Merge pull request #77 from pulibrary/roles

Add Plum roles & tests

.rubocop.yml

@@ -25,6 +25,7 @@ Rails/OutputSafety:
     - 'app/decorators/**/*'
 Metrics/BlockLength:
   Exclude:
+    - 'valhalla/app/models/concerns/valhalla/ability.rb'
     - 'app/controllers/catalog_controller.rb'
     - 'app/models/book_workflow.rb'
     - 'config/environments/**/*'

app/change_sets/scanned_resource_change_set.rb

@@ -19,6 +19,7 @@ class ScannedResourceChangeSet < Valkyrie::ChangeSet
   property :member_of_collection_ids, multiple: true, required: false, type: Types::Strict::Array.member(Valkyrie::Types::ID)
   property :logical_structure, multiple: true, required: false, type: Types::Strict::Array.member(Structure), default: [Structure.new(label: "Logical", nodes: [])]
   property :state, multiple: false, required: true, default: BookWorkflow.aasm.initial_state.to_s
+  property :read_groups, multiple: true, required: false
 
   # Virtual Attributes
   property :refresh_remote_metadata, virtual: true, multiple: false
@@ -48,6 +49,19 @@ def primary_terms
     ]
   end
 
+  def visibility=(visibility)
+    super.tap do |_result|
+      case visibility
+      when Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
+        self.read_groups = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
+      when Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
+        self.read_groups = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED]
+      when Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
+        self.read_groups = []
+      end
+    end
+  end
+
   # Validate that either the source_metadata_identifier or the title is set.
   def source_metadata_identifier_or_title
     return if source_metadata_identifier.present? || Array.wrap(title).first.present?

app/models/ability.rb

@@ -3,8 +3,122 @@ class Ability
   include Valhalla::Ability
   # Define any customized permissions here.
   def custom_permissions
-    return unless current_user.admin?
-    can :manage, Valkyrie::Resource if current_user.admin?
-    can :manage, Role
+    alias_action :show, :manifest, to: :read
+    alias_action :color_pdf, :pdf, :edit, :browse_everything_files, :structure, :file_manager, to: :modify
+    roles.each do |role|
+      send "#{role}_permissions" if current_user.send "#{role}?"
+    end
+  end
+
+  # Abilities that should only be granted to admin users
+  def admin_permissions
+    can [:manage], :all
+  end
+
+  # Abilities that should be granted to technicians
+  def image_editor_permissions
+    can [:read, :create, :modify, :update, :publish], curation_concerns
+    can [:create, :read, :edit, :update, :publish, :download], FileSet
+    can [:create, :read, :edit, :update, :publish], Collection
+
+    # do not allow completing resources
+    cannot [:complete], curation_concerns
+
+    # only allow deleting for own objects, without ARKs
+    can [:destroy], FileSet do |obj|
+      obj.depositor == [current_user.uid]
+    end
+    can [:destroy], curation_concerns do |obj|
+      obj.depositor == [current_user.uid]
+    end
+    cannot [:destroy], curation_concerns do |obj|
+      !obj.identifier.blank?
+    end
+  end
+
+  def completer_permissions
+    can [:read, :modify, :update], curation_concerns
+    can [:read, :edit, :update], FileSet
+    can [:read, :edit, :update], Collection
+
+    # allow completing resources
+    can [:complete], curation_concerns
+
+    curation_concern_read_permissions
+  end
+
+  def editor_permissions
+    can [:read, :modify, :update], curation_concerns
+    can [:read, :edit, :update], FileSet
+    can [:read, :edit, :update], Collection
+
+    # do not allow completing resources
+    cannot [:complete], curation_concerns
+
+    curation_concern_read_permissions
+  end
+
+  def fulfiller_permissions
+    can [:read], curation_concerns
+    can [:read, :download], FileSet
+    can [:read], Collection
+    curation_concern_read_permissions
+  end
+
+  def curator_permissions
+    can [:read], curation_concerns
+    can [:read], FileSet
+    can [:read], Collection
+
+    # do not allow viewing pending resources
+    curation_concern_read_permissions
+  end
+
+  # Abilities that should be granted to patron
+  def campus_patron_permissions
+    anonymous_permissions
+  end
+
+  def anonymous_permissions
+    # do not allow viewing incomplete resources
+    curation_concern_read_permissions
+  end
+
+  def curation_concern_read_permissions
+    cannot [:read], curation_concerns do |curation_concern|
+      !readable_concern?(curation_concern)
+    end
+    can :pdf, curation_concerns do |curation_concern|
+      ["color", "gray"].include?(Array(curation_concern.pdf_type).first)
+    end
+    can :color_pdf, curation_concerns do |curation_concern|
+      curation_concern.pdf_type == ["color"]
+    end
+  end
+
+  def readable_concern?(curation_concern)
+    !unreadable_states.include?(curation_concern.state.first)
+  end
+
+  def unreadable_states
+    if current_user.curator?
+      %w[pending]
+    elsif universal_reader?
+      []
+    else
+      %w[pending metadata_review final_review takedown]
+    end
+  end
+
+  def universal_reader?
+    current_user.curator? || current_user.image_editor? || current_user.completer? || current_user.fulfiller? || current_user.editor? || current_user.admin?
+  end
+
+  def roles
+    ['anonymous', 'campus_patron', 'completer', 'curator', 'fulfiller', 'editor', 'ephemera_editor', 'image_editor', 'admin']
+  end
+
+  def curation_concerns
+    [ScannedResource]
   end
 end

app/models/file_set.rb

@@ -5,6 +5,7 @@ class FileSet < Valhalla::Resource
   attribute :title, Valkyrie::Types::Set
   attribute :member_ids, Valkyrie::Types::Array
   attribute :file_metadata, Valkyrie::Types::Set.member(FileMetadata.optional)
+  attribute :depositor
 
   def thumbnail_id
     id

app/models/scanned_resource.rb

@@ -7,6 +7,7 @@ class ScannedResource < Valhalla::Resource
   attribute :member_of_collection_ids
   attribute :imported_metadata, Valkyrie::Types::Set.member(ImportedMetadata).optional
   attribute :state
+  attribute :depositor
   # Books
   attribute :source_metadata_identifier
   attribute :title

app/models/user.rb

@@ -27,4 +27,36 @@ def to_s
   def admin?
     groups.include?('admin')
   end
+
+  def ephemera_editor?
+    roles.where(name: 'ephemera_editor').exists?
+  end
+
+  def image_editor?
+    roles.where(name: 'image_editor').exists?
+  end
+
+  def completer?
+    roles.where(name: 'completer').exists?
+  end
+
+  def editor?
+    roles.where(name: 'editor').exists?
+  end
+
+  def fulfiller?
+    roles.where(name: 'fulfiller').exists?
+  end
+
+  def curator?
+    roles.where(name: 'curator').exists?
+  end
+
+  def campus_patron?
+    persisted? && provider == "cas"
+  end
+
+  def anonymous?
+    !persisted?
+  end
 end

spec/change_set_persisters/plum_change_set_persister_spec.rb

@@ -150,4 +150,37 @@
       end
     end
   end
+
+  describe "setting visibility" do
+    context "when setting to public" do
+      it "adds the public read_group" do
+        resource = FactoryGirl.build(:scanned_resource, read_groups: [])
+        change_set = change_set_class.new(resource)
+        change_set.validate(visibility: 'open')
+        change_set.sync
+
+        expect(change_set.model.read_groups).to eq [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
+      end
+    end
+    context "when setting to princeton only" do
+      it "adds the authenticated read_group" do
+        resource = FactoryGirl.build(:scanned_resource, read_groups: [])
+        change_set = change_set_class.new(resource)
+        change_set.validate(visibility: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED)
+        change_set.sync
+
+        expect(change_set.model.read_groups).to eq [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED]
+      end
+    end
+    context "when setting to private" do
+      it "removes all read groups" do
+        resource = FactoryGirl.build(:scanned_resource, read_groups: ['public'])
+        change_set = change_set_class.new(resource)
+        change_set.validate(visibility: Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE)
+        change_set.sync
+
+        expect(change_set.model.read_groups).to eq []
+      end
+    end
+  end
 end

spec/controllers/catalog_controller_spec.rb

@@ -127,7 +127,7 @@
 
     context "when not logged in" do
       it "does not display resources without the `public` read_groups" do
-        persister.save(resource: FactoryGirl.build(:scanned_resource, read_groups: nil))
+        FactoryGirl.create_for_repository(:complete_private_scanned_resource)
 
         get :index, params: { q: "" }
 

spec/factories/collection.rb

@@ -8,5 +8,8 @@
     to_create do |instance|
       Valkyrie.config.metadata_adapter.persister.save(resource: instance)
     end
+    factory :private_collection do
+      visibility 'private'
+    end
   end
 end

spec/factories/file_set.rb

@@ -5,5 +5,11 @@
     to_create do |instance|
       Valkyrie.config.metadata_adapter.persister.save(resource: instance)
     end
+    transient do
+      user nil
+    end
+    after(:build) do |resource, evaluator|
+      resource.depositor = evaluator.user.uid if evaluator.user.present?
+    end
   end
 end

spec/factories/scanned_resource.rb

@@ -3,13 +3,25 @@
   factory :scanned_resource do
     title 'Title'
     rights_statement RDF::URI('http://rightsstatements.org/vocab/NKC/1.0/')
-    visibility 'open'
     read_groups 'public'
+    pdf_type ["gray"]
     to_create do |instance|
       Valkyrie.config.metadata_adapter.persister.save(resource: instance)
     end
     transient do
       files []
+      user nil
+      visibility Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
+    end
+    after(:build) do |resource, evaluator|
+      resource.depositor = evaluator.user.uid if evaluator.user.present?
+      if evaluator.visibility.present?
+        change_set = ScannedResourceChangeSet.new(resource)
+        change_set.validate(visibility: Array(evaluator.visibility).first)
+        change_set.sync
+        resource = change_set.model
+      end
+      resource
     end
     after(:create) do |resource, evaluator|
       if evaluator.files.present?
@@ -19,5 +31,37 @@
         ).save(change_set: ScannedResourceChangeSet.new(resource, files: evaluator.files))
       end
     end
+    factory :open_scanned_resource do
+      visibility Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
+    end
+    factory :complete_open_scanned_resource do
+      state "complete"
+    end
+    factory :complete_private_scanned_resource do
+      state "complete"
+      visibility Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
+    end
+    factory :takedown_scanned_resource do
+      state "takedown"
+    end
+    factory :flagged_scanned_resource do
+      state "flagged"
+    end
+    factory :pending_scanned_resource do
+      state "pending"
+    end
+    factory :complete_campus_only_scanned_resource do
+      state "complete"
+      visibility Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_AUTHENTICATED
+    end
+    factory :metadata_review_scanned_resource do
+      state "metadata_review"
+    end
+    factory :final_review_scanned_resource do
+      state "final_review"
+    end
+    factory :complete_scanned_resource do
+      state "complete"
+    end
   end
 end