Module: Hydra::PolicyAwareAbility
- Extended by: ActiveSupport::Concern, Deprecation
- Includes: Ability
- Defined in: lib/hydra/policy_aware_ability.rb
Overview
Re-implements the access control evaluation methods of Hydra::Ability so that, when object-level controls deny access, they also check a governing “Policy” object (or “Collection” object) that provides inherited access controls.
Instance Attribute Summary
Attributes included from Ability
#cache, #current_user, #session
Instance Method Summary
- #edit_groups_from_policy(policy_pid) ⇒ Object
  Returns the list of groups granted edit access by the policy object identified by policy_pid.
- #edit_persons_from_policy(policy_pid) ⇒ Object
  Deprecated; delegates to #edit_users_from_policy.
- #edit_users_from_policy(policy_pid) ⇒ Object
  Returns the list of users granted edit access by the policy object identified by policy_pid.
- #policy_permissions_doc(policy_pid) ⇒ Object
  Returns the permissions Solr document for policy_pid. The document is cached in an instance variable, so calling this multiple times queries Solr only once.
- #policy_pid_for(object_pid) ⇒ Object
  Returns the pid of the policy object (is_governed_by) for the specified object. Assumes that the policy object is associated by an is_governed_by relationship (stored as “is_governed_by_ssim” in the object’s Solr document). Returns nil if no policy is associated with the object.
- #read_groups_from_policy(policy_pid) ⇒ Object
  Returns the list of groups granted read access by the policy object identified by policy_pid. Note: edit implies read, so read_groups is the union of edit and read groups.
- #read_persons_from_policy(policy_pid) ⇒ Object
  Deprecated; delegates to #read_users_from_policy.
- #read_users_from_policy(policy_pid) ⇒ Object
  Returns the list of users granted read access by the policy object identified by policy_pid. Note: edit implies read, so read_users is the union of edit and read users.
- #test_edit(pid) ⇒ Object
  Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access.
- #test_edit_from_policy(object_pid) ⇒ Object
  Tests whether the object’s governing policy object grants edit access for the current user.
- #test_read(pid) ⇒ Object
  Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access.
- #test_read_from_policy(object_pid) ⇒ Object
  Tests whether the object’s governing policy object grants read access for the current user.
Methods included from Ability
#create_permissions, #custom_permissions, #default_user_groups, #download_permissions, #edit_permissions, #hydra_default_permissions, #initialize, #read_permissions, user_class, #user_groups
Instance Method Details
#edit_groups_from_policy(policy_pid) ⇒ Object
Returns the list of groups granted edit access by the policy object identified by policy_pid.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 79
def edit_groups_from_policy(policy_pid)
  doc = policy_permissions_doc(policy_pid)   # cached Solr document of the policy
  edit_group_field = Hydra.config[:permissions][:inheritable][:edit][:group]
  # [] when the policy has no document or the field is absent
  eg = (doc && doc.fetch(edit_group_field, nil)) || []
  logger.debug("[CANCAN] -policy- edit_groups: #{eg.inspect}")
  return eg
end
```
#edit_persons_from_policy(policy_pid) ⇒ Object
```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 97
def edit_persons_from_policy(policy_pid)
  Deprecation.warn(Hydra::PolicyAwareAbility, "The edit_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0. Use edit_users_from_policy instead.", caller)
  edit_users_from_policy(policy_pid)
end
```
#edit_users_from_policy(policy_pid) ⇒ Object
Returns the list of users granted edit access by the policy object identified by policy_pid.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 103
def edit_users_from_policy(policy_pid)
  doc = policy_permissions_doc(policy_pid)   # cached Solr document of the policy
  edit_user_field = Hydra.config[:permissions][:inheritable][:edit][:individual]
  # [] when the policy has no document or the field is absent
  eu = (doc && doc.fetch(edit_user_field, nil)) || []
  logger.debug("[CANCAN] -policy- edit_users: #{eu.inspect}")
  return eu
end
```
#policy_permissions_doc(policy_pid) ⇒ Object
Returns the permissions Solr document for policy_pid. The document is cached in an instance variable, so calling this multiple times queries Solr only once. To force a reload, set @policy_permissions_solr_cache to {}.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 45
def policy_permissions_doc(policy_pid)
  @policy_permissions_solr_cache ||= {}
  # get_permissions_solr_response_for_doc_id is provided by Hydra::PermissionsQuery
  # (included through Hydra::Ability) and is not reproduced on this page
  @policy_permissions_solr_cache[policy_pid] ||= get_permissions_solr_response_for_doc_id(policy_pid)
end
```
#policy_pid_for(object_pid) ⇒ Object
Returns the pid of the policy object (is_governed_by) for the specified object. Assumes that the policy object is associated by an is_governed_by relationship (stored as “is_governed_by_ssim” in the object’s Solr document). Returns nil if no policy is associated with the object.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 31
def policy_pid_for(object_pid)
  policy_pid = policy_pid_cache[object_pid]
  return policy_pid if policy_pid
  solr_result = ActiveFedora::Base.find_with_conditions({:id=>object_pid}, :fl=>ActiveFedora::SolrService.solr_name('is_governed_by', :symbol))
  begin
    # strip the "info:fedora/" prefix from the is_governed_by value
    policy_pid_cache[object_pid] = policy_pid = value_from_solr_field(solr_result, ActiveFedora::SolrService.solr_name('is_governed_by', :symbol)).first.gsub("info:fedora/", "")
  rescue NoMethodError
    # no is_governed_by value in the result: leave policy_pid nil
  end
  return policy_pid
end
```
#read_groups_from_policy(policy_pid) ⇒ Object
Returns the list of groups granted read access by the policy object identified by policy_pid. Note: edit implies read, so read_groups is the union of edit and read groups.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 89
def read_groups_from_policy(policy_pid)
  doc = policy_permissions_doc(policy_pid)   # cached Solr document of the policy
  read_group_field = Hydra.config[:permissions][:inheritable][:read][:group]
  # edit implies read: union of the policy's edit groups and its read groups
  rg = edit_groups_from_policy(policy_pid) | ((doc && doc.fetch(read_group_field, nil)) || [])
  logger.debug("[CANCAN] -policy- read_groups: #{rg.inspect}")
  return rg
end
```
#read_persons_from_policy(policy_pid) ⇒ Object
```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 111
def read_persons_from_policy(policy_pid)
  Deprecation.warn(Hydra::PolicyAwareAbility, "The read_persons_from_policy method is deprecated and will be removed from Hydra::PolicyAwareAbility in hydra-head 8.0. Use read_users_from_policy instead.", caller)
  read_users_from_policy(policy_pid)
end
```
#read_users_from_policy(policy_pid) ⇒ Object
Returns the list of users granted read access by the policy object identified by policy_pid. Note: edit implies read, so read_users is the union of edit and read users.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 118
def read_users_from_policy(policy_pid)
  doc = policy_permissions_doc(policy_pid)   # cached Solr document of the policy
  read_user_field = Hydra.config[:permissions][:inheritable][:read][:individual]
  # edit implies read: union of the policy's edit users and its read users
  ru = edit_users_from_policy(policy_pid) | ((doc && doc.fetch(read_user_field, nil)) || [])
  logger.debug("[CANCAN] -policy- read_users: #{ru.inspect}")
  return ru
end
```
#test_edit(pid) ⇒ Object
Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 8
def test_edit(pid)
  result = super   # object-level controls from Hydra::Ability
  if result
    return result
  else
    return test_edit_from_policy(pid)   # fall back to the governing policy
  end
end
```
#test_edit_from_policy(object_pid) ⇒ Object
Tests whether the object’s governing policy object grants edit access for the current user.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 51
def test_edit_from_policy(object_pid)
  policy_pid = policy_pid_for(object_pid)
  if policy_pid.nil?
    return false   # no governing policy: nothing to inherit
  else
    logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{current_user.user_key}?")
    # grant on any shared group, or on the user being listed individually
    group_intersection = user_groups & edit_groups_from_policy( policy_pid )
    result = !group_intersection.empty? || edit_users_from_policy( policy_pid ).include?(current_user.user_key)
    logger.debug("[CANCAN] -policy- decision: #{result}")
    return result
  end
end
```
#test_read(pid) ⇒ Object
Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 18
def test_read(pid)
  result = super   # object-level controls from Hydra::Ability
  if result
    return result
  else
    return test_read_from_policy(pid)   # fall back to the governing policy
  end
end
```
#test_read_from_policy(object_pid) ⇒ Object
Tests whether the object’s governing policy object grants read access for the current user.

```ruby
# File 'lib/hydra/policy_aware_ability.rb', line 65
def test_read_from_policy(object_pid)
  policy_pid = policy_pid_for(object_pid)
  if policy_pid.nil?
    return false   # no governing policy: nothing to inherit
  else
    logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{current_user.user_key}?")
    # grant on any shared group, or on the user being listed individually
    group_intersection = user_groups & read_groups_from_policy( policy_pid )
    result = !group_intersection.empty? || read_users_from_policy( policy_pid ).include?(current_user.user_key)
    logger.debug("[CANCAN] -policy- decision: #{result}")
    result
  end
end
```
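To see how the policy fallback behaves end to end (no policy denies, edit implies read, group or individual match grants), here is an added stand-alone model of the test_edit_from_policy / test_read_from_policy chain over constructed Solr-style documents; it is not hydra-head code. The inheritable field names and the index contents are constructed stand-ins for Hydra.config[:permissions][:inheritable] and for Solr; only “is_governed_by_ssim” and the “info:fedora/” prefix come from the page.

```ruby
# Added example, not hydra-head code: a stand-alone model of how
# PolicyAwareAbility decides access from a governing policy's Solr document.
# FIELDS are constructed stand-ins for Hydra.config[:permissions][:inheritable];
# only "is_governed_by_ssim" is a field name taken from the page.
FIELDS = {
  edit: { group: "inh_edit_group_ssim", individual: "inh_edit_person_ssim" },
  read: { group: "inh_read_group_ssim", individual: "inh_read_person_ssim" },
}.freeze

# Constructed index: obj:1 is governed by policy:1, obj:2 has no policy at all.
INDEX = {
  "policy:1" => { "inh_edit_group_ssim"  => ["curators"],
                  "inh_read_person_ssim" => ["reader@example.org"] },
  "obj:1"    => { "is_governed_by_ssim" => ["info:fedora/policy:1"] },
  "obj:2"    => {},
}.freeze

class PolicyDecision
  def initialize(user_key, groups, index = INDEX)
    @user_key, @groups, @index = user_key, groups, index
    @policy_docs = {} # like @policy_permissions_solr_cache: one lookup per policy per instance
  end

  # Strips the "info:fedora/" prefix like policy_pid_for; nil when the object
  # carries no is_governed_by relationship.
  def policy_pid_for(object_pid)
    ref = @index.fetch(object_pid, {}).fetch("is_governed_by_ssim", []).first
    ref && ref.sub("info:fedora/", "")
  end

  # Names granted by the policy for :edit or :read. Edit implies read, so the
  # read lists are the union of the edit and read fields (as read_*_from_policy).
  def granted(policy_pid, mode, kind)
    doc = @policy_docs[policy_pid] ||= @index.fetch(policy_pid, {})
    modes = mode == :read ? [:edit, :read] : [:edit]
    modes.flat_map { |m| doc.fetch(FIELDS[m][kind], []) }.uniq
  end

  # Mirrors test_*_from_policy: deny when there is no policy, otherwise grant on
  # a non-empty group intersection or an individual user match.
  def from_policy?(object_pid, mode)
    policy_pid = policy_pid_for(object_pid)
    return false if policy_pid.nil?
    !(@groups & granted(policy_pid, mode, :group)).empty? ||
      granted(policy_pid, mode, :individual).include?(@user_key)
  end
end
```

A user listed only in the policy's read field gets read but not edit on obj:1, a member of the policy's edit group gets both, and obj:2 is denied for everyone because it has no governing policy.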