diff --git a/app/controllers/catalog_controller.rb b/app/controllers/catalog_controller.rb
index 82ad4c0..cf7e892 100644
--- a/app/controllers/catalog_controller.rb
+++ b/app/controllers/catalog_controller.rb
@@ -3,11 +3,12 @@ class CatalogController < ApplicationController
-  include Blacklight::Catalog
+  include Hydra::Catalog
   include Hydra::Controller::ControllerBehavior
-  include Hydra::Controller::SearchBuilder
   # This applies appropriate access controls to all solr queries
   self.search_params_logic += [:add_access_controls_to_solr_params]
+  # Apply access controls to show.
+  before_filter :enforce_show_permissions, :only => :show
   def blacklight_config
     @blacklight_config ||= config_builder.configuration
@@ -16,4 +17,13 @@ def blacklight_config
   def config_builder
     @config_builder ||= BlacklightConfig.new(GenericAsset, self.class.blacklight_config)
   end
+
+  private
+
+  def enforce_show_permissions
+    permissions = current_ability.permissions_doc(params[:id])
+    unless can? :read, permissions
+      raise Hydra::AccessDenied.new("You do not have sufficient access privileges to read this document, which has been marked private.", :read, params[:id])
+    end
+  end
 end
diff --git a/spec/controllers/catalog_controller_spec.rb b/spec/controllers/catalog_controller_spec.rb
index fb16e8e..c55ce6a 100644
--- a/spec/controllers/catalog_controller_spec.rb
+++ b/spec/controllers/catalog_controller_spec.rb
@@ -5,13 +5,24 @@
   context "when given an image" do
     render_views
     it "should render the image show view" do
-      i = Image.create
+      i = Image.create(:read_groups => ["public"])
       get 'show', :id => i.id
       expect(response).to render_template "catalog/_show_image"
     end
   end
+  describe "permissions" do
+    context "when the user has no permission" do
+      it "should redirect" do
+        i = Image.create
+
+        get 'show', :id => i.id
+
+        expect(response).to be_redirect
+      end
+    end
+  end
   describe "nt" do
     it "should return ntriples" do
       title = ["yo"]
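Review bot: The `:only => :show` scope on the new `before_filter` guards just the `show` action, so any other action in this controller or inherited from `Hydra::Catalog` that renders a single document by id is still covered only by `add_access_controls_to_solr_params`, which filters search results rather than direct lookups. If limiting the check to `show` is deliberate, the one-line comment should say why: `# Search results are filtered by add_access_controls_to_solr_params; a direct GET of a document id is checked separately here.` `before_filter` is the pre-Rails-5 spelling; if the app is on a newer Rails, `before_action` is the supported name. The class body continues outside the hunk.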
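Review bot: In `enforce_show_permissions` the value returned by `current_ability.permissions_doc(params[:id])` is passed straight to `can? :read, permissions` without a nil check, so for an id that has no permissions document the outcome depends on how the ability treats a nil subject — the hunk does not make clear whether that is a denial or an error, and the new spec only exercises an existing document. An explicit guard such as `raise Hydra::AccessDenied.new("Document not found or not readable.", :read, params[:id]) if permissions.nil?` before the `unless` would pin that behaviour down (message is a constructed example). The raised message asserts the document "has been marked private", which is not necessarily the reason for a denial; a neutral wording avoids leaking an inaccurate reason. Nothing in this hunk rescues `Hydra::AccessDenied`, yet the spec expects a redirect, so that presumably comes from `Hydra::Controller::ControllerBehavior`; a comment above the `raise` noting where the exception is turned into a redirect would help the next reader, e.g. `# Hydra::AccessDenied is rescued by the controller behavior mixin and rendered as a redirect.`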