hydra-head 4.1.2 → 4.1.3
- data/app/controllers/hydra/contributors_controller.rb +4 -1
- data/app/controllers/hydra/permissions_controller.rb +4 -1
- data/lib/hydra-head/version.rb +1 -1
- data/lib/hydra/controller/assets_controller_behavior.rb +1 -0
- data/lib/hydra/controller/file_assets_behavior.rb +2 -0
- data/test_support/spec/controllers/contributors_controller_spec.rb +11 -1
- data/test_support/spec/controllers/file_assets_controller_spec.rb +16 -1
- data/test_support/spec/controllers/hydra-assets_controller_spec.rb +19 -7
- data/test_support/spec/controllers/permissions_controller_spec.rb +11 -0
- metadata +2 -2
@@ -6,8 +6,10 @@ class Hydra::ContributorsController < ApplicationController
|
|
6
6
|
include Hydra::Controller::RepositoryControllerBehavior
|
7
7
|
include Hydra::AssetsControllerHelper
|
8
8
|
include Hydra::SubmissionWorkflow
|
9
|
-
|
9
|
+
include Hydra::AccessControlsEnforcement
|
10
|
+
|
10
11
|
before_filter :load_document, :only => :update
|
12
|
+
before_filter :enforce_access_controls
|
11
13
|
|
12
14
|
def initialize *args
|
13
15
|
Deprecation.warn(Hydra::ContributorsController, "Hydra::ContributorsController is deprecated and will be removed from #{self.class.deprecation_horizon}")
|
@@ -71,6 +73,7 @@ class Hydra::ContributorsController < ApplicationController
|
|
71
73
|
def destroy
|
72
74
|
af_model = retrieve_af_model(params[:content_type], :default=>ModsAsset)
|
73
75
|
@document_fedora = af_model.find(params[:asset_id])
|
76
|
+
authorize! :edit, @document_fedora
|
74
77
|
@document_fedora.remove_contributor(params[:contributor_type], params[:index])
|
75
78
|
result = @document_fedora.save
|
76
79
|
if request.xhr?
|
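Review bot: The new `before_filter :enforce_access_controls` is the only check on the other actions of this controller, while `destroy` reads the object from `params[:asset_id]` and gets its own `authorize! :edit, @document_fedora`. If the filter resolves the object from `params[:id]` (the permissions spec in this release exercises denial with `:id`, which suggests so), a request carrying only `asset_id` would pass the filter without being checked against the target object. The same applies to the Hydra::PermissionsController hunks, where `index` loads by `params[:asset_id]` and a later action loads by `pid` before calling `update_permissions(params[:permission])`. I would add `authorize! :edit, @document_fedora` right after each `find` in those actions, as `destroy` does here. The filter's implementation and the create and update bodies are outside these hunks, so this needs confirming against the full files.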
@@ -10,6 +10,9 @@ class Hydra::PermissionsController < ApplicationController
|
|
10
10
|
|
11
11
|
include Hydra::AssetsControllerHelper
|
12
12
|
include Hydra::SubmissionWorkflow
|
13
|
+
include Hydra::AccessControlsEnforcement
|
14
|
+
|
15
|
+
before_filter :enforce_access_controls
|
13
16
|
|
14
17
|
def index
|
15
18
|
@document_fedora=ActiveFedora::Base.find(params[:asset_id], :cast=>true)
|
@@ -79,7 +82,7 @@ class Hydra::PermissionsController < ApplicationController
|
|
79
82
|
end
|
80
83
|
|
81
84
|
@document_fedora=ActiveFedora::Base.find(pid, :cast=>true)
|
82
|
-
|
85
|
+
|
83
86
|
# update the datastream's values
|
84
87
|
result = @document_fedora.rightsMetadata.update_permissions(params[:permission])
|
85
88
|
|
data/lib/hydra-head/version.rb
CHANGED
@@ -57,6 +57,7 @@ module Hydra::Controller::FileAssetsBehavior
|
|
57
57
|
elsif params.has_key?(:number_of_files) and params[:number_of_files] == "0"
|
58
58
|
return redirect_to next_step(params[:id])
|
59
59
|
end
|
60
|
+
authorize! :edit, (params[:container_id] || params[:id])
|
60
61
|
|
61
62
|
if params.has_key?(:Filedata)
|
62
63
|
notice = process_files
|
@@ -98,6 +99,7 @@ module Hydra::Controller::FileAssetsBehavior
|
|
98
99
|
|
99
100
|
# Common destroy method for all AssetsControllers
|
100
101
|
def destroy
|
102
|
+
authorize! :destroy, params[:id]
|
101
103
|
ActiveFedora::Base.find(params[:id], :cast=>true).delete
|
102
104
|
|
103
105
|
flash[:notice] = "Deleted #{params[:id]} from #{params[:container_id]}."
|
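Review bot: In `destroy` the added `authorize! :destroy, params[:id]` checks a raw pid string and the object is then fetched separately by `ActiveFedora::Base.find`, whereas the assets controller spec in this release expects `authorize!` to receive the loaded document. Whether the ability defines a `:destroy` rule for String pids is not visible here, so I would load once and authorize the object: `asset = ActiveFedora::Base.find(params[:id], :cast=>true)`, `authorize! :destroy, asset`, `asset.delete`. In `create`, the new `authorize! :edit, (params[:container_id] || params[:id])` receives `nil` when neither parameter is sent, a case the spec exercises with `xhr :post, :create`. A comment stating that a nil subject is expected to be denied would make the intent explicit. Both method bodies continue outside the hunks.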
@@ -23,6 +23,8 @@ describe Hydra::ContributorsController do
|
|
23
23
|
describe "create" do
|
24
24
|
it "should support adding new person / contributor / organization nodes" do
|
25
25
|
mock_document = mock("document")
|
26
|
+
# stub out access controlls enforcement
|
27
|
+
controller.expects(:enforce_access_controls).at_least_once.returns(true)
|
26
28
|
["person","conference","organization"].each do |type|
|
27
29
|
mock_document.expects(:insert_contributor).with(type).returns(["foo node",989])
|
28
30
|
mock_document.expects(:save)
|
@@ -33,6 +35,8 @@ describe Hydra::ContributorsController do
|
|
33
35
|
end
|
34
36
|
it "should return inline html if format is inline" do
|
35
37
|
mock_document = mock("document")
|
38
|
+
# stub out access controlls enforcement
|
39
|
+
controller.expects(:enforce_access_controls).at_least_once.returns(true)
|
36
40
|
["person","conference","organization"].each do |type|
|
37
41
|
mock_document.expects(:insert_contributor).with(type).returns(["foo node","foo index"])
|
38
42
|
mock_document.expects(:save)
|
@@ -49,9 +53,15 @@ describe Hydra::ContributorsController do
|
|
49
53
|
mock_dataset.expects(:remove_contributor).with("conference", "3")
|
50
54
|
mock_dataset.expects(:save)
|
51
55
|
ModsAsset.expects(:find).with("_PID_").returns(mock_dataset)
|
52
|
-
|
56
|
+
# stub out authorize!
|
57
|
+
controller.expects(:authorize!).with(:edit, mock_dataset)
|
53
58
|
delete :destroy, :asset_id=>"_PID_", :content_type => "mods_asset", :contributor_type=>"conference", :index=>"3"
|
54
59
|
end
|
60
|
+
it "should now allow non-authed users to destroy contributors" do
|
61
|
+
mock_dataset = mock("Dataset")
|
62
|
+
ModsAsset.expects(:find).with("_PID_").returns(mock_dataset)
|
63
|
+
lambda{delete :destroy, :asset_id=>"_PID_", :content_type => "mods_asset", :contributor_type=>"conference", :index=>"3"}.should raise_error(CanCan::AccessDenied)
|
64
|
+
end
|
55
65
|
end
|
56
66
|
|
57
67
|
end
|
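Review bot: The description of the added denial example, "should now allow non-authed users to destroy contributors", says the opposite of what it asserts; it should read `it "should not allow non-authed users to destroy contributors" do`. The two `create` examples stub `enforce_access_controls` to return true, so nothing in this section shows the new filter refusing a request. A denial example for the filtered actions, sent with `:asset_id` as the destroy example does, would pin the behaviour the controller change is meant to add. The comment `# stub out access controlls enforcement` also misspells `controls`.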
@@ -79,13 +79,17 @@ describe Hydra::FileAssetsController do
|
|
79
79
|
|
80
80
|
describe "create" do
|
81
81
|
it "should create and save a file asset from the given params" do
|
82
|
+
# stub out authorize! call
|
83
|
+
controller.expects(:authorize!).with(:edit, "example:invalid_object").returns(true)
|
82
84
|
mock_fa = mock("FileAsset")
|
83
85
|
mock_file = mock("File")
|
84
86
|
mock_fa.stubs(:pid).returns("foo:pid")
|
85
87
|
controller.expects(:create_and_save_file_assets_from_params).returns([mock_fa])
|
86
|
-
xhr :post, :create, :Filedata=>[mock_file], :Filename=>"Foo File"
|
88
|
+
xhr :post, :create, :Filedata=>[mock_file], :Filename=>"Foo File", :id => "example:invalid_object"
|
87
89
|
end
|
88
90
|
it "if container_id is provided, should associate the created file asset wtih the container" do
|
91
|
+
# stub out authorize! call
|
92
|
+
controller.expects(:authorize!).with(:edit, "_PID_").returns(true)
|
89
93
|
stub_fa = stub("FileAsset", :save)
|
90
94
|
stub_fa.stubs(:pid).returns("foo:pid")
|
91
95
|
stub_fa.stubs(:label).returns("Foo File")
|
@@ -95,20 +99,29 @@ describe Hydra::FileAssetsController do
|
|
95
99
|
xhr :post, :create, :Filedata=>[mock_file], :Filename=>"Foo File", :container_id=>"_PID_"
|
96
100
|
end
|
97
101
|
it "should redirect back to edit view if no Filedata is provided but container_id is provided" do
|
102
|
+
# stub out authorize! call
|
103
|
+
controller.expects(:authorize!).with(:edit, "_PID_").returns(true)
|
98
104
|
controller.expects(:model_config).at_least_once.returns(controller.workflow_config[:mods_assets])
|
99
105
|
xhr :post, :create, :container_id=>"_PID_", :wf_step=>"files"
|
100
106
|
response.should redirect_to edit_catalog_path("_PID_", :wf_step=>"permissions")
|
101
107
|
request.flash[:notice].should == "You must specify a file to upload."
|
102
108
|
end
|
103
109
|
it "should display a message that you need to select a file to upload if no Filedata is provided" do
|
110
|
+
# stub out authorize! call
|
111
|
+
controller.expects(:authorize!).returns(true)
|
104
112
|
xhr :post, :create
|
105
113
|
request.flash[:notice].include?("You must specify a file to upload.").should be_true
|
106
114
|
end
|
115
|
+
it "should throw an error if you don't have the ability to edit the parent object" do
|
116
|
+
lambda{xhr :post, :create, :id => "hydrangea:fixture_mods_dataset1"}.should raise_error(CanCan::AccessDenied)
|
117
|
+
end
|
107
118
|
|
108
119
|
end
|
109
120
|
|
110
121
|
describe "destroy" do
|
111
122
|
it "should delete the asset identified by pid" do
|
123
|
+
# stub out authorize! call
|
124
|
+
controller.expects(:authorize!).returns(true)
|
112
125
|
mock_obj = mock("asset", :delete)
|
113
126
|
ActiveFedora::Base.expects(:find).with("__PID__", :cast=>true).returns(mock_obj)
|
114
127
|
delete(:destroy, :id => "__PID__")
|
@@ -168,6 +181,8 @@ describe Hydra::FileAssetsController do
|
|
168
181
|
end
|
169
182
|
|
170
183
|
it "should set is_part_of relationship on the new File Asset pointing back at the container" do
|
184
|
+
# stub out authorize! call
|
185
|
+
controller.expects(:authorize!).returns(true)
|
171
186
|
test_file = fixture_file_upload('/small_file.txt', 'text/plain')
|
172
187
|
filename = "My File Name"
|
173
188
|
post :create, {:Filedata=>[test_file], :Filename=>filename, :container_id=>@test_container.pid}
|
@@ -116,10 +116,13 @@ describe Hydra::AssetsController do
|
|
116
116
|
|
117
117
|
describe "destroy" do
|
118
118
|
it "should delete the asset identified by pid" do
|
119
|
-
|
120
|
-
|
121
|
-
ActiveFedora::Base.expects(:find).with("__PID__", :cast=>true).returns(
|
119
|
+
mock_document = mock("asset", :delete)
|
120
|
+
mock_document.expects(:destroy_child_assets).returns([])
|
121
|
+
ActiveFedora::Base.expects(:find).with("__PID__", :cast=>true).returns(mock_document)
|
122
|
+
# stub out authorize!
|
123
|
+
controller.expects(:authorize!).with(:destroy, mock_document)
|
122
124
|
delete(:destroy, :id => "__PID__")
|
125
|
+
response.should redirect_to catalog_index_path
|
123
126
|
end
|
124
127
|
end
|
125
128
|
|
@@ -127,10 +130,19 @@ describe Hydra::AssetsController do
|
|
127
130
|
# Currently, the widthdraw method is an alias for destroy, should behave as such
|
128
131
|
describe "withdraw" do
|
129
132
|
it "should withdraw the asset identified by pid" do
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
133
|
+
mock_document = mock("asset", :delete)
|
134
|
+
mock_document.stubs(:pid => '_PID_')
|
135
|
+
mock_document.expects(:destroy_child_assets).returns([])
|
136
|
+
ActiveFedora::Base.expects(:find).with("_PID_", :cast => true).returns(mock_document)
|
137
|
+
# stub out authorize!
|
138
|
+
controller.expects(:authorize!).with(:destroy, mock_document)
|
139
|
+
delete :withdraw, :id => "_PID_"
|
140
|
+
response.should redirect_to catalog_index_path
|
141
|
+
end
|
142
|
+
it "should restrict withdrawing to authorized users" do
|
143
|
+
mock_obj = mock("asset")
|
144
|
+
ActiveFedora::Base.expects(:find).with("_PID_", :cast=>true).returns(mock_obj)
|
145
|
+
lambda{get :withdraw, :id => "_PID_"}.should raise_error(CanCan::AccessDenied)
|
134
146
|
end
|
135
147
|
end
|
136
148
|
|
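Review bot: The added denial example for withdraw sends `get :withdraw, :id => "_PID_"` while the passing example sends `delete :withdraw`, so the refusal is not tested on the verb that performs the deletion; use `lambda{delete :withdraw, :id => "_PID_"}.should raise_error(CanCan::AccessDenied)`. `destroy` has no denial example at all in this section. If GET is in fact routed to withdraw, that deserves a separate look, since a destructive action should not be reachable through a safe method; the routes are not visible here.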
@@ -11,6 +11,8 @@ describe Hydra::PermissionsController do
|
|
11
11
|
end
|
12
12
|
describe "create" do
|
13
13
|
it "should create a new permissions entry" do
|
14
|
+
# stub out permissions check
|
15
|
+
controller.expects(:enforce_access_controls).returns(true)
|
14
16
|
@asset = ModsAsset.create
|
15
17
|
post :create, :asset_id=>@asset.pid, :permission => {"actor_id"=>"_person_id_","actor_type"=>"person","access_level"=>"read"}
|
16
18
|
ModsAsset.find(@asset.pid).rightsMetadata.individuals.should == {"_person_id_" => "read"}
|
@@ -18,11 +20,20 @@ describe Hydra::PermissionsController do
|
|
18
20
|
end
|
19
21
|
describe "update" do
|
20
22
|
it "should call Hydra::RightsMetadata properties setter" do
|
23
|
+
# stub out permissions check
|
24
|
+
controller.expects(:enforce_access_controls).returns(true)
|
21
25
|
@asset = ModsAsset.new
|
22
26
|
@asset.rightsMetadata.permissions({:group=>"students"})
|
23
27
|
@asset.save
|
24
28
|
post :update, :asset_id=>@asset.pid, :permission => {"group"=>{"_group_id_"=>"discover"}}
|
25
29
|
ModsAsset.find(@asset.pid).rightsMetadata.groups.should == {"_group_id_" => "discover"}
|
26
30
|
end
|
31
|
+
it "should restrict permissions setting to authenticated users" do
|
32
|
+
ActiveFedora::Base.expects(:find).never
|
33
|
+
post :update, :id => "hydrangea:fixture_mods_dataset1"
|
34
|
+
flash[:alert].should == "You do not have sufficient privileges to edit this document. You have been redirected to the read-only view."
|
35
|
+
flash[:notice].should be_nil
|
36
|
+
response.should be_redirect
|
37
|
+
end
|
27
38
|
end
|
28
39
|
end
|
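Review bot: The added example "should restrict permissions setting to authenticated users" posts `:id => "hydrangea:fixture_mods_dataset1"`, but the passing create and update examples, like the controller hunks, identify the object with `:asset_id`. As written it shows a refusal only for a parameter shape the real requests do not use. Add the same assertions for `post :update, :asset_id => "hydrangea:fixture_mods_dataset1", :permission => {"group"=>{"_group_id_"=>"discover"}}` so a refusal is demonstrated on the path that reaches `update_permissions`. A matching denial example for `create` is also missing.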
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: hydra-head
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.1.
|
4
|
+
version: 4.1.3
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2012-
|
13
|
+
date: 2012-11-08 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: rails
|