Module: Hyrax::Workflow::PermissionQuery

Defined in:
app/services/hyrax/workflow/permission_query.rb

Overview

Note:

There is an indication of public or private api. The intent of this is to differentiate what are methods that are the primary entry points as understood as of the commit that has the @api tag. However, these are public methods because they have been tested in isolation and are used to help compose the ‘@api public` methods.

Welcome intrepid developer. You have stumbled into some complex data interactions. There are a lot of data collaborators regarding these tests. I would love this to be more in isolation, but that is not in the cards as there are at least 16 database tables interacting to ultimately answer the following question:

  • What actions can a given user take on an entity?

Could there be more efficient queries? Yes. However, the composition of queries has proven to be a very powerful means of understanding and exploring the problem.

Class Method Summary collapse

Class Method Details

.authorized_for_processing?(user:, entity:, action:) ⇒ Boolean

Is the user authorized to take the processing action on the given entity?

Parameters:

  • user (User)
  • entity

    an object that can be converted into a Sipity::Entity

  • action

    an object that can be converted into a Sipity::WorkflowAction#name

Returns:

  • (Boolean)


149
150
151
152
153
# File 'app/services/hyrax/workflow/permission_query.rb', line 149

def authorized_for_processing?(user:, entity:, action:)
  action_name = PowerConverter.convert_to_sipity_action_name(action)
  scope_permitted_workflow_actions_available_for_current_state(user: user, entity: entity)
    .where(Sipity::WorkflowAction.arel_table[:name].eq(action_name)).count > 0
end

.entity_responsibilitiesObject



23
24
25
# File 'app/services/hyrax/workflow/permission_query.rb', line 23

def entity_responsibilities
  @entity_responsibilities ||= Sipity::EntitySpecificResponsibility.arel_table
end

.scope_agents_associated_with_entity_and_role(entity:, role:) ⇒ ActiveRecord::Relation<Sipity::Agent>

Agents associated with the given :entity and how they are associated with the given.

Parameters:

  • entity (Object)

    that can be converted into a Sipity::Entity

  • role (Object)

    that can be converted into a Sipity::Role

Returns:



68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# File 'app/services/hyrax/workflow/permission_query.rb', line 68

def scope_agents_associated_with_entity_and_role(entity:, role:)
  entity = PowerConverter.convert_to_sipity_entity(entity)
  role = PowerConverter.convert_to_sipity_role(role)

  agents = Sipity::Agent.arel_table

  agents_select_manager = agents.project(
    :*,
    Arel.sql("'#{Sipity::Agent::ENTITY_LEVEL_AGENT_RELATIONSHIP}'").as('agent_processing_relationship')
  ).where(
    agents[:id].in(
      entity_responsibilities.project(entity_responsibilities[:agent_id]).join(workflow_roles).on(
        workflow_roles[:id].eq(entity_responsibilities[:workflow_role_id])
      ).where(
        entity_responsibilities[:entity_id].eq(entity.id).and(
          workflow_roles[:role_id].eq(role.id)
        )
      )
    )
  ).union(
    agents.project(
      :*,
      Arel.sql("'#{Sipity::Agent::WORKFLOW_LEVEL_AGENT_RELATIONSHIP}'").as('agent_processing_relationship')
    ).where(
      agents[:id].in(
        workflow_responsibilities.project(workflow_responsibilities[:agent_id]).join(workflow_roles).on(
          workflow_roles[:id].eq(workflow_responsibilities[:workflow_role_id])
        ).where(
          workflow_roles[:workflow_id].eq(entity.workflow_id).and(
            workflow_roles[:role_id].eq(role.id)
          )
        )
      )
    )
  )
  # I would love to use the following:
  #  `Agent.find_by_sql(agents_select_manager.to_sql)`
  #
  # However AREL is adding an opening and closing parenthesis to the query
  # statement. So I needed to massage that output, as follows:
  #
  # ```ruby
  #  Agent.find_by_sql(
  #    agents_select_manager.to_sql.sub(/\A\s*\(\s*(.*)\s*\)\s*\Z/,'\1')
  #  )
  # ```
  #
  # Instead I'm taking an example from:
  # https://github.com/danshultz/mastering_active_record_sample_code/blob/a656c60ca7a2e27b5cd1aadbdf3bdc1814c37000/app/models/beer.rb#L77-L81
  #
  # Note, I'm making a dynamic query with a result the same as the table
  # name of the model that I'm using.
  Sipity::Agent.from(agents.create_table_alias(agents_select_manager, agents.table_name)).all
end

.scope_entities_for_the_user(user:) ⇒ ActiveRecord::Relation<Sipity::Entity>

An ActiveRecord::Relation scope that meets the following criteria:

  • Sipity::Entity in a state in which I have access to based on:

    • The entity specific responsibility

      • For which I’ve been assigned a role

    • The workflow specific responsibility

      • For which I’ve been assigned a role

Parameters:

Returns:



189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
# File 'app/services/hyrax/workflow/permission_query.rb', line 189

def scope_entities_for_the_user(user:)
  entities = Sipity::Entity.arel_table
  workflow_state_actions = Sipity::WorkflowStateAction.arel_table
  workflow_states = Sipity::WorkflowState.arel_table
  workflow_state_action_permissions = Sipity::WorkflowStateActionPermission.arel_table

  user_agent_scope = scope_processing_agents_for(user: user)
  user_agent_contraints = user_agent_scope.arel_table.project(
    user_agent_scope.arel_table[:id]
  ).where(user_agent_scope.arel.constraints)

  join_builder = lambda do |responsibility|
    entities.project(
      entities[:id]
    ).join(workflow_state_actions).on(
      workflow_state_actions[:originating_workflow_state_id].eq(entities[:workflow_state_id])
    ).join(workflow_state_action_permissions).on(
      workflow_state_action_permissions[:workflow_state_action_id].eq(workflow_state_actions[:id])
    ).join(workflow_states).on(
      workflow_states[:id].eq(workflow_state_actions[:originating_workflow_state_id])
    ).join(responsibility).on(
      responsibility[:workflow_role_id].eq(workflow_state_action_permissions[:workflow_role_id])
    )
  end

  where_builder = ->(responsibility) { responsibility[:agent_id].in(user_agent_contraints) }

  entity_specific_joins = join_builder.call(entity_responsibilities)
  workflow_specific_joins = join_builder.call(workflow_responsibilities)

  entity_specific_where = where_builder.call(entity_responsibilities).and(
    entities[:id].eq(entity_responsibilities[:entity_id])
  )
  workflow_specific_where = where_builder.call(workflow_responsibilities)

  Sipity::Entity.where(
    entities[:id].in(entity_specific_joins.where(entity_specific_where))
    .or(entities[:id].in(workflow_specific_joins.where(workflow_specific_where)))
  )
end

.scope_permitted_entity_workflow_state_actions(user:, entity:) ⇒ ActiveRecord::Relation<Sipity::WorkflowStateAction>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

For the given :user and :entity, return an ActiveRecord::Relation, that if resolved, will be collection of Sipity::WorkflowStateAction object to which the user has permission to do something.

An ActiveRecord::Relation scope that meets the following criteria:

  • The actions are available for the given entity’s current state

  • The actions are available for the given user based on their role. Either:

    • Directly via an agent associated with a user

    • Indirectly via an agent associated with a group

Parameters:

  • user (User)
  • entity

    an object that can be converted into a Sipity::Entity

Returns:



375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
# File 'app/services/hyrax/workflow/permission_query.rb', line 375

def scope_permitted_entity_workflow_state_actions(user:, entity:)
  entity = PowerConverter.convert_to_sipity_entity(entity)
  workflow_state_actions = Sipity::WorkflowStateAction
  permissions = Sipity::WorkflowStateActionPermission
  role_scope = scope_processing_workflow_roles_for_user_and_entity(user: user, entity: entity)

  workflow_state_actions.where(
    workflow_state_actions.arel_table[:originating_workflow_state_id].eq(entity.workflow_state_id).and(
      workflow_state_actions.arel_table[:id].in(
        permissions.arel_table.project(
          permissions.arel_table[:workflow_state_action_id]
        ).where(
          permissions.arel_table[:workflow_role_id].in(
            role_scope.arel_table.project(role_scope.arel_table[:id]).where(
              role_scope.arel.constraints.reduce
            )
          )
        )
      )
    )
  )
end

.scope_permitted_workflow_actions_available_for_current_state(user:, entity:) ⇒ ActiveRecord::Relation<Sipity::WorkflowAction>

For the given :user and :entity return only workflow actions that meet all of the following:

  • available for the :entity’s workflow state

  • permitted to be taken by one or more roles in which the user is assigned either at the workflow level or the entity level.

  • Actions to which the user Only actions permitted to the user

Parameters:

  • user (User)
  • entity (#to_sipity_entity)

    an object that can be converted into a Sipity::Entity

Returns:



48
49
50
51
52
53
54
55
56
57
58
# File 'app/services/hyrax/workflow/permission_query.rb', line 48

def scope_permitted_workflow_actions_available_for_current_state(user:, entity:)
  workflow_actions_scope = scope_workflow_actions_available_for_current_state(entity: entity)
  workflow_state_actions_scope = scope_permitted_entity_workflow_state_actions(user: user, entity: entity)
  workflow_actions_scope.where(
    workflow_actions_scope.arel_table[:id].in(
      workflow_state_actions_scope.arel_table.project(
        workflow_state_actions_scope.arel_table[:workflow_action_id]
      ).where(workflow_state_actions_scope.constraints.reduce)
    )
  )
end

.scope_processing_agents_for(user:) ⇒ ActiveRecord::Relation<Sipity::Agent>

An ActiveRecord::Relation scope that meets the following criteria:

  • All of the Processing Agents directly associated with the given :user

Parameters:

Returns:



163
164
165
166
167
168
169
170
171
# File 'app/services/hyrax/workflow/permission_query.rb', line 163

def scope_processing_agents_for(user:)
  return Sipity::Agent.none if user.blank?
  return Sipity::Agent.none unless user.persisted?
  user_agent = PowerConverter.convert_to_sipity_agent(user)
  group_agents = user.groups.map do |g|
    PowerConverter.convert_to_sipity_agent(Hyrax::Group.new(g))
  end
  Sipity::Agent.where(id: group_agents + [user_agent])
end

.scope_processing_workflow_roles_for_user_and_entity(user:, entity:) ⇒ ActiveRecord::Relation<Sipity::WorkflowRole>

For the given :user and :entity, return an ActiveRecord::Relation that, if resolved, will be all of the assocated workflow roles for both the workflow responsibilities and the entity specific responsibilities.

Parameters:

  • user (User)
  • entity

    an object that can be converted into a Sipity::Entity

Returns:



292
293
294
295
296
297
298
299
300
# File 'app/services/hyrax/workflow/permission_query.rb', line 292

def scope_processing_workflow_roles_for_user_and_entity(user:, entity:)
  entity = PowerConverter.convert_to_sipity_entity(entity)
  workflow_scope = scope_processing_workflow_roles_for_user_and_workflow(user: user, workflow: entity.workflow)

  entity_specific_scope = scope_processing_workflow_roles_for_user_and_entity_specific(user: user, entity: entity)
  Sipity::WorkflowRole.where(
    workflow_scope.arel.constraints.reduce.or(entity_specific_scope.arel.constraints.reduce)
  )
end

.scope_processing_workflow_roles_for_user_and_entity_specific(user:, entity:) ⇒ ActiveRecord::Relation<Sipity::WorkflowRole>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

For the given :user and :entity, return an ActiveRecord::Relation that, if resolved, will be all of the assocated workflow roles that are assigned to specifically to the entity (and not the parent workflow).

Parameters:

  • user (User)
  • entity

    an object that can be converted into a Sipity::Entity

Returns:



337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
# File 'app/services/hyrax/workflow/permission_query.rb', line 337

def scope_processing_workflow_roles_for_user_and_entity_specific(user:, entity:)
  entity = PowerConverter.convert_to_sipity_entity(entity)
  agent_scope = scope_processing_agents_for(user: user)

  Sipity::WorkflowRole.where(
    workflow_roles[:id].in(
      entity_responsibilities.project(entity_responsibilities[:workflow_role_id])
      .where(
        entity_responsibilities[:agent_id].in(
          agent_scope.arel_table.project(
            agent_scope.arel_table[:id]
          ).where(
            agent_scope.arel.constraints.reduce.and(entity_responsibilities[:entity_id].eq(entity.id))
          )
        )
      )
    )
  )
end

.scope_processing_workflow_roles_for_user_and_workflow(user:, workflow:) ⇒ ActiveRecord::Relation<Sipity::WorkflowRole>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

For the given :user and :workflow, return an ActiveRecord::Relation that, if resolved, will be all of the assocated workflow roles that are assigned to directly to the workflow.

Parameters:

Returns:



311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
# File 'app/services/hyrax/workflow/permission_query.rb', line 311

def scope_processing_workflow_roles_for_user_and_workflow(user:, workflow:)
  agent_constraints = scope_processing_agents_for(user: user)
  workflow_role_subquery = workflow_roles[:id].in(
    workflow_responsibilities.project(workflow_responsibilities[:workflow_role_id])
    .where(
      workflow_responsibilities[:agent_id].in(
        agent_constraints.arel_table.project(
          agent_constraints.arel_table[:id]
        ).where(agent_constraints.arel.constraints)
      )
    )
  )
  Sipity::WorkflowRole.where(
    workflow_roles[:workflow_id].eq(workflow.id).and(workflow_role_subquery)
  )
end

.scope_roles_associated_with_the_given_entity(entity:) ⇒ ActiveRecord::Relation<Sipity::Role>

Roles associated with the given :entity

Parameters:

  • entity (Object)

    that can be converted into a Sipity::Entity

Returns:



128
129
130
131
132
133
134
135
136
137
138
# File 'app/services/hyrax/workflow/permission_query.rb', line 128

def scope_roles_associated_with_the_given_entity(entity:)
  entity = PowerConverter.convert_to_sipity_entity(entity)
  return Sipity::Role.none unless entity
  Sipity::Role.where(
    Sipity::Role.arel_table[:id].in(
      workflow_roles.project(workflow_roles[:role_id]).where(
        workflow_roles[:workflow_id].eq(entity.workflow_id)
      )
    )
  )
end

.scope_users_for_entity_and_roles(entity:, roles:) ⇒ ActiveRecord::Relation<User>

An ActiveRecord::Relation scope that meets the following criteria:

  • Users that are directly associated with the given entity through one or more of the given roles within the entity’s workflow

  • Users that are indirectly associated with the given entity by group and role.

Parameters:

  • roles (Sipity::Role)
  • entity

    an object that can be converted into a Sipity::Entity

Returns:

  • (ActiveRecord::Relation<User>)


242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
# File 'app/services/hyrax/workflow/permission_query.rb', line 242

def scope_users_for_entity_and_roles(entity:, roles:)
  entity = PowerConverter.convert_to_sipity_entity(entity)
  role_ids = Array.wrap(roles).map { |role| PowerConverter.convert_to_sipity_role(role).id }
  user_polymorphic_type = PowerConverter.convert_to_polymorphic_type(::User)

  user_table = ::User.arel_table
  agent_table = Sipity::Agent.arel_table

  workflow_role_id_subquery = workflow_roles.project(workflow_roles[:id]).where(
    workflow_roles[:workflow_id].eq(entity.workflow_id).and(workflow_roles[:role_id].in(role_ids))
  )

  workflow_agent_id_subquery = workflow_responsibilities.project(workflow_responsibilities[:agent_id]).where(
    workflow_responsibilities[:workflow_role_id].in(workflow_role_id_subquery)
  )

  entity_agent_id_subquery = entity_responsibilities.project(entity_responsibilities[:agent_id]).where(
    entity_responsibilities[:workflow_role_id].in(workflow_role_id_subquery)
      .and(entity_responsibilities[:entity_id].eq(entity.id))
  )

  # Default to "integer" for adapters like Postgres and Sqlite, but cast
  # to "signed" for Mysql. The type CAST causes a SQL syntax error for an
  # unsupported type depending on which adapter is being used.
  type = ActiveRecord::Base.connection.adapter_name.casecmp("mysql2").zero? ? "signed" : "integer"
  cast = Arel::Nodes::NamedFunction.new "CAST", [agent_table[:proxy_for_id].as(type)]

  sub_query_for_user = agent_table.project(cast).where(
    agent_table[:id].in(workflow_agent_id_subquery)
      .or(agent_table[:id].in(entity_agent_id_subquery))
  ).where(
    agent_table[:proxy_for_type].eq(user_polymorphic_type)
  )

  ::User.where(user_table[:id].in(sub_query_for_user))
end

.scope_workflow_actions_available_for_current_state(entity:) ⇒ ActiveRecord::Relation<Sipity::WorkflowAction>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

For the given :entity, return an ActiveRecord::Relation, that if resolved, that lists all of the actions available for the entity and its current state.

  • All actions that are associated with actions that do not have prerequsites

  • All actions that have prerequisites and all of those prerequisites are complete

Parameters:

  • entity

    an object that can be converted into a Sipity::Entity

Returns:



429
430
431
432
# File 'app/services/hyrax/workflow/permission_query.rb', line 429

def scope_workflow_actions_available_for_current_state(entity:)
  workflow_actions_for_current_state = scope_workflow_actions_for_current_state(entity: entity)
  Sipity::WorkflowAction.where(workflow_actions_for_current_state.constraints.reduce)
end

.scope_workflow_actions_for_current_state(entity:) ⇒ ActiveRecord::Relation<Sipity::WorkflowAction>

For the given :entity return an ActiveRecord::Relation that when resolved will be only the workflow actions that:

  • Are available for the entity’s workflow_state

Parameters:

  • entity

    an object that can be converted into a Sipity::Entity

Returns:



407
408
409
410
411
412
413
414
415
416
# File 'app/services/hyrax/workflow/permission_query.rb', line 407

def scope_workflow_actions_for_current_state(entity:)
  entity = PowerConverter.convert_to_sipity_entity(entity)
  state_actions_table = Sipity::WorkflowStateAction.arel_table
  Sipity::WorkflowAction.where(
    Sipity::WorkflowAction.arel_table[:id].in(
      state_actions_table.project(state_actions_table[:workflow_action_id])
        .where(state_actions_table[:originating_workflow_state_id].eq(entity.workflow_state_id))
    )
  )
end

.user_emails_for_entity_and_roles(entity:, roles:) ⇒ Object



279
280
281
# File 'app/services/hyrax/workflow/permission_query.rb', line 279

def user_emails_for_entity_and_roles(entity:, roles:)
  scope_users_for_entity_and_roles(entity: entity, roles: roles).pluck(:email)
end

.workflow_responsibilitiesObject



27
28
29
# File 'app/services/hyrax/workflow/permission_query.rb', line 27

def workflow_responsibilities
  @workflow_responsibilities ||= Sipity::WorkflowResponsibility.arel_table
end

.workflow_rolesObject



31
32
33
# File 'app/services/hyrax/workflow/permission_query.rb', line 31

def workflow_roles
  @workflow_roles ||= Sipity::WorkflowRole.arel_table
end