-
Notifications
You must be signed in to change notification settings - Fork 16
/
ability.rb
150 lines (120 loc) · 5.6 KB
/
ability.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
module Curate
module Ability
extend ActiveSupport::Concern
included do
self.ability_logic += [:curate_permissions, :collection_permissions]
end
def curate_permissions
alias_action :confirm, :copy, :to => :update
if current_user.manager?
can [:discover, :show, :read, :edit, :update, :destroy], :all
end
can :edit, Person do |p|
p.pid == current_user.repository_id
end
can [:show, :read, :update, :destroy], [Curate.configuration.curation_concerns] do |w|
u = ::User.find_by_user_key(w.owner)
u && u.can_receive_deposits_from.include?(current_user)
end
end
def collection_permissions
can :collect, :all
end
# Overriding hydra-access-controls in order to enforce embargo
def edit_permissions
can [:edit, :update, :destroy], String do |pid|
test_edit(pid)
end
can [:edit, :update, :destroy], ActiveFedora::Base do |obj|
test_edit(obj)
end
can :edit, SolrDocument do |obj|
cache.put(obj.id, obj)
test_edit(obj.id)
end
end
# Overriding hydra-access-controls in order to enforce embargo
def read_permissions
can :read, String do |pid|
test_read(pid)
end
# Had to add obj to params because test_read needs to check embargo
can :read, ActiveFedora::Base do |obj|
test_read(obj)
end
can :read, SolrDocument do |obj|
cache.put(obj.id, obj)
test_read(obj.id)
end
end
def test_read(obj)
if obj.is_a? ActiveFedora::Base
test_read_fedora_object(obj)
else
test_read_solr(obj)
end
end
def test_edit(obj)
if obj.is_a? ActiveFedora::Base
test_edit_fedora_object(obj)
else
test_read_solr(obj)
end
end
# Need a custom method to enforce embargo when a Fedora object is input, like on the CanCan authorize checks.
def test_read_fedora_object(fedora_object)
logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
# Get the user's groups
group_intersection = user_groups & read_groups(fedora_object.pid)
# Don't use public and registered groups when enforcing embargo
embargo_group_intersection = group_intersection - ["public", "registered"]
# Under embargo and the current user has read permissions
if fedora_object.respond_to?(:under_embargo?) && fedora_object.under_embargo? && (read_persons(fedora_object.pid).include?(current_user.user_key) || !embargo_group_intersection.empty?)
result = true
# Under embargo and the current user doesn't have read permissions
elsif fedora_object.respond_to?(:under_embargo?) && fedora_object.under_embargo? && (!read_persons(fedora_object.pid).include?(current_user.user_key) && embargo_group_intersection.empty?)
result = false
# Not under embargo, using the default hydra-acess-controls check
else
result = !group_intersection.empty? && read_persons(fedora_object.pid).include?(current_user.user_key)
end
logger.debug("[CANCAN] decision: #{result}")
result
end
# Need a custom method to enforce embargo when a Fedora object is input, like on the CanCan authorize checks.
def test_edit_fedora_object(fedora_object)
logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
# Get the user's groups
group_intersection = user_groups & edit_groups(fedora_object.pid)
# Don't use public and registered groups when enforcing embargo
embargo_group_intersection = group_intersection - ["public", "registered"]
# Under embargo and the current user has edit permissions
if fedora_object.respond_to?(:under_embargo?) && fedora_object.under_embargo? && (edit_persons(fedora_object.pid).include?(current_user.user_key) || !embargo_group_intersection.empty?)
result = true
# Under embargo and the current user doesn't have edit permissions
elsif fedora_object.respond_to?(:under_embargo?) && fedora_object.under_embargo? && (!edit_persons(fedora_object.pid).include?(current_user.user_key) && embargo_group_intersection.empty?)
result = false
# Not under embargo, using the default hydra-acess-controls check
else
result = !group_intersection.empty? || edit_persons(fedora_object.pid).include?(current_user.user_key)
end
logger.debug("[CANCAN] decision: #{result}")
result
end
# Copied this method hydra-access-controls ability.rb#test_read. Embargo is already enforced on Solr search so it's not enforced here.
def test_read_solr(pid)
logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
group_intersection = user_groups & read_groups(pid)
result = !group_intersection.empty? || read_persons(pid).include?(current_user.user_key)
result
end
# Copied this method hydra-access-controls ability.rb#test_edit. Embargo is already enforced on Solr search so it's not enforced here.
def test_edit_solr(pid)
logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
group_intersection = user_groups & edit_groups(pid)
result = !group_intersection.empty? || edit_persons(pid).include?(current_user.user_key)
logger.debug("[CANCAN] decision: #{result}")
result
end
end
end