module Hydra::PolicyAwareAccessControlsEnforcement

Repeats access controls evaluation methods, but checks against a governing “Policy” object (or “Collection” object) that provides inherited access controls.

Public Instance Methods

apply_gated_discovery(solr_parameters)

Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access. Appends the result of policy_clauses into the :fq.

@param [Hash] solr_parameters the current solr parameters, to be modified herein!

Calls superclass method
# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 7
def apply_gated_discovery(solr_parameters)
  super
  logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
end
apply_policy_group_permissions(permission_types = discovery_permissions)

for groups

@param [Array{String,#to_sym}] permission_types symbols (or equivalent) from Hydra.config.permissions.inheritable

# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 33
def apply_policy_group_permissions(permission_types = discovery_permissions)
  user_access_filters = []
  current_ability.user_groups.each_with_index do |group, i|
    permission_types.each do |type|
      user_access_filters << escape_filter(Hydra.config.permissions.inheritable[type.to_sym].group, group)
    end
  end
  user_access_filters
end
apply_policy_user_permissions(permission_types = discovery_permissions)

for individual user access

@param [Array{String,#to_sym}] permission_types

# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 45
def apply_policy_user_permissions(permission_types = discovery_permissions)
  user = current_ability.current_user
  return [] unless user && user.user_key.present?
  permission_types.map do |type|
    escape_filter(Hydra.config.permissions.inheritable[type.to_sym].individual, user.user_key)
  end
end
discovery_permissions()

Override method from blacklight-access_controls

# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 54
def discovery_permissions
  @discovery_permissions ||= ["edit", "discover", "read"]
end
policies_with_access()

Find all the policies that grant discover/read/edit permissions to this user or any of its groups. Grant access based on user id & group.

# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 21
def policies_with_access
  #### TODO -- Memoize this and put it in the session?
  user_access_filters = []
  user_access_filters += apply_policy_group_permissions(discovery_permissions)
  user_access_filters += apply_policy_user_permissions(discovery_permissions)
  result = policy_class.search_with_conditions( user_access_filters.join(" OR "), fl: "id", rows: policy_class.count )
  logger.debug "get policies: #{result}\n\n"
  result.map {|h| h['id']}
end
policy_class()

Returns the Model used for AdminPolicy objects. You can set this by overriding this method or setting Hydra.config[:permissions][:policy_class]. Defaults to Hydra::AdminPolicy.

# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 61
def policy_class
  Hydra.config.permissions.policy_class || Hydra::AdminPolicy
end
policy_clauses()

@return [String,nil] solr query for finding all objects whose policies grant discover access to current_user

# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 13
def policy_clauses
  policy_ids = policies_with_access
  return nil if policy_ids.empty?
  '(' + policy_ids.map {|id| ActiveFedora::SolrQueryBuilder.construct_query_for_rel(isGovernedBy: id)}.join(' OR '.freeze) + ')'
end

Protected Instance Methods

gated_discovery_filters()
Calls superclass method
# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 67
def gated_discovery_filters
  filters = super
  additional_clauses = policy_clauses
  unless additional_clauses.blank?
    filters << additional_clauses
  end
  filters
end
solr_field_for(permission_type, permission_category)

Find the name of the solr field for this type of permission. e.g. “read_access_group_ssim” or “discover_access_person_ssim”. Used by blacklight-access_controls gem.

# File lib/hydra/policy_aware_access_controls_enforcement.rb, line 79
def solr_field_for(permission_type, permission_category)
  permissions = Hydra.config.permissions[permission_type.to_sym]
  permission_category == 'group' ? permissions.group : permissions.individual
end
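
The following Ruby sketch is an added example, not code from hydra-access-controls: it models how the group and user filters, the policy lookup and policy_clauses compose into the gated discovery filter list, and runs without Hydra, Blacklight or Solr. The field names, the escape_filter stand-in, the isGovernedBy_ssim field and the sample user, groups and policy ids are assumptions constructed for illustration.

```ruby
# Added illustration: stand-alone model of the query composition documented above.
# Field names are assumed values for Hydra.config.permissions.inheritable.
INHERITABLE = {
  discover: { group: 'inheritable_discover_access_group_ssim', individual: 'inheritable_discover_access_person_ssim' },
  read:     { group: 'inheritable_read_access_group_ssim',     individual: 'inheritable_read_access_person_ssim' },
  edit:     { group: 'inheritable_edit_access_group_ssim',     individual: 'inheritable_edit_access_person_ssim' }
}.freeze

# Hypothetical stand-in for escape_filter: backslash-escapes Solr query
# metacharacters and spaces so a group name or user key stays a single term.
SOLR_SPECIAL = /[+\-&|!(){}\[\]^"~*?:\\\/ ]/
def escape_filter(field, value)
  "#{field}:#{value.gsub(SOLR_SPECIAL) { |m| "\\#{m}" }}"
end

# Mirrors apply_policy_group_permissions plus apply_policy_user_permissions:
# one filter per (group, permission type), then one per type for the user key.
def policy_lookup_query(user_key, groups, types = %w[edit discover read])
  filters = groups.flat_map { |g| types.map { |t| escape_filter(INHERITABLE[t.to_sym][:group], g) } }
  unless user_key.nil? || user_key.empty?
    filters += types.map { |t| escape_filter(INHERITABLE[t.to_sym][:individual], user_key) }
  end
  filters.join(' OR ')
end

# Mirrors policy_clauses: nil when no policy grants access, otherwise one
# parenthesised OR group. "isGovernedBy_ssim" is an assumed field name standing
# in for whatever construct_query_for_rel builds.
def policy_clauses(policy_ids)
  return nil if policy_ids.empty?
  '(' + policy_ids.map { |id| escape_filter('isGovernedBy_ssim', id) }.join(' OR ') + ')'
end

# Mirrors gated_discovery_filters: the policy clause is appended only when it
# exists, so an empty policy list never adds an empty "()" clause to :fq.
def gated_discovery_filters(base_filters, policy_ids)
  clause = policy_clauses(policy_ids)
  clause.nil? ? base_filters : base_filters + [clause]
end

# Constructed sample data.
puts policy_lookup_query('archivist@example.org', ['public', 'archives (staff)'], %w[read])
puts gated_discovery_filters(['read_access_group_ssim:public'], %w[policy1 policy2]).join(' OR ')
```
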