hydra-access-controls 5.0.0.pre15 → 5.0.0.rc1

data/lib/hydra/ability.rb

@@ -2,6 +2,7 @@
 module Hydra::Ability
   extend ActiveSupport::Concern
   
+  
   included do
     include Hydra::AccessControlsEnforcement
     include Blacklight::SolrHelper
@@ -12,15 +13,18 @@ module Hydra::Ability
   end
 
   def initialize(user, session=nil)
-    user ||= Hydra::Ability.user_class.new # guest user (not logged in)
-    hydra_default_permissions(user, session)
+    @user = user || Hydra::Ability.user_class.new # guest user (not logged in)
+    @session = session
+    hydra_default_permissions()
   end
 
   ## You can override this method if you are using a different AuthZ (such as LDAP)
-  def user_groups(user, session)
+  def user_groups(user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to user_groups, use the instance_variables", caller()) if user || session
+
     return @user_groups if @user_groups
-    @user_groups = RoleMapper.roles(user_key(user)) + default_user_groups
-    @user_groups << 'registered' unless (user.new_record? || @user_groups.include?('registered'))
+    @user_groups = RoleMapper.roles(@user.user_key) + default_user_groups
+    @user_groups << 'registered' unless (@user.new_record? || @user_groups.include?('registered'))
     @user_groups
   end
 
@@ -30,51 +34,57 @@ module Hydra::Ability
   end
   
 
-  def hydra_default_permissions(user, session)
-    logger.debug("Usergroups are " + user_groups(user, session).inspect)
-    create_permissions(user, session)
-    edit_permissions(user, session)
-    read_permissions(user, session)
-    custom_permissions(user, session)
+  # Requires no arguments, but accepts 2 arguments for backwards compatibility
+  def hydra_default_permissions(user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to hydra_default_permissions, use the instance_variables", caller()) if user || session
+    logger.debug("Usergroups are " + user_groups.inspect)
+    create_permissions()
+    edit_permissions()
+    read_permissions()
+    custom_permissions()
   end
 
-  def create_permissions(user, session)
-    can :create, :all if user_groups(user, session).include? 'registered'
+  def create_permissions(user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to create_permissions, use the instance_variables", caller()) if user || session
+    can :create, :all if user_groups.include? 'registered'
   end
 
-  def edit_permissions(user, session)
+  def edit_permissions(user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to edit_permissions, use the instance_variables", caller()) if user || session
     can [:edit, :update, :destroy], String do |pid|
-      test_edit(pid, user, session)
+      test_edit(pid)
     end 
 
     can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
-      test_edit(obj.pid, user, session)
+      test_edit(obj.pid)
     end
  
     can :edit, SolrDocument do |obj|
       @permissions_solr_document = obj
-      test_edit(obj.id, user, session)
+      test_edit(obj.id)
     end       
   end
 
-  def read_permissions(user, session)
+  def read_permissions(user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to read_permissions, use the instance_variables", caller()) if user || session
     can :read, String do |pid|
-      test_read(pid, user, session)
+      test_read(pid)
     end
 
     can :read, ActiveFedora::Base do |obj|
-      test_read(obj.pid, user, session)
+      test_read(obj.pid)
     end 
     
     can :read, SolrDocument do |obj|
       @permissions_solr_document = obj
-      test_read(obj.id, user, session)
+      test_read(obj.id)
     end 
   end
 
 
   ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
-  def custom_permissions(user, session)
+  def custom_permissions(user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to custom_permissions, use the instance_variables", caller()) if user || session
   end
   
   protected
@@ -86,20 +96,22 @@ module Hydra::Ability
   end
 
 
-  def test_edit(pid, user, session)
+  def test_edit(pid, user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit, use the instance_variables", caller()) if user || session
     permissions_doc(pid)
-    logger.debug("[CANCAN] Checking edit permissions for user: #{user_key(user)} with groups: #{user_groups(user, session).inspect}")
-    group_intersection = user_groups(user, session) & edit_groups
-    result = !group_intersection.empty? || edit_persons.include?(user_key(user))
+    logger.debug("[CANCAN] Checking edit permissions for user: #{@user.user_key} with groups: #{user_groups.inspect}")
+    group_intersection = user_groups & edit_groups
+    result = !group_intersection.empty? || edit_persons.include?(@user.user_key)
     logger.debug("[CANCAN] decision: #{result}")
     result
   end   
   
-  def test_read(pid, user, session)
+  def test_read(pid, user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to test_read, use the instance_variables", caller()) if user || session
     permissions_doc(pid)
-    logger.debug("[CANCAN] Checking edit permissions for user: #{user_key(user)} with groups: #{user_groups(user, session).inspect}")
-    group_intersection = user_groups(user, session) & read_groups
-    result = !group_intersection.empty? || read_persons.include?(user_key(user))
+    logger.debug("[CANCAN] Checking edit permissions for user: #{@user.user_key} with groups: #{user_groups.inspect}")
+    group_intersection = user_groups & read_groups
+    result = !group_intersection.empty? || read_persons.include?(@user.user_key)
     logger.debug("[CANCAN] decision: #{result}")
     result
   end 
@@ -138,6 +150,7 @@ module Hydra::Ability
   # get the currently configured user identifier.  Can be overridden to return whatever (ie. login, email, etc)
   # defaults to using whatever you have set as the Devise authentication_key
   def user_key(user)
+    ActiveSupport::Deprecation.warn("Ability#user_key is deprecated, call user.user_key instead", caller(1))
     user.send(Devise.authentication_keys.first)
   end
 

data/lib/hydra/access_controls_enforcement.rb

@@ -229,7 +229,7 @@ module Hydra::AccessControlsEnforcement
   def apply_role_permissions(permission_types)
       # for roles
       user_access_filters = []
-      current_ability.user_groups(current_user, session).each_with_index do |role, i|
+      current_ability.user_groups.each_with_index do |role, i|
         permission_types.each do |type|
           user_access_filters << "#{type}_access_group_t:#{role}"
         end
@@ -240,7 +240,7 @@ module Hydra::AccessControlsEnforcement
   def apply_individual_permissions(permission_types)
       # for individual person access
       user_access_filters = []
-      if user_key
+      if user_key.present?
         permission_types.each do |type|
           user_access_filters << "#{type}_access_person_t:#{user_key}"        
         end

data/lib/hydra/datastream/rights_metadata.rb

@@ -192,7 +192,11 @@ module Hydra
         solr_doc
       end
 
-
+      # Completely clear the permissions
+      def clear_permissions!
+        remove_all_permissions({:person=>true})
+        remove_all_permissions({:group=>true})
+      end
 
 
       

data/lib/hydra/policy_aware_ability.rb

@@ -2,7 +2,8 @@
 module Hydra::PolicyAwareAbility
   
   # Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
-  def test_edit(pid, user, session)
+  def test_edit(pid, user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit, use the instance_variables", caller) if user || session
     result = super
     if result 
       return result
@@ -12,7 +13,8 @@ module Hydra::PolicyAwareAbility
   end
   
   # Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access
-  def test_read(pid, user, session)
+  def test_read(pid, user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to test_read, use the instance_variables", caller) if user || session
     result = super
     if result 
       return result
@@ -45,28 +47,30 @@ module Hydra::PolicyAwareAbility
   end
   
   # Tests whether the object's governing policy object grants edit access for the current user
-  def test_edit_from_policy(object_pid, user, session)    
+  def test_edit_from_policy(object_pid, user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to test_edit_from_policy, use the instance_variables", caller) if user || session
     policy_pid = policy_pid_for(object_pid)
     if policy_pid.nil?
       return false
     else
-      logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{user_key(user)}?")
-      group_intersection = user_groups(user, session) & edit_groups_from_policy( policy_pid )
-      result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(user_key(user))
+      logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{@user.user_key}?")
+      group_intersection = user_groups & edit_groups_from_policy( policy_pid )
+      result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(@user.user_key)
       logger.debug("[CANCAN] -policy- decision: #{result}")
       return result
     end
   end   
   
   # Tests whether the object's governing policy object grants read access for the current user
-  def test_read_from_policy(object_pid, user, session)
+  def test_read_from_policy(object_pid, user=nil, session=nil)
+    ActiveSupport::Deprecation.warn("No need to pass user or session to test_read_from_policy, use the instance_variables", caller) if user || session
     policy_pid = policy_pid_for(object_pid)
     if policy_pid.nil?
       return false
     else
-      logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{user_key(user)}?")
-      group_intersection = user_groups(user, session) & read_groups_from_policy( policy_pid )
-      result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(user_key(user))
+      logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{@user.user_key}?")
+      group_intersection = user_groups & read_groups_from_policy( policy_pid )
+      result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(@user.user_key)
       logger.debug("[CANCAN] -policy- decision: #{result}")
       result
     end
@@ -125,4 +129,4 @@ module Hydra::PolicyAwareAbility
       return field_from_result[field_name]
     end
   end
-end
+end

data/lib/hydra/policy_aware_access_controls_enforcement.rb

@@ -37,7 +37,7 @@ module Hydra::PolicyAwareAccessControlsEnforcement
   def apply_policy_role_permissions(permission_types)
       # for roles
       user_access_filters = []
-      current_ability.user_groups(current_user, session).each_with_index do |role, i|
+      current_ability.user_groups.each_with_index do |role, i|
         discovery_permissions.each do |type|
           user_access_filters << "inheritable_#{type}_access_group_t:#{role}"
         end

data/lib/hydra-access-controls.rb

@@ -4,6 +4,7 @@ require 'active_support'
 # This would allow solrizer to load it's config files after the rails logger is up.
 require 'active-fedora'
 require 'cancan'
+require 'rails'
 
 module Hydra
   extend ActiveSupport::Autoload
@@ -16,6 +17,8 @@ module Hydra
   autoload :PolicyAwareAbility
   autoload :AdminPolicy
   autoload :RoleMapperBehavior
+  class Engine < Rails::Engine
+  end
 
   module ModelMixins
     extend ActiveSupport::Autoload
@@ -28,8 +31,3 @@ module Hydra
   class AccessDenied < ::CanCan::AccessDenied; end
 
 end
-
-# Enable the ability/role_mapper classes in the local application to load before the ability/role_mapper classes provided by hydra-access-controls
-autoload :Ability, 'ability'
-autoload :RoleMapper, 'role_mapper'
-

data/spec/spec_helper.rb

@@ -1,4 +1,5 @@
 ENV["environment"] ||= "test"
+
 module Hydra
   # Stubbing Hydra.config[:policy_aware] so Hydra::PolicyAwareAbility will be loaded for tests.
   def self.config
@@ -10,8 +11,6 @@ end
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 
-
-
 if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/
   require 'simplecov'
   require 'simplecov-rcov'
@@ -30,6 +29,13 @@ require "factories"
 
 require 'support/blacklight'
 require 'support/rails'
+Object.logger = Logger.new(File.expand_path('../test.log', __FILE__))
+
+# Since we're not doing a Rails Engine test, we have to load these classes manually:
+require_relative '../app/models/role_mapper'
+require_relative '../app/models/ability'
+
+
 
 RSpec.configure do |config|
 

data/spec/unit/ability_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'ability'
 
 describe Ability do
   before do

data/spec/unit/access_controls_enforcement_spec.rb

@@ -1,6 +1,4 @@
 require 'spec_helper'
-# Need way to find way to stub current_user and RoleMapper in order to run these tests
-require 'ability'
 
 describe Hydra::AccessControlsEnforcement do
   before(:all) do
@@ -76,12 +74,14 @@ describe Hydra::AccessControlsEnforcement do
   describe "enforce_access_controls" do
     describe "when the method exists" do
       it "should call the method" do
+        Deprecation.stub(:warn)
         subject.params = {:action => :index}
         subject.enforce_access_controls.should be_true
       end
     end
     describe "when the method doesn't exist" do
       it "should not call the method, but should return true" do
+        Deprecation.stub(:warn)
         subject.params = {:action => :facet}
         subject.enforce_access_controls.should be_true
       end
@@ -158,6 +158,15 @@ describe Hydra::AccessControlsEnforcement do
         subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []
       end
     end
+    describe "when the user is a guest user (user key empty string)" do
+      before do
+        stub_user = User.new :uid=>''
+        subject.stub(:current_user).and_return(stub_user)
+      end
+      it "should not create filters" do
+        subject.send(:apply_individual_permissions, ["edit","discover","read"]).should == []
+      end
+    end
   end
 end
 

data/spec/unit/admin_policy_spec.rb

@@ -60,7 +60,6 @@ describe Hydra::AdminPolicy do
     describe "to_solr" do
       subject {@policy.to_solr}
       it "should not affect normal solr permissions fields" do    
-      puts subject
         subject.should_not have_key( Hydra.config[:permissions][:discover][:group] ) 
         subject.should_not have_key( Hydra.config[:permissions][:discover][:individual] )
         subject.should_not have_key( Hydra.config[:permissions][:read][:group] )

data/spec/unit/hydra_rights_metadata_spec.rb

@@ -122,6 +122,22 @@ describe Hydra::Datastream::RightsMetadata do
       @sample.update_permissions( {"group"=>{"group1"=>"discover","group2"=>"edit"}, "person"=>{"person1"=>"read","person2"=>"discover"}} )
     end
   end
+
+  describe "clear_permissions!" do
+    before do
+      @sample.permissions({"person"=>"person_123"}, "read")
+      @sample.permissions({"person"=>"person_456"}, "edit")
+      @sample.permissions({"person"=>"person_789"}, "discover")
+      @sample.permissions({"group"=>"group_123"}, "read")
+      @sample.permissions({"group"=>"group_456"}, "edit")
+      @sample.permissions({"group"=>"group_789"}, "discover")
+    end
+    it "clears permissions" do
+      @sample.clear_permissions!
+      @sample.individuals.should == {}
+      @sample.groups.should == {}
+    end
+  end
   
   describe "update_indexed_attributes" do
     it "should update the declared properties" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 5.0.0.pre15
+  version: 5.0.0.rc1
   prerelease: 6
 platform: ruby
 authors:
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-29 00:00:00.000000000 Z
+date: 2012-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -134,10 +134,11 @@ extra_rdoc_files: []
 files:
 - README.textile
 - Rakefile
+- app/models/ability.rb
+- app/models/role_mapper.rb
 - config/fedora.yml
 - config/solr.yml
 - hydra-access-controls.gemspec
-- lib/ability.rb
 - lib/hydra-access-controls.rb
 - lib/hydra/ability.rb
 - lib/hydra/access_controls_enforcement.rb
@@ -151,7 +152,6 @@ files:
 - lib/hydra/policy_aware_access_controls_enforcement.rb
 - lib/hydra/role_mapper_behavior.rb
 - lib/hydra/user.rb
-- lib/role_mapper.rb
 - lib/tasks/hydra-access-controls.rake
 - lib/tasks/hydra_jetty.rake
 - spec/factories.rb