module Blacklight::AccessControls::Enforcement
Attributes and methods used to restrict access via Solr.
Note: solr_access_filters_logic is an Array of Symbols. It sets defaults. Each symbol identifies a method that must be in this class, taking two parameters (permission_types, ability). Can be changed in local apps or by plugins, e.g.:
    CatalogController.include ModuleDefiningNewMethod
    CatalogController.solr_access_filters_logic += [:new_method]
    CatalogController.solr_access_filters_logic.delete(:we_dont_want)
Public Instance Methods
Which permission levels (logical OR) will grant you the ability to discover documents in a search. Override this method if you want it to be something other than the default, or use the setter.
    # File lib/blacklight/access_controls/enforcement.rb, line 36
    def discovery_permissions
      @discovery_permissions ||= %w[discover read]
    end
Protected Instance Methods
Controller before_filter that sets up an access-controlled Lucene query to provide gated discovery behavior. Set solr_parameters to enforce appropriate permissions.
@param [Hash{Object}] solr_parameters the current solr parameters, to be modified herein!
@note Applies a Lucene filter query to the solr :fq parameter for gated discovery.
    # File lib/blacklight/access_controls/enforcement.rb, line 54
    def apply_gated_discovery(solr_parameters)
      solr_parameters[:fq] ||= []
      solr_parameters[:fq] << gated_discovery_filters.reject(&:blank?).join(' OR ')
      Rails.logger.debug("Solr parameters: #{solr_parameters.inspect}")
    end
For groups
@return [Array{String}] values are Lucene syntax term queries suitable for :fq
@example
    [ "({!terms f=discover_access_group_ssim}public,faculty,africana-faculty,registered)",
      "({!terms f=read_access_group_ssim}public,faculty,africana-faculty,registered)" ]
    # File lib/blacklight/access_controls/enforcement.rb, line 65
    def apply_group_permissions(permission_types, ability = current_ability)
      groups = ability.user_groups
      return [] if groups.empty?
      permission_types.map do |type|
        field = solr_field_for(type, 'group')
        "({!terms f=#{field}}#{groups.join(',')})" # parens required to properly OR the clauses together.
      end
    end
For individual user access
@return [Array{String}] values are Lucene syntax term queries suitable for :fq
@example
    ['discover_access_person_ssim:user_1@abc.com', 'read_access_person_ssim:user_1@abc.com']
    # File lib/blacklight/access_controls/enforcement.rb, line 77
    def apply_user_permissions(permission_types, ability = current_ability)
      user = ability.current_user
      return [] unless user && user.user_key.present?
      permission_types.map do |type|
        escape_filter(solr_field_for(type, 'user'), user.user_key)
      end
    end
    # File lib/blacklight/access_controls/enforcement.rb, line 94
    def escape_filter(key, value)
      [key, escape_value(value)].join(':')
    end

    # File lib/blacklight/access_controls/enforcement.rb, line 98
    def escape_value(value)
      RSolr.solr_escape(value).gsub(/ /, '\ ')
    end
Grant access based on user id & group
@return [Array{Array{String}}]
    # File lib/blacklight/access_controls/enforcement.rb, line 44
    def gated_discovery_filters(permission_types = discovery_permissions, ability = current_ability)
      solr_access_filters_logic.map { |method| send(method, permission_types, ability).reject(&:blank?) }.reject(&:empty?)
    end
@param [#to_s] permission_type a single value, e.g. “read” or “discover”
@param [#to_s] permission_category a single value, e.g. “group” or “person”
@return [String] name of the solr field for this type of permission
@example return values: “read_access_group_ssim” or “discover_access_person_ssim”
    # File lib/blacklight/access_controls/enforcement.rb, line 89
    def solr_field_for(permission_type, permission_category)
      method_name = "#{permission_type}_#{permission_category}_field".to_sym
      Blacklight::AccessControls.config.send(method_name)
    end
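The methods above combine into a single :fq string. The following is an added example, not code from Blacklight: it models that composition outside Rails so the resulting filter can be inspected, and adds a guard for the case where a local app has removed every method from solr_access_filters_logic. Ability, FIELDS, lucene_escape, gated_fq and enforce_gated! are hypothetical names, and lucene_escape is a stand-in for RSolr.solr_escape.

```ruby
# Added example: stand-alone model of the fq string built by apply_gated_discovery.
# Ability, FIELDS and lucene_escape are stand-ins (assumptions), not Blacklight or RSolr code.
Ability = Struct.new(:user_groups, :user_key)

# Constructed field map, following the field names in the page's @example values.
FIELDS = {
  %w[discover group] => 'discover_access_group_ssim',
  %w[read group]     => 'read_access_group_ssim',
  %w[discover user]  => 'discover_access_person_ssim',
  %w[read user]      => 'read_access_person_ssim'
}.freeze

# Stand-in for RSolr.solr_escape followed by the page's space escaping.
def lucene_escape(value)
  value.gsub(/([+\-&|!(){}\[\]^"~*?:\\\/])/) { "\\#{Regexp.last_match(1)}" }.gsub(/ /, '\ ')
end

def group_clauses(types, ability)
  return [] if ability.user_groups.empty?
  types.map { |t| "({!terms f=#{FIELDS[[t, 'group']]}}#{ability.user_groups.join(',')})" }
end

def user_clauses(types, ability)
  return [] if ability.user_key.to_s.empty?
  types.map { |t| "#{FIELDS[[t, 'user']]}:#{lucene_escape(ability.user_key)}" }
end

# Mirrors gated_discovery_filters plus the join in apply_gated_discovery.
def gated_fq(logic, ability, types = %w[discover read])
  logic.map { |m| send(m, types, ability) }.reject(&:empty?).join(' OR ')
end

# Guard for a local app that edits solr_access_filters_logic: a blank string
# holds no access clause, so refuse to use it as the gated discovery filter.
def enforce_gated!(fq)
  raise ArgumentError, 'gated discovery produced an empty filter' if fq.strip.empty?
  fq
end

if $PROGRAM_NAME == __FILE__
  user = Ability.new(%w[public registered], 'jo doe:x@abc.com') # constructed sample
  puts enforce_gated!(gated_fq(%i[group_clauses user_clauses], user))
  begin
    enforce_gated!(gated_fq([], user)) # every filter method removed
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```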