module Hydra::Ability

Public Class Methods

new(user, options = {})
# File lib/hydra/ability.rb, line 23
# Builds the ability for +user+ and registers the default permission rules.
#
# @param user [Object, nil] the signed-in user; a falsy value is replaced by a
#   new instance of Hydra::Ability.user_class, which stands in for a guest
# @param options [Hash] stored unchanged in @options
#
# The rules registered here are evaluated for guests too, so every check
# (for example test_edit) sees whatever user_key and groups the guest
# object reports.
def initialize(user, options = {})
  @options = options
  @cache = Blacklight::AccessControls::PermissionsCache.new

  # Not logged in: fall back to a freshly built guest user.
  effective_user = user || Hydra::Ability.user_class.new
  @current_user = effective_user
  # Kept only for overrides that still read @user; new code should not.
  @user = effective_user

  hydra_default_permissions
end
user_class()
# File lib/hydra/ability.rb, line 19
# Resolves the class used to build user objects.
#
# Returns the constant named by Hydra.config[:user_model] when that setting
# is truthy, otherwise the top-level ::User class.
#
# NOTE(review): constantize resolves whatever constant name the setting
# holds, so :user_model must only ever be set from application-controlled
# configuration, never from request data.
def self.user_class
  configured_model = Hydra.config[:user_model]
  return ::User unless configured_model

  configured_model.constantize
end

Public Instance Methods

create_permissions()
# File lib/hydra/ability.rb, line 35
# Extension point for create rules; does nothing by default.
#
# This is run automatically as part of self.ability_logic. Override it in
# your own Ability class to set default create permissions; until then no
# create rule is registered by this method.
def create_permissions
  nil
end
custom_permissions()

Override custom permissions in your own app to add more permissions beyond what is defined by default.

# File lib/hydra/ability.rb, line 81
# Extension point for application-specific rules; empty by default.
#
# Override this in your own app to add permissions beyond the defaults.
# Anything granted here widens access, so keep each added rule as narrow
# as the feature needs.
def custom_permissions
  nil
end
discover_permissions()
Calls superclass method
# File lib/hydra/ability.rb, line 63
# Registers the :discover rule for ActiveFedora::Base objects on top of
# whatever the superclass method registers.
#
# The object itself is not inspected; only its id is handed to
# test_discover, which makes the decision.
def discover_permissions
  super
  can(:discover, ActiveFedora::Base) { |obj| test_discover(obj.id) }
end
download_permissions()

Download permissions are exercised in Hydra::Controller::DownloadBehavior

# File lib/hydra/ability.rb, line 72
# Registers the :download rule for ActiveFedora::File.
#
# A file has no access rule of its own here: downloading is allowed exactly
# when the current ability can :read the parent resource. The parent is
# found by dropping the last path segment of the file's URI and converting
# the remainder to an id.
#
# NOTE(review): the pattern ends in `$`, which in Ruby matches at the end of
# any line, not only at the end of the string. That is equivalent to `\z`
# as long as the URI contains no newline; confirm URIs reaching this rule
# are always well-formed, since the derived id decides the read check.
def download_permissions
  can :download, ActiveFedora::File do |file|
    parent_id = ActiveFedora::Base.uri_to_id(file.uri.to_s.sub(/\/[^\/]*$/, ''))
    # Download is granted only through read access to the parent resource.
    can?(:read, parent_id)
  end
end
edit_permissions()
# File lib/hydra/ability.rb, line 39
# Registers the :edit, :update and :destroy rules for the three subject
# kinds the ability accepts: a bare id String, an ActiveFedora::Base object
# and a SolrDocument. Every branch ends in test_edit on the id.
#
# Because loading an object from Fedora can be slow, any String is assumed
# to be an object id. Callers must therefore pass only real ids here; the
# rule cannot tell an id from any other string.
def edit_permissions
  can(%i[edit update destroy], String) { |id| test_edit(id) }

  can(%i[edit update destroy], ActiveFedora::Base) { |obj| test_edit(obj.id) }

  can(%i[edit update destroy], SolrDocument) do |solr_doc|
    # Store the document under its id before running the check.
    cache.put(solr_doc.id, solr_doc)
    test_edit(solr_doc.id)
  end
end
hydra_default_permissions()
# File lib/hydra/ability.rb, line 31
# Entry point called from the constructor to install the default rules.
#
# It only delegates to grant_permissions and returns that method's result;
# override it to change which rules a new ability starts with.
def hydra_default_permissions
  grant_permissions
end
read_permissions()
Calls superclass method
# File lib/hydra/ability.rb, line 55
# Registers the :read rule for ActiveFedora::Base objects on top of whatever
# the superclass method registers.
#
# Only the object's id is passed on; test_read makes the decision.
def read_permissions
  super
  can(:read, ActiveFedora::Base) { |obj| test_read(obj.id) }
end

Protected Instance Methods

edit_groups(id)
# File lib/hydra/ability.rb, line 94
# Lists the groups that may edit the object with the given id.
#
# Reads the permissions document for +id+ and returns the value stored under
# self.class.edit_group_field. Returns an empty array when there is no
# permissions document or the field is missing, so an unknown object grants
# edit access to no group.
#
# The resolved list is written to the Rails log at debug level.
def edit_groups(id)
  permissions = permissions_doc(id)
  return [] if permissions.nil?

  (permissions[self.class.edit_group_field] || []).tap do |groups|
    Rails.logger.debug("[CANCAN] edit_groups: #{groups.inspect}")
  end
end
edit_users(id)
# File lib/hydra/ability.rb, line 110
# Lists the users that may edit the object with the given id.
#
# Reads the permissions document for +id+ and returns the value stored under
# self.class.edit_user_field. Returns an empty array when there is no
# permissions document or the field is missing, so an unknown object grants
# edit access to no individual user.
#
# The resolved list is written to the Rails log at debug level.
def edit_users(id)
  permissions = permissions_doc(id)
  return [] if permissions.nil?

  (permissions[self.class.edit_user_field] || []).tap do |users|
    Rails.logger.debug("[CANCAN] edit_users: #{users.inspect}")
  end
end
read_groups(id)

edit implies read, so read_groups is the union of edit and read groups

Calls superclass method
# File lib/hydra/ability.rb, line 103
# Lists the groups that may read the object with the given id.
#
# Edit implies read, so the result is the superclass's read groups united
# with edit_groups(id); the union drops duplicates. The combined list is
# written to the Rails log at debug level.
def read_groups(id)
  inherited_groups = super
  combined_groups = inherited_groups | edit_groups(id)
  Rails.logger.debug("[CANCAN] read_groups: #{combined_groups.inspect}")
  combined_groups
end
read_users(id)

edit implies read, so read_users is the union of edit and read users

Calls superclass method
# File lib/hydra/ability.rb, line 119
# Lists the users that may read the object with the given id.
#
# Edit implies read, so the result is the superclass's read users united
# with edit_users(id); the union drops duplicates. The combined list is
# written to the Rails log at debug level.
def read_users(id)
  inherited_users = super
  combined_users = inherited_users | edit_users(id)
  Rails.logger.debug("[CANCAN] read_users: #{combined_users.inspect}")
  combined_users
end
test_edit(id)
# File lib/hydra/ability.rb, line 86
# Decides whether the current user may edit the object with the given id.
#
# Access is granted when the user shares at least one group with
# edit_groups(id), or when the user's user_key appears in edit_users(id).
# The individual-user list is only consulted when no group matches.
#
# Both the inputs (user key and groups) and the decision are written to the
# Rails log at debug level; these lines carry authorization data, so treat
# debug logs from this code as sensitive.
def test_edit(id)
  Rails.logger.debug("[CANCAN] Checking edit permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
  granted =
    if (user_groups & edit_groups(id)).empty?
      # No shared group: fall back to the per-user edit list.
      edit_users(id).include?(current_user.user_key)
    else
      true
    end
  Rails.logger.debug("[CANCAN] decision: #{granted}")
  granted
end