module Ddr module Auth class Ability include Hydra::PolicyAwareAbility self.ability_logic.insert(self.ability_logic.index(:custom_permissions), :action_aliases, :collection_permissions, :discover_permissions, :events_permissions, :attachment_permissions, :children_permissions, :upload_permissions) def action_aliases # read aliases alias_action :attachments, :collection_info, :components, :event, :events, :items, :targets, to: :read # edit/update aliases alias_action :permissions, :default_permissions, to: :update end def collection_permissions can :create, Collection if current_user.member_of?(Ddr::Auth.collection_creators_group) end def read_permissions super can :read, ActiveFedora::Datastream do |ds| can? :read, ds.pid end end def edit_permissions super can [:edit, :update, :destroy], ActiveFedora::Datastream do |action, ds| can? action, ds.pid end end def events_permissions can :read, Ddr::Events::Event do |e| can? :read, e.pid end end def download_permissions can :download, ActiveFedora::Base do |obj| if obj.is_a? Component can?(:edit, obj) || (can?(:read, obj) && current_user.has_role?(obj, :downloader)) else can? :read, obj end end can :download, SolrDocument do |doc| if doc.active_fedora_model == "Component" can?(:edit, doc) || (can?(:read, doc) && current_user.has_role?(doc, :downloader)) else can? :read, doc end end can :download, ActiveFedora::Datastream do |ds| if ds.dsid == Ddr::Datastreams::CONTENT and ds.digital_object.original_class == Component can?(:edit, ds.pid) || (can?(:read, ds.pid) && current_user.has_role?(solr_doc(ds.pid), :downloader)) else can? :read, ds.pid end end end def upload_permissions can :upload, Ddr::Models::HasContent do |obj| can?(:edit, obj) end end def children_permissions can :add_children, Ddr::Models::HasChildren do |obj| can?(:edit, obj) end end # Mimics Hydra::Ability#read_permissions def discover_permissions can :discover, String do |pid| test_discover(pid) end can :discover, ActiveFedora::Base do |obj| test_discover(obj.pid) end can :discover, SolrDocument do |obj| cache.put(obj.id, obj) test_discover(obj.id) end end def attachment_permissions can :add_attachment, Ddr::Models::HasAttachments do |obj| can?(:edit, obj) end end # Mimics Hydra::Ability#test_read + Hydra::PolicyAwareAbility#test_read in one method def test_discover(pid) Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}") group_intersection = user_groups & discover_groups(pid) result = !group_intersection.empty? || discover_persons(pid).include?(current_user.user_key) result || test_discover_from_policy(pid) end # Mimics Hydra::PolicyAwareAbility#test_read_from_policy def test_discover_from_policy(object_pid) policy_pid = policy_pid_for(object_pid) if policy_pid.nil? return false else Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide DISCOVER permissions for #{current_user.user_key}?") group_intersection = user_groups & discover_groups_from_policy(policy_pid) result = !group_intersection.empty? || discover_persons_from_policy(policy_pid).include?(current_user.user_key) Rails.logger.debug("[CANCAN] -policy- decision: #{result}") result end end # Mimics Hydra::Ability#read_groups def discover_groups(pid) doc = permissions_doc(pid) return [] if doc.nil? dg = edit_groups(pid) | read_groups(pid) | (doc[self.class.discover_group_field] || []) Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}") return dg end # Mimics Hydra::PolicyAwareAbility#read_groups_from_policy def discover_groups_from_policy(policy_pid) policy_permissions = policy_permissions_doc(policy_pid) discover_group_field = Hydra.config[:permissions][:inheritable][:discover][:group] dg = edit_groups_from_policy(policy_pid) | read_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_group_field, nil) == nil) ? [] : policy_permissions.fetch(discover_group_field, nil)) Rails.logger.debug("[CANCAN] -policy- discover_groups: #{dg.inspect}") return dg end # Mimics Hydra::Ability#read_persons def discover_persons(pid) doc = permissions_doc(pid) return [] if doc.nil? dp = edit_users(pid) | read_users(pid) | (doc[self.class.discover_person_field] || []) Rails.logger.debug("[CANCAN] discover_persons: #{dp.inspect}") return dp end def discover_persons_from_policy(policy_pid) policy_permissions = policy_permissions_doc(policy_pid) discover_individual_field = Hydra.config[:permissions][:inheritable][:discover][:individual] dp = edit_persons_from_policy(policy_pid) | read_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_individual_field, nil) == nil) ? [] : policy_permissions.fetch(discover_individual_field, nil)) Rails.logger.debug("[CANCAN] -policy- discover_persons: #{dp.inspect}") return dp end def self.discover_person_field Hydra.config[:permissions][:discover][:individual] end def self.discover_group_field Hydra.config[:permissions][:discover][:group] end private def authenticated_user? current_user.persisted? end def solr_doc(pid) SolrDocument.new(ActiveFedora::SolrService.query("id:\"#{pid}\"", rows: 1).first) end end end end