RubyGems - hydra-access-controls - Versions diffs - 6.0.0.pre3 → 6.0.0.pre4 - Mend

hydra-access-controls 6.0.0.pre3 → 6.0.0.pre4

Files changed (9) hide show

data/lib/hydra-access-controls.rb +2 -3
data/lib/hydra/ability.rb +2 -9
data/lib/hydra/access_controls_enforcement.rb +8 -162
data/lib/hydra/permissions_query.rb +45 -0
data/lib/hydra/permissions_solr_document.rb +19 -0
data/lib/hydra/policy_aware_ability.rb +1 -3
data/spec/unit/access_controls_enforcement_spec.rb +6 -22
data/spec/unit/policy_aware_ability_spec.rb +1 -1
metadata +21 -19

data/lib/hydra-access-controls.rb CHANGED Viewed

@@ -1,7 +1,4 @@
 require 'active_support'
-# TODO would it be possible to put the require fedora in an after_initialize block like this?
-#ActiveSupport.on_load(:after_initialize) do
-# This would allow solrizer to load it's config files after the rails logger is up.
 require 'active-fedora'
 require 'cancan'
 require 'rails'
@@ -17,6 +14,8 @@ module Hydra
   autoload :PolicyAwareAbility
   autoload :AdminPolicy
   autoload :RoleMapperBehavior
+  autoload :PermissionsQuery
+  autoload :PermissionsSolrDocument
   class Engine < Rails::Engine
   end

data/lib/hydra/ability.rb CHANGED Viewed

@@ -9,7 +9,7 @@ module Hydra::Ability
   included do
     include CanCan::Ability
-    include Hydra::AccessControlsEnforcement
+    include Hydra::PermissionsQuery
     include Blacklight::SolrHelper
     class_attribute :ability_logic
     self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
@@ -92,13 +92,6 @@ module Hydra::Ability
   protected
-  def permissions_doc(pid)
-    return @permissions_solr_document if @permissions_solr_document
-    response, @permissions_solr_document = get_permissions_solr_response_for_doc_id(pid)
-    @permissions_solr_document
-  end
   def test_edit(pid)
     permissions_doc(pid)
     logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
@@ -116,7 +109,7 @@ module Hydra::Ability
     logger.debug("[CANCAN] decision: #{result}")
     result
   end
   def edit_groups
     edit_group_field = Hydra.config[:permissions][:edit][:group]
     eg = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_group_field,nil))

data/lib/hydra/access_controls_enforcement.rb CHANGED Viewed

@@ -1,11 +1,10 @@
 module Hydra::AccessControlsEnforcement
   extend ActiveSupport::Concern
-  extend Deprecation
-  self.deprecation_horizon = "hydra-access-controls 6.0"
   included do
     include Hydra::AccessControlsEvaluation
     include Blacklight::SolrHelper # for force_to_utf8
+    include Hydra::PermissionsQuery
     class_attribute :solr_access_filters_logic
     # Set defaults. Each symbol identifies a _method_ that must be in
@@ -18,99 +17,9 @@ module Hydra::AccessControlsEnforcement
   end
-  #
-  #   Access Controls Enforcement Filters
-  #
-  # Controller "before" filter that delegates enforcement based on the controller action
-  # Action-specific implementations are enforce_index_permissions, enforce_show_permissions, etc.
-  # @param [Hash] opts (optional, not currently used)
-  #
-  # @example
-  #   class CatalogController < ApplicationController
-  #     before_filter :enforce_access_controls
-  #   end
-  #
-  # @deprecated HYDRA-886 Blacklight is now using Catalog#update to store pagination info, so we don't want to enforce_edit_permissions on it. Instead just call before_filter :enforce_show_permissions, :only=>:show. Move all Edit/Update/Delete methods into non-catalog backed controllers.
-  def enforce_access_controls(opts={})
-    controller_action = params[:action].to_s
-    delegate_method = "enforce_#{controller_action}_permissions"
-    if self.respond_to?(delegate_method.to_sym, true)
-      self.send(delegate_method.to_sym)
-    else
-      true
-    end
-  end
-  deprecation_deprecate :enforce_access_controls
-  #
-  #  Solr integration
-  #
-  # returns a params hash with the permissions info for a single solr document
-  # If the id arg is nil, then the value is fetched from params[:id]
-  # This method is primary called by the get_permissions_solr_response_for_doc_id method.
-  # Modeled on Blacklight::SolrHelper.solr_doc_params
-  # @param [String] id of the documetn to retrieve
-  def permissions_solr_doc_params(id=nil)
-    id ||= params[:id]
-    # just to be consistent with the other solr param methods:
-    {
-      :qt => :permissions,
-      :id => id # this assumes the document request handler will map the 'id' param to the unique key field
-    }
-  end
-  # a solr query method
-  # retrieve a solr document, given the doc id
-  # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
-  # @param [String] id of the documetn to retrieve
-  # @param [Hash] extra_controller_params (optional)
-  def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
-    raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
-    #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
-    #path = blacklight_config.solr_path
-    solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
-    response = Blacklight.solr.get('select', :params=> solr_opts)
-    solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
-    raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
-    document = SolrDocument.new(solr_response.docs.first, solr_response)
-    [solr_response, document]
-  end
-  # Loads permissions info into @permissions_solr_response and @permissions_solr_document
-  def load_permissions_from_solr(id=params[:id], extra_controller_params={})
-    unless !@permissions_solr_document.nil? && !@permissions_solr_response.nil?
-      @permissions_solr_response, @permissions_solr_document = get_permissions_solr_response_for_doc_id(id, extra_controller_params)
-    end
-  end
   protected
-  # If someone hits the show action while their session's viewing_context is in edit mode,
-  # this will redirect them to the edit action.
-  # If they do not have sufficient privileges to edit documents, it will silently switch their session to browse mode.
-  # @deprecated this is a vestige of the old workflow, which is being removed from hydra-head
-  def enforce_viewing_context_for_show_requests
-    if params[:viewing_context] == "browse"
-      session[:viewing_context] = params[:viewing_context]
-    elsif session[:viewing_context] == "edit"
-      if can? :edit, params[:id]
-        logger.debug("enforce_viewing_context_for_show_requests redirecting to edit")
-        if params[:files]
-          redirect_to :action=>:edit, :files=>true
-        else
-          redirect_to :action=>:edit
-        end
-      else
-        session[:viewing_context] = "browse"
-      end
-    end
-  end
-  deprecation_deprecate :enforce_viewing_context_for_show_requests
   #
   # Action-specific enforcement
   #
@@ -118,71 +27,18 @@ module Hydra::AccessControlsEnforcement
   # Controller "before" filter for enforcing access controls on show actions
   # @param [Hash] opts (optional, not currently used)
   def enforce_show_permissions(opts={})
-    load_permissions_from_solr
-    access_key = ActiveFedora::SolrService.solr_name("access", Hydra::Datastream::RightsMetadata.indexer)
-    embargo_key = ActiveFedora::SolrService.solr_name("embargo_release_date", Hydra::Datastream::RightsMetadata.date_indexer)
-    unless @permissions_solr_document[access_key] && (@permissions_solr_document[access_key].first == "public" || @permissions_solr_document[access_key].first == "Public")
-      if @permissions_solr_document[embargo_key]
-        embargo_date = Date.parse(@permissions_solr_document[embargo_key].split(/T/)[0])
-        if embargo_date > Date.parse(Time.now.to_s)
-          unless can?(:edit, params[:id])
-            raise Hydra::AccessDenied.new("This item is under embargo.  You do not have sufficient access privileges to read this document.", :edit, params[:id])
-          end
-        end
+    permissions = permissions_doc(params[:id])
+    unless permissions.is_public?
+      #its not 'public'
+      if permissions.under_embargo? && !can?(:edit, permissions)
+        raise Hydra::AccessDenied.new("This item is under embargo.  You do not have sufficient access privileges to read this document.", :edit, params[:id])
       end
-      unless can? :read, params[:id]
+      unless can? :read, permissions
         raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
       end
     end
   end
-  # Controller "before" filter for enforcing access controls on edit actions
-  # @param [Hash] opts (optional, not currently used)
-  def enforce_edit_permissions(opts={})
-    logger.debug("Enforcing edit permissions")
-    load_permissions_from_solr
-    if !can? :edit, params[:id]
-      session[:viewing_context] = "browse"
-      raise Hydra::AccessDenied.new("You do not have sufficient privileges to edit this document. You have been redirected to the read-only view.", :edit, params[:id])
-    else
-      session[:viewing_context] = "edit"
-    end
-  end
-  deprecation_deprecate :enforce_edit_permissions
-  ##  This method is here for you to override
-  def enforce_create_permissions(opts={})
-    logger.debug("Enforcing create permissions")
-    if !can? :create, ActiveFedora::Base.new
-      raise Hydra::AccessDenied.new "You do not have sufficient privileges to create a new document."
-    end
-  end
-  deprecation_deprecate :enforce_create_permissions
-  ## proxies to enforce_edit_permssions.  This method is here for you to override
-  def enforce_update_permissions(opts={})
-    enforce_edit_permissions(opts)
-  end
-  ## proxies to enforce_edit_permssions.  This method is here for you to override
-  def enforce_destroy_permissions(opts={})
-    enforce_edit_permissions(opts)
-  end
-  ## proxies to enforce_edit_permssions.  This method is here for you to override
-  def enforce_new_permissions(opts={})
-    enforce_create_permissions(opts)
-  end
-  # Controller "before" filter for enforcing access controls on index actions
-  # Currently does nothing, instead relies on
-  # @param [Hash] opts (optional, not currently used)
-  def enforce_index_permissions(opts={})
-    # Do nothing. Relies on add_access_controls_to_solr_params being in the Controller's solr_search_params_logic
-    return true
-  end
-  #
   # Solr query modifications
   #
@@ -261,16 +117,6 @@ module Hydra::AccessControlsEnforcement
     []
   end
-  # proxy for {enforce_index_permissions}
-  def enforce_search_permissions
-    enforce_index_permissions
-  end
-  # proxy for {enforce_show_permissions}
-  def enforce_read_permissions
-    enforce_show_permissions
-  end
   # This filters out objects that you want to exclude from search results.  By default it only excludes FileAssets
   # @param solr_parameters the current solr parameters
   # @param user_parameters the current user-subitted parameters

data/lib/hydra/permissions_query.rb ADDED Viewed

@@ -0,0 +1,45 @@
+module Hydra::PermissionsQuery
+  def permissions_doc(pid)
+    @permissions_solr_document ||= get_permissions_solr_response_for_doc_id(pid)
+  end
+  protected
+  # a solr query method
+  # retrieve a solr document, given the doc id
+  # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
+  # @param [String] id of the documetn to retrieve
+  # @param [Hash] extra_controller_params (optional)
+  def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
+    raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
+    #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
+    #path = blacklight_config.solr_path
+    solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
+    response = Blacklight.solr.get('select', :params=> solr_opts)
+    solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
+    raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
+    Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
+  end
+  #
+  #  Solr integration
+  #
+  # returns a params hash with the permissions info for a single solr document
+  # If the id arg is nil, then the value is fetched from params[:id]
+  # This method is primary called by the get_permissions_solr_response_for_doc_id method.
+  # Modeled on Blacklight::SolrHelper.solr_doc_params
+  # @param [String] id of the documetn to retrieve
+  def permissions_solr_doc_params(id=nil)
+    id ||= params[:id]
+    # just to be consistent with the other solr param methods:
+    {
+      :qt => :permissions,
+      :id => id # this assumes the document request handler will map the 'id' param to the unique key field
+    }
+  end
+end

data/lib/hydra/permissions_solr_document.rb ADDED Viewed

@@ -0,0 +1,19 @@
+class Hydra::PermissionsSolrDocument < SolrDocument
+  def under_embargo?
+    #permissions = permissions_doc(params[:id])
+    embargo_key = ActiveFedora::SolrService.solr_name("embargo_release_date", Hydra::Datastream::RightsMetadata.date_indexer)
+    if self[embargo_key]
+      embargo_date = Date.parse(self[embargo_key].split(/T/)[0])
+      return embargo_date > Date.parse(Time.now.to_s)
+    end
+    false
+  end
+  def is_public?
+    access_key = ActiveFedora::SolrService.solr_name("access", Hydra::Datastream::RightsMetadata.indexer)
+    self[access_key].present? && self[access_key].first.downcase == "public"
+  end
+end

data/lib/hydra/policy_aware_ability.rb CHANGED Viewed

@@ -40,9 +40,7 @@ module Hydra::PolicyAwareAbility
   # The document is stored in an instance variable, so calling this multiple times will only query solr once.
   # To force reload, set @policy_permissions_solr_document to nil
   def policy_permissions_doc(policy_pid)
-    return @policy_permissions_solr_document if @policy_permissions_solr_document
-    response, @policy_permissions_solr_document = get_permissions_solr_response_for_doc_id(policy_pid)
-    @policy_permissions_solr_document
+    @policy_permissions_solr_document ||= get_permissions_solr_response_for_doc_id(policy_pid)
   end
   # Tests whether the object's governing policy object grants edit access for the current user

data/spec/unit/access_controls_enforcement_spec.rb CHANGED Viewed

@@ -67,44 +67,28 @@ describe Hydra::AccessControlsEnforcement do
     end
   end
-  describe "enforce_access_controls" do
-    describe "when the method exists" do
-      it "should call the method" do
-        Deprecation.stub(:warn)
-        subject.params = {:action => :index}
-        subject.enforce_access_controls.should be_true
-      end
-    end
-    describe "when the method doesn't exist" do
-      it "should not call the method, but should return true" do
-        Deprecation.stub(:warn)
-        subject.params = {:action => :facet}
-        subject.enforce_access_controls.should be_true
-      end
-    end
-  end
   describe "enforce_show_permissions" do
     it "should allow a user w/ edit permissions to view an embargoed object" do
       user = User.new :uid=>'testuser@example.com'
       RoleMapper.stub(:roles).with(user.user_key).and_return(["archivist"])
       subject.stub(:current_user).and_return(user)
-      subject.should_receive(:can?).with(:edit, nil).and_return(true)
       subject.stub(:can?).with(:read, nil).and_return(true)
-      subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_tsim"=>["testuser@example.com"], "embargo_release_date_dtsi"=>(Date.parse(Time.now.to_s)+2).to_s})
+      stub_doc = Hydra::PermissionsSolrDocument.new({"edit_access_person_tsim"=>["testuser@example.com"], "embargo_release_date_dtsi"=>(Date.parse(Time.now.to_s)+2).to_s})
       subject.params = {}
-      subject.should_receive(:load_permissions_from_solr) #This is what normally sets @permissions_solr_document
+      subject.should_receive(:can?).with(:edit, stub_doc).and_return(true)
+      subject.should_receive(:get_permissions_solr_response_for_doc_id).and_return(stub_doc)
       lambda {subject.send(:enforce_show_permissions, {}) }.should_not raise_error Hydra::AccessDenied
     end
     it "should prevent a user w/o edit permissions from viewing an embargoed object" do
       user = User.new :uid=>'testuser@example.com'
       RoleMapper.stub(:roles).with(user.user_key).and_return([])
       subject.stub(:current_user).and_return(user)
-      subject.should_receive(:can?).with(:edit, nil).and_return(false)
       subject.stub(:can?).with(:read, nil).and_return(true)
       subject.params = {}
-      subject.instance_variable_set :@permissions_solr_document, SolrDocument.new({"edit_access_person_tsim"=>["testuser@example.com"], "embargo_release_date_dtsi"=>(Date.parse(Time.now.to_s)+2).to_s})
-      subject.should_receive(:load_permissions_from_solr) #This is what normally sets @permissions_solr_document
+      stub_doc = Hydra::PermissionsSolrDocument.new({"edit_access_person_tsim"=>["testuser@example.com"], "embargo_release_date_dtsi"=>(Date.parse(Time.now.to_s)+2).to_s})
+      subject.should_receive(:can?).with(:edit, stub_doc).and_return(false)
+      subject.should_receive(:get_permissions_solr_response_for_doc_id).and_return(stub_doc)
       lambda {subject.send(:enforce_show_permissions, {})}.should raise_error Hydra::AccessDenied, "This item is under embargo.  You do not have sufficient access privileges to read this document."
     end
   end

data/spec/unit/policy_aware_ability_spec.rb CHANGED Viewed

@@ -51,7 +51,7 @@ describe Hydra::PolicyAwareAbility do
   describe "policy_permissions_doc" do
     it "should retrieve the permissions doc for the current object's policy and store for re-use" do
-      subject.should_receive(:get_permissions_solr_response_for_doc_id).with(@policy.pid).once.and_return(["response", "mock solr doc"])
+      subject.should_receive(:get_permissions_solr_response_for_doc_id).with(@policy.pid).once.and_return("mock solr doc")
       subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
       subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"
       subject.policy_permissions_doc(@policy.pid).should == "mock solr doc"

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 6.0.0.pre3
+  version: 6.0.0.pre4
   prerelease: 6
 platform: ruby
 authors:
@@ -11,14 +11,14 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-01-25 00:00:00.000000000 Z
+date: 2013-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -26,7 +26,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -34,7 +34,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 6.0.0.pre3
   type: :runtime
@@ -42,7 +42,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 6.0.0.pre3
 - !ruby/object:Gem::Dependency
@@ -50,7 +50,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -58,7 +58,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -66,7 +66,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -74,7 +74,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -82,7 +82,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -90,7 +90,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -98,7 +98,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -106,7 +106,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -114,7 +114,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -122,7 +122,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Access controls for project hydra
@@ -148,6 +148,8 @@ files:
 - lib/hydra/datastream/inheritable_rights_metadata.rb
 - lib/hydra/datastream/rights_metadata.rb
 - lib/hydra/model_mixins/rights_metadata.rb
+- lib/hydra/permissions_query.rb
+- lib/hydra/permissions_solr_document.rb
 - lib/hydra/policy_aware_ability.rb
 - lib/hydra/policy_aware_access_controls_enforcement.rb
 - lib/hydra/role_mapper_behavior.rb
@@ -180,18 +182,18 @@ require_paths:
 required_ruby_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>'
+  - - ">"
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
 summary: Access controls for project hydra