The hydra-access-controls gem provides access control models and functionality for Hydra Heads. See the hydra-head gem and the Hydra Project website for more info.
Add this line to your application's Gemfile:
gem 'hydra-access-controls'
And then execute:
$ bundle
Or install it yourself as:
$ gem install hydra-access-controls
If you have Policy-based enforcement enabled, then objects will inherit extra GRANT permissions from the AdminPolicy objects they are linked to with an isGovernedBy RDF relationship (stored in solr as the is_governed_by_s field). This allows you to grant discover/read/edit access for a whole set of objects by changing the policy they are governed by.
AdminPolicy objects store their inheritable rightsMetadata in a datastream called defaultRights. This datastream uses the regular Hydra rightsMetadata schema. Each AdminPolicy object also has its own rightsMetadata datastream, like all other Hydra assets, which specifies who is able to edit the Policy or use it (associate it with objects).
Object-level permissions and Policy-level permissions are combined to produce the list of Individuals & Groups who have access to the object. This means that if either the object's rightsMetadata or the Policy's defaultRights grants access to an Individual or Group, that access will be allowed.
- Currently, an asset can have only one Policy associated with it -- you can't associate objects with multiple policies
To turn on Policy-based enforcement,
- include the Hydra::PolicyAwareAbility module in your Ability class (Make sure to include it after Hydra::Ability because it overrides some of the methods provided by that module.)
- include the Hydra::PolicyAwareAccessControlsEnforcement module into any appropriate Controllers (or into ApplicationController)
app/models/ability.rb
# Allows you to use CanCan to control access to Models
require 'cancan'
class Ability
  include CanCan::Ability
  include Hydra::Ability
  include Hydra::PolicyAwareAbility
end
app/controllers/catalog_controller.rb
class CatalogController < ApplicationController
  include Blacklight::Catalog
  include Hydra::Controller::ControllerBehavior
  include Hydra::PolicyAwareAccessControlsEnforcement
  # ...
end
Hydra uses its own set of default solr field names to track rights-related metadata in solr. If you want to use your own field names, you can change them in your Hydra config. You will also have to modify the permissions response handler in your solrconfig.xml to return those fields.
Hydra.configure(:shared) do |config|
  # ... other stuff ...
  config[:permissions] = {
    :catchall => "access_t",
    :discover => {:group => "discover_access_group_t", :individual => "discover_access_person_t"},
    :read => {:group => "read_access_group_t", :individual => "read_access_person_t"},
    :edit => {:group => "edit_access_group_t", :individual => "edit_access_person_t"},
    :owner => "depositor_t",
    :embargo_release_date => "embargo_release_date_dt"
  }
  config[:permissions][:inheritable] = {
    :catchall => "inheritable_access_t",
    :discover => {:group => "inheritable_discover_access_group_t", :individual => "inheritable_discover_access_person_t"},
    :read => {:group => "inheritable_read_access_group_t", :individual => "inheritable_read_access_person_t"},
    :edit => {:group => "inheritable_edit_access_group_t", :individual => "inheritable_edit_access_person_t"},
    :owner => "inheritable_depositor_t",
    :embargo_release_date => "inheritable_embargo_release_date_dt"
  }
end
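The combining rule described earlier (an object's own grants plus the inheritable grants of its governing policy) can be modelled over solr documents using the default field names from the config above, which is useful for reviewing what a policy change would grant or revoke. This is an added example, not code from hydra-access-controls; the helper names, the sample documents and the choice to reject an object that lists more than one policy are assumptions.

```ruby
require 'set'

# Added illustration; helper names are hypothetical, field names are the defaults above.
LEVELS = %i[discover read edit].freeze
KINDS  = { group: 'group', individual: 'person' }.freeze

def field_name(level, kind, inheritable: false)
  "#{'inheritable_' if inheritable}#{level}_access_#{KINDS.fetch(kind)}_t"
end

# Solr may return a single string or an array for a field; normalise to a Set.
def principals(doc, field)
  Set.new(Array(doc && doc[field]))
end

# Find the one governing policy (nil if none); at most one policy per asset is allowed.
def governing_policy(object_doc, policies_by_uri)
  uris = Array(object_doc['is_governed_by_s'])
  raise ArgumentError, "#{object_doc['id']} lists #{uris.size} policies" if uris.size > 1
  policies_by_uri[uris.first]
end

# Per level and kind: the object's own grants, the policy's grants, and their union.
def effective_access(object_doc, policy_doc)
  LEVELS.to_h do |level|
    per_kind = KINDS.keys.to_h do |kind|
      own       = principals(object_doc, field_name(level, kind))
      inherited = principals(policy_doc, field_name(level, kind, inheritable: true))
      [kind, { object: own, policy: inherited, effective: own | inherited }]
    end
    [level, per_kind]
  end
end

# Grants that exist only because of the policy: what a policy change adds or removes.
def policy_only_grants(access)
  access.flat_map do |level, kinds|
    kinds.flat_map { |kind, g| (g[:policy] - g[:object]).map { |who| [level, kind, who] } }
  end
end

# Constructed sample documents (not real repository data).
OBJECT_DOC = { 'id' => 'demo:1', 'is_governed_by_s' => 'info:fedora/demo:policy1',
               'read_access_group_t' => ['registered'], 'edit_access_person_t' => ['alice'] }.freeze
POLICIES = { 'info:fedora/demo:policy1' => {
  'id' => 'demo:policy1', 'inheritable_discover_access_group_t' => ['public'],
  'inheritable_read_access_group_t' => ['public'], 'inheritable_edit_access_person_t' => %w[alice bob]
} }.freeze
ACCESS = effective_access(OBJECT_DOC, governing_policy(OBJECT_DOC, POLICIES))
policy_only_grants(ACCESS).each { |level, kind, who| puts "#{level} #{kind} #{who} (policy only)" }
```

Because access is the union of both sources, removing a principal from the object's rightsMetadata does not revoke access that the policy's defaultRights still grants.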
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request
$ git submodule init
$ git submodule update
$ rake jetty:config
$ rake jetty:start
$ rake spec