Module: Hydra::PolicyAwareAccessControlsEnforcement

Defined in:
lib/hydra/policy_aware_access_controls_enforcement.rb

Overview

Repeats access controls evaluation methods, but checks against a governing “Policy” object (or “Collection” object) that provides inherited access controls.

Instance Method Details

#apply_gated_discovery(solr_parameters, user_parameters) ⇒ Object

Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access. Appends the result of policy_clauses into the :fq.

Parameters:

  • solr_parameters

    the current solr parameters

  • user_parameters

    the current user-submitted parameters



# File 'lib/hydra/policy_aware_access_controls_enforcement.rb', line 8

def apply_gated_discovery(solr_parameters, user_parameters)
  solr_parameters[:fq] ||= []
  solr_parameters[:fq] << gated_discovery_filters.join(" OR ")
  logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
end

#apply_policy_individual_permissions(permission_types) ⇒ Object



# File 'lib/hydra/policy_aware_access_controls_enforcement.rb', line 48

def apply_policy_individual_permissions(permission_types)
  # for individual person access
  user_access_filters = []
  discovery_permissions.each do |type|
    user_access_filters << ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_person", Hydra::Datastream::RightsMetadata.indexer) + ":#{current_user.user_key}"
  end
  user_access_filters
end

#apply_policy_role_permissions(permission_types) ⇒ Object



# File 'lib/hydra/policy_aware_access_controls_enforcement.rb', line 37

def apply_policy_role_permissions(permission_types)
  # for roles
  user_access_filters = []
  current_ability.user_groups.each_with_index do |role, i|
    discovery_permissions.each do |type|
      user_access_filters << ActiveFedora::SolrService.solr_name("inheritable_#{type}_access_group", Hydra::Datastream::RightsMetadata.indexer) + ":#{role}"
    end
  end
  user_access_filters
end

#policies_with_access ⇒ Object

Finds all the policies that grant discover/read/edit permissions to this user or any of its groups.



# File 'lib/hydra/policy_aware_access_controls_enforcement.rb', line 24

def policies_with_access
  #### TODO -- Memoize this and put it in the session?
  return [] unless current_user
  user_access_filters = []
  # Grant access based on user id & role
  user_access_filters += apply_policy_role_permissions(discovery_permissions)
  user_access_filters += apply_policy_individual_permissions(discovery_permissions)
  result = policy_class.find_with_conditions( user_access_filters.join(" OR "), :fl => "id" )
  logger.debug "get policies: #{result}\n\n"
  result.map {|h| h['id']}
end

#policy_class ⇒ Object

Returns the Model used for AdminPolicy objects. You can set this by overriding this method or setting Hydra.config[:policy_class]. Defaults to Hydra::AdminPolicy.



# File 'lib/hydra/policy_aware_access_controls_enforcement.rb', line 60

def policy_class
  if Hydra.config[:permissions][:policy_class].nil?
    return Hydra::AdminPolicy
  else
    return Hydra.config[:permissions][:policy_class]
  end
end

#policy_clauses ⇒ Object

Returns a Solr query for finding all objects whose policies grant discover access to current_user.



# File 'lib/hydra/policy_aware_access_controls_enforcement.rb', line 16

def policy_clauses 
  policy_pids = policies_with_access
  return nil if policy_pids.empty?
  '(' + policy_pids.map {|pid| ActiveFedora::SolrService.solr_name("is_governed_by", :symbol) + ":info\\:fedora/#{pid.gsub(/:/, '\\\\:')}"}.join(' OR ') + ')'
end