hyrax 3.1.0 → 3.2.0

data/app/services/hyrax/collection_types/permissions_service.rb

@@ -159,7 +159,7 @@ module Hyrax
       #   If calling from Abilities, pass the ability.  If you try to get the ability from the user, you end up in an infinit loop.
       def self.access_to_collection_type?(collection_type:, access:, user: nil, ability: nil) # rubocop:disable Metrics/CyclomaticComplexity
         return false unless user.present? || ability.present?
-        return false unless user && collection_type
+        return false unless collection_type
         return true if ([user_id(user, ability)] & agent_ids_for(collection_type: collection_type, agent_type: 'user', access: access)).present?
         return true if (user_groups(user, ability) & agent_ids_for(collection_type: collection_type, agent_type: 'group', access: access)).present?
         false

data/app/services/hyrax/collections/collection_member_service.rb

@@ -110,7 +110,7 @@ module Hyrax
           raise Hyrax::SingleMembershipError, message if message.present?
           new_member.member_of_collection_ids << collection_id # only populate this direction
           new_member = Hyrax.persister.save(resource: new_member)
-          Hyrax.publisher.publish('object.metadata.updated', object: new_member, user: user)
+          publish_metadata_updated(new_member, user)
           new_member
         end
 
@@ -148,9 +148,19 @@ module Hyrax
           return member unless member?(collection_id: collection_id, member: member)
           member.member_of_collection_ids.delete(collection_id)
           member = Hyrax.persister.save(resource: member)
-          Hyrax.publisher.publish('object.metadata.updated', object: member, user: user)
+          publish_metadata_updated(member, user)
           member
         end
+
+        private
+
+        def publish_metadata_updated(member, user)
+          if member.collection?
+            Hyrax.publisher.publish('collection.metadata.updated', collection: member, user: user)
+          else
+            Hyrax.publisher.publish('object.metadata.updated', object: member, user: user)
+          end
+        end
       end
     end
   end

data/app/services/hyrax/collections/permissions_create_service.rb

@@ -2,94 +2,96 @@
 module Hyrax
   module Collections
     class PermissionsCreateService
-      # @api public
-      #
-      # Set the default permissions for a (newly created) collection
-      #
-      # @param collection [::Collection] the collection the new permissions will act on
-      # @param creating_user [User] the user that created the collection
-      # @param grants [Array<Hash>] additional grants to apply to the new collection
-      # @return [Hyrax::PermissionTemplate]
-      def self.create_default(collection:, creating_user:, grants: [])
-        collection_type = Hyrax::CollectionType.find_by_gid!(collection.collection_type_gid)
-        access_grants = access_grants_attributes(collection_type: collection_type, creating_user: creating_user, grants: grants)
-        template = PermissionTemplate.create!(source_id: collection.id,
-                                              access_grants_attributes: access_grants.uniq)
+      class << self
+        # @api public
+        #
+        # Set the default permissions for a (newly created) collection
+        #
+        # @param collection [#collection_type_gid || Hyrax::AdministrativeSet] the collection or admin set the new permissions will act on
+        # @param creating_user [User] the user that created the collection
+        # @param grants [Array<Hash>] additional grants to apply to the new collection
+        # @return [Hyrax::PermissionTemplate]
+        def create_default(collection:, creating_user:, grants: [])
+          collection_type = Hyrax::CollectionType.find_by_gid!(collection.collection_type_gid)
+          access_grants = access_grants_attributes(collection_type: collection_type, creating_user: creating_user, grants: grants)
+          template = Hyrax::PermissionTemplate.create!(source_id: collection.id.to_s,
+                                                       access_grants_attributes: access_grants.uniq)
 
-        template.reset_access_controls_for(collection: collection, interpret_visibility: true)
-      end
-
-      # @api public
-      #
-      # Add access grants to a collection
-      #
-      # @param collection_id [String] id of a collection
-      # @param grants [Array<Hash>] array of grants to add to the collection
-      # @example grants
-      #   [ { agent_type: Hyrax::PermissionTemplateAccess::GROUP,
-      #       agent_id: 'my_group_name',
-      #       access: Hyrax::PermissionTemplateAccess::DEPOSIT } ]
-      # @see Hyrax::PermissionTemplateAccess for valid values for agent_type and access
-      def self.add_access(collection_id:, grants:)
-        collection = ::Collection.find(collection_id)
-        template = Hyrax::PermissionTemplate.find_by!(source_id: collection_id)
-        grants.each do |grant|
-          Hyrax::PermissionTemplateAccess.find_or_create_by(permission_template_id: template.id,
-                                                            agent_type: grant[:agent_type],
-                                                            agent_id: grant[:agent_id],
-                                                            access: grant[:access])
+          template.reset_access_controls_for(collection: collection, interpret_visibility: true)
+          template
         end
 
-        template.reset_access_controls_for(collection: collection, interpret_visibility: true)
-      end
+        # @api public
+        #
+        # Add access grants to a collection
+        #
+        # @param collection_id [String] id of a collection
+        # @param grants [Array<Hash>] array of grants to add to the collection
+        # @example grants
+        #   [ { agent_type: Hyrax::PermissionTemplateAccess::GROUP,
+        #       agent_id: 'my_group_name',
+        #       access: Hyrax::PermissionTemplateAccess::DEPOSIT } ]
+        # @see Hyrax::PermissionTemplateAccess for valid values for agent_type and access
+        def add_access(collection_id:, grants:)
+          collection = Hyrax.query_service.find_by(id: collection_id)
+          template = Hyrax::PermissionTemplate.find_by!(source_id: collection_id.to_s)
+          grants.each do |grant|
+            Hyrax::PermissionTemplateAccess.find_or_create_by(permission_template_id: template.id.to_s,
+                                                              agent_type: grant[:agent_type],
+                                                              agent_id: grant[:agent_id],
+                                                              access: grant[:access])
+          end
 
-      # @api private
-      #
-      # Gather the default permissions needed for a new collection
-      #
-      # @param collection_type [CollectionType] the collection type of the new collection
-      # @param creating_user [User] the user that created the collection
-      # @param grants [Array<Hash>] additional grants to apply to the new collection
-      # @return [Hash] a hash containing permission attributes
-      def self.access_grants_attributes(collection_type:, creating_user:, grants:)
-        [
-          { agent_type: 'group', agent_id: admin_group_name, access: Hyrax::PermissionTemplateAccess::MANAGE }
-        ].tap do |attribute_list|
-          # Grant manage access to the creating_user if it exists
-          attribute_list << { agent_type: 'user', agent_id: creating_user.user_key, access: Hyrax::PermissionTemplateAccess::MANAGE } if creating_user
-        end + managers_of_collection_type(collection_type: collection_type) + grants
-      end
-      private_class_method :access_grants_attributes
+          template.reset_access_controls_for(collection: collection, interpret_visibility: true)
+        end
 
-      # @api private
-      #
-      # Retrieve the users or groups with manage permissions for a collection type
-      #
-      # @param collection_type [CollectionType] the collection type of the new collection
-      # @return [Hash] a hash containing permission attributes
-      def self.managers_of_collection_type(collection_type:)
-        attribute_list = []
-        user_managers = Hyrax::CollectionTypes::PermissionsService.user_edit_grants_for_collection_of_type(collection_type: collection_type)
-        user_managers.each do |user|
-          attribute_list << { agent_type: 'user', agent_id: user, access: Hyrax::PermissionTemplateAccess::MANAGE }
+        private
+
+        # @api private
+        #
+        # Gather the default permissions needed for a new collection
+        #
+        # @param collection_type [CollectionType] the collection type of the new collection
+        # @param creating_user [User] the user that created the collection
+        # @param grants [Array<Hash>] additional grants to apply to the new collection
+        # @return [Array<Hash>] a hash containing permission attributes
+        def access_grants_attributes(collection_type:, creating_user:, grants:)
+          [
+            { agent_type: 'group', agent_id: admin_group_name, access: Hyrax::PermissionTemplateAccess::MANAGE }
+          ].tap do |attribute_list|
+            # Grant manage access to the creating_user if it exists
+            attribute_list << { agent_type: 'user', agent_id: creating_user.user_key, access: Hyrax::PermissionTemplateAccess::MANAGE } if creating_user
+          end + managers_of_collection_type(collection_type: collection_type) + grants
         end
-        group_managers = Hyrax::CollectionTypes::PermissionsService.group_edit_grants_for_collection_of_type(collection_type: collection_type)
-        group_managers.each do |group|
-          attribute_list << { agent_type: 'group', agent_id: group, access: Hyrax::PermissionTemplateAccess::MANAGE }
+
+        # @api private
+        #
+        # Retrieve the users or groups with manage permissions for a collection type
+        #
+        # @param collection_type [CollectionType] the collection type of the new collection
+        # @return [Array<Hash>] a hash containing permission attributes
+        def managers_of_collection_type(collection_type:)
+          attribute_list = []
+          user_managers = Hyrax::CollectionTypes::PermissionsService.user_edit_grants_for_collection_of_type(collection_type: collection_type)
+          user_managers.each do |user|
+            attribute_list << { agent_type: 'user', agent_id: user, access: Hyrax::PermissionTemplateAccess::MANAGE }
+          end
+          group_managers = Hyrax::CollectionTypes::PermissionsService.group_edit_grants_for_collection_of_type(collection_type: collection_type)
+          group_managers.each do |group|
+            attribute_list << { agent_type: 'group', agent_id: group, access: Hyrax::PermissionTemplateAccess::MANAGE }
+          end
+          attribute_list
         end
-        attribute_list
-      end
-      private_class_method :managers_of_collection_type
 
-      # @api private
-      #
-      # The value of the admin group name
-      #
-      # @return [String] a string representation of the admin group name
-      def self.admin_group_name
-        ::Ability.admin_group_name
+        # @api private
+        #
+        # The value of the admin group name
+        #
+        # @return [String] a string representation of the admin group name
+        def admin_group_name
+          ::Ability.admin_group_name
+        end
       end
-      private_class_method :admin_group_name
     end
   end
 end

data/app/services/hyrax/collections/permissions_service.rb

@@ -243,7 +243,7 @@ module Hyrax
       # @note Several checks get the user's groups from the user's ability.  The same values can be retrieved directly from a passed in ability.
       def self.access_to_collection?(collection_id:, access:, ability:, exclude_groups: [])
         return false unless collection_id
-        template = Hyrax::PermissionTemplate.find_by!(source_id: collection_id)
+        template = Hyrax::PermissionTemplate.find_by!(source_id: collection_id.to_s)
         return true if ([ability.current_user.user_key] & template.agent_ids_for(agent_type: 'user', access: access)).present?
         return true if (ability.user_groups & (template.agent_ids_for(agent_type: 'group', access: access) - exclude_groups)).present?
         false

data/app/services/hyrax/curation_concern.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 module Hyrax
   class CurationConcern
+    ##
     # The actor middleware stack can be customized like so:
     #   # Adding a new middleware
     #   Hyrax::CurationConcern.actor_factory.use MyCustomActor
@@ -16,14 +17,35 @@ module Hyrax
     #
     # You can customize the actor stack, so long as you do so before the actor
     # is used.  Once it is used, it becomes immutable.
+    #
     # @return [ActionDispatch::MiddlewareStack]
+    # @see Hyrax::DefaultMiddlewareStack
     def self.actor_factory
       @actor_factory ||= Hyrax::DefaultMiddlewareStack.build_stack
     end
 
-    # A consumer of this method can inject a different factory
-    # into this class in order to change the behavior of this method.
+    ##
+    # Provides the Hyrax "Actor Stack" used during creation of Works when
+    # +ActiveFedora+ models are used by the application
+    #
+    # The "Actor Stack" consists of a series of objects ("Actors"), which
+    # implement +#create+, +#update+ and +#destroy+. Each actor's methods
+    # promise to call the same methods on the next actor in the series, and may
+    # do some work before (on the way down the stack) and/or after (on the
+    # way up) calling to the next actor.
+    #
+    # The normal convention is to call an actor inheriting
+    # {Hyrax::Actors::BaseActor} at or near the bottom of the stack, to handle
+    # the create, update , or destroy action.
+    #
+    # @note this stack, and the Actor classes it calls, is not used when
+    #   +Valkyrie+ models are defined by the application. in that context,
+    #   this behavior is replaced by `Hyrax::Transactions::Container`.
+    #
     # @return [#create, #update] an actor that can create and update the work
+    #
+    # @see Hyrax::DefaultMiddlewareStack
+    # @see https://samvera.github.io/actor_stack.html
     def self.actor
       @work_middleware_stack ||= actor_factory.build(Actors::Terminator.new)
     end

data/app/services/hyrax/default_middleware_stack.rb

@@ -1,5 +1,16 @@
 # frozen_string_literal: true
 module Hyrax
+  ##
+  # Defines the Hyrax "Actor Stack", used in creation of works when using
+  # +ActiveFedora+.
+  #
+  # @note this stack, and the Actor classes it calls, is not used when
+  #   +Valkyrie+ models are defined by the application. in that context,
+  #   this behavior is replaced by `Hyrax::Transactions::Container`.
+  #
+  # @see Hyrax::CurationConcern.actor
+  # @see Hyrax::WorksControllerBehavior#create
+  # @see Hyrax::WorksControllerBehavior#update
   class DefaultMiddlewareStack
     # rubocop:disable Metrics/MethodLength
     def self.build_stack

data/app/services/hyrax/ensure_well_formed_admin_set_service.rb

@@ -14,12 +14,12 @@ module Hyrax
     #
     # @param admin_set_id [String, nil]
     #
-    # @return [String] an admin_set_id; if you provide a "present"
+    # @return [#to_s] an admin_set_id; if you provide a "present"
     #   admin_set_id, this service will return that.
     #
-    # @see AdminSet.find_or_create_default_admin_set_id
+    # @see Hyrax::AdminSetCreateService.find_or_create_default_admin_set
     def self.call(admin_set_id: nil)
-      admin_set_id = admin_set_id.presence || AdminSet.find_or_create_default_admin_set_id
+      admin_set_id = admin_set_id.presence&.to_s || Hyrax::AdminSetCreateService.find_or_create_default_admin_set.id.to_s
       Hyrax::PermissionTemplate.find_or_create_by!(source_id: admin_set_id)
       admin_set_id
     end

data/app/services/hyrax/listeners/active_fedora_acl_index_listener.rb

@@ -13,6 +13,7 @@ module Hyrax
       #
       # @param event [Dry::Event]
       def on_object_acl_updated(event)
+        return if Hyrax.config.disable_wings
         return unless event[:result] == :success # do nothing on failure
 
         if Hyrax.metadata_adapter.is_a?(Wings::Valkyrie::MetadataAdapter)

data/app/services/hyrax/listeners/metadata_index_listener.rb

@@ -15,10 +15,17 @@ module Hyrax
       # Re-index the resource.
       #
       # @param event [Dry::Event]
-      def on_object_metadata_updated(event)
-        log_non_resource(event) && return unless
-          event[:object].is_a?(Valkyrie::Resource)
+      def on_collection_metadata_updated(event)
+        return unless resource? event[:collection]
+        Hyrax.index_adapter.save(resource: event[:collection])
+      end
 
+      ##
+      # Re-index the resource.
+      #
+      # @param event [Dry::Event]
+      def on_object_metadata_updated(event)
+        return unless resource? event[:object]
         Hyrax.index_adapter.save(resource: event[:object])
       end
 
@@ -27,17 +34,26 @@ module Hyrax
       #
       # @param event [Dry::Event]
       def on_object_deleted(event)
-        log_non_resource(event.payload) && return unless
-          event.payload[:object].is_a?(Valkyrie::Resource)
-
+        return unless resource?(event.payload[:object])
         Hyrax.index_adapter.delete(resource: event[:object])
       end
 
       private
 
-      def log_non_resource(event)
-        Hyrax.logger.info('Skipping object reindex because the object ' \
-                          "#{event[:object]} was not a Valkyrie::Resource.")
+      def resource?(resource)
+        return true if resource.is_a? Valkyrie::Resource
+        log_non_resource(resource)
+        false
+      end
+
+      def log_non_resource(resource)
+        generic_type = resource_generic_type(resource)
+        Hyrax.logger.info("Skipping #{generic_type} reindex because the " \
+                          "#{generic_type} #{resource} was not a Valkyrie::Resource.")
+      end
+
+      def resource_generic_type(resource)
+        resource.try(:collection?) ? 'collection' : 'object'
       end
     end
   end

data/app/services/hyrax/permission_manager.rb

@@ -143,7 +143,7 @@ module Hyrax
     def groups_for(mode:)
       Enumerator.new do |yielder|
         acl.permissions.each do |permission|
-          next unless permission.mode == mode
+          next unless permission.mode.to_sym == mode
           next unless permission.agent.starts_with?(Hyrax::Group.name_prefix)
           yielder << permission.agent.gsub(Hyrax::Group.name_prefix, '')
         end
@@ -154,7 +154,7 @@ module Hyrax
       groups = groups.map(&:to_s)
 
       acl.permissions.each do |permission|
-        next unless permission.mode == mode
+        next unless permission.mode.to_sym == mode
         next unless permission.agent.starts_with?(Hyrax::Group.name_prefix)
 
         group_name = permission.agent.gsub(Hyrax::Group.name_prefix, '')
@@ -175,7 +175,7 @@ module Hyrax
       end
 
       acl.permissions.each do |permission|
-        next unless permission.mode == mode
+        next unless permission.mode.to_sym == mode
         next if permission.agent.starts_with?(Hyrax::Group.name_prefix)
         next if users.include? permission.agent
 
@@ -189,7 +189,7 @@ module Hyrax
     def users_for(mode:)
       Enumerator.new do |yielder|
         acl.permissions.each do |permission|
-          next unless permission.mode == mode
+          next unless permission.mode.to_sym == mode
           next if permission.agent.starts_with?(Hyrax::Group.name_prefix)
           yielder << permission.agent
         end

data/app/services/hyrax/solr_service.rb

@@ -140,7 +140,7 @@ module Hyrax
     # valkyrie indexers used here would, at minimum, need to provide a
     # functioning `rsolr` connection.
     def valkyrie_index
-      Valkyrie::IndexingAdapter.find(:solr_index)
+      Hyrax.index_adapter
     end
 
     ##

data/app/services/hyrax/statistics/collections/over_time.rb

@@ -6,7 +6,8 @@ module Hyrax
         private
 
         def relation
-          ::Collection
+          AbstractTypeRelation
+            .new(allowable_types: [Hyrax.config.collection_class])
         end
       end
     end

data/app/services/hyrax/workflow/abstract_notification.rb

@@ -39,9 +39,9 @@ module Hyrax
       # @option recipients [Array<Hyrax::User>] :to a list of users to which to send the notification
       # @option recipients [Array<Hyrax::User>] :cc a list of users to which to copy on the notification
       def initialize(entity, comment, user, recipients)
-        @work_id = entity.proxy_for_global_id.sub(/.*\//, '')
+        @work_id = entity.proxy_for.id
         @title = entity.proxy_for.title.first
-        @comment = comment.respond_to?(:comment) ? comment.comment.to_s : ''
+        @comment = comment&.comment.to_s
         # Convert to hash with indifferent access to allow both string and symbol keys
         @recipients = recipients.with_indifferent_access
         @user = user

data/app/services/hyrax/workflow/action_taken_service.rb

@@ -14,7 +14,14 @@ module Hyrax
       end
 
       def initialize(target:, action:, comment:, user:)
-        @target = target
+        @target =
+          case target
+          when Valkyrie::Resource
+            Hyrax::ChangeSet.for(target)
+          else
+            target
+          end
+
         @action = action
         @comment = comment
         @user = user
@@ -70,10 +77,15 @@ module Hyrax
       # @api private
       def save_target
         case target
-        when ActiveFedora::Base
-          target.save
+        when Valkyrie::ChangeSet
+          return target.model unless target.changed?
+
+          Hyrax::Transactions::Container['change_set.apply']
+            .with_step_args('change_set.save' => { user: user })
+            .call(target)
+            .value!
         else
-          Hyrax.persister.save(resource: target)
+          target.save
         end
       end
     end

data/app/services/hyrax/workflow/activate_object.rb

@@ -3,14 +3,15 @@ module Hyrax
   module Workflow
     module ActivateObject
       ##
-      # This is a built in function for workflow, setting the `#state`
-      # of the target to the Fedora 'active' status URI
+      # This is a built in function for workflow, setting the +#state+
+      # of the target to the Fedora +active+ status URI
       #
-      # @param target [#state] an instance of a model that includes `Hyrax::Suppressible`
+      # @param target [#state] an instance of a model with a +#state+ property;
+      #   e.g. a {Hyrax::Work}
       #
       # @return [RDF::Vocabulary::Term] the Fedora Resource Status 'active' term
       def self.call(target:, **)
-        target.state = Vocab::FedoraResourceStatus.active
+        target.state = Hyrax::ResourceStatus::ACTIVE
       end
     end
   end

data/app/services/hyrax/workflow/changes_required_notification.rb

@@ -9,14 +9,15 @@ module Hyrax
       end
 
       def message
-        I18n.t('hyrax.notifications.workflow.changes_required.message', title: title,
-                                                                        link: (link_to work_id, document_path),
-                                                                        comment: comment)
+        I18n.t('hyrax.notifications.workflow.changes_required.message',
+               title: title,
+               link: (link_to work_id, document_path),
+               comment: comment)
       end
 
       def users_to_notify
         user_key = document.depositor
-        super << ::User.find_by(email: user_key)
+        super << ::User.find_by_user_key(user_key)
       end
     end
   end

data/app/services/hyrax/workflow/deactivate_object.rb

@@ -2,15 +2,17 @@
 module Hyrax
   module Workflow
     ##
-    # This is a built in function for workflow, setting the `#state`
-    # of the target to the Fedora 'inactive' status URI
+    # This is a built in function for workflow, setting the +#state+
+    # of the target to the Fedora +inactive+ status URI
     #
-    # @param target [#state] an instance of a model that includes `Hyrax::Suppressible`
+    # @param target [#state] an instance of a model with a +#state+ property;
+    #   e.g. a {Hyrax::Work}
     #
-    # @return [RDF::Vocabulary::Term] the Fedora Resource Status 'inactive' term
+    # @return [RDF::URI] the Fedora Resource Status 'inactive' term
+    # @see Hyrax::ResourceStatus
     module DeactivateObject
       def self.call(target:, **)
-        target.state = Vocab::FedoraResourceStatus.inactive
+        target.state = Hyrax::ResourceStatus::INACTIVE
       end
     end
   end

data/app/services/hyrax/workflow/deposited_notification.rb

@@ -9,13 +9,17 @@ module Hyrax
       end
 
       def message
-        I18n.t('hyrax.notifications.workflow.deposited.message', title: title, link: (link_to work_id, document_path),
-                                                                 user: user.user_key, comment: comment)
+        I18n.t('hyrax.notifications.workflow.deposited.message',
+               title: title,
+               link: (link_to work_id, document_path),
+               user: user.user_key,
+               comment: comment)
       end
 
       def users_to_notify
-        user_key = Hyrax.query_service.find_by_alternate_identifier(alternate_identifier: work_id).depositor
-        super << ::User.find_by(email: user_key)
+        user_key = @entity.proxy_for.depositor
+
+        super << ::User.find_by_user_key(user_key)
       end
     end
   end

data/app/services/hyrax/workflow/grant_edit_to_depositor.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 module Hyrax
   module Workflow
+    ##
     # This is a built in function for workflow, so that a workflow action can be created that
     # grants the creator the ability to alter it.
     module GrantEditToDepositor
@@ -8,11 +9,14 @@ module Hyrax
       # @return void
       def self.call(target:, **)
         return true unless target.try(:depositor)
-        target.edit_users = target.edit_users.to_a + Array.wrap(target.depositor) # += works in Ruby 2.6+
-        target.try(:permission_manager)&.acl&.save
+
+        model = target.try(:model) || target # get the model if target is a ChangeSet
+        model.edit_users = model.edit_users.to_a + Array.wrap(target.depositor) # += works in Ruby 2.6+
+        model.try(:permission_manager)&.acl&.save
+
         # If there are a lot of members, granting access to each could take a
         # long time. Do this work in the background.
-        GrantEditToMembersJob.perform_later(target, target.depositor)
+        GrantEditToMembersJob.perform_later(model, target.depositor)
       end
     end
   end

data/app/services/hyrax/workflow/grant_read_to_depositor.rb

@@ -1,16 +1,23 @@
 # frozen_string_literal: true
 module Hyrax
   module Workflow
+    ##
     # This is a built in function for workflow, so that a workflow action can be created that
     # grants the creator the ability to view their work.
     module GrantReadToDepositor
-      # @param [#read_users=, #read_users] target (likely an ActiveRecord::Base) to which we are adding read_users for the depositor
+      # @param [#read_users=, #read_users] target to which we are adding read_users
+      #   for the depositor
       # @return void
       def self.call(target:, **)
-        target.read_users += [target.depositor]
+        return true unless target.try(:depositor)
+
+        model = target.try(:model) || target # get the model if target is a ChangeSet
+        model.read_users = model.read_users.to_a + Array.wrap(target.depositor) # += works in Ruby 2.6+
+        model.try(:permission_manager)&.acl&.save
+
         # If there are a lot of members, granting access to each could take a
         # long time. Do this work in the background.
-        GrantReadToMembersJob.perform_later(target, target.depositor)
+        GrantReadToMembersJob.perform_later(model, target.depositor)
       end
     end
   end

data/app/services/hyrax/workflow/revoke_edit_from_depositor.rb

@@ -1,14 +1,20 @@
 # frozen_string_literal: true
 module Hyrax
   module Workflow
+    ##
     # This is a built in function for workflow, so that a workflow action can be created that
     # removes the creators the ability to alter it.
     module RevokeEditFromDepositor
       def self.call(target:, **)
-        target.edit_users -= [target.depositor]
+        return true unless target.try(:depositor)
+
+        model = target.try(:model) || target # get the model if target is a ChangeSet
+        model.edit_users = model.edit_users.to_a - Array.wrap(target.depositor)
+        model.try(:permission_manager)&.acl&.save
+
         # If there are a lot of members, revoking access from each could take a
         # long time. Do this work in the background.
-        RevokeEditFromMembersJob.perform_later(target, target.depositor)
+        RevokeEditFromMembersJob.perform_later(model, target.depositor)
       end
     end
   end