module Blacklight::AccessControls::Enforcement

Attributes and methods used to restrict access via Solr.

Note: solr_access_filters_logic is an Array of Symbols that sets the default access filters. Each symbol identifies a method that must be defined in this class and take two parameters (permission_types, ability). It can be changed in local apps or by plugins, e.g.:

CatalogController.include ModuleDefiningNewMethod
CatalogController.solr_access_filters_logic += [:new_method]
CatalogController.solr_access_filters_logic.delete(:we_dont_want)

Public Instance Methods

discovery_permissions()

Which permission levels (logical OR) will grant you the ability to discover documents in a search. Override this method if you want it to be something other than the default, or use the setter.

# File lib/blacklight/access_controls/enforcement.rb, line 36
def discovery_permissions
  @discovery_permissions ||= %w[discover read]
end

Protected Instance Methods

apply_gated_discovery(solr_parameters)

Controller before_filter that sets up an access-controlled Lucene query to provide gated discovery behavior. Sets solr_parameters to enforce appropriate permissions.

@param [Hash{Object}] solr_parameters the current Solr parameters, to be modified herein!
@note Applies a Lucene filter query to the Solr :fq parameter for gated discovery.

# File lib/blacklight/access_controls/enforcement.rb, line 54
def apply_gated_discovery(solr_parameters)
  solr_parameters[:fq] ||= []
  solr_parameters[:fq] << gated_discovery_filters.reject(&:blank?).join(' OR ')
  Rails.logger.debug("Solr parameters: #{solr_parameters.inspect}")
end

apply_group_permissions(permission_types, ability = current_ability)

For groups.

@return [Array{String}] values are Lucene syntax term queries suitable for :fq
@example

[ "({!terms f=discover_access_group_ssim}public,faculty,africana-faculty,registered)",
  "({!terms f=read_access_group_ssim}public,faculty,africana-faculty,registered)" ]

# File lib/blacklight/access_controls/enforcement.rb, line 65
def apply_group_permissions(permission_types, ability = current_ability)
  groups = ability.user_groups
  return [] if groups.empty?
  permission_types.map do |type|
    field = solr_field_for(type, 'group')
    "({!terms f=#{field}}#{groups.join(',')})" # parens required to properly OR the clauses together.
  end
end

apply_user_permissions(permission_types, ability = current_ability)

For individual user access.

@return [Array{String}] values are Lucene syntax term queries suitable for :fq
@example

['discover_access_person_ssim:user_1@abc.com', 'read_access_person_ssim:user_1@abc.com']

# File lib/blacklight/access_controls/enforcement.rb, line 77
def apply_user_permissions(permission_types, ability = current_ability)
  user = ability.current_user
  return [] unless user && user.user_key.present?
  permission_types.map do |type|
    escape_filter(solr_field_for(type, 'user'), user.user_key)
  end
end

escape_filter(key, value)

# File lib/blacklight/access_controls/enforcement.rb, line 94
def escape_filter(key, value)
  [key, escape_value(value)].join(':')
end

escape_value(value)

# File lib/blacklight/access_controls/enforcement.rb, line 98
def escape_value(value)
  RSolr.solr_escape(value).gsub(/ /, '\ ')
end

gated_discovery_filters(permission_types = discovery_permissions, ability = current_ability)

Grant access based on user id & group.

@return [Array{Array{String}}]

# File lib/blacklight/access_controls/enforcement.rb, line 44
def gated_discovery_filters(permission_types = discovery_permissions, ability = current_ability)
  solr_access_filters_logic.map { |method| send(method, permission_types, ability).reject(&:blank?) }.reject(&:empty?)
end

solr_field_for(permission_type, permission_category)

@param [#to_s] permission_type a single value, e.g. “read” or “discover”
@param [#to_s] permission_category a single value, e.g. “group” or “person”
@return [String] name of the Solr field for this type of permission
@example return values: “read_access_group_ssim” or “discover_access_person_ssim”

# File lib/blacklight/access_controls/enforcement.rb, line 89
def solr_field_for(permission_type, permission_category)
  method_name = "#{permission_type}_#{permission_category}_field".to_sym
  Blacklight::AccessControls.config.send(method_name)
end
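
The filter construction documented above, as a stand-alone added example (not Blacklight's own code): it mirrors apply_group_permissions, apply_user_permissions and the OR-join in apply_gated_discovery without Rails or RSolr. It shows two edge cases: no user key and no groups yield an empty filter string rather than a restrictive clause, and a group name containing a comma yields the same filter as two separate groups. FIELDS, the solr_escape stand-in for RSolr.solr_escape, and the checked_fq guard are assumptions introduced for illustration.

```ruby
# Added example, not Blacklight code. Field names come from the page's
# examples; solr_escape is a stand-in for RSolr.solr_escape (assumption).
FIELDS = {
  %w[discover group] => 'discover_access_group_ssim',
  %w[read group]     => 'read_access_group_ssim',
  %w[discover user]  => 'discover_access_person_ssim',
  %w[read user]      => 'read_access_person_ssim'
}.freeze
LUCENE_SPECIALS = /([+\-&|!(){}\[\]^"~*?:\\\/])/

# Backslash-escape query syntax characters, then spaces (as escape_value does).
def solr_escape(value)
  value.gsub(LUCENE_SPECIALS) { "\\#{Regexp.last_match(1)}" }.gsub(' ') { '\ ' }
end

# Mirrors apply_group_permissions: group names are joined with ',' unescaped.
def group_filters(types, groups)
  return [] if groups.empty?
  types.map { |t| "({!terms f=#{FIELDS[[t, 'group']]}}#{groups.join(',')})" }
end

# Mirrors apply_user_permissions: the user key is escaped.
def user_filters(types, user_key)
  return [] if user_key.nil? || user_key.empty?
  types.map { |t| "#{FIELDS[[t, 'user']]}:#{solr_escape(user_key)}" }
end

# Mirrors the string apply_gated_discovery appends to :fq.
def gated_fq(types, user_key, groups)
  [group_filters(types, groups), user_filters(types, user_key)]
    .reject(&:empty?).join(' OR ')
end

# Hypothetical guard (not in the library): fail closed on inputs that would
# silently change or remove the restriction.
def checked_fq(types, user_key, groups)
  bad = groups.select { |g| g.include?(',') }
  raise ArgumentError, "group name contains ',': #{bad.inspect}" unless bad.empty?
  fq = gated_fq(types, user_key, groups)
  raise ArgumentError, 'no access filter generated' if fq.empty?
  fq
end

if __FILE__ == $PROGRAM_NAME
  types = %w[discover read]
  puts checked_fq(types, 'user_1@abc.com', %w[public registered]) # constructed input
  puts gated_fq(types, nil, []).inspect
end
```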