RubyGems - hydra-access-controls - Versions diffs - 6.0.0.pre8 → 6.0.0.rc1 - Mend

hydra-access-controls 6.0.0.pre8 → 6.0.0.rc1

Files changed (8) hide show

data/hydra-access-controls.gemspec +1 -1
data/lib/hydra-access-controls.rb +1 -0
data/lib/hydra/ability.rb +136 -135
data/lib/hydra/datastream/rights_metadata.rb +1 -1
data/lib/hydra/permissions_cache.rb +16 -0
data/lib/hydra/permissions_query.rb +48 -43
data/spec/unit/access_controls_enforcement_spec.rb +1 -0
metadata +21 -20

data/hydra-access-controls.gemspec CHANGED

@@ -18,7 +18,7 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 1.9.3'
   gem.add_dependency 'activesupport'
-  gem.add_dependency "active-fedora", '>= 6.0.0.pre10'
+  gem.add_dependency "active-fedora", '>= 6.0.0.rc2'
   gem.add_dependency 'cancan'
   gem.add_dependency 'deprecation'
   gem.add_dependency 'blacklight'

data/lib/hydra-access-controls.rb CHANGED

@@ -15,6 +15,7 @@ module Hydra
   autoload :AdminPolicy
   autoload :RoleMapperBehavior
   autoload :PermissionsQuery
+  autoload :PermissionsCache
   autoload :PermissionsSolrDocument
   class Engine < Rails::Engine
   end

data/lib/hydra/ability.rb CHANGED

@@ -1,162 +1,163 @@
 # Code for [CANCAN] access to Hydra models
 require 'cancan'
-module Hydra::Ability
-  extend ActiveSupport::Concern
-  # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
-  #
-  # self.ability_logic +=[:setup_my_permissions]
-  included do
-    include CanCan::Ability
-    include Hydra::PermissionsQuery
-    include Blacklight::SolrHelper
-    class_attribute :ability_logic
-    self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
-  end
-  def self.user_class
-    Hydra.config[:user_model] ?  Hydra.config[:user_model].constantize : ::User
-  end
-  attr_reader :current_user, :session
-  def initialize(user, session=nil)
-    @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
-    @user = @current_user # just in case someone was using this in an override. Just don't.
-    @session = session
-    hydra_default_permissions()
-  end
-  ## You can override this method if you are using a different AuthZ (such as LDAP)
-  def user_groups
-    return @user_groups if @user_groups
+module Hydra
+  module Ability
+    extend ActiveSupport::Concern
-    @user_groups = default_user_groups
-    @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
-    @user_groups |= ['registered'] unless current_user.new_record?
-    @user_groups
-  end
-  def default_user_groups
-    # # everyone is automatically a member of the group 'public'
-    ['public']
-  end
-  def hydra_default_permissions
-    logger.debug("Usergroups are " + user_groups.inspect)
-    self.ability_logic.each do |method|
-      send(method)
+    # once you include Hydra::Ability you can add custom permission methods by appending to ability_logic like so:
+    #
+    # self.ability_logic +=[:setup_my_permissions]
+    included do
+      include CanCan::Ability
+      include Hydra::PermissionsQuery
+      include Blacklight::SolrHelper
+      class_attribute :ability_logic
+      self.ability_logic = [:create_permissions, :edit_permissions, :read_permissions, :custom_permissions]
     end
-  end
-  def create_permissions
-    can :create, :all if user_groups.include? 'registered'
-  end
+    def self.user_class
+      Hydra.config[:user_model] ?  Hydra.config[:user_model].constantize : ::User
+    end
-  def edit_permissions
-    can [:edit, :update, :destroy], String do |pid|
-      test_edit(pid)
-    end
+    attr_reader :current_user, :session
-    can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
-      test_edit(obj.pid)
+    def initialize(user, session=nil)
+      @current_user = user || Hydra::Ability.user_class.new # guest user (not logged in)
+      @user = @current_user # just in case someone was using this in an override. Just don't.
+      @session = session
+      hydra_default_permissions()
     end
-    can :edit, SolrDocument do |obj|
-      @permission_doc_cache[obj.id] = obj
-      test_edit(obj.id)
-    end
-  end
-  def read_permissions
-    can :read, String do |pid|
-      test_read(pid)
+    ## You can override this method if you are using a different AuthZ (such as LDAP)
+    def user_groups
+      return @user_groups if @user_groups
+      @user_groups = default_user_groups
+      @user_groups |= current_user.groups if current_user and current_user.respond_to? :groups
+      @user_groups |= ['registered'] unless current_user.new_record?
+      @user_groups
     end
-    can :read, ActiveFedora::Base do |obj|
-      test_read(obj.pid)
-    end
+    def default_user_groups
+      # # everyone is automatically a member of the group 'public'
+      ['public']
+    end
-    can :read, SolrDocument do |obj|
-      @permission_doc_cache[obj.id] = obj
-      test_read(obj.id)
-    end
-  end
+    def hydra_default_permissions
+      logger.debug("Usergroups are " + user_groups.inspect)
+      self.ability_logic.each do |method|
+        send(method)
+      end
+    end
-  ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
-  def custom_permissions
-  end
-  protected
-  def test_edit(pid)
-    logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & edit_groups(pid)
-    result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
-    logger.debug("[CANCAN] decision: #{result}")
-    result
-  end
-  def test_read(pid)
-    logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
-    group_intersection = user_groups & read_groups(pid)
-    result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
-    result
-  end
-  def edit_groups(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    eg = doc[self.class.edit_group_field] || []
-    logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
-    return eg
-  end
+    def create_permissions
+      can :create, :all if user_groups.include? 'registered'
+    end
-  # edit implies read, so read_groups is the union of edit and read groups
-  def read_groups(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
-    logger.debug("[CANCAN] read_groups: #{rg.inspect}")
-    return rg
-  end
+    def edit_permissions
+      can [:edit, :update, :destroy], String do |pid|
+        test_edit(pid)
+      end
+      can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
+        test_edit(obj.pid)
+      end
+      can :edit, SolrDocument do |obj|
+        PermissionsCache.put(obj.id, obj)
+        test_edit(obj.id)
+      end
+    end
-  def edit_persons(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    ep = doc[self.class.edit_person_field] ||  []
-    logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
-    return ep
-  end
+    def read_permissions
+      can :read, String do |pid|
+        test_read(pid)
+      end
+      can :read, ActiveFedora::Base do |obj|
+        test_read(obj.pid)
+      end
+      can :read, SolrDocument do |obj|
+        PermissionsCache.put(obj.id, obj)
+        test_read(obj.id)
+      end
+    end
-  # edit implies read, so read_persons is the union of edit and read persons
-  def read_persons(pid)
-    doc = permissions_doc(pid)
-    return [] if doc.nil?
-    rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
-    logger.debug("[CANCAN] read_persons: #{rp.inspect}")
-    return rp
-  end
-  module ClassMethods
-    def read_group_field
-      Hydra.config[:permissions][:read][:group]
+    ## Override custom permissions in your own app to add more permissions beyond what is defined by default.
+    def custom_permissions
+    end
+    protected
+    def test_edit(pid)
+      logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+      group_intersection = user_groups & edit_groups(pid)
+      result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
+      logger.debug("[CANCAN] decision: #{result}")
+      result
+    end
+    def test_read(pid)
+      logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+      group_intersection = user_groups & read_groups(pid)
+      result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
+      result
+    end
+    def edit_groups(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      eg = doc[self.class.edit_group_field] || []
+      logger.debug("[CANCAN] edit_groups: #{eg.inspect}")
+      return eg
+    end
+    # edit implies read, so read_groups is the union of edit and read groups
+    def read_groups(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      rg = edit_groups(pid) | (doc[self.class.read_group_field] || [])
+      logger.debug("[CANCAN] read_groups: #{rg.inspect}")
+      return rg
     end
-    def edit_person_field
-      Hydra.config[:permissions][:edit][:individual]
+    def edit_persons(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      ep = doc[self.class.edit_person_field] ||  []
+      logger.debug("[CANCAN] edit_persons: #{ep.inspect}")
+      return ep
     end
-    def read_person_field
-      Hydra.config[:permissions][:read][:individual]
+    # edit implies read, so read_persons is the union of edit and read persons
+    def read_persons(pid)
+      doc = permissions_doc(pid)
+      return [] if doc.nil?
+      rp = edit_persons(pid) | (doc[self.class.read_person_field] || [])
+      logger.debug("[CANCAN] read_persons: #{rp.inspect}")
+      return rp
     end
-    def edit_group_field
-      Hydra.config[:permissions][:edit][:group]
+    module ClassMethods
+      def read_group_field
+        Hydra.config[:permissions][:read][:group]
+      end
+      def edit_person_field
+        Hydra.config[:permissions][:edit][:individual]
+      end
+      def read_person_field
+        Hydra.config[:permissions][:read][:individual]
+      end
+      def edit_group_field
+        Hydra.config[:permissions][:edit][:group]
+      end
     end
   end
 end

data/lib/hydra/datastream/rights_metadata.rb CHANGED

@@ -2,7 +2,7 @@ require 'active_support/core_ext/string'
 module Hydra
   module Datastream
     # Implements Hydra RightsMetadata XML terminology for asserting access permissions
-    class RightsMetadata < ActiveFedora::NokogiriDatastream
+    class RightsMetadata < ActiveFedora::OmDatastream
       set_terminology do |t|
         t.root(:path=>"rightsMetadata", :xmlns=>"http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1", :schema=>"http://github.com/projecthydra/schemas/tree/v1/rightsMetadata.xsd")

data/lib/hydra/permissions_cache.rb ADDED

@@ -0,0 +1,16 @@
+module Hydra::PermissionsCache
+  @@cache = {}
+  def self.get(pid)
+    @@cache[pid]
+  end
+  def self.put(pid, doc)
+    @@cache[pid] = doc
+  end
+  def self.clear
+    @@cache = {}
+  end
+end

data/lib/hydra/permissions_query.rb CHANGED

@@ -1,50 +1,55 @@
-module Hydra::PermissionsQuery
-  extend ActiveSupport::Concern
-  included do
-    include Blacklight::SolrHelper # for force_to_utf8
-  end
+module Hydra
+  module PermissionsQuery
+    extend ActiveSupport::Concern
+    included do
+      include Blacklight::SolrHelper # for force_to_utf8
+    end
-  def permissions_doc(pid)
-    @permission_doc_cache ||= {}
-    @permission_doc_cache[pid] ||= get_permissions_solr_response_for_doc_id(pid)
-  end
+    def permissions_doc(pid)
+      doc = Hydra::PermissionsCache.get(pid)
+      unless doc
+        doc = get_permissions_solr_response_for_doc_id(pid)
+        Hydra::PermissionsCache.put(pid, doc)
+      end
+      doc
+    end
-  protected
+    protected
-  # a solr query method
-  # retrieve a solr document, given the doc id
-  # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
-  # @param [String] id of the documetn to retrieve
-  # @param [Hash] extra_controller_params (optional)
-  def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
-    raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
-    #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
-    #path = blacklight_config.solr_path
-    solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
-    response = Blacklight.solr.get('select', :params=> solr_opts)
-    solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
+    # a solr query method
+    # retrieve a solr document, given the doc id
+    # Modeled on Blacklight::SolrHelper.get_permissions_solr_response_for_doc_id
+    # @param [String] id of the documetn to retrieve
+    # @param [Hash] extra_controller_params (optional)
+    def get_permissions_solr_response_for_doc_id(id=nil, extra_controller_params={})
+      raise Blacklight::Exceptions::InvalidSolrID.new("The application is trying to retrieve permissions without specifying an asset id") if id.nil?
+      #solr_response = Blacklight.solr.get permissions_solr_doc_params(id).merge(extra_controller_params)
+      #path = blacklight_config.solr_path
+      solr_opts = permissions_solr_doc_params(id).merge(extra_controller_params)
+      response = Blacklight.solr.get('select', :params=> solr_opts)
+      solr_response = Blacklight::SolrResponse.new(force_to_utf8(response), solr_opts)
-    raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
-    Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
-  end
+      raise Blacklight::Exceptions::InvalidSolrID.new("The solr permissions search handler didn't return anything for id \"#{id}\"") if solr_response.docs.empty?
+      Hydra::PermissionsSolrDocument.new(solr_response.docs.first, solr_response)
+    end
-  #
-  #  Solr integration
-  #
-  # returns a params hash with the permissions info for a single solr document
-  # If the id arg is nil, then the value is fetched from params[:id]
-  # This method is primary called by the get_permissions_solr_response_for_doc_id method.
-  # Modeled on Blacklight::SolrHelper.solr_doc_params
-  # @param [String] id of the documetn to retrieve
-  def permissions_solr_doc_params(id=nil)
-    id ||= params[:id]
-    # just to be consistent with the other solr param methods:
-    {
-      :qt => :permissions,
-      :id => id # this assumes the document request handler will map the 'id' param to the unique key field
-    }
-  end
+    #
+    #  Solr integration
+    #
+    # returns a params hash with the permissions info for a single solr document
+    # If the id arg is nil, then the value is fetched from params[:id]
+    # This method is primary called by the get_permissions_solr_response_for_doc_id method.
+    # Modeled on Blacklight::SolrHelper.solr_doc_params
+    # @param [String] id of the documetn to retrieve
+    def permissions_solr_doc_params(id=nil)
+      id ||= params[:id]
+      # just to be consistent with the other solr param methods:
+      {
+        :qt => :permissions,
+        :id => id # this assumes the document request handler will map the 'id' param to the unique key field
+      }
+    end
+  end
 end

data/spec/unit/access_controls_enforcement_spec.rb CHANGED

@@ -81,6 +81,7 @@ describe Hydra::AccessControlsEnforcement do
       lambda {subject.send(:enforce_show_permissions, {}) }.should_not raise_error Hydra::AccessDenied
     end
     it "should prevent a user w/o edit permissions from viewing an embargoed object" do
+      Hydra::PermissionsCache.clear()
       user = User.new :uid=>'testuser@example.com'
       RoleMapper.stub(:roles).with(user.user_key).and_return([])
       subject.stub(:current_user).and_return(user)

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 6.0.0.pre8
+  version: 6.0.0.rc1
   prerelease: 6
 platform: ruby
 authors:
@@ -11,14 +11,14 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-02-10 00:00:00.000000000 Z
+date: 2013-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -26,7 +26,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -34,23 +34,23 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 6.0.0.pre10
+        version: 6.0.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 6.0.0.pre10
+        version: 6.0.0.rc2
 - !ruby/object:Gem::Dependency
   name: cancan
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -58,7 +58,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -66,7 +66,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -74,7 +74,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -82,7 +82,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
@@ -90,7 +90,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -98,7 +98,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -106,7 +106,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
@@ -114,7 +114,7 @@ dependencies:
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
@@ -122,7 +122,7 @@ dependencies:
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: Access controls for project hydra
@@ -148,6 +148,7 @@ files:
 - lib/hydra/datastream/inheritable_rights_metadata.rb
 - lib/hydra/datastream/rights_metadata.rb
 - lib/hydra/model_mixins/rights_metadata.rb
+- lib/hydra/permissions_cache.rb
 - lib/hydra/permissions_query.rb
 - lib/hydra/permissions_solr_document.rb
 - lib/hydra/policy_aware_ability.rb
@@ -182,13 +183,13 @@ require_paths:
 required_ruby_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ">"
+  - - ! '>'
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []