hydra-access-controls 9.1.0 → 9.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 53a9ac37f60be38af2c511a423f849ecd9991c0f
-  data.tar.gz: 8ac4de9c1ac17eabc873ed5e0775d252d4e0b77b
+  metadata.gz: 7782c91f12b8adf883784a67f458f3cca644440f
+  data.tar.gz: 2366fd1859fbff67528d71d019cdeb56d9c2adcb
 SHA512:
-  metadata.gz: 61551d7bed4090045e64c9c07b1f38c28edd724e5df26c0e38987a031f72f6bcc12d717f9a538af4c29fded68091da6ec345f5c5503ea234a8e9c1b182d6046a
-  data.tar.gz: adb99e576d8f641be0ef66b7efedde72840f1fe3a859c59f457fe18eb9ce3933bb9ca14a5c9fd00dbca50bc744420c485e6a6cb28d0ce5eb6a5b74014e3c923f
+  metadata.gz: 3acd120d58cc9e4cdf13d8c123f455e7f5811672795887b24c7fa8b5ce3a9dfec33f70c7c2f43608bce6d1410573892455c6f4492efa5eed93e7c2dad4cb9882
+  data.tar.gz: 409e79be0563d2c72e45e6cc97174979b30af36b69bc6bd4d1f68b8a5a3fe4b6eb71afd95e517a2ffb04d3235a37d037ab5184e04cd31beb690b386b88d64be4

data/README.textile

@@ -77,7 +77,7 @@ In config/initializers/hydra_config.rb
 
 h3. Policy-based Enforcement (or Collecton-level enforcement)
 
-If you have Policy-based enforcement enabled, then objects will inherit extra GRANT permissions from AdminPolicy objects (APOs) they are linked to with an isGovernedBy RDF relationship (stored in solr as _is_governed_by_ssim_ field).  This allows you to grant discover/read/edit access for a whole set of objects by changing the policy they are governed by.
+If you have Policy-based enforcement enabled, then objects will inherit extra GRANT permissions from AdminPolicy objects (APOs) they are linked to with an isGovernedBy RDF relationship (stored in solr as _isGovernedBy_ssim_ field).  This allows you to grant discover/read/edit access for a whole set of objects by changing the policy they are governed by.
 
 AdminPolicy objects store their inheritable rightsMetadata in a datastream called defaultRights.  This datastream uses the regular Hydra rightsMetadata schema.  Each AdminPolicy object also has its own rightsMetadata datasream, like all other Hydra assets, which specifies who is able to _edit_ the Policy or _use_ it (associate it with objects).
 

data/lib/hydra/policy_aware_ability.rb

@@ -1,34 +1,30 @@
 # Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
 module Hydra::PolicyAwareAbility
   extend ActiveSupport::Concern
-  extend Deprecation
   include Hydra::Ability
 
   IS_GOVERNED_BY_SOLR_FIELD = "isGovernedBy_ssim".freeze
 
   # Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
-  def test_edit(pid)
-    super || test_edit_from_policy(pid)
+  def test_edit(id)
+    super || test_edit_from_policy(id)
   end
 
   # Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access
-  def test_read(pid)
-    super || test_read_from_policy(pid)
+  def test_read(id)
+    super || test_read_from_policy(id)
   end
 
-  # Returns the pid of policy object (is_governed_by) for the specified object
-  # Assumes that the policy object is associated by an is_governed_by relationship
-  # (which is stored as "is_governed_by_ssim" in object's solr document)
+  # Returns the id of policy object (isGovernedBy_ssim) for the specified object
+  # Assumes that the policy object is associated by an isGovernedBy relationship
+  # (which is stored as "isGovernedBy_ssim" in object's solr document)
   # Returns nil if no policy associated with the object
-  def policy_pid_for(object_pid)
-    policy_pid = policy_pid_cache[object_pid]
-    return policy_pid if policy_pid
-    solr_result = ActiveFedora::Base.find_with_conditions({id: object_pid}, fl: governed_by_solr_field)
-    begin
-      policy_pid_cache[object_pid] = policy_pid = value_from_solr_field(solr_result, governed_by_solr_field).first.gsub("info:fedora/", "")
-    rescue NoMethodError
-    end
-    return policy_pid
+  def policy_id_for(object_id)
+    policy_id = policy_id_cache[object_id]
+    return policy_id if policy_id
+    solr_result = ActiveFedora::Base.find_with_conditions({ id: object_id }, fl: governed_by_solr_field).first
+    return unless solr_result
+    policy_id_cache[object_id] = policy_id = Array(solr_result[governed_by_solr_field]).first
   end
 
   def governed_by_solr_field
@@ -37,102 +33,78 @@ module Hydra::PolicyAwareAbility
     IS_GOVERNED_BY_SOLR_FIELD
   end
 
-  # Returns the permissions solr document for policy_pid
+  # Returns the permissions solr document for policy_id
   # The document is stored in an instance variable, so calling this multiple times will only query solr once.
   # To force reload, set @policy_permissions_solr_cache to {}
-  def policy_permissions_doc(policy_pid)
+  def policy_permissions_doc(policy_id)
     @policy_permissions_solr_cache ||= {}
-    @policy_permissions_solr_cache[policy_pid] ||= get_permissions_solr_response_for_doc_id(policy_pid)
+    @policy_permissions_solr_cache[policy_id] ||= get_permissions_solr_response_for_doc_id(policy_id)
   end
 
   # Tests whether the object's governing policy object grants edit access for the current user
-  def test_edit_from_policy(object_pid)
-    policy_pid = policy_pid_for(object_pid)
-    return false if policy_pid.nil?
-    Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{current_user.user_key}?")
-    group_intersection = user_groups & edit_groups_from_policy( policy_pid )
-    result = !group_intersection.empty? || edit_users_from_policy( policy_pid ).include?(current_user.user_key)
+  def test_edit_from_policy(object_id)
+    policy_id = policy_id_for(object_id)
+    return false if policy_id.nil?
+    Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_id} provide EDIT permissions for #{current_user.user_key}?")
+    group_intersection = user_groups & edit_groups_from_policy( policy_id )
+    result = !group_intersection.empty? || edit_users_from_policy( policy_id ).include?(current_user.user_key)
     Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
     result
   end
 
   # Tests whether the object's governing policy object grants read access for the current user
-  def test_read_from_policy(object_pid)
-    policy_pid = policy_pid_for(object_pid)
-    return false if policy_pid.nil?
-    Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{current_user.user_key}?")
-    group_intersection = user_groups & read_groups_from_policy( policy_pid )
-    result = !group_intersection.empty? || read_users_from_policy( policy_pid ).include?(current_user.user_key)
+  def test_read_from_policy(object_id)
+    policy_id = policy_id_for(object_id)
+    return false if policy_id.nil?
+    Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_id} provide READ permissions for #{current_user.user_key}?")
+    group_intersection = user_groups & read_groups_from_policy( policy_id )
+    result = !group_intersection.empty? || read_users_from_policy( policy_id ).include?(current_user.user_key)
     Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
     result
   end
 
-  # Returns the list of groups granted edit access by the policy object identified by policy_pid
-  def edit_groups_from_policy(policy_pid)
-    policy_permissions = policy_permissions_doc(policy_pid)
+  # Returns the list of groups granted edit access by the policy object identified by policy_id
+  def edit_groups_from_policy(policy_id)
+    policy_permissions = policy_permissions_doc(policy_id)
     edit_group_field = Hydra.config.permissions.inheritable[:edit][:group]
     eg = ((policy_permissions == nil || policy_permissions.fetch(edit_group_field,nil) == nil) ? [] : policy_permissions.fetch(edit_group_field,nil))
     Rails.logger.debug("[CANCAN] -policy- edit_groups: #{eg.inspect}")
     return eg
   end
 
-  # Returns the list of groups granted read access by the policy object identified by policy_pid
+  # Returns the list of groups granted read access by the policy object identified by policy_id
   # Note: edit implies read, so read_groups is the union of edit and read groups
-  def read_groups_from_policy(policy_pid)
-    policy_permissions = policy_permissions_doc(policy_pid)
+  def read_groups_from_policy(policy_id)
+    policy_permissions = policy_permissions_doc(policy_id)
     read_group_field = Hydra.config.permissions.inheritable[:read][:group]
-    rg = edit_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_group_field,nil) == nil) ? [] : policy_permissions.fetch(read_group_field,nil))
+    rg = edit_groups_from_policy(policy_id) | ((policy_permissions == nil || policy_permissions.fetch(read_group_field,nil) == nil) ? [] : policy_permissions.fetch(read_group_field,nil))
     Rails.logger.debug("[CANCAN] -policy- read_groups: #{rg.inspect}")
     return rg
   end
 
-  def edit_persons_from_policy(policy_pid)
-    Deprecation.warn(Hydra::PolicyAwareAbility, "The edit_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0.  Use edit_users_from_policy instead.", caller)
-    edit_users_from_policy(policy_pid)
-  end
-
-  # Returns the list of users granted edit access by the policy object identified by policy_pid
-  def edit_users_from_policy(policy_pid)
-    policy_permissions = policy_permissions_doc(policy_pid)
+  # Returns the list of users granted edit access by the policy object identified by policy_id
+  def edit_users_from_policy(policy_id)
+    policy_permissions = policy_permissions_doc(policy_id)
     edit_user_field = Hydra.config.permissions.inheritable[:edit][:individual]
     eu = ((policy_permissions == nil || policy_permissions.fetch(edit_user_field,nil) == nil) ? [] : policy_permissions.fetch(edit_user_field,nil))
     Rails.logger.debug("[CANCAN] -policy- edit_users: #{eu.inspect}")
     return eu
   end
 
-  def read_persons_from_policy(policy_pid)
-    Deprecation.warn(Hydra::PolicyAwareAbility, "The read_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0.  Use read_users_from_policy instead.", caller)
-    read_users_from_policy(policy_pid)
-  end
-
-  # Returns the list of users granted read access by the policy object identified by policy_pid
+  # Returns the list of users granted read access by the policy object identified by policy_id
   # Note: edit implies read, so read_users is the union of edit and read users
-  def read_users_from_policy(policy_pid)
-    policy_permissions = policy_permissions_doc(policy_pid)
+  def read_users_from_policy(policy_id)
+    policy_permissions = policy_permissions_doc(policy_id)
     read_user_field = Hydra.config.permissions.inheritable[:read][:individual]
-    ru = edit_users_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_user_field, nil) == nil) ? [] : policy_permissions.fetch(read_user_field, nil))
+    ru = edit_users_from_policy(policy_id) | ((policy_permissions == nil || policy_permissions.fetch(read_user_field, nil) == nil) ? [] : policy_permissions.fetch(read_user_field, nil))
     Rails.logger.debug("[CANCAN] -policy- read_users: #{ru.inspect}")
     return ru
   end
 
   private
 
-  # Grabs the value of field_name from solr_result
-  # @example
-  #   solr_result = Multiresimage.find_with_conditions({:id=>object_pid}, :fl=>'is_governed_by_ssim')
-  #   value_from_solr_field(solr_result, 'is_governed_by_ssim')
-  #   => ["info:fedora/changeme:2278"]
-  def value_from_solr_field(solr_result, field_name)
-    field_from_result = solr_result.select {|x| x.has_key?(field_name)}.first
-    if field_from_result.nil?
-      nil
-    else
-      field_from_result[field_name]
-    end
-  end
-
-  def policy_pid_cache
-    @policy_pid_cache ||= {}
+  def policy_id_cache
+    @policy_id_cache ||= {}
   end
 
 end

data/lib/hydra/policy_aware_access_controls_enforcement.rb

@@ -1,22 +1,21 @@
 # Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
 module Hydra::PolicyAwareAccessControlsEnforcement
-  extend Deprecation
 
   # Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access
   # appends the result of policy_clauses into the :fq
   # @param solr_parameters the current solr parameters
   # @param user_parameters the current user-subitted parameters
-  def apply_gated_discovery(solr_parameters, user_parameters)
+  def apply_gated_discovery(solr_parameters)
     solr_parameters[:fq] ||= []
-    solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
+    solr_parameters[:fq] << gated_discovery_filters.join(' OR '.freeze)
     logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
   end
 
   # returns solr query for finding all objects whose policies grant discover access to current_user
   def policy_clauses
-    policy_pids = policies_with_access
-    return nil if policy_pids.empty?
-    '(' + policy_pids.map {|pid| ActiveFedora::SolrQueryBuilder.construct_query_for_rel(is_governed_by: "info:fedora/#{pid}")}.join(' OR ') + ')'
+    policy_ids = policies_with_access
+    return nil if policy_ids.empty?
+    '(' + policy_ids.map {|id| ActiveFedora::SolrQueryBuilder.construct_query_for_rel(isGovernedBy: id)}.join(' OR '.freeze) + ')'
   end
 
   # find all the policies that grant discover/read/edit permissions to this user or any of its groups
@@ -31,11 +30,6 @@ module Hydra::PolicyAwareAccessControlsEnforcement
     result.map {|h| h['id']}
   end
 
-  def apply_policy_role_permissions(permission_types = discovery_permissions)
-    Deprecation.warn(Hydra::PolicyAwareAccessControlsEnforcement, "The method apply_policy_role_permissions is deprecated and will be removed from Hydra::PolicyAwareAccessControlsEnforcement in hydra-head 8.0.  Use apply_policy_group_permissions instead.", caller)
-    apply_policy_group_permissions(permission_types)
-  end
-
   def apply_policy_group_permissions(permission_types = discovery_permissions)
       # for groups
       user_access_filters = []
@@ -47,20 +41,13 @@ module Hydra::PolicyAwareAccessControlsEnforcement
       user_access_filters
   end
 
-  def apply_policy_individual_permissions(permission_types = discovery_permissions)
-    Deprecation.warn(Hydra::PolicyAwareAccessControlsEnforcement, "The method apply_policy_individual_permissions is deprecated and will be removed from Hydra::PolicyAwareAccessControlsEnforcement in hydra-head 8.0.  Use apply_policy_user_permissions instead.", caller)
-    apply_policy_user_permissions(permission_types)
-  end
-
   def apply_policy_user_permissions(permission_types = discovery_permissions)
     # for individual user access
-    user_access_filters = []
-    if current_user
-      permission_types.each do |type|
-        user_access_filters << escape_filter(Hydra.config.permissions.inheritable[type.to_sym].individual, current_user.user_key)
-      end
+    user = current_ability.current_user
+    return [] unless user && user.user_key.present?
+    permission_types.map do |type|
+      escape_filter(Hydra.config.permissions.inheritable[type.to_sym].individual, user.user_key)
     end
-    user_access_filters
   end
 
   # Returns the Model used for AdminPolicy objects.

data/spec/unit/policy_aware_ability_spec.rb

@@ -36,7 +36,7 @@ describe Hydra::PolicyAwareAbility do
 
   subject { PolicyAwareClass.new( User.new ) }
 
-  describe "policy_pid_for" do
+  describe "policy_id_for" do
     before do
       @policy2 = Hydra::AdminPolicy.create
       @policy2.default_permissions.create [
@@ -54,9 +54,9 @@ describe Hydra::PolicyAwareAbility do
     end
 
     it "should retrieve the pid doc for the current object's governing policy" do
-      expect(subject.policy_pid_for(@asset.id)).to eq @policy.id
-      expect(subject.policy_pid_for(@asset2.id)).to eq @policy2.id
-      expect(subject.policy_pid_for(@asset3.id)).to be_nil
+      expect(subject.policy_id_for(@asset.id)).to eq @policy.id
+      expect(subject.policy_id_for(@asset2.id)).to eq @policy2.id
+      expect(subject.policy_id_for(@asset3.id)).to be_nil
     end
   end
 

data/spec/unit/policy_aware_access_controls_enforcement_spec.rb

@@ -2,13 +2,17 @@ require 'spec_helper'
 
 describe Hydra::PolicyAwareAccessControlsEnforcement do
   before do
-    class PolicyMockController
+    class PolicyMockSearchBuilder
       include Hydra::AccessControlsEnforcement
       include Hydra::PolicyAwareAccessControlsEnforcement
       attr_accessor :params
 
+      def initialize(current_ability)
+        @current_ability = current_ability
+      end
+
       def current_ability
-        @current_ability ||= Ability.new(current_user)
+        @current_ability
       end
 
       def session
@@ -16,7 +20,6 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
 
       delegate :logger, to: :Rails
     end
-
     @sample_policies = []
     # user discover
     policy1 = Hydra::AdminPolicy.create("test-policy1")
@@ -84,19 +87,18 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
     @policies_with_access = @sample_policies.select { |p| p.id != policy_no_access.id }
   end
 
-  subject { PolicyMockController.new }
+  let(:current_ability) { Ability.new(user) }
+  subject { PolicyMockSearchBuilder.new(current_ability) }
+  let(:user) { FactoryGirl.build(:sara_student) }
 
   before do
     @solr_parameters = {}
-    @user_parameters = {}
-    @user = FactoryGirl.build(:sara_student)
   end
 
   describe "policies_with_access" do
     context "Authenticated user" do
       before do
-        allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
-        allow(subject).to receive(:current_user).and_return(@user)
+        allow(RoleMapper).to receive(:roles).with(user).and_return(user.roles)
       end
       it "should return the policies that provide discover permissions" do
         @policies_with_access.map {|p| p.id }.each do |p|
@@ -111,7 +113,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
       end
     end
     context "Anonymous user" do
-      before { allow(subject).to receive(:current_user).and_return(nil) }
+      let(:user) { nil }
       it "should return the policies that provide discover permissions" do
         expect(subject.policies_with_access).to match_array ["test-policy7", "test-policy8"]
       end
@@ -120,33 +122,28 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
 
   describe "apply_gated_discovery" do
     before do
-      allow(RoleMapper).to receive(:roles).with(@user).and_return(@user.roles)
-      allow(subject).to receive(:current_user).and_return(@user)
+      allow(RoleMapper).to receive(:roles).with(user).and_return(user.roles)
     end
+    let(:governed_field) { ActiveFedora::SolrQueryBuilder.solr_name('isGovernedBy', :symbol) }
 
     it "should include policy-aware query" do
       # stubbing out policies_with_access because solr doesn't always return them in the same order.
-      policy_ids = (1..8).map {|n| "test:policy#{n}"}
+      policy_ids = (1..8).map {|n| "policies/#{n}"}
       expect(subject).to receive(:policies_with_access).and_return(policy_ids)
-      subject.apply_gated_discovery(@solr_parameters, @user_parameters)
-      governed_field = ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)
-      expect(@solr_parameters[:fq].first).to include(" OR (_query_:\"{!raw f=#{governed_field}}info:fedora/test:policy1\" OR _query_:\"{!raw f=#{governed_field}}info:fedora/test:policy2\" OR _query_:\"{!raw f=#{governed_field}}info:fedora/test:policy3\" OR _query_:\"{!raw f=#{governed_field}}info:fedora/test:policy4\" OR _query_:\"{!raw f=#{governed_field}}info:fedora/test:policy5\" OR _query_:\"{!raw f=#{governed_field}}info:fedora/test:policy6\" OR _query_:\"{!raw f=#{governed_field}}info:fedora/test:policy7\" OR _query_:\"{!raw f=#{governed_field}}info:fedora/test:policy8\")")
+      subject.apply_gated_discovery(@solr_parameters)
+      expect(@solr_parameters[:fq].first).to include(" OR (_query_:\"{!raw f=#{governed_field}}policies/1\" OR _query_:\"{!raw f=#{governed_field}}policies/2\" OR _query_:\"{!raw f=#{governed_field}}policies/3\" OR _query_:\"{!raw f=#{governed_field}}policies/4\" OR _query_:\"{!raw f=#{governed_field}}policies/5\" OR _query_:\"{!raw f=#{governed_field}}policies/6\" OR _query_:\"{!raw f=#{governed_field}}policies/7\" OR _query_:\"{!raw f=#{governed_field}}policies/8\")")
     end
 
     it "should not change anything if there are no clauses to add" do
       allow(subject).to receive(:policy_clauses).and_return(nil)
-      subject.apply_gated_discovery(@solr_parameters, @user_parameters)
-      expect(@solr_parameters[:fq].first).to_not include(" OR (#{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy1 OR #{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy2 OR #{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy3 OR #{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy4 OR #{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy5 OR #{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy6 OR #{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy7 OR #{ActiveFedora::SolrQueryBuilder.solr_name('is_governed_by', :symbol)}:info\\:fedora\\/test\\:policy8)")
+      subject.apply_gated_discovery(@solr_parameters)
+      expect(@solr_parameters[:fq].first).not_to include(" OR (_query_:\"{!raw f=#{governed_field}}policies/1\" OR _query_:\"{!raw f=#{governed_field}}policies/2\" OR _query_:\"{!raw f=#{governed_field}}policies/3\" OR _query_:\"{!raw f=#{governed_field}}policies/4\" OR _query_:\"{!raw f=#{governed_field}}policies/5\" OR _query_:\"{!raw f=#{governed_field}}policies/6\" OR _query_:\"{!raw f=#{governed_field}}policies/7\" OR _query_:\"{!raw f=#{governed_field}}policies/8\")")
     end
   end
 
   describe "apply_policy_role_permissions" do
-    before do
-      allow(subject).to receive(:current_user).and_return(@user)
-    end
-
     it "should escape slashes in the group names" do
-      allow(RoleMapper).to receive(:roles).with(@user).and_return(["abc/123","cde/567"])
+      allow(RoleMapper).to receive(:roles).with(user).and_return(["abc/123","cde/567"])
       user_access_filters = subject.apply_policy_group_permissions
       ["edit","discover","read"].each do |type|
         expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:abc\\\/123")
@@ -155,7 +152,7 @@ describe Hydra::PolicyAwareAccessControlsEnforcement do
     end
 
     it "should escape spaces in the group names" do
-      allow(RoleMapper).to receive(:roles).with(@user).and_return(["abc 123","cd/e 567"])
+      allow(RoleMapper).to receive(:roles).with(user).and_return(["abc 123","cd/e 567"])
       user_access_filters = subject.apply_policy_group_permissions
       ["edit","discover","read"].each do |type|
         expect(user_access_filters).to include("inheritable_#{type}_access_group_ssim\:abc\\ 123")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-access-controls
 version: !ruby/object:Gem::Version
-  version: 9.1.0
+  version: 9.1.1
 platform: ruby
 authors:
 - Chris Beer
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-03-06 00:00:00.000000000 Z
+date: 2015-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport