Class: Ddr::Auth::Ability

Inherits:

Object

• Object
• Ddr::Auth::Ability

Includes:

Hydra::PolicyAwareAbility

Defined in:

lib/ddr/auth/ability.rb

Class Method Summary

• .discover_group_field ⇒ Object
• .discover_person_field ⇒ Object

Instance Method Summary

• #action_aliases ⇒ Object
• #attachment_permissions ⇒ Object
• #children_permissions ⇒ Object
• #collection_permissions ⇒ Object
• #discover_groups(pid) ⇒ Object

  Mimics Hydra::Ability#read_groups.

• #discover_groups_from_policy(policy_pid) ⇒ Object

  Mimics Hydra::PolicyAwareAbility#read_groups_from_policy.

• #discover_permissions ⇒ Object

  Mimics Hydra::Ability#read_permissions.

• #discover_persons(pid) ⇒ Object

  Mimics Hydra::Ability#read_persons.

• #discover_persons_from_policy(policy_pid) ⇒ Object
• #download_permissions ⇒ Object
• #edit_permissions ⇒ Object
• #events_permissions ⇒ Object
• #read_permissions ⇒ Object
• #test_discover(pid) ⇒ Object

  Mimics Hydra::Ability#test_read + Hydra::PolicyAwareAbility#test_read in one method.

• #test_discover_from_policy(object_pid) ⇒ Object

  Mimics Hydra::PolicyAwareAbility#test_read_from_policy.

• #upload_permissions ⇒ Object

Class Method Details

.discover_group_field ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 161

def self.discover_group_field
  Hydra.config[:permissions][:discover][:group]
end

.discover_person_field ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 157

def self.discover_person_field 
  Hydra.config[:permissions][:discover][:individual]
end

Instance Method Details

#action_aliases ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 10

def action_aliases
  # read aliases
  alias_action :attachments, :collection_info, :components, :event, :events, :items, :targets, to: :read
  # edit/update aliases
  alias_action :permissions, :default_permissions, to: :update
end

#attachment_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 94

def attachment_permissions
  can :add_attachment, Ddr::Models::HasAttachments do |obj|
    can?(:edit, obj)
  end
end

#children_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 72

def children_permissions
  can :add_children, Ddr::Models::HasChildren do |obj|
    can?(:edit, obj)
  end
end

#collection_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 17

def collection_permissions
  can :create, Collection if current_user.member_of?(Ddr::Auth.collection_creators_group)
end

#discover_groups(pid) ⇒ Object

Mimics Hydra::Ability#read_groups

# File 'lib/ddr/auth/ability.rb', line 123

def discover_groups(pid)
  doc = permissions_doc(pid)
  return [] if doc.nil?
  dg = edit_groups(pid) | read_groups(pid) | (doc[self.class.discover_group_field] || [])
  Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}")
  return dg
end

#discover_groups_from_policy(policy_pid) ⇒ Object

Mimics Hydra::PolicyAwareAbility#read_groups_from_policy

# File 'lib/ddr/auth/ability.rb', line 132

def discover_groups_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  discover_group_field = Hydra.config[:permissions][:inheritable][:discover][:group]
  dg = edit_groups_from_policy(policy_pid) | read_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_group_field, nil) == nil) ? [] : policy_permissions.fetch(discover_group_field, nil))
  Rails.logger.debug("[CANCAN] -policy- discover_groups: #{dg.inspect}")
  return dg
end

#discover_permissions ⇒ Object

Mimics Hydra::Ability#read_permissions

# File 'lib/ddr/auth/ability.rb', line 79

def discover_permissions
  can :discover, String do |pid|
    test_discover(pid)
  end

  can :discover, ActiveFedora::Base do |obj|
    test_discover(obj.pid)
  end 
  
  can :discover, SolrDocument do |obj|
    cache.put(obj.id, obj)
    test_discover(obj.id)
  end 
end

#discover_persons(pid) ⇒ Object

Mimics Hydra::Ability#read_persons

# File 'lib/ddr/auth/ability.rb', line 141

def discover_persons(pid)
  doc = permissions_doc(pid)
  return [] if doc.nil?
  dp = edit_users(pid) | read_users(pid) | (doc[self.class.discover_person_field] || [])
  Rails.logger.debug("[CANCAN] discover_persons: #{dp.inspect}")
  return dp
end

#discover_persons_from_policy(policy_pid) ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 149

def discover_persons_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  discover_individual_field = Hydra.config[:permissions][:inheritable][:discover][:individual]
  dp = edit_persons_from_policy(policy_pid) | read_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_individual_field, nil) == nil) ? [] : policy_permissions.fetch(discover_individual_field, nil))
  Rails.logger.debug("[CANCAN] -policy- discover_persons: #{dp.inspect}")
  return dp
end

#download_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 42

def download_permissions
  can :download, ActiveFedora::Base do |obj|
    if obj.is_a? Component
      can?(:edit, obj) || (can?(:read, obj) && current_user.has_role?(obj, :downloader))
    else
      can? :read, obj
    end
  end
  can :download, SolrDocument do |doc|
    if doc.active_fedora_model == "Component"
      can?(:edit, doc) || (can?(:read, doc) && current_user.has_role?(doc, :downloader))
    else
      can? :read, doc
    end
  end
  can :download, ActiveFedora::Datastream do |ds|
    if ds.dsid == Ddr::Datastreams::CONTENT and ds.digital_object.original_class == Component
      can?(:edit, ds.pid) || (can?(:read, ds.pid) && current_user.has_role?(solr_doc(ds.pid), :downloader))
    else
      can? :read, ds.pid
    end
  end
end

#edit_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 28

def edit_permissions
  super
  can [:edit, :update, :destroy], ActiveFedora::Datastream do |action, ds|
    can? action, ds.pid
  end
end

#events_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 35

def events_permissions
  can :read, Ddr::Events::Event, user: current_user
  can :read, Ddr::Events::Event do |e|
    can? :read, e.pid
  end
end

#read_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 21

def read_permissions
  super
  can :read, ActiveFedora::Datastream do |ds|
    can? :read, ds.pid
  end
end

#test_discover(pid) ⇒ Object

Mimics Hydra::Ability#test_read + Hydra::PolicyAwareAbility#test_read in one method

# File 'lib/ddr/auth/ability.rb', line 101

def test_discover(pid)
  Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
  group_intersection = user_groups & discover_groups(pid)
  result = !group_intersection.empty? || discover_persons(pid).include?(current_user.user_key)
  result || test_discover_from_policy(pid)
end

#test_discover_from_policy(object_pid) ⇒ Object

Mimics Hydra::PolicyAwareAbility#test_read_from_policy

# File 'lib/ddr/auth/ability.rb', line 109

def test_discover_from_policy(object_pid)
  policy_pid = policy_pid_for(object_pid)
  if policy_pid.nil?
    return false
  else
    Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide DISCOVER permissions for #{current_user.user_key}?")
    group_intersection = user_groups & discover_groups_from_policy(policy_pid)
    result = !group_intersection.empty? || discover_persons_from_policy(policy_pid).include?(current_user.user_key)
    Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
    result
  end
end

#upload_permissions ⇒ Object

# File 'lib/ddr/auth/ability.rb', line 66

def upload_permissions
  can :upload, Ddr::Models::HasContent do |obj|
    can?(:edit, obj)
  end
end