Module: Hydra::PolicyAwareAbility

Extended by:
ActiveSupport::Concern, Deprecation
Includes:
Ability
Defined in:
lib/hydra/policy_aware_ability.rb

Overview

Repeats access controls evaluation methods, but checks against a governing “Policy” object (or “Collection” object) that provides inherited access controls.

Instance Attribute Summary

Attributes included from Ability

#cache, #current_user, #session

Instance Method Summary collapse

Methods included from Ability

#create_permissions, #custom_permissions, #default_user_groups, #download_permissions, #edit_permissions, #hydra_default_permissions, #initialize, #read_permissions, user_class, #user_groups

Instance Method Details

#edit_groups_from_policy(policy_pid) ⇒ Object

Returns the list of groups granted edit access by the policy object identified by policy_pid



79
80
81
82
83
84
85
 
# File 'lib/hydra/policy_aware_ability.rb', line 79

def edit_groups_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  edit_group_field = Hydra.config[:permissions][:inheritable][:edit][:group]
  eg = ((policy_permissions == nil || policy_permissions.fetch(edit_group_field,nil) == nil) ? [] : policy_permissions.fetch(edit_group_field,nil))
  logger.debug("[CANCAN] -policy- edit_groups: #{eg.inspect}")
  return eg
end

#edit_persons_from_policy(policy_pid) ⇒ Object 



97
98
99
100
 
# File 'lib/hydra/policy_aware_ability.rb', line 97

def edit_persons_from_policy(policy_pid)
  Deprecation.warn(Hydra::PolicyAwareAbility, "The edit_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0.  Use edit_users_from_policy instead.", caller)
  edit_users_from_policy(policy_pid)
end

#edit_users_from_policy(policy_pid) ⇒ Object

Returns the list of users granted edit access by the policy object identified by policy_pid



103
104
105
106
107
108
109
 
# File 'lib/hydra/policy_aware_ability.rb', line 103

def edit_users_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  edit_user_field = Hydra.config[:permissions][:inheritable][:edit][:individual]
  eu = ((policy_permissions == nil || policy_permissions.fetch(edit_user_field,nil) == nil) ? [] : policy_permissions.fetch(edit_user_field,nil))
  logger.debug("[CANCAN] -policy- edit_users: #{eu.inspect}")
  return eu
end

#policy_permissions_doc(policy_pid) ⇒ Object

Returns the permissions solr document for policy_pid The document is stored in an instance variable, so calling this multiple times will only query solr once. To force reload, set @policy_permissions_solr_cache to {}



45
46
47
48
 
# File 'lib/hydra/policy_aware_ability.rb', line 45

def policy_permissions_doc(policy_pid)
  @policy_permissions_solr_cache ||= {}
  @policy_permissions_solr_cache[policy_pid] ||= get_permissions_solr_response_for_doc_id(policy_pid)
end

#policy_pid_for(object_pid) ⇒ Object

Returns the pid of policy object (is_governed_by) for the specified object Assumes that the policy object is associated by an is_governed_by relationship (which is stored as “is_governed_by_ssim” in object’s solr document) Returns nil if no policy associated with the object



31
32
33
34
35
36
37
38
39
40
 
# File 'lib/hydra/policy_aware_ability.rb', line 31

def policy_pid_for(object_pid)
  policy_pid = policy_pid_cache[object_pid]
  return policy_pid if policy_pid
  solr_result = ActiveFedora::Base.find_with_conditions({:id=>object_pid}, :fl=>ActiveFedora::SolrService.solr_name('is_governed_by', :symbol))
  begin
    policy_pid_cache[object_pid] = policy_pid = value_from_solr_field(solr_result, ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)).first.gsub("info:fedora/", "")
  rescue NoMethodError
  end
  return policy_pid
end

#read_groups_from_policy(policy_pid) ⇒ Object

Returns the list of groups granted read access by the policy object identified by policy_pid Note: edit implies read, so read_groups is the union of edit and read groups



89
90
91
92
93
94
95
 
# File 'lib/hydra/policy_aware_ability.rb', line 89

def read_groups_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  read_group_field = Hydra.config[:permissions][:inheritable][:read][:group]
  rg = edit_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_group_field,nil) == nil) ? [] : policy_permissions.fetch(read_group_field,nil))
  logger.debug("[CANCAN] -policy- read_groups: #{rg.inspect}")
  return rg
end

#read_persons_from_policy(policy_pid) ⇒ Object 



111
112
113
114
 
# File 'lib/hydra/policy_aware_ability.rb', line 111

def read_persons_from_policy(policy_pid)
  Deprecation.warn(Hydra::PolicyAwareAbility, "The read_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0.  Use read_users_from_policy instead.", caller)
  read_users_from_policy(policy_pid)
end

#read_users_from_policy(policy_pid) ⇒ Object

Returns the list of users granted read access by the policy object identified by policy_pid Note: edit implies read, so read_users is the union of edit and read users



118
119
120
121
122
123
124
 
# File 'lib/hydra/policy_aware_ability.rb', line 118

def read_users_from_policy(policy_pid)
  policy_permissions = policy_permissions_doc(policy_pid)
  read_user_field = Hydra.config[:permissions][:inheritable][:read][:individual]
  ru = edit_users_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_user_field, nil) == nil) ? [] : policy_permissions.fetch(read_user_field, nil))
  logger.debug("[CANCAN] -policy- read_users: #{ru.inspect}")
  return ru
end

#test_edit(pid) ⇒ Object

Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access



8
9
10
11
12
13
14
15
 
# File 'lib/hydra/policy_aware_ability.rb', line 8

def test_edit(pid)
  result = super
  if result 
    return result
  else
    return test_edit_from_policy(pid)
  end
end

#test_edit_from_policy(object_pid) ⇒ Object

Tests whether the object’s governing policy object grants edit access for the current user



51
52
53
54
55
56
57
58
59
60
61
62
 
# File 'lib/hydra/policy_aware_ability.rb', line 51

def test_edit_from_policy(object_pid)
  policy_pid = policy_pid_for(object_pid)
  if policy_pid.nil?
    return false
  else
    logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{current_user.user_key}?")
    group_intersection = user_groups & edit_groups_from_policy( policy_pid )
    result = !group_intersection.empty? || edit_users_from_policy( policy_pid ).include?(current_user.user_key)
    logger.debug("[CANCAN] -policy- decision: #{result}")
    return result
  end
end

#test_read(pid) ⇒ Object

Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access



18
19
20
21
22
23
24
25
 
# File 'lib/hydra/policy_aware_ability.rb', line 18

def test_read(pid)
  result = super
  if result 
    return result
  else
    return test_read_from_policy(pid)
  end
end

#test_read_from_policy(object_pid) ⇒ Object

Tests whether the object’s governing policy object grants read access for the current user



65
66
67
68
69
70
71
72
73
74
75
76
 
# File 'lib/hydra/policy_aware_ability.rb', line 65

def test_read_from_policy(object_pid)
  policy_pid = policy_pid_for(object_pid)
  if policy_pid.nil?
    return false
  else
    logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{current_user.user_key}?")
    group_intersection = user_groups & read_groups_from_policy( policy_pid )
    result = !group_intersection.empty? || read_users_from_policy( policy_pid ).include?(current_user.user_key)
    logger.debug("[CANCAN] -policy- decision: #{result}")
    result
  end
end