Module: Blacklight::AccessControls::Ability

Extended by:

ActiveSupport::Concern

Included in:

Ability

Defined in:

lib/blacklight/access_controls/ability.rb

Defined Under Namespace

Modules: ClassMethods

Instance Attribute Summary

• #cache ⇒ Object readonly

  Returns the value of attribute cache.

• #current_user ⇒ Object readonly

  Returns the value of attribute current_user.

• #options ⇒ Object readonly

  Returns the value of attribute options.

Class Method Summary

• .user_class ⇒ Object

Instance Method Summary

• #default_user_groups ⇒ Object

  Everyone is automatically a member of group ‘public’.

• #discover_groups(id) ⇒ Object

  read implies discover, so discover_groups is the union of read and discover groups.

• #discover_permissions ⇒ Object
• #discover_users(id) ⇒ Object

  read implies discover, so discover_users is the union of read and discover users.

• #download_groups(id) ⇒ Object
• #download_permissions ⇒ Object
• #download_users(id) ⇒ Object
• #grant_permissions ⇒ Object
• #guest_user ⇒ Object

  A user who isn’t logged in.

• #initialize(user, options = {}) ⇒ Object
• #read_groups(id) ⇒ Object

  download access implies read access, so read_groups is the union of download and read groups.

• #read_permissions ⇒ Object
• #read_users(id) ⇒ Object

  download access implies read access, so read_users is the union of download and read users.

• #test_discover(id) ⇒ Object
• #test_download(id) ⇒ Object
• #test_read(id) ⇒ Object
• #user_groups ⇒ Object

  You can override this method if you are using a different AuthZ (such as LDAP).

Instance Attribute Details

#cache ⇒ Object (readonly)

Returns the value of attribute cache.

# File 'lib/blacklight/access_controls/ability.rb', line 28

def cache
  @cache
end

#current_user ⇒ Object (readonly)

Returns the value of attribute current_user.

# File 'lib/blacklight/access_controls/ability.rb', line 28

def current_user
  @current_user
end

#options ⇒ Object (readonly)

Returns the value of attribute options.

# File 'lib/blacklight/access_controls/ability.rb', line 28

def options
  @options
end

Class Method Details

.user_class ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 30

def self.user_class
  Blacklight::AccessControls.config.user_model.constantize
end

Instance Method Details

#default_user_groups ⇒ Object

Everyone is automatically a member of group ‘public’

# File 'lib/blacklight/access_controls/ability.rb', line 109

def default_user_groups
  ['public']
end

#discover_groups(id) ⇒ Object

read implies discover, so discover_groups is the union of read and discover groups

# File 'lib/blacklight/access_controls/ability.rb', line 114

def discover_groups(id)
  doc = permissions_doc(id)
  return [] if doc.nil?
  dg = read_groups(id) | (doc[self.class.discover_group_field] || [])
  Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}")
  dg
end

#discover_permissions ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 46

def discover_permissions
  can :discover, String do |id|
    test_discover(id)
  end

  can :discover, SolrDocument do |obj|
    cache.put(obj.id, obj)
    test_discover(obj.id)
  end
end

#discover_users(id) ⇒ Object

read implies discover, so discover_users is the union of read and discover users

# File 'lib/blacklight/access_controls/ability.rb', line 123

def discover_users(id)
  doc = permissions_doc(id)
  return [] if doc.nil?
  dp = read_users(id) | (doc[self.class.discover_user_field] || [])
  Rails.logger.debug("[CANCAN] discover_users: #{dp.inspect}")
  dp
end

#download_groups(id) ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 149

def download_groups(id)
  doc = permissions_doc(id)
  return [] if doc.nil?
  dg = Array(doc[self.class.download_group_field])
  Rails.logger.debug("[CANCAN] download_groups: #{dg.inspect}")
  dg
end

#download_permissions ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 69

def download_permissions
  can :download, String do |id|
    test_download(id)
  end

  can :download, SolrDocument do |obj|
    cache.put(obj.id, obj)
    test_download(obj.id)
  end
end

#download_users(id) ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 157

def download_users(id)
  doc = permissions_doc(id)
  return [] if doc.nil?
  dp = Array(doc[self.class.download_user_field])
  Rails.logger.debug("[CANCAN] download_users: #{dp.inspect}")
  dp
end

#grant_permissions ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 39

def grant_permissions
  Rails.logger.debug('Usergroups are ' + user_groups.inspect)
  ability_logic.each do |method|
    send(method)
  end
end

#guest_user ⇒ Object

A user who isn’t logged in

# File 'lib/blacklight/access_controls/ability.rb', line 35

def guest_user
  Blacklight::AccessControls::Ability.user_class.new
end

#initialize(user, options = {}) ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 21

def initialize(user, options = {})
  @current_user = user || guest_user
  @options = options
  @cache = Blacklight::AccessControls::PermissionsCache.new
  grant_permissions
end

#read_groups(id) ⇒ Object

download access implies read access, so read_groups is the union of download and read groups.

# File 'lib/blacklight/access_controls/ability.rb', line 132

def read_groups(id)
  doc = permissions_doc(id)
  return [] if doc.nil?
  rg = download_groups(id) | Array(doc[self.class.read_group_field])
  Rails.logger.debug("[CANCAN] read_groups: #{rg.inspect}")
  rg
end

#read_permissions ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 57

def read_permissions
  # Loading an object from your datastore might be slow (e.g. Fedora), so assume that if a string is passed, it's an object id
  can :read, String do |id|
    test_read(id)
  end

  can :read, SolrDocument do |obj|
    cache.put(obj.id, obj)
    test_read(obj.id)
  end
end

#read_users(id) ⇒ Object

download access implies read access, so read_users is the union of download and read users.

# File 'lib/blacklight/access_controls/ability.rb', line 141

def read_users(id)
  doc = permissions_doc(id)
  return [] if doc.nil?
  rp = download_users(id) | Array(doc[self.class.read_user_field])
  Rails.logger.debug("[CANCAN] read_users: #{rp.inspect}")
  rp
end

#test_discover(id) ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 80

def test_discover(id)
  Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
  group_intersection = user_groups & discover_groups(id)
  !group_intersection.empty? || discover_users(id).include?(current_user.user_key)
end

#test_download(id) ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 92

def test_download(id)
  Rails.logger.debug("[CANCAN] Checking download permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
  group_intersection = user_groups & download_groups(id)
  !group_intersection.empty? || download_users(id).include?(current_user.user_key)
end

#test_read(id) ⇒ Object

# File 'lib/blacklight/access_controls/ability.rb', line 86

def test_read(id)
  Rails.logger.debug("[CANCAN] Checking read permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
  group_intersection = user_groups & read_groups(id)
  !group_intersection.empty? || read_users(id).include?(current_user.user_key)
end

#user_groups ⇒ Object

You can override this method if you are using a different AuthZ (such as LDAP)

# File 'lib/blacklight/access_controls/ability.rb', line 99

def user_groups
  return @user_groups if @user_groups

  @user_groups = default_user_groups
  @user_groups |= current_user.groups if current_user.respond_to? :groups
  @user_groups |= ['registered'] unless current_user.new_record?
  @user_groups
end