This repository has been archived by the owner on Jan 5, 2021. It is now read-only.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 44 changed files with 1,199 additions and 103 deletions.
@@ -0,0 +1,89 @@ | ||
# frozen_string_literal: true | ||
|
||
# Overrides existing methods in Blacklight::AccessControls::Ability and adds new methods to provide edit abilities | ||
# to users and groups. Abilities form a hierarchy such that each success ability encompasses the previous. | ||
# | ||
# @example | ||
# (discover) -> (read) -> (download) -> (edit) | ||
# | ||
# Discover access is the "lowest" ability, where edit is the "highest." An edit ability includes the abilities | ||
# of the previous three: download, read, and discover; a download ability includes the abilities of the previous | ||
# two: read and discover; and a read ability also includes the discover ability. | ||
module AccessControls::EditAbility | ||
extend ActiveSupport::Concern | ||
|
||
def edit_permissions | ||
can :edit, String do |id| | ||
test_edit(id) | ||
end | ||
|
||
can :edit, SolrDocument do |obj| | ||
cache.put(obj.id, obj) | ||
test_edit(obj.id) | ||
end | ||
end | ||
|
||
def test_edit(id) | ||
Rails.logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}") | ||
group_intersection = user_groups & edit_groups(id) | ||
!group_intersection.empty? || edit_users(id).include?(current_user.user_key) | ||
end | ||
|
||
# download and edit access implies read access, so read_groups is the union of download, edit, and read groups. | ||
def read_groups(id) | ||
doc = permissions_doc(id) | ||
return [] if doc.nil? | ||
|
||
rg = download_groups(id) | edit_groups(id) | Array(doc[self.class.read_group_field]) | ||
Rails.logger.debug("[CANCAN] read_groups: #{rg.inspect}") | ||
rg | ||
end | ||
|
||
# download and edit access implies read access, so read_users is the union of download, edit, and read users. | ||
def read_users(id) | ||
doc = permissions_doc(id) | ||
return [] if doc.nil? | ||
|
||
rp = download_users(id) | edit_users(id) | Array(doc[self.class.read_user_field]) | ||
Rails.logger.debug("[CANCAN] read_users: #{rp.inspect}") | ||
rp | ||
end | ||
|
||
# edit access implies download access, so download_groups is the union of edit and download groups | ||
def download_groups(id) | ||
doc = permissions_doc(id) | ||
return [] if doc.nil? | ||
|
||
dg = edit_groups(id) | Array(doc[self.class.download_group_field]) | ||
Rails.logger.debug("[CANCAN] download_groups: #{dg.inspect}") | ||
dg | ||
end | ||
|
||
# edit access implies download access, so download_users is the union of edit and download users | ||
def download_users(id) | ||
doc = permissions_doc(id) | ||
return [] if doc.nil? | ||
|
||
dp = edit_users(id) | Array(doc[self.class.download_user_field]) | ||
Rails.logger.debug("[CANCAN] download_users: #{dp.inspect}") | ||
dp | ||
end | ||
|
||
def edit_groups(id) | ||
doc = permissions_doc(id) | ||
return [] if doc.nil? | ||
|
||
eg = Array(doc[Blacklight::AccessControls.config.edit_group_field]) | ||
Rails.logger.debug("[CANCAN] edit_groups: #{eg.inspect}") | ||
eg | ||
end | ||
|
||
def edit_users(id) | ||
doc = permissions_doc(id) | ||
return [] if doc.nil? | ||
|
||
ep = Array(doc[Blacklight::AccessControls.config.edit_user_field]) | ||
Rails.logger.debug("[CANCAN] edit_users: #{ep.inspect}") | ||
ep | ||
end | ||
end |
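Review bot: read_groups(id) resolves permissions_doc(id) four times per call (once itself, once inside download_groups, and once in each of the two edit_groups calls, the one reached through download_groups and the direct one), and read_users does the same; fetch the doc once and pass it down, for example by having edit_groups and friends take the doc rather than the id, so that one permission check is one Solr lookup instead of several that can observe different index states. Two smaller points: the module comment reads "each success ability encompasses the previous" and should say "successive"; and test_edit logs current_user.user_key together with the full group list on every check, which puts user identifiers into the log for every edit test, so consider logging only the id and the outcome. It would also help to say in a comment why read_groups uses self.class.read_group_field while edit_groups goes straight to Blacklight::AccessControls.config.edit_group_field.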
@@ -0,0 +1,13 @@ | ||
# frozen_string_literal: true | ||
|
||
# Overrides the search builder provided by Blacklight::AccessControls to add additional filter queries to | ||
# the Solr query build during search results. The field names are defined in AccessControls::WithEditFields | ||
# and are used to restrict search results to items that the user has edit access to, as well as the existing | ||
# fields for read and discover. | ||
module AccessControls | ||
class SearchBuilder < Blacklight::AccessControls::SearchBuilder | ||
def default_permission_types | ||
%w[discover read edit] | ||
end | ||
end | ||
end |
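Review bot: default_permission_types omits download, which is inconsistent with the hierarchy AccessControls::EditAbility declares (download implies read, so read_groups is the union of download, edit and read groups). A user whose only grant on an item is in the download group or user field passes the ability's read check, but because gated discovery only filters on the discover, read and edit fields the item never appears in search results. Either add download here (the ability already references self.class.download_group_field and download_user_field, so the config presumably exposes them the way WithEditFields exposes the edit fields) or state in the comment that download-only grants are intentionally not searchable.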
@@ -0,0 +1,14 @@ | ||
# frozen_string_literal: true | ||
|
||
# Module designed to be prepended to Blacklight::AccessControls::Config to allow for edit users and groups. | ||
module AccessControls::WithEditFields | ||
attr_writer :edit_group_field, :edit_user_field | ||
|
||
def edit_group_field | ||
@edit_group_field || 'edit_access_group_ssim' | ||
end | ||
|
||
def edit_user_field | ||
@edit_user_field || 'edit_access_person_ssim' | ||
end | ||
end |
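Review bot: the place where this module is prepended to Blacklight::AccessControls::Config is not in the change; please name it in the comment, because AccessControls::EditAbility#edit_groups and #edit_users call Blacklight::AccessControls.config.edit_group_field and .edit_user_field directly and the search builder resolves the same methods for the edit permission type, so a missing prepend raises NoMethodError on every edit check. The readers fall back to the defaults when the writer is handed nil, which is fine, but document that edit_access_group_ssim and edit_access_person_ssim deliberately mirror the upstream read_access_* naming, since the indexer has to write exactly those fields for the filters to match.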
@@ -0,0 +1,21 @@ | ||
# frozen_string_literal: true | ||
|
||
module Repository::Access::ChangeSetBehaviors | ||
extend ActiveSupport::Concern | ||
|
||
included do | ||
property :system_creator, multiple: false, required: true | ||
validates :system_creator, presence: true | ||
|
||
property :current_user, multiple: false, required: false, virtual: true | ||
|
||
property :discover_groups, multiple: true, required: false | ||
property :discover_users, multiple: true, required: false | ||
property :read_groups, multiple: true, required: false | ||
property :read_users, multiple: true, required: false | ||
property :download_groups, multiple: true, required: false | ||
property :download_users, multiple: true, required: false | ||
property :edit_users, multiple: true, required: false | ||
property :edit_groups, multiple: true, required: false | ||
end | ||
end |
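Review bot: system_creator and the discover_*, read_*, download_* and edit_* lists are declared as ordinary persisted properties, so whatever path builds this change set from request parameters can set them; only current_user is virtual. Please confirm that the controller's permitted-params list excludes system_creator, edit_users and edit_groups (or that the transaction pipeline overwrites them), because Transaction::Operations::AccessControls::Permissions copies system_creator into edit_users and a client-supplied value there would become an editor. Also note that required: true plus validates presence on system_creator means a change set validated before SystemCreator has run, or built without a current_user, fails validation; that looks intended but deserves a comment.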
app/cho/transaction/operations/access_controls/access_level.rb (17 additions & 0 deletions)
@@ -0,0 +1,17 @@ | ||
# frozen_string_literal: true | ||
|
||
module Transaction::Operations::AccessControls | ||
class AccessLevel | ||
include Dry::Transaction::Operation | ||
|
||
def call(change_set) | ||
return Success(change_set) if change_set.try(:access_level).blank? | ||
|
||
remaining_groups = change_set.read_groups - Repository::AccessLevel.names | ||
change_set.read_groups = remaining_groups + [change_set.access_level] | ||
Success(change_set) | ||
rescue StandardError => e | ||
Failure(Transaction::Rejection.new('Error applying access level', e)) | ||
end | ||
end | ||
end |
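Review bot: change_set.access_level is appended to read_groups without checking that it is one of Repository::AccessLevel.names; the preceding line only strips the known names, so an unexpected value (a typo, or a client-supplied string if access_level arrives from params) is stored as a brand-new read group instead of being rejected. Add a guard such as `return Failure(Transaction::Rejection.new('Unknown access level')) unless Repository::AccessLevel.names.include?(change_set.access_level)` before the assignment. The rescue StandardError around a two-line body also turns any programming error into the generic 'Error applying access level' rejection; rescuing only what the change set can raise, or letting unexpected errors propagate, keeps failures diagnosable.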
app/cho/transaction/operations/access_controls/permissions.rb (18 additions & 0 deletions)
@@ -0,0 +1,18 @@ | ||
# frozen_string_literal: true | ||
|
||
module Transaction::Operations::AccessControls | ||
class Permissions | ||
include Dry::Transaction::Operation | ||
|
||
# @return [Valkyrie::ChangeSet] | ||
# @note duplicate members can be removed by the underlying resource model | ||
def call(change_set) | ||
return Success(change_set) unless change_set.class.ancestors.include?(Repository::Access::ChangeSetBehaviors) | ||
|
||
change_set.edit_users += [change_set.system_creator] | ||
Success(change_set) | ||
rescue StandardError => e | ||
Failure(Transaction::Rejection.new('Error applying permissions', e)) | ||
end | ||
end | ||
end |
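Review bot: change_set.edit_users += [change_set.system_creator] appends nil when system_creator is unset, which is exactly what SystemCreator leaves behind when the change set has no current_user; the note about the model removing duplicates does not cover a nil member. Guard with `return Success(change_set) if change_set.system_creator.blank?` (or compact the result) and say in the comment that this operation must run after SystemCreator in the transaction, since that ordering is the only thing that makes the creator an editor. The ancestors.include? test can be written as change_set.is_a?(Repository::Access::ChangeSetBehaviors), which reads more directly.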
app/cho/transaction/operations/access_controls/system_creator.rb (23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
# frozen_string_literal: true | ||
|
||
module Transaction::Operations::AccessControls | ||
class SystemCreator | ||
include Dry::Transaction::Operation | ||
|
||
def call(change_set) | ||
return Success(change_set) if change_set.persisted? | ||
|
||
updated_change_set = add_system_creator(change_set) | ||
Success(updated_change_set) | ||
rescue StandardError => e | ||
Failure(Transaction::Rejection.new('Error applying system creator', e)) | ||
end | ||
|
||
def add_system_creator(change_set) | ||
return change_set unless change_set.try(:current_user) | ||
|
||
change_set.system_creator = change_set.current_user.login | ||
change_set | ||
end | ||
end | ||
end |
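Review bot: add_system_creator stores current_user.login, but AccessControls::EditAbility#test_edit matches edit_users against current_user.user_key; because Permissions copies system_creator into edit_users, the creator only gains edit access if the User model's user_key happens to be its login. Use the same accessor in both places, or document that login and user_key are guaranteed identical. Separately, when current_user is absent the change set is returned unchanged and the problem surfaces later as a presence-validation error on system_creator; returning a Failure here with a clear message would be easier to act on.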
app/cho/transaction/operations/shared/apply_access_level.rb (0 additions & 21 deletions): this file was deleted.