Add access control enforcement for Item Record.

Closes #233

app/controllers/catalog_controller.rb

@@ -3,11 +3,12 @@
 
 class CatalogController < ApplicationController
 
-  include Blacklight::Catalog
+  include Hydra::Catalog
   include Hydra::Controller::ControllerBehavior
-  include Hydra::Controller::SearchBuilder
   # This applies appropriate access controls to all solr queries
   self.search_params_logic += [:add_access_controls_to_solr_params]
+  # Apply access controls to show.
+  before_filter :enforce_show_permissions, :only => :show
 
   def blacklight_config
     @blacklight_config ||= config_builder.configuration
@@ -16,4 +17,13 @@ def blacklight_config
   def config_builder
     @config_builder ||= BlacklightConfig.new(GenericAsset, self.class.blacklight_config)
   end
+
+  private
+
+  def enforce_show_permissions
+    permissions = current_ability.permissions_doc(params[:id])
+    unless can? :read, permissions
+      raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
+    end
+  end
 end

spec/controllers/catalog_controller_spec.rb

@@ -5,13 +5,24 @@
     context "when given an image" do
       render_views
       it "should render the image show view" do
-        i = Image.create
+        i = Image.create(:read_groups => ["public"])
 
         get 'show', :id => i.id
 
         expect(response).to render_template "catalog/_show_image"
       end
     end
+    describe "permissions" do
+      context "when the user has no permission" do
+        it "should redirect" do
+          i = Image.create
+
+          get 'show', :id => i.id
+
+          expect(response).to be_redirect
+        end
+      end
+    end
     describe "nt" do
       it "should return ntriples" do
         title = ["yo"]