Module: Hydra::PolicyAwareAbility
Overview
Repeats access controls evaluation methods, but checks against a governing “Policy” object (or “Collection” object) that provides inherited access controls.
Instance Attribute Summary
Attributes included from Ability
#cache, #current_user, #session
Instance Method Summary collapse
-
#edit_groups_from_policy(policy_pid) ⇒ Object
Returns the list of groups granted edit access by the policy object identified by policy_pid.
-
#edit_persons_from_policy(policy_pid) ⇒ Object
Returns the list of individuals granted edit access by the policy object identified by policy_pid.
-
#policy_permissions_doc(policy_pid) ⇒ Object
Returns the permissions solr document for policy_pid The document is stored in an instance variable, so calling this multiple times will only query solr once.
-
#policy_pid_for(object_pid) ⇒ Object
Returns the pid of policy object (is_governed_by) for the specified object Assumes that the policy object is associated by an is_governed_by relationship (which is stored as “is_governed_by_ssim” in object’s solr document) Returns nil if no policy associated with the object.
-
#read_groups_from_policy(policy_pid) ⇒ Object
Returns the list of groups granted read access by the policy object identified by policy_pid Note: edit implies read, so read_groups is the union of edit and read groups.
-
#read_persons_from_policy(policy_pid) ⇒ Object
Returns the list of individuals granted read access by the policy object identified by policy_pid Noate: edit implies read, so read_persons is the union of edit and read persons.
-
#test_edit(pid) ⇒ Object
Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access.
-
#test_edit_from_policy(object_pid) ⇒ Object
Tests whether the object’s governing policy object grants edit access for the current user.
-
#test_read(pid) ⇒ Object
Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access.
-
#test_read_from_policy(object_pid) ⇒ Object
Tests whether the object’s governing policy object grants read access for the current user.
Methods included from Ability
#create_permissions, #custom_permissions, #default_user_groups, #edit_permissions, #hydra_default_permissions, #initialize, #read_permissions, user_class, #user_groups
Instance Method Details
#edit_groups_from_policy(policy_pid) ⇒ Object
Returns the list of groups granted edit access by the policy object identified by policy_pid
78 79 80 81 82 83 84 |
# File 'lib/hydra/policy_aware_ability.rb', line 78 def edit_groups_from_policy(policy_pid) = (policy_pid) edit_group_field = Hydra.config[:permissions][:inheritable][:edit][:group] eg = (( == nil || .fetch(edit_group_field,nil) == nil) ? [] : .fetch(edit_group_field,nil)) logger.debug("[CANCAN] -policy- edit_groups: #{eg.inspect}") return eg end |
#edit_persons_from_policy(policy_pid) ⇒ Object
Returns the list of individuals granted edit access by the policy object identified by policy_pid
97 98 99 100 101 102 103 |
# File 'lib/hydra/policy_aware_ability.rb', line 97 def edit_persons_from_policy(policy_pid) = (policy_pid) edit_person_field = Hydra.config[:permissions][:inheritable][:edit][:individual] ep = (( == nil || .fetch(edit_person_field,nil) == nil) ? [] : .fetch(edit_person_field,nil)) logger.debug("[CANCAN] -policy- edit_persons: #{ep.inspect}") return ep end |
#policy_permissions_doc(policy_pid) ⇒ Object
Returns the permissions solr document for policy_pid The document is stored in an instance variable, so calling this multiple times will only query solr once. To force reload, set @policy_permissions_solr_cache to {}
44 45 46 47 |
# File 'lib/hydra/policy_aware_ability.rb', line 44 def (policy_pid) @policy_permissions_solr_cache ||= {} @policy_permissions_solr_cache[policy_pid] ||= (policy_pid) end |
#policy_pid_for(object_pid) ⇒ Object
Returns the pid of policy object (is_governed_by) for the specified object Assumes that the policy object is associated by an is_governed_by relationship (which is stored as “is_governed_by_ssim” in object’s solr document) Returns nil if no policy associated with the object
30 31 32 33 34 35 36 37 38 39 |
# File 'lib/hydra/policy_aware_ability.rb', line 30 def policy_pid_for(object_pid) policy_pid = policy_pid_cache[object_pid] return policy_pid if policy_pid solr_result = ActiveFedora::Base.find_with_conditions({:id=>object_pid}, :fl=>ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)) begin policy_pid_cache[object_pid] = policy_pid = value_from_solr_field(solr_result, ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)).first.gsub("info:fedora/", "") rescue NoMethodError end return policy_pid end |
#read_groups_from_policy(policy_pid) ⇒ Object
Returns the list of groups granted read access by the policy object identified by policy_pid Note: edit implies read, so read_groups is the union of edit and read groups
88 89 90 91 92 93 94 |
# File 'lib/hydra/policy_aware_ability.rb', line 88 def read_groups_from_policy(policy_pid) = (policy_pid) read_group_field = Hydra.config[:permissions][:inheritable][:read][:group] rg = edit_groups_from_policy(policy_pid) | (( == nil || .fetch(read_group_field,nil) == nil) ? [] : .fetch(read_group_field,nil)) logger.debug("[CANCAN] -policy- read_groups: #{rg.inspect}") return rg end |
#read_persons_from_policy(policy_pid) ⇒ Object
Returns the list of individuals granted read access by the policy object identified by policy_pid Noate: edit implies read, so read_persons is the union of edit and read persons
107 108 109 110 111 112 113 |
# File 'lib/hydra/policy_aware_ability.rb', line 107 def read_persons_from_policy(policy_pid) = (policy_pid) read_individual_field = Hydra.config[:permissions][:inheritable][:read][:individual] rp = edit_persons_from_policy(policy_pid) | (( == nil || .fetch(read_individual_field,nil) == nil) ? [] : .fetch(read_individual_field,nil)) logger.debug("[CANCAN] -policy- read_persons: #{rp.inspect}") return rp end |
#test_edit(pid) ⇒ Object
Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
7 8 9 10 11 12 13 14 |
# File 'lib/hydra/policy_aware_ability.rb', line 7 def test_edit(pid) result = super if result return result else return test_edit_from_policy(pid) end end |
#test_edit_from_policy(object_pid) ⇒ Object
Tests whether the object’s governing policy object grants edit access for the current user
50 51 52 53 54 55 56 57 58 59 60 61 |
# File 'lib/hydra/policy_aware_ability.rb', line 50 def test_edit_from_policy(object_pid) policy_pid = policy_pid_for(object_pid) if policy_pid.nil? return false else logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{current_user.user_key}?") group_intersection = user_groups & edit_groups_from_policy( policy_pid ) result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(current_user.user_key) logger.debug("[CANCAN] -policy- decision: #{result}") return result end end |
#test_read(pid) ⇒ Object
Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access
17 18 19 20 21 22 23 24 |
# File 'lib/hydra/policy_aware_ability.rb', line 17 def test_read(pid) result = super if result return result else return test_read_from_policy(pid) end end |
#test_read_from_policy(object_pid) ⇒ Object
Tests whether the object’s governing policy object grants read access for the current user
64 65 66 67 68 69 70 71 72 73 74 75 |
# File 'lib/hydra/policy_aware_ability.rb', line 64 def test_read_from_policy(object_pid) policy_pid = policy_pid_for(object_pid) if policy_pid.nil? return false else logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{current_user.user_key}?") group_intersection = user_groups & read_groups_from_policy( policy_pid ) result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(current_user.user_key) logger.debug("[CANCAN] -policy- decision: #{result}") result end end |