Module: Hydra::PolicyAwareAbility

Extended by:
ActiveSupport::Concern, Deprecation
Includes:
Ability
Defined in:
lib/hydra/policy_aware_ability.rb

Overview

Repeats access controls evaluation methods, but checks against a governing “Policy” object (or “Collection” object) that provides inherited access controls.

Constant Summary collapse

IS_GOVERNED_BY_SOLR_FIELD = 
"isGovernedBy_ssim".freeze

Instance Attribute Summary

Attributes included from Ability

#cache, #current_user, #session

Instance Method Summary collapse

Methods included from Ability

#create_permissions, #custom_permissions, #default_user_groups, #download_permissions, #edit_permissions, #hydra_default_permissions, #initialize, #read_permissions, user_class, #user_groups

Instance Method Details

#edit_groups_from_policy(policy_pid) ⇒ Object

Returns the list of groups granted edit access by the policy object identified by policy_pid



71
72
73
74
75
76
77
 
# File 'lib/hydra/policy_aware_ability.rb', line 71

def edit_groups_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  edit_group_field = Hydra.config.permissions.inheritable[:edit][:group]
  eg = ((policy_permissions == nil || policy_permissions.fetch(edit_group_field,nil) == nil) ? [] : policy_permissions.fetch(edit_group_field,nil))
  Rails.logger.debug("[CANCAN] -policy- edit_groups: #{eg.inspect}")
  return eg
end

#edit_persons_from_policy(policy_pid) ⇒ Object 



89
90
91
92
 
# File 'lib/hydra/policy_aware_ability.rb', line 89

def edit_persons_from_policy(policy_pid)
  Deprecation.warn(Hydra::PolicyAwareAbility, "The edit_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0.  Use edit_users_from_policy instead.", caller)
  edit_users_from_policy(policy_pid)
end

#edit_users_from_policy(policy_pid) ⇒ Object

Returns the list of users granted edit access by the policy object identified by policy_pid



95
96
97
98
99
100
101
 
# File 'lib/hydra/policy_aware_ability.rb', line 95

def edit_users_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  edit_user_field = Hydra.config.permissions.inheritable[:edit][:individual]
  eu = ((policy_permissions == nil || policy_permissions.fetch(edit_user_field,nil) == nil) ? [] : policy_permissions.fetch(edit_user_field,nil))
  Rails.logger.debug("[CANCAN] -policy- edit_users: #{eu.inspect}")
  return eu
end

#governed_by_solr_fieldObject 



34
35
36
37
38
 
# File 'lib/hydra/policy_aware_ability.rb', line 34

def governed_by_solr_field
  # TODO the solr key could be derived if we knew the class of the object:
  #   ModsAsset.reflect_on_association(:admin_policy).solr_key
  IS_GOVERNED_BY_SOLR_FIELD
end

#policy_permissions_doc(policy_pid) ⇒ Object

Returns the permissions solr document for policy_pid The document is stored in an instance variable, so calling this multiple times will only query solr once. To force reload, set @policy_permissions_solr_cache to {}



43
44
45
46
 
# File 'lib/hydra/policy_aware_ability.rb', line 43

def policy_permissions_doc(policy_pid)
  @policy_permissions_solr_cache ||= {}
  @policy_permissions_solr_cache[policy_pid] ||= get_permissions_solr_response_for_doc_id(policy_pid)
end

#policy_pid_for(object_pid) ⇒ Object

Returns the pid of policy object (is_governed_by) for the specified object Assumes that the policy object is associated by an is_governed_by relationship (which is stored as “is_governed_by_ssim” in object’s solr document) Returns nil if no policy associated with the object



23
24
25
26
27
28
29
30
31
32
 
# File 'lib/hydra/policy_aware_ability.rb', line 23

def policy_pid_for(object_pid)
  policy_pid = policy_pid_cache[object_pid]
  return policy_pid if policy_pid
  solr_result = ActiveFedora::Base.find_with_conditions({id: object_pid}, fl: governed_by_solr_field)
  begin
    policy_pid_cache[object_pid] = policy_pid = value_from_solr_field(solr_result, governed_by_solr_field).first.gsub("info:fedora/", "")
  rescue NoMethodError
  end
  return policy_pid
end

#read_groups_from_policy(policy_pid) ⇒ Object

Returns the list of groups granted read access by the policy object identified by policy_pid Note: edit implies read, so read_groups is the union of edit and read groups



81
82
83
84
85
86
87
 
# File 'lib/hydra/policy_aware_ability.rb', line 81

def read_groups_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  read_group_field = Hydra.config.permissions.inheritable[:read][:group]
  rg = edit_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_group_field,nil) == nil) ? [] : policy_permissions.fetch(read_group_field,nil))
  Rails.logger.debug("[CANCAN] -policy- read_groups: #{rg.inspect}")
  return rg
end

#read_persons_from_policy(policy_pid) ⇒ Object 



103
104
105
106
 
# File 'lib/hydra/policy_aware_ability.rb', line 103

def read_persons_from_policy(policy_pid)
  Deprecation.warn(Hydra::PolicyAwareAbility, "The read_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0.  Use read_users_from_policy instead.", caller)
  read_users_from_policy(policy_pid)
end

#read_users_from_policy(policy_pid) ⇒ Object

Returns the list of users granted read access by the policy object identified by policy_pid Note: edit implies read, so read_users is the union of edit and read users



110
111
112
113
114
115
116
 
# File 'lib/hydra/policy_aware_ability.rb', line 110

def read_users_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  read_user_field = Hydra.config.permissions.inheritable[:read][:individual]
  ru = edit_users_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_user_field, nil) == nil) ? [] : policy_permissions.fetch(read_user_field, nil))
  Rails.logger.debug("[CANCAN] -policy- read_users: #{ru.inspect}")
  return ru
end

#test_edit(pid) ⇒ Object

Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access



10
11
12
 
# File 'lib/hydra/policy_aware_ability.rb', line 10

def test_edit(pid)
  super || test_edit_from_policy(pid)
end

#test_edit_from_policy(object_pid) ⇒ Object

Tests whether the object’s governing policy object grants edit access for the current user



49
50
51
52
53
54
55
56
57
 
# File 'lib/hydra/policy_aware_ability.rb', line 49

def test_edit_from_policy(object_pid)
  policy_pid = policy_pid_for(object_pid)
  return false if policy_pid.nil?
  Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{current_user.user_key}?")
  group_intersection = user_groups & edit_groups_from_policy( policy_pid )
  result = !group_intersection.empty? || edit_users_from_policy( policy_pid ).include?(current_user.user_key)
  Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
  result
end

#test_read(pid) ⇒ Object

Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access



15
16
17
 
# File 'lib/hydra/policy_aware_ability.rb', line 15

def test_read(pid)
  super || test_read_from_policy(pid)
end

#test_read_from_policy(object_pid) ⇒ Object

Tests whether the object’s governing policy object grants read access for the current user



60
61
62
63
64
65
66
67
68
 
# File 'lib/hydra/policy_aware_ability.rb', line 60

def test_read_from_policy(object_pid)
  policy_pid = policy_pid_for(object_pid)
  return false if policy_pid.nil?
  Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{current_user.user_key}?")
  group_intersection = user_groups & read_groups_from_policy( policy_pid )
  result = !group_intersection.empty? || read_users_from_policy( policy_pid ).include?(current_user.user_key)
  Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
  result
end