficient privileges to edit documents, it will silently switch their session to browse mode.
91
+ # @deprecated this is a vestige of the old workflow, which is being removed from hydra-head
80
92
  def enforce_viewing_context_for_show_requests
81
93
  if params[:viewing_context] == "browse"
82
94
  session[:viewing_context] = params[:viewing_context]
@@ -93,6 +105,7 @@ module Hydra::AccessControlsEnforcement
93
105
  end
94
106
  end
95
107
  end
108
+ deprecation_deprecate :enforce_viewing_context_for_show_requests
96
109
 
97
110
  #
98
111
  # Action-specific enforcement
@@ -106,7 +119,7 @@ module Hydra::AccessControlsEnforcement
106
119
  if @permissions_solr_document["embargo_release_date_dt"]
107
120
  embargo_date = Date.parse(@permissions_solr_document["embargo_release_date_dt"].split(/T/)[0])
108
121
  if embargo_date > Date.parse(Time.now.to_s)
109
- unless current_or_guest_user && can?(:edit, params[:id])
122
+ unless can?(:edit, params[:id])
110
123
  raise Hydra::AccessDenied.new("This item is under embargo. You do not have sufficient access privileges to read this document.", :edit, params[:id])
111
124
  end
112
125
  end
@@ -201,10 +214,8 @@ module Hydra::AccessControlsEnforcement
201
214
  end
202
215
 
203
216
  # Grant access based on user id & role
204
- unless current_or_guest_user.nil?
205
- user_access_filters += apply_role_permissions(permission_types)
206
- user_access_filters += apply_individual_permissions(permission_types)
207
- user_access_filters += apply_superuser_permissions(permission_types)
217
+ solr_access_filters_logic.each do |method_name|
218
+ user_access_filters += send(method_name, permission_types)
208
219
  end
209
220
  solr_parameters[:fq] << user_access_filters.join(" OR ")
210
221
  logger.debug("Solr parameters: #{ solr_parameters.inspect }")
@@ -213,7 +224,7 @@ module Hydra::AccessControlsEnforcement
213
224
  def apply_role_permissions(permission_types)
214
225
  # for roles
215
226
  user_access_filters = []
216
- ::RoleMapper.roles(user_key).each_with_index do |role, i|
227
+ current_ability.user_groups(current_user, session).each_with_index do |role, i|
217
228
  permission_types.each do |type|
218
229
  user_access_filters << "#{type}_access_group_t:#{role}"
219
230
  end
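Review bot: The usage comment added in the `included do` block recommends `CatalogController.solr_access_filters_logic.delete(:we_dont_want)`, which mutates the array in place; `class_attribute` hands subclasses the same array object until they reassign it, so a delete made on one controller also changes the gated-discovery filters of every class still sharing that value. Document the reassigning form instead, `CatalogController.solr_access_filters_logic -= [:we_dont_want]`, and consider freezing the default (`[...].freeze`) so that in-place edits fail loudly rather than silently altering another controller's access filters. Separately, the `@@ -201,10 +214,8 @@` hunk drops the `unless current_or_guest_user.nil?` guard, so every listed method now runs for unauthenticated requests too, and `apply_role_permissions` passes `current_user` straight to `current_ability.user_groups`, whose handling of nil is not visible here. The method enclosing that loop starts outside the hunk.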
@@ -12,7 +12,7 @@ module Hydra::PolicyAwareAccessControlsEnforcement
12
12
  end
13
13
  end
14
14
 
15
- # returns solr query for finding all objects whose policies grant discover access to current_or_guest_user
15
+ # returns solr query for finding all objects whose policies grant discover access to current_user
16
16
  def policy_clauses
17
17
  policy_pids = policies_with_access
18
18
  return nil if policy_pids.empty?
@@ -23,13 +23,11 @@ module Hydra::PolicyAwareAccessControlsEnforcement
23
23
  # find all the policies that grant discover/read/edit permissions to this user or any of it's groups
24
24
  def policies_with_access
25
25
  #### TODO -- Memoize this and put it in the session?
26
- return [] unless current_or_guest_user
26
+ return [] unless current_user
27
27
  user_access_filters = []
28
28
  # Grant access based on user id & role
29
- unless current_or_guest_user.nil?
30
- user_access_filters += apply_policy_role_permissions(discovery_permissions)
31
- user_access_filters += apply_policy_individual_permissions(discovery_permissions)
32
- end
29
+ user_access_filters += apply_policy_role_permissions(discovery_permissions)
30
+ user_access_filters += apply_policy_individual_permissions(discovery_permissions)
33
31
  result = policy_class.find_with_conditions( user_access_filters.join(" OR "), :fl => "id" )
34
32
  logger.debug "get policies: #{result}\n\n"
35
33
  result.map {|h| h['id']}
@@ -39,7 +37,7 @@ module Hydra::PolicyAwareAccessControlsEnforcement
39
37
  def apply_policy_role_permissions(permission_types)
40
38
  # for roles
41
39
  user_access_filters = []
42
- ::RoleMapper.roles(user_key).each_with_index do |role, i|
40
+ current_ability.user_groups(current_user, session).each_with_index do |role, i|
43
41
  discovery_permissions.each do |type|
44
42
  user_access_filters << "inheritable_#{type}_access_group_t:#{role}"
45
43
  end
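Review bot: `policies_with_access` now returns `[]` whenever `current_user` is falsy, whereas the old guard tested `current_or_guest_user`; if `current_user` is nil for anonymous visitors (not visible here), policies that grant discover access to a public group are no longer consulted for them. This fails closed, but it differs from the gated-discovery path in Hydra::AccessControlsEnforcement, where this release removes the equivalent guard and runs the filter methods for every request. State the intended behaviour in a comment above the guard, e.g. `# anonymous requests get no policy-derived access`, or drop the early return and let `current_ability.user_groups` decide as the other module does. The body of `policies_with_access` ends outside the hunk.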
@@ -7,6 +7,7 @@ class User
7
7
  def initialize(params={})
8
8
  self.email = params[:email] if params[:email]
9
9
  self.uid = params[:uid] if params[:uid]
10
+ self.new_record = params[:new_record] if params[:new_record]
10
11
  end
11
12
 
12
13
  def new_record?
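Review bot: The added `self.new_record = params[:new_record] if params[:new_record]` cannot set the flag to `false`, because a false value fails the guard and the attribute keeps whatever default it has. The updated specs appear to use this flag to model a logged-out user, so guard on presence instead: `self.new_record = params[:new_record] if params.key?(:new_record)`. The body of `new_record?` is outside the hunk, so the default is not visible here.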
@@ -1,5 +1,6 @@
1
1
  require 'spec_helper'
2
- # Need way to find way to stub current_or_guest_user and RoleMapper in order to run these tests
2
+ # Need way to find way to stub current_user and RoleMapper in order to run these tests
3
+ require 'ability'
3
4
 
4
5
  describe Hydra::AccessControlsEnforcement do
5
6
  before(:all) do
@@ -7,8 +8,12 @@ describe Hydra::AccessControlsEnforcement do
7
8
  include Hydra::AccessControlsEnforcement
8
9
  attr_accessor :params
9
10
 
11
+ def current_ability
12
+ @current_ability ||= Ability.new(current_user)
13
+ end
14
+
10
15
  def user_key
11
- current_or_guest_user.user_key
16
+ current_user.user_key
12
17
  end
13
18
 
14
19
  def session
@@ -24,7 +29,7 @@ describe Hydra::AccessControlsEnforcement do
24
29
  end
25
30
  context "Given I am not logged in" do
26
31
  before do
27
- subject.stub(:current_or_guest_user).and_return(User.new)
32
+ subject.stub(:current_user).and_return(User.new(:new_record=>true))
28
33
  subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
29
34
  end
30
35
  it "Then I should be treated as a member of the 'public' group" do
@@ -44,7 +49,7 @@ describe Hydra::AccessControlsEnforcement do
44
49
  User.stub(:find_by_user_key).and_return(@user)
45
50
  # This is a pretty fragile way to stub it...
46
51
  RoleMapper.stub(:byname).and_return(@user.user_key=>["faculty", "africana-faculty"])
47
- subject.stub(:current_or_guest_user).and_return(@user)
52
+ subject.stub(:current_user).and_return(@user)
48
53
  subject.send(:apply_gated_discovery, @solr_parameters, @user_parameters)
49
54
  end
50
55
  it "Then I should be treated as a member of the 'public' and 'registered' groups" do
@@ -86,7 +91,7 @@ describe Hydra::AccessControlsEnforcement do
86
91
  it "should allow a user w/ edit permissions to view an embargoed object" do
87
92
  user = User.new :uid=>'testuser@example.com'
88
93
  RoleMapper.stub(:roles).with(user.user_key).and_return(["archivist"])
89
- subject.stub(:current_or_guest_user).and_return(user)
94
+ subject.stub(:current_user).and_return(user)
90
95
  subject.should_receive(:can?).with(:edit, nil).and_return(true)
91
96
  subject.stub(:can?).with(:read, nil).and_return(true)
92
97
  subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_t"=>["testuser@example.com"], "embargo_release_date_dt"=>(Date.parse(Time.now.to_s)+2).to_s})
@@ -98,7 +103,7 @@ describe Hydra::AccessControlsEnforcement do
98
103
  it "should prevent a user w/o edit permissions from viewing an embargoed object" do
99
104
  user = User.new :uid=>'testuser@example.com'
100
105
  RoleMapper.stub(:roles).with(user.user_key).and_return([])
101
- subject.stub(:current_or_guest_user).and_return(user)
106
+ subject.stub(:current_user).and_return(user)
102
107
  subject.should_receive(:can?).with(:edit, nil).and_return(false)
103
108
  subject.stub(:can?).with(:read, nil).and_return(true)
104
109
  subject.params = {}
@@ -111,7 +116,7 @@ describe Hydra::AccessControlsEnforcement do
111
116
  before(:each) do
112
117
  @stub_user = User.new :uid=>'archivist1@example.com'
113
118
  RoleMapper.stub(:roles).with(@stub_user.user_key).and_return(["archivist","researcher"])
114
- subject.stub(:current_or_guest_user).and_return(@stub_user)
119
+ subject.stub(:current_user).and_return(@stub_user)
115
120
  @solr_parameters = {}
116
121
  @user_parameters = {}
117
122
  end
@@ -133,7 +138,7 @@ describe Hydra::AccessControlsEnforcement do
133
138
  describe "exclude_unwanted_models" do
134
139
  before(:each) do
135
140
  stub_user = User.new :uid=>'archivist1@example.com'
136
- subject.stub(:current_or_guest_user).and_return(stub_user)
141
+ subject.stub(:current_user).and_return(stub_user)
137
142
  @solr_parameters = {}
138
143
  @user_parameters = {}
139
144
  end
@@ -147,7 +152,7 @@ describe Hydra::AccessControlsEnforcement do
147
152
  describe "when the user is a guest user (user key nil)" do
148
153
  before do
149
154
  stub_user = User.new
150
- subject.stub(:current_or_guest_user).and_return(stub_user)
155
+ subject.stub(:current_user).and_return(stub_user)
151
156
  end
152
157
  it "should not create filters" do
153
158
  subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []
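Review bot: None of the updated contexts stubs `current_user` to return nil: "Given I am not logged in" uses `User.new(:new_record=>true)` and the guest-user context uses a bare `User.new`. This release removes the nil guard around the filter methods in `apply_gated_discovery`, so a nil `current_user` now reaches `current_ability.user_groups`, and that path is untested here. Add a context with `subject.stub(:current_user).and_return(nil)` that asserts the same 'public' group treatment. The specs also still stub `RoleMapper.roles` while the code under test now asks `current_ability.user_groups` for roles; whether Ability delegates to RoleMapper is not visible in this diff, so those stubs may no longer control the result.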
@@ -8,7 +8,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
8
8
  attr_accessor :params
9
9
 
10
10
  def user_key
11
- current_or_guest_user.user_key
11
+ current_user.user_key
12
12
  end
13
13
 
14
14
  def session
@@ -71,7 +71,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
71
71
  @user_parameters = {}
72
72
  @user = FactoryGirl.build(:sara_student)
73
73
  RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
74
- subject.stub(:current_or_guest_user).and_return(@user)
74
+ subject.stub(:current_user).and_return(@user)
75
75
  end
76
76
 
77
77
  describe "policies_with_access" do
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hydra-access-controls
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.0.pre13
4
+ version: 5.0.0.pre14
5
5
  prerelease: 6
6
6
  platform: ruby
7
7
  authors:
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2012-11-28 00:00:00.000000000 Z
14
+ date: 2012-11-29 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: activesupport