lib/hydra/access_controls_enforcement.rb in hydra-access-controls-5.0.0.pre13 vs lib/hydra/access_controls_enforcement.rb in hydra-access-controls-5.0.0.pre14
- old
+ new
@@ -1,11 +1,22 @@
-# will move to lib/hydra/access_control folder/namespace in release 5.x
module Hydra::AccessControlsEnforcement
extend ActiveSupport::Concern
-
+ extend Deprecation
+ self.deprecation_horizon = "hydra-access-controls 6.0"
+
included do
include Hydra::AccessControlsEvaluation
+ class_attribute :solr_access_filters_logic
+
+ # Set defaults. Each symbol identifies a _method_ that must be in
+ # this class, taking one parameter (permission_types)
+ # Can be changed in local apps or by plugins, eg:
+ # CatalogController.include ModuleDefiningNewMethod
+ # CatalogController.solr_access_filters_logic += [:new_method]
+ # CatalogController.solr_access_filters_logic.delete(:we_dont_want)
+ self.solr_access_filters_logic = [:apply_role_permissions, :apply_individual_permissions, :apply_superuser_permissions ]
+
end
#
# Access Controls Enforcement Filters
#
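Review bot: The comment added above `self.solr_access_filters_logic = [...]` recommends `CatalogController.solr_access_filters_logic.delete(:we_dont_want)`, which mutates the array in place. A `class_attribute` value is shared with subclasses until they reassign it, so an in-place `delete` or `<<` on one controller also changes the access filter list of every class that shares the array. Since this list decides which grants are ORed into the Solr filter, I would freeze the default (`[:apply_role_permissions, :apply_individual_permissions, :apply_superuser_permissions].freeze`) and change the example to the reassigning form, `CatalogController.solr_access_filters_logic -= [:we_dont_want]`. The `+=` example already reassigns and is fine as written.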
@@ -75,10 +86,11 @@
protected
# If someone hits the show action while their session's viewing_context is in edit mode,
# this will redirect them to the edit action.
# If they do not have sufficient privileges to edit documents, it will silently switch their session to browse mode.
+ # @deprecated this is a vestige of the old workflow, which is being removed from hydra-head
def enforce_viewing_context_for_show_requests
if params[:viewing_context] == "browse"
session[:viewing_context] = params[:viewing_context]
elsif session[:viewing_context] == "edit"
if can? :edit, params[:id]
@@ -91,10 +103,11 @@
else
session[:viewing_context] = "browse"
end
end
end
+ deprecation_deprecate :enforce_viewing_context_for_show_requests
#
# Action-specific enforcement
#
@@ -104,11 +117,11 @@
load_permissions_from_solr
unless @permissions_solr_document['access_t'] && (@permissions_solr_document['access_t'].first == "public" || @permissions_solr_document['access_t'].first == "Public")
if @permissions_solr_document["embargo_release_date_dt"]
embargo_date = Date.parse(@permissions_solr_document["embargo_release_date_dt"].split(/T/)[0])
if embargo_date > Date.parse(Time.now.to_s)
- unless current_or_guest_user && can?(:edit, params[:id])
+ unless can?(:edit, params[:id])
raise Hydra::AccessDenied.new("This item is under embargo. You do not have sufficient access privileges to read this document.", :edit, params[:id])
end
end
end
unless can? :read, params[:id]
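Review bot: Dropping `current_or_guest_user &&` from the embargo check leaves the anonymous case entirely to `can?(:edit, params[:id])`, and nothing in the hunk documents or tests that. Before this change a nil user always hit the `raise Hydra::AccessDenied`; now the result depends on what `current_ability` builds when nobody is signed in, which is not visible here. I would add a comment above the line, such as `# can? must deny :edit when no user is signed in; the embargo depends on it`, plus a spec for an unauthenticated request to an embargoed document. The enclosing method starts and ends outside the hunk.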
@@ -199,22 +212,20 @@
permission_types.each do |type|
user_access_filters << "#{type}_access_group_t:public"
end
# Grant access based on user id & role
- unless current_or_guest_user.nil?
- user_access_filters += apply_role_permissions(permission_types)
- user_access_filters += apply_individual_permissions(permission_types)
- user_access_filters += apply_superuser_permissions(permission_types)
+ solr_access_filters_logic.each do |method_name|
+ user_access_filters += send(method_name, permission_types)
end
solr_parameters[:fq] << user_access_filters.join(" OR ")
logger.debug("Solr parameters: #{ solr_parameters.inspect }")
end
def apply_role_permissions(permission_types)
# for roles
user_access_filters = []
- ::RoleMapper.roles(user_key).each_with_index do |role, i|
+ current_ability.user_groups(current_user, session).each_with_index do |role, i|
permission_types.each do |type|
user_access_filters << "#{type}_access_group_t:#{role}"
end
end
user_access_filters
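Review bot: In `apply_role_permissions` the group names returned by `current_ability.user_groups(current_user, session)` are interpolated into the filter unescaped (`"#{type}_access_group_t:#{role}"`), and the clauses are then joined with ` OR ` into `solr_parameters[:fq]`. If a group name can ever contain whitespace or Solr query syntax (the `session` argument suggests groups may come from outside the app, though that is not visible here), the filter no longer means what the code intends. Escape or phrase-quote the value before interpolating. Separately, the `solr_access_filters_logic.each` loop replaces the `current_or_guest_user.nil?` guard, so each listed method must now return an Array and add no grants for an anonymous user; a comment on the loop such as `# each filter method must return an Array and must add no grants when no user is signed in` would make that contract explicit. The body of `apply_role_permissions` continues past the end of the hunk.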