hydra-head 4.1.2 → 4.1.3

data/app/controllers/hydra/contributors_controller.rb

@@ -6,8 +6,10 @@ class Hydra::ContributorsController < ApplicationController
   include Hydra::Controller::RepositoryControllerBehavior
   include Hydra::AssetsControllerHelper
   include Hydra::SubmissionWorkflow
-
+  include Hydra::AccessControlsEnforcement
+  
   before_filter :load_document, :only => :update 
+  before_filter :enforce_access_controls
 
   def initialize *args
     Deprecation.warn(Hydra::ContributorsController, "Hydra::ContributorsController is deprecated and will be removed from #{self.class.deprecation_horizon}")
@@ -71,6 +73,7 @@ class Hydra::ContributorsController < ApplicationController
   def destroy
     af_model = retrieve_af_model(params[:content_type], :default=>ModsAsset)
     @document_fedora = af_model.find(params[:asset_id])
+    authorize! :edit, @document_fedora
     @document_fedora.remove_contributor(params[:contributor_type], params[:index])
     result = @document_fedora.save
     if request.xhr?

data/app/controllers/hydra/permissions_controller.rb

@@ -10,6 +10,9 @@ class Hydra::PermissionsController < ApplicationController
 
   include Hydra::AssetsControllerHelper
   include Hydra::SubmissionWorkflow
+  include Hydra::AccessControlsEnforcement
+  
+  before_filter :enforce_access_controls
   
   def index
     @document_fedora=ActiveFedora::Base.find(params[:asset_id], :cast=>true)
@@ -79,7 +82,7 @@ class Hydra::PermissionsController < ApplicationController
     end
     
     @document_fedora=ActiveFedora::Base.find(pid, :cast=>true)
-
+    
     # update the datastream's values
     result = @document_fedora.rightsMetadata.update_permissions(params[:permission])
     

data/lib/hydra-head/version.rb

@@ -1,4 +1,4 @@
 module HydraHead
-  VERSION = "4.1.2"
+  VERSION = "4.1.3"
 end
 

data/lib/hydra/controller/assets_controller_behavior.rb

@@ -99,6 +99,7 @@ module Hydra::Controller::AssetsControllerBehavior
   
   def destroy
     af = ActiveFedora::Base.find(params[:id], :cast=>true)
+    authorize! :destroy, af
     assets = af.destroy_child_assets
     af.delete
     msg = "Deleted #{params[:id]}"

data/lib/hydra/controller/file_assets_behavior.rb

@@ -57,6 +57,7 @@ module Hydra::Controller::FileAssetsBehavior
     elsif params.has_key?(:number_of_files) and params[:number_of_files] == "0"
       return redirect_to next_step(params[:id])
     end
+    authorize! :edit, (params[:container_id] || params[:id])
     
     if params.has_key?(:Filedata)
       notice = process_files
@@ -98,6 +99,7 @@ module Hydra::Controller::FileAssetsBehavior
   
   # Common destroy method for all AssetsControllers 
   def destroy
+    authorize! :destroy, params[:id]
     ActiveFedora::Base.find(params[:id], :cast=>true).delete 
 
     flash[:notice] = "Deleted #{params[:id]} from #{params[:container_id]}."

data/test_support/spec/controllers/contributors_controller_spec.rb

@@ -23,6 +23,8 @@ describe Hydra::ContributorsController do
   describe "create" do
     it "should support adding new person / contributor / organization nodes" do
       mock_document = mock("document")
+      # stub out access controlls enforcement
+      controller.expects(:enforce_access_controls).at_least_once.returns(true)
       ["person","conference","organization"].each do |type|
         mock_document.expects(:insert_contributor).with(type).returns(["foo node",989])
         mock_document.expects(:save)
@@ -33,6 +35,8 @@ describe Hydra::ContributorsController do
     end
     it "should return inline html if format is inline" do
       mock_document = mock("document")
+      # stub out access controlls enforcement
+      controller.expects(:enforce_access_controls).at_least_once.returns(true)
       ["person","conference","organization"].each do |type|
         mock_document.expects(:insert_contributor).with(type).returns(["foo node","foo index"])
         mock_document.expects(:save)
@@ -49,9 +53,15 @@ describe Hydra::ContributorsController do
       mock_dataset.expects(:remove_contributor).with("conference", "3")
       mock_dataset.expects(:save)
       ModsAsset.expects(:find).with("_PID_").returns(mock_dataset)
-      
+      # stub out authorize!
+      controller.expects(:authorize!).with(:edit, mock_dataset)
       delete :destroy, :asset_id=>"_PID_", :content_type => "mods_asset", :contributor_type=>"conference", :index=>"3"
     end
+    it "should now allow non-authed users to destroy contributors" do
+      mock_dataset = mock("Dataset")
+      ModsAsset.expects(:find).with("_PID_").returns(mock_dataset)
+      lambda{delete :destroy, :asset_id=>"_PID_", :content_type => "mods_asset", :contributor_type=>"conference", :index=>"3"}.should raise_error(CanCan::AccessDenied)
+    end
   end
   
 end

data/test_support/spec/controllers/file_assets_controller_spec.rb

@@ -79,13 +79,17 @@ describe Hydra::FileAssetsController do
   
   describe "create" do
     it "should create and save a file asset from the given params" do
+      # stub out authorize! call
+      controller.expects(:authorize!).with(:edit, "example:invalid_object").returns(true)
       mock_fa = mock("FileAsset")
       mock_file = mock("File")
       mock_fa.stubs(:pid).returns("foo:pid")
       controller.expects(:create_and_save_file_assets_from_params).returns([mock_fa])
-      xhr :post, :create, :Filedata=>[mock_file], :Filename=>"Foo File"
+      xhr :post, :create, :Filedata=>[mock_file], :Filename=>"Foo File", :id => "example:invalid_object"
     end
     it "if container_id is provided, should associate the created file asset wtih the container" do
+      # stub out authorize! call
+      controller.expects(:authorize!).with(:edit, "_PID_").returns(true)
       stub_fa = stub("FileAsset", :save)
       stub_fa.stubs(:pid).returns("foo:pid")
       stub_fa.stubs(:label).returns("Foo File")
@@ -95,20 +99,29 @@ describe Hydra::FileAssetsController do
       xhr :post, :create, :Filedata=>[mock_file], :Filename=>"Foo File", :container_id=>"_PID_"
     end
     it "should redirect back to edit view if no Filedata is provided but container_id is provided" do
+      # stub out authorize! call
+      controller.expects(:authorize!).with(:edit, "_PID_").returns(true)
       controller.expects(:model_config).at_least_once.returns(controller.workflow_config[:mods_assets])
       xhr :post, :create, :container_id=>"_PID_", :wf_step=>"files"
       response.should redirect_to edit_catalog_path("_PID_", :wf_step=>"permissions")
       request.flash[:notice].should == "You must specify a file to upload."
     end
     it "should display a message that you need to select a file to upload if no Filedata is provided" do
+      # stub out authorize! call
+      controller.expects(:authorize!).returns(true)
       xhr :post, :create
       request.flash[:notice].include?("You must specify a file to upload.").should be_true
     end
+    it "should throw an error if you don't have the ability to edit the parent object" do
+      lambda{xhr :post, :create, :id => "hydrangea:fixture_mods_dataset1"}.should raise_error(CanCan::AccessDenied)
+    end
     
   end
 
   describe "destroy" do
     it "should delete the asset identified by pid" do
+      # stub out authorize! call
+      controller.expects(:authorize!).returns(true)
       mock_obj = mock("asset", :delete)
       ActiveFedora::Base.expects(:find).with("__PID__", :cast=>true).returns(mock_obj)
       delete(:destroy, :id => "__PID__")
@@ -168,6 +181,8 @@ describe Hydra::FileAssetsController do
       end
 
       it "should set is_part_of relationship on the new File Asset pointing back at the container" do
+        # stub out authorize! call
+        controller.expects(:authorize!).returns(true)
         test_file = fixture_file_upload('/small_file.txt', 'text/plain')
         filename = "My File Name"
         post :create, {:Filedata=>[test_file], :Filename=>filename, :container_id=>@test_container.pid}

data/test_support/spec/controllers/hydra-assets_controller_spec.rb

@@ -116,10 +116,13 @@ describe Hydra::AssetsController do
   
   describe "destroy" do
     it "should delete the asset identified by pid" do
-      mock_obj = mock("asset", :delete)
-      mock_obj.expects(:destroy_child_assets).returns([])
-      ActiveFedora::Base.expects(:find).with("__PID__", :cast=>true).returns(mock_obj)
+      mock_document = mock("asset", :delete)
+      mock_document.expects(:destroy_child_assets).returns([])
+      ActiveFedora::Base.expects(:find).with("__PID__", :cast=>true).returns(mock_document)
+      # stub out authorize!
+      controller.expects(:authorize!).with(:destroy, mock_document)      
       delete(:destroy, :id => "__PID__")
+      response.should redirect_to catalog_index_path
     end
   end
   
@@ -127,10 +130,19 @@ describe Hydra::AssetsController do
   # Currently, the widthdraw method is an alias for destroy, should behave as such
   describe "withdraw" do
     it "should withdraw the asset identified by pid" do
-      mock_obj = mock("asset", :delete)
-      mock_obj.expects(:destroy_child_assets).returns([])
-      ActiveFedora::Base.expects(:find).with("__PID__", :cast=>true).returns(mock_obj)
-      delete(:withdraw, :id => "__PID__")
+      mock_document = mock("asset", :delete)
+      mock_document.stubs(:pid => '_PID_')
+      mock_document.expects(:destroy_child_assets).returns([])
+      ActiveFedora::Base.expects(:find).with("_PID_", :cast => true).returns(mock_document)
+      # stub out authorize!
+      controller.expects(:authorize!).with(:destroy, mock_document)
+      delete :withdraw, :id => "_PID_"
+      response.should redirect_to catalog_index_path
+    end
+    it "should restrict withdrawing to authorized users" do
+      mock_obj = mock("asset")
+      ActiveFedora::Base.expects(:find).with("_PID_", :cast=>true).returns(mock_obj)
+      lambda{get :withdraw, :id => "_PID_"}.should raise_error(CanCan::AccessDenied)
     end
   end
   

data/test_support/spec/controllers/permissions_controller_spec.rb

@@ -11,6 +11,8 @@ describe Hydra::PermissionsController do
   end
   describe "create" do
     it "should create a new permissions entry" do
+      # stub out permissions check
+      controller.expects(:enforce_access_controls).returns(true)
       @asset = ModsAsset.create
       post :create, :asset_id=>@asset.pid, :permission => {"actor_id"=>"_person_id_","actor_type"=>"person","access_level"=>"read"}      
       ModsAsset.find(@asset.pid).rightsMetadata.individuals.should == {"_person_id_" => "read"}
@@ -18,11 +20,20 @@ describe Hydra::PermissionsController do
   end
   describe "update" do
     it "should call Hydra::RightsMetadata properties setter" do
+      # stub out permissions check
+      controller.expects(:enforce_access_controls).returns(true)
       @asset = ModsAsset.new
       @asset.rightsMetadata.permissions({:group=>"students"})
       @asset.save
       post :update, :asset_id=>@asset.pid, :permission => {"group"=>{"_group_id_"=>"discover"}}
       ModsAsset.find(@asset.pid).rightsMetadata.groups.should == {"_group_id_" => "discover"}
     end
+    it "should restrict permissions setting to authenticated users" do
+      ActiveFedora::Base.expects(:find).never
+      post :update, :id => "hydrangea:fixture_mods_dataset1"
+      flash[:alert].should == "You do not have sufficient privileges to edit this document. You have been redirected to the read-only view."
+      flash[:notice].should be_nil
+      response.should be_redirect
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hydra-head
 version: !ruby/object:Gem::Version
-  version: 4.1.2
+  version: 4.1.3
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-10-23 00:00:00.000000000 Z
+date: 2012-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails