Module: Ddr::Auth::RoleBasedAccessControlsEnforcement

Defined in:

lib/ddr/auth/role_based_access_controls_enforcement.rb

Overview

Hydra controller mixin for role-based access control

Overrides Hydra::AccessControlsEnforcement#gated_discovery_filters to apply role filters instead of permissions filters.

Class Method Summary

• .included(controller) ⇒ Object

Instance Method Summary

• #current_ability ⇒ Object
• #enforce_show_permissions ⇒ Object

  Overrides Hydra::AccessControlsEnforcement.

• #gated_discovery_filters ⇒ Object
• #policy_role_filters ⇒ Object
• #policy_role_policies ⇒ Object

  List of URIs for policies on which any of the current user’s agent has a role in policy scope.

• #resource_role_filters ⇒ Object

Class Method Details

.included(controller) ⇒ Object

# File 'lib/ddr/auth/role_based_access_controls_enforcement.rb', line 11

def self.included(controller)
  controller.delegate :authorized_to_act_as_superuser?, to: :current_ability
  controller.helper_method :authorized_to_act_as_superuser?
end

Instance Method Details

#current_ability ⇒ Object

# File 'lib/ddr/auth/role_based_access_controls_enforcement.rb', line 16

def current_ability
  @current_ability ||= AbilityFactory.call(current_user, request.env)
end

#enforce_show_permissions ⇒ Object

Overrides Hydra::AccessControlsEnforcement

# File 'lib/ddr/auth/role_based_access_controls_enforcement.rb', line 50

def enforce_show_permissions
  authorize! :read, params[:id]
end

#gated_discovery_filters ⇒ Object

# File 'lib/ddr/auth/role_based_access_controls_enforcement.rb', line 45

def gated_discovery_filters
  [resource_role_filters, policy_role_filters].compact
end

#policy_role_filters ⇒ Object

# File 'lib/ddr/auth/role_based_access_controls_enforcement.rb', line 32

def policy_role_filters
  if policy_role_policies.present?
    rels = policy_role_policies.map { |pid| [:is_governed_by, pid] }
    ActiveFedora::SolrService.construct_query_for_rel(rels, "OR")
  end
end

#policy_role_policies ⇒ Object

List of URIs for policies on which any of the current user’s agent has a role in policy scope

# File 'lib/ddr/auth/role_based_access_controls_enforcement.rb', line 21

def policy_role_policies
  @policy_role_policies ||= Array.new.tap do |uris|
    filters = current_ability.agents.map do |agent|
      "#{Ddr::Index::Fields::POLICY_ROLE}:\"#{agent}\""
    end.join(" OR ")
    query = "#{Ddr::Index::Fields::ACTIVE_FEDORA_MODEL}:Collection AND (#{filters})"
    results = ActiveFedora::SolrService.query(query, rows: Collection.count, fl: Ddr::Index::Fields::INTERNAL_URI)
    results.each_with_object(uris) { |r, memo| memo << r[Ddr::Index::Fields::INTERNAL_URI] }
  end
end

#resource_role_filters ⇒ Object

# File 'lib/ddr/auth/role_based_access_controls_enforcement.rb', line 39

def resource_role_filters
  current_ability.agents.map do |agent|
    ActiveFedora::SolrService.raw_query(Ddr::Index::Fields::RESOURCE_ROLE, agent)
  end.join(" OR ")
end