Merge pull request #107 from IUBLibTech/ius-2503_workflow_permissions

[IUS-2503] use depositor permissions for dataset creation
IUBLibTech · Feb 19, 2025 · f0d71c6 · f0d71c6
2 parents 3301fa3 + a23aae0
commit f0d71c6
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 3 deletions.
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -4,12 +4,10 @@ class Ability
   include Hydra::Ability
   include Hyrax::Ability
 
-  self.ability_logic += [:everyone_can_create_curation_concerns]
+  # self.ability_logic += [:everyone_can_create_curation_concerns]
   self.ability_logic += [:deepblue_abilities]
 
   def deepblue_abilities
-    can [:doi], ActiveFedora::Base
-
     alias_action :display_provenance_log,    to: :read
     alias_action :globus_clean_download,     to: :delete
     alias_action :globus_download,           to: :read
@@ -36,6 +34,28 @@ def custom_permissions
     # if user_groups.include? 'special_group'
     #   can [:create], ActiveFedora::Base
     # end
+
+    # restrict depositing permissions
+    if can_deposit?
+      can [:create], DataSet
+      can [:doi], DataSet
+      can [:create], FileSet
+    else
+      cannot [:create, :edit, :update, :destroy], DataSet
+      cannot [:create, :edit, :update, :destroy], FileSet
+    end
   end
 
+  def can_deposit?
+    admin? || depositor?
+  end
+
+  def depositor?
+    depositing_role = Sipity::Role.find_by(name: Hyrax::RoleRegistry::DEPOSITING)
+    return false unless depositing_role
+    Hyrax::Workflow::PermissionQuery.scope_processing_agents_for(user: current_user).any? do |agent|
+      agent.workflow_responsibilities.joins(:workflow_role)
+           .where('sipity_workflow_roles.role_id' => depositing_role.id).any?
+    end
+  end
 end
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
@@ -0,0 +1,37 @@
+require 'rails_helper'
+
+RSpec.describe Ability do
+  let(:user) { FactoryBot.create :user }
+  let(:options) { {} }
+  let(:ability) { described_class.new(user, options) }
+
+  describe '#can_deposit?' do
+    context 'when neither an admin nor depositor' do
+      it 'returns false' do
+        expect(ability.admin?).to be false
+        expect(ability.depositor?).to be false
+        expect(ability.can? :create, DataSet).to be false
+      end
+    end
+    context 'when a depositor' do
+      let(:admin_set) { AdminSet.find(AdminSet.find_or_create_default_admin_set_id) }
+      before do
+        # creates permission template and depositor permissions
+        Hyrax::AdminSetCreateService.new(admin_set: admin_set, creating_user: user).create
+      end
+      it 'returns true' do
+        expect(ability.admin?).to be false
+        expect(ability.depositor?).to be true
+        expect(ability.can? :create, DataSet).to be true
+      end
+    end
+    context 'when an admin' do
+      let(:user) { FactoryBot.create :admin }
+      it 'returns true' do
+        expect(ability.admin?).to be true
+        expect(ability.depositor?).to be false
+        expect(ability.can? :create, DataSet).to be true
+      end
+    end
+  end
+end