require 'cancan' module Blacklight module AccessControls module Ability extend ActiveSupport::Concern included do include CanCan::Ability include Blacklight::AccessControls::PermissionsQuery # Once you include this module, you can add custom # permission methods to ability_logic, like so: # self.ability_logic += [:setup_my_permissions] class_attribute :ability_logic self.ability_logic = [:discover_permissions, :read_permissions, :download_permissions] end def initialize(user, options={}) @current_user = user || guest_user @options = options @cache = Blacklight::AccessControls::PermissionsCache.new grant_permissions end attr_reader :current_user, :options, :cache def self.user_class Blacklight::AccessControls.config.user_model.constantize end # A user who isn't logged in def guest_user Blacklight::AccessControls::Ability.user_class.new end def grant_permissions Rails.logger.debug("Usergroups are " + user_groups.inspect) self.ability_logic.each do |method| send(method) end end def discover_permissions can :discover, String do |id| test_discover(id) end can :discover, SolrDocument do |obj| cache.put(obj.id, obj) test_discover(obj.id) end end def read_permissions can :read, String do |id| test_read(id) end can :read, SolrDocument do |obj| cache.put(obj.id, obj) test_read(obj.id) end end def download_permissions can :download, String do |id| test_download(id) end can :download, SolrDocument do |obj| cache.put(obj.id, obj) test_download(obj.id) end end def test_discover(id) Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}") group_intersection = user_groups & discover_groups(id) !group_intersection.empty? || discover_users(id).include?(current_user.user_key) end def test_read(id) Rails.logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}") group_intersection = user_groups & read_groups(id) !group_intersection.empty? || read_users(id).include?(current_user.user_key) end def test_download(id) Rails.logger.debug("[CANCAN] Checking download permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}") group_intersection = user_groups & download_groups(id) !group_intersection.empty? || download_users(id).include?(current_user.user_key) end # You can override this method if you are using a different AuthZ (such as LDAP) def user_groups return @user_groups if @user_groups @user_groups = default_user_groups @user_groups |= current_user.groups if current_user.respond_to? :groups @user_groups |= ['registered'] unless current_user.new_record? @user_groups end # Everyone is automatically a member of group 'public' def default_user_groups ['public'] end # read implies discover, so discover_groups is the union of read and discover groups def discover_groups(id) doc = permissions_doc(id) return [] if doc.nil? dg = read_groups(id) | (doc[self.class.discover_group_field] || []) Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}") dg end # read implies discover, so discover_users is the union of read and discover users def discover_users(id) doc = permissions_doc(id) return [] if doc.nil? dp = read_users(id) | (doc[self.class.discover_user_field] || []) Rails.logger.debug("[CANCAN] discover_users: #{dp.inspect}") dp end # download access implies read access, so read_groups is the union of download and read groups. def read_groups(id) doc = permissions_doc(id) return [] if doc.nil? rg = download_groups(id) | Array(doc[self.class.read_group_field]) Rails.logger.debug("[CANCAN] read_groups: #{rg.inspect}") rg end # download access implies read access, so read_users is the union of download and read users. def read_users(id) doc = permissions_doc(id) return [] if doc.nil? rp = download_users(id) | Array(doc[self.class.read_user_field]) Rails.logger.debug("[CANCAN] read_users: #{rp.inspect}") rp end def download_groups(id) doc = permissions_doc(id) return [] if doc.nil? dg = Array(doc[self.class.download_group_field]) Rails.logger.debug("[CANCAN] download_groups: #{dg.inspect}") dg end def download_users(id) doc = permissions_doc(id) return [] if doc.nil? dp = Array(doc[self.class.download_user_field]) Rails.logger.debug("[CANCAN] download_users: #{dp.inspect}") dp end module ClassMethods def discover_group_field Blacklight::AccessControls.config.discover_group_field end def discover_user_field Blacklight::AccessControls.config.discover_user_field end def read_group_field Blacklight::AccessControls.config.read_group_field end def read_user_field Blacklight::AccessControls.config.read_user_field end def download_group_field Blacklight::AccessControls.config.download_group_field end def download_user_field Blacklight::AccessControls.config.download_user_field end end end end end