hydra-access-controls 6.0.0.pre4 → 6.0.0.pre5

data/hydra-access-controls.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 1.9.3'
 
   gem.add_dependency 'activesupport'
-  gem.add_dependency 'active-fedora', '>= 6.0.0.pre3'
+  gem.add_dependency "active-fedora", '>= 6.0.0.pre8'
   gem.add_dependency 'cancan'
   gem.add_dependency 'deprecation'
   gem.add_dependency 'blacklight'

data/lib/hydra/ability.rb

@@ -65,7 +65,7 @@ module Hydra::Ability
     end
  
     can :edit, SolrDocument do |obj|
-      @permissions_solr_document = obj
+      @permission_doc_cache[obj.id] = obj
       test_edit(obj.id)
     end       
   end
@@ -80,7 +80,7 @@ module Hydra::Ability
     end 
     
     can :read, SolrDocument do |obj|
-      @permissions_solr_document = obj
+      @permission_doc_cache[obj.id] = obj
       test_read(obj.id)
     end 
   end
@@ -93,51 +93,70 @@ module Hydra::Ability
   protected
 
   def test_edit(pid)
-    permissions_doc(pid)
     logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & edit_groups
-    result = !group_intersection.empty? || edit_persons.include?(current_user.user_key)
+    group_intersection = user_groups & edit_groups(pid)
+    result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
     logger.debug("[CANCAN] decision: #{result}")
     result
   end   
   
   def test_read(pid)
-    permissions_doc(pid)
-    logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & read_groups
-    result = !group_intersection.empty? || read_persons.include?(current_user.user_key)
-    logger.debug("[CANCAN] decision: #{result}")
+    logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+    group_intersection = user_groups & read_groups(pid)
+    result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
     result
   end 
-
-  def edit_groups
-    edit_group_field = Hydra.config[:permissions][:edit][:group]
-    eg = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_group_field,nil))
+  
+  def edit_groups(pid)
+    doc = permissions_doc(pid)
+    return [] if doc.nil?
+    eg = doc[self.class.edit_group_field] || []
     logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
     return eg
   end
 
   # edit implies read, so read_groups is the union of edit and read groups
-  def read_groups
-    read_group_field = Hydra.config[:permissions][:read][:group]
-    rg = edit_groups | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_group_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_group_field,nil))
+  def read_groups(pid)
+    doc = permissions_doc(pid)
+    return [] if doc.nil?
+    rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
     logger.debug("[CANCAN] read_groups: #{rg.inspect}")
     return rg
   end
 
-  def edit_persons
-    edit_person_field = Hydra.config[:permissions][:edit][:individual]
-    ep = ((@permissions_solr_document == nil || @permissions_solr_document.fetch(edit_person_field,nil) == nil) ? [] : @permissions_solr_document.fetch(edit_person_field,nil))
+  def edit_persons(pid)
+    doc = permissions_doc(pid)
+    return [] if doc.nil?
+    ep = doc[self.class.edit_person_field] ||  []
     logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
     return ep
   end
 
   # edit implies read, so read_persons is the union of edit and read persons
-  def read_persons
-    read_individual_field = Hydra.config[:permissions][:read][:individual]
-    rp = edit_persons | ((@permissions_solr_document == nil || @permissions_solr_document.fetch(read_individual_field,nil) == nil) ? [] : @permissions_solr_document.fetch(read_individual_field,nil))
+  def read_persons(pid)
+    doc = permissions_doc(pid)
+    return [] if doc.nil?
+    rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
     logger.debug("[CANCAN] read_persons: #{rp.inspect}")
     return rp
   end
 
+  module ClassMethods
+    def read_group_field 
+      Hydra.config[:permissions][:read][:group]
+    end
+
+    def edit_person_field 
+      Hydra.config[:permissions][:edit][:individual]
+    end
+
+    def read_person_field 
+      Hydra.config[:permissions][:read][:individual]
+    end
+
+    def edit_group_field
+      Hydra.config[:permissions][:edit][:group]
+    end
+  end
+
 end

data/lib/hydra/access_controls_enforcement.rb

@@ -3,7 +3,6 @@ module Hydra::AccessControlsEnforcement
 
   included do
     include Hydra::AccessControlsEvaluation
-    include Blacklight::SolrHelper # for force_to_utf8
     include Hydra::PermissionsQuery
     class_attribute :solr_access_filters_logic
 
@@ -19,6 +18,38 @@ module Hydra::AccessControlsEnforcement
   
   protected
 
+  def gated_discovery_filters
+    # Grant access to public content
+    permission_types = discovery_permissions
+    user_access_filters = []
+    
+    permission_types.each do |type|
+      user_access_filters << ActiveFedora::SolrService.solr_name("#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer) + ":public"
+    end
+    
+    # Grant access based on user id & role
+    solr_access_filters_logic.each do |method_name|
+      user_access_filters += send(method_name, permission_types)
+    end
+    user_access_filters
+  end
+
+  def under_embargo?
+    load_permissions_from_solr
+    embargo_key = ActiveFedora::SolrService.solr_name("embargo_release_date", Hydra::Datastream::RightsMetadata.date_indexer)
+    if @permissions_solr_document[embargo_key] 
+      embargo_date = Date.parse(@permissions_solr_document[embargo_key].split(/T/)[0])
+      return embargo_date > Date.parse(Time.now.to_s)
+    end
+    false
+  end
+
+  def is_public?
+    load_permissions_from_solr
+    access_key = ActiveFedora::SolrService.solr_name("access", Hydra::Datastream::RightsMetadata.indexer)
+    @permissions_solr_document[access_key].present? && @permissions_solr_document[access_key].first.downcase == "public"
+  end
+  
 
   #
   # Action-specific enforcement
@@ -69,21 +100,10 @@ module Hydra::AccessControlsEnforcement
   # @param user_parameters the current user-subitted parameters
   def apply_gated_discovery(solr_parameters, user_parameters)
     solr_parameters[:fq] ||= []
-    # Grant access to public content
-    permission_types = discovery_permissions
-    user_access_filters = []
-    
-    permission_types.each do |type|
-      user_access_filters << ActiveFedora::SolrService.solr_name("#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer) + ":public"
-    end
-    
-    # Grant access based on user id & role
-    solr_access_filters_logic.each do |method_name|
-      user_access_filters += send(method_name, permission_types)
-    end
-    solr_parameters[:fq] << user_access_filters.join(" OR ")
+    solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
     logger.debug("Solr parameters: #{ solr_parameters.inspect }")
   end
+
   
   def apply_role_permissions(permission_types)
       # for roles

data/lib/hydra/permissions_query.rb

@@ -1,7 +1,12 @@
 module Hydra::PermissionsQuery
-  
+  extend ActiveSupport::Concern
+  included do 
+    include Blacklight::SolrHelper # for force_to_utf8
+  end
+
   def permissions_doc(pid)
-    @permissions_solr_document ||= get_permissions_solr_response_for_doc_id(pid)
+    @permission_doc_cache ||= {}
+    @permission_doc_cache[pid] ||= get_permissions_solr_response_for_doc_id(pid)
   end
 
 

data/lib/hydra/policy_aware_ability.rb

@@ -38,9 +38,10 @@ module Hydra::PolicyAwareAbility
   
   # Returns the permissions solr document for policy_pid
   # The document is stored in an instance variable, so calling this multiple times will only query solr once.
-  # To force reload, set @policy_permissions_solr_document to nil
+  # To force reload, set @policy_permissions_solr_cache to {} 
   def policy_permissions_doc(policy_pid)
-    @policy_permissions_solr_document ||= get_permissions_solr_response_for_doc_id(policy_pid)
+    @policy_permissions_solr_cache ||= {}
+    @policy_permissions_solr_cache[policy_pid] ||= get_permissions_solr_response_for_doc_id(policy_pid)
   end
   
   # Tests whether the object's governing policy object grants edit access for the current user

data/lib/hydra/policy_aware_access_controls_enforcement.rb

@@ -3,15 +3,15 @@ module Hydra::PolicyAwareAccessControlsEnforcement
   
   # Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access
   # appends the result of policy_clauses into the :fq
+  # @param solr_parameters the current solr parameters
+  # @param user_parameters the current user-subitted parameters
   def apply_gated_discovery(solr_parameters, user_parameters)
-    super
-    additional_clauses = policy_clauses
-    unless additional_clauses.nil? || additional_clauses.empty?
-      solr_parameters[:fq].first << " OR " + additional_clauses
-      logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
-    end
+    solr_parameters[:fq] ||= []
+    solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
+    logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
   end
-  
+
+
   # returns solr query for finding all objects whose policies grant discover access to current_user
   def policy_clauses 
     policy_pids = policies_with_access
@@ -64,5 +64,16 @@ module Hydra::PolicyAwareAccessControlsEnforcement
       return Hydra.config[:permissions][:policy_class]
     end
   end
+
+  protected 
+
+  def gated_discovery_filters
+    filters = super
+    additional_clauses = policy_clauses
+    unless additional_clauses.blank?
+      filters << additional_clauses
+    end
+    filters
+  end
   
 end

data/spec/factories.rb

@@ -88,6 +88,10 @@ FactoryGirl.define do
   factory :dept_access_asset, :parent=>:asset do |a|
     permissions [{:name=>"africana-faculty", :access=>"read", :type=>"group"}, {:name=>"joe_creator", :access=>"edit", :type=>"user"}]
   end
+
+  factory :group_edit_asset, :parent=>:asset do |a|
+    permissions [{:name=>"africana-faculty", :access=>"edit", :type=>"group"}, {:name=>"calvin_collaborator", :access=>"edit", :type=>"user"}]
+  end
   
   factory :org_read_access_asset, :parent=>:asset do |a|
     permissions [{:name=>"registered", :access=>"read", :type=>"group"}, {:name=>"joe_creator", :access=>"edit", :type=>"user"}, {:name=>"calvin_collaborator", :access=>"edit", :type=>"user"}]

data/spec/unit/ability_spec.rb

@@ -20,6 +20,14 @@ describe Ability do
     }})
   end
 
+  describe "class methods" do
+    subject { Ability }
+    its(:read_group_field) { should == 'read_access_group_tsim'}
+    its(:read_person_field) { should == 'read_access_person_tsim'}
+    its(:edit_group_field) { should == 'edit_access_group_tsim'}
+    its(:edit_person_field) { should == 'edit_access_person_tsim'}
+  end
+
   context "for a not-signed in user" do
     before do
       User.any_instance.stub(:email).and_return(nil)
@@ -166,10 +174,9 @@ describe Ability do
 
   describe "Given an asset with collaborator" do
     before do
-      @asset = FactoryGirl.build(:org_read_access_asset)
-      @asset.save
+      @asset = FactoryGirl.create(:group_edit_asset)
     end
-    context "Then a collaborator with edit access" do
+    context "Then a collaborator with edit access (user permision)" do
       before do
         @user = FactoryGirl.build(:calvin_collaborator)
       end
@@ -187,6 +194,17 @@ describe Ability do
         subject.can?(:admin, @asset).should be_false
       end
     end
+    context "Then a collaborator with edit access (group permision)" do
+      before do
+        @user = FactoryGirl.build(:martia_morocco)
+        RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+      end
+      subject { Ability.new(@user) }
+
+      it "should be able to view the asset" do
+        subject.can?(:read, @asset).should be_true
+      end
+    end
   end
 
   describe "Given an asset where dept can read & registered users can discover" do
@@ -269,120 +287,18 @@ describe Ability do
 
   end
 
-  #
-  # Policy-based Access Controls
-  #
-  describe "When accessing assets with Policies associated" do
+  describe "calling ability on two separate objects" do
     before do
-      @user = FactoryGirl.build(:martia_morocco)
-      RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+      @asset1 = FactoryGirl.create(:org_read_access_asset)
+      @asset2 = FactoryGirl.create(:asset)
+      @user = FactoryGirl.build(:calvin_collaborator) # has access to @asset1, but not @asset2
     end
     subject { Ability.new(@user) }
-    context "Given a policy grants read access to a group I belong to" do
-      before do
-        @policy = Hydra::AdminPolicy.new
-        @policy.default_permissions = [{:type=>"group", :access=>"read", :name=>"africana-faculty"}]
-        @policy.save
-      end
-      after { @policy.delete }
-    	context "And a subscribing asset does not grant access" do
-    	  before do
-          @asset = ModsAsset.new()
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-    		it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-        it "Then I should not be able to edit, update and destroy the asset" do
-          subject.can?(:edit, @asset).should be_false
-          subject.can?(:update, @asset).should be_false
-          subject.can?(:destroy, @asset).should be_false
-        end
-      end
-    end
-    context "Given a policy grants edit access to a group I belong to" do
-      before do
-        @policy = Hydra::AdminPolicy.new
-        @policy.default_permissions = [{:type=>"group", :access=>"edit", :name=>"africana-faculty"}]
-        @policy.save
-      end
-      after { @policy.delete }
-    	context "And a subscribing asset does not grant access" do
-    	  before do
-          @asset = ModsAsset.new()
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-    		it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-    		it "Then I should be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_true
-          subject.can?(:update, @asset).should be_true
-          subject.can?(:destroy, @asset).should be_true
-        end
-  		end
-    	context "And a subscribing asset grants read access to me as an individual" do
-    	  before do
-          @asset = ModsAsset.new()
-          @asset.read_users = [@user.uid]
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-    		it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-        it "Then I should be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_true
-          subject.can?(:update, @asset).should be_true
-          subject.can?(:destroy, @asset).should be_true
-        end
-      end
-    end
-
-    context "Given a policy does not grant access to any group I belong to" do
-      before do
-        @policy = Hydra::AdminPolicy.new
-        @policy.save
-      end
-      after { @policy.delete }
-      context "And a subscribing asset does not grant access" do
-        before do
-          @asset = ModsAsset.new()
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-  		  it "Then I should not be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_false
-  		  end
-        it "Then I should not be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_false
-          subject.can?(:update, @asset).should be_false
-          subject.can?(:destroy, @asset).should be_false
-        end
-      end
-      context "And a subscribing asset grants read access to me as an individual" do
-        before do
-          @asset = ModsAsset.new()
-          @asset.read_users = [@user.uid]
-          @asset.admin_policy = @policy
-          @asset.save
-        end
-        after { @asset.delete }
-  		  it "Then I should be able to view the asset" do
-    		  subject.can?(:read, @asset).should be_true
-  		  end
-        it "Then I should not be able to edit/update/destroy the asset" do
-          subject.can?(:edit, @asset).should be_false
-          subject.can?(:update, @asset).should be_false
-          subject.can?(:destroy, @asset).should be_false
-        end
-      end
+    it "should be readable in the first instance and not in the second instance" do
+      # We had a bug around this where it keeps returning the access for the first object queried
+      subject.can?(:edit, @asset1).should be_true  
+      subject.can?(:edit, @asset2).should be_false  
     end
   end
+
 end

data/spec/unit/admin_policy_spec.rb

@@ -121,5 +121,121 @@ describe Hydra::AdminPolicy do
 
   end
 
+  #
+  # Policy-based Access Controls
+  #
+  describe "When accessing assets with Policies associated" do
+    before do
+      @user = FactoryGirl.build(:martia_morocco)
+      RoleMapper.stub(:roles).with(@user.user_key).and_return(@user.roles)
+    end
+    subject { Ability.new(@user) }
+    context "Given a policy grants read access to a group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.default_permissions = [{:type=>"group", :access=>"read", :name=>"africana-faculty"}]
+        @policy.save
+      end
+      after { @policy.delete }
+    	context "And a subscribing asset does not grant access" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should not be able to edit, update and destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+    end
+    context "Given a policy grants edit access to a group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.default_permissions = [{:type=>"group", :access=>"edit", :name=>"africana-faculty"}]
+        @policy.save
+      end
+      after { @policy.delete }
+    	context "And a subscribing asset does not grant access" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+    		it "Then I should be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_true
+          subject.can?(:update, @asset).should be_true
+          subject.can?(:destroy, @asset).should be_true
+        end
+  		end
+    	context "And a subscribing asset grants read access to me as an individual" do
+    	  before do
+          @asset = ModsAsset.new()
+          @asset.read_users = [@user.uid]
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+    		it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_true
+          subject.can?(:update, @asset).should be_true
+          subject.can?(:destroy, @asset).should be_true
+        end
+      end
+    end
+
+    context "Given a policy does not grant access to any group I belong to" do
+      before do
+        @policy = Hydra::AdminPolicy.new
+        @policy.save
+      end
+      after { @policy.delete }
+      context "And a subscribing asset does not grant access" do
+        before do
+          @asset = ModsAsset.new()
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+  		  it "Then I should not be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_false
+  		  end
+        it "Then I should not be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+      context "And a subscribing asset grants read access to me as an individual" do
+        before do
+          @asset = ModsAsset.new()
+          @asset.read_users = [@user.uid]
+          @asset.admin_policy = @policy
+          @asset.save
+        end
+        after { @asset.delete }
+  		  it "Then I should be able to view the asset" do
+    		  subject.can?(:read, @asset).should be_true
+  		  end
+        it "Then I should not be able to edit/update/destroy the asset" do
+          subject.can?(:edit, @asset).should be_false
+          subject.can?(:update, @asset).should be_false
+          subject.can?(:destroy, @asset).should be_false
+        end
+      end
+    end
+  end
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 6.0.0.pre4
+  version: 6.0.0.pre5
   prerelease: 6
 platform: ruby
 authors:
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-30 00:00:00.000000000 Z
+date: 2013-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -36,7 +36,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0.pre3
+        version: 6.0.0.pre8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -44,7 +44,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0.pre3
+        version: 6.0.0.pre8
 - !ruby/object:Gem::Dependency
   name: cancan
   requirement: !ruby/object:Gem::Requirement