module Hydra::PolicyAwareAbility

Repeats access controls evaluation methods, but checks against a governing “Policy” object (or “Collection” object) that provides inherited access controls.

Constants

IS_GOVERNED_BY_SOLR_FIELD

Public Instance Methods

edit_groups_from_policy(policy_id) click to toggle source

Returns the list of groups granted edit access by the policy object identified by policy_id

# File lib/hydra/policy_aware_ability.rb, line 68
def edit_groups_from_policy(policy_id)
  policy_permissions = policy_permissions_doc(policy_id)
  edit_group_field = Hydra.config.permissions.inheritable[:edit][:group]
  eg = ((policy_permissions == nil || policy_permissions.fetch(edit_group_field,nil) == nil) ? [] : policy_permissions.fetch(edit_group_field,nil))
  Rails.logger.debug("[CANCAN] -policy- edit_groups: #{eg.inspect}")
  return eg
end
edit_users_from_policy(policy_id) click to toggle source

Returns the list of users granted edit access by the policy object identified by policy_id

# File lib/hydra/policy_aware_ability.rb, line 87
def edit_users_from_policy(policy_id)
  policy_permissions = policy_permissions_doc(policy_id)
  edit_user_field = Hydra.config.permissions.inheritable[:edit][:individual]
  eu = ((policy_permissions == nil || policy_permissions.fetch(edit_user_field,nil) == nil) ? [] : policy_permissions.fetch(edit_user_field,nil))
  Rails.logger.debug("[CANCAN] -policy- edit_users: #{eu.inspect}")
  return eu
end
governed_by_solr_field() click to toggle source
# File lib/hydra/policy_aware_ability.rb, line 31
def governed_by_solr_field
  # TODO the solr key could be derived if we knew the class of the object:
  #   ModsAsset.reflect_on_association(:admin_policy).solr_key
  IS_GOVERNED_BY_SOLR_FIELD
end
policy_id_for(object_id) click to toggle source

Returns the id of policy object (isGovernedBy_ssim) for the specified object Assumes that the policy object is associated by an isGovernedBy relationship (which is stored as “isGovernedBy_ssim” in object’s solr document) Returns nil if no policy associated with the object

# File lib/hydra/policy_aware_ability.rb, line 23
def policy_id_for(object_id)
  policy_id = policy_id_cache[object_id]
  return policy_id if policy_id
  solr_result = ActiveFedora::Base.search_with_conditions({ id: object_id }, fl: governed_by_solr_field).first
  return unless solr_result
  policy_id_cache[object_id] = policy_id = Array(solr_result[governed_by_solr_field]).first
end
policy_permissions_doc(policy_id) click to toggle source

Returns the permissions solr document for policy_id The document is stored in an instance variable, so calling this multiple times will only query solr once. To force reload, set @policy_permissions_solr_cache to {}

# File lib/hydra/policy_aware_ability.rb, line 40
def policy_permissions_doc(policy_id)
  @policy_permissions_solr_cache ||= {}
  @policy_permissions_solr_cache[policy_id] ||= get_permissions_solr_response_for_doc_id(policy_id)
end
read_groups_from_policy(policy_id) click to toggle source

Returns the list of groups granted read access by the policy object identified by policy_id Note: edit implies read, so read_groups is the union of edit and read groups

# File lib/hydra/policy_aware_ability.rb, line 78
def read_groups_from_policy(policy_id)
  policy_permissions = policy_permissions_doc(policy_id)
  read_group_field = Hydra.config.permissions.inheritable[:read][:group]
  rg = edit_groups_from_policy(policy_id) | ((policy_permissions == nil || policy_permissions.fetch(read_group_field,nil) == nil) ? [] : policy_permissions.fetch(read_group_field,nil))
  Rails.logger.debug("[CANCAN] -policy- read_groups: #{rg.inspect}")
  return rg
end
read_users_from_policy(policy_id) click to toggle source

Returns the list of users granted read access by the policy object identified by policy_id Note: edit implies read, so read_users is the union of edit and read users

# File lib/hydra/policy_aware_ability.rb, line 97
def read_users_from_policy(policy_id)
  policy_permissions = policy_permissions_doc(policy_id)
  read_user_field = Hydra.config.permissions.inheritable[:read][:individual]
  ru = edit_users_from_policy(policy_id) | ((policy_permissions == nil || policy_permissions.fetch(read_user_field, nil) == nil) ? [] : policy_permissions.fetch(read_user_field, nil))
  Rails.logger.debug("[CANCAN] -policy- read_users: #{ru.inspect}")
  return ru
end
test_edit(id) click to toggle source

Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access

Calls superclass method Hydra::Ability#test_edit
# File lib/hydra/policy_aware_ability.rb, line 10
def test_edit(id)
  super || test_edit_from_policy(id)
end
test_edit_from_policy(object_id) click to toggle source

Tests whether the object’s governing policy object grants edit access for the current user

# File lib/hydra/policy_aware_ability.rb, line 46
def test_edit_from_policy(object_id)
  policy_id = policy_id_for(object_id)
  return false if policy_id.nil?
  Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_id} provide EDIT permissions for #{current_user.user_key}?")
  group_intersection = user_groups & edit_groups_from_policy( policy_id )
  result = !group_intersection.empty? || edit_users_from_policy( policy_id ).include?(current_user.user_key)
  Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
  result
end
test_read(id) click to toggle source

Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access

Calls superclass method
# File lib/hydra/policy_aware_ability.rb, line 15
def test_read(id)
  super || test_read_from_policy(id)
end
test_read_from_policy(object_id) click to toggle source

Tests whether the object’s governing policy object grants read access for the current user

# File lib/hydra/policy_aware_ability.rb, line 57
def test_read_from_policy(object_id)
  policy_id = policy_id_for(object_id)
  return false if policy_id.nil?
  Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_id} provide READ permissions for #{current_user.user_key}?")
  group_intersection = user_groups & read_groups_from_policy( policy_id )
  result = !group_intersection.empty? || read_users_from_policy( policy_id ).include?(current_user.user_key)
  Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
  result
end

Private Instance Methods

policy_id_cache() click to toggle source
# File lib/hydra/policy_aware_ability.rb, line 107
def policy_id_cache
  @policy_id_cache ||= {}
end