-
Notifications
You must be signed in to change notification settings - Fork 41
Access Controls
NOTICE: This document has not yet been updated for Hydra 9. Please help Hydra by updating this page.
This document is incomplete. You will probably get more info from the Tutorial: Access Controls with Hydra;
Read the Tutorial: Access Controls with Hydra
Developer questions can also be directed to the hydra-tech list or the freenode #projecthydra IRC channel.
See also hydra-access-controls README.
(Tested with hydra-head 6.0.0 on 2013-04-08 by @jcoyne)
If you are using your own custom models, you need to make sure to use the hydra rightsMetadata datastream (see xxx models for examples). The information you put into the rightsMetadata datastream will be indexed and used to enforce access permissions.
class MyModel < ActiveFedora::Base has_metadata "rightsMetadata", type: Hydra::Datastream::RightsMetadata # to use Hydra methods to manage rightsMetadata: include Hydra::ModelMixins::RightsMetadata end
See the Hydra project wiki for more information. You can create APOs with the Hydra::AdminPolicy class or your own subclass. To allow your custom model to be governed by an APO, add this to your class:
class MyModel < ActiveFedora::Base # ... belongs_to :admin_policy, :property=>:is_governed_by end
If you create your own AdminPolicy class (subclassing Hydra::AdminPolicy), configure Hydra to use it instead of the default:
# config/initializers/hydra_config.rb
Hydra.configure(:shared) do |config|
# ... other stuff ...
config[:permissions][:policy_class] = AdminPolicy # replace with your APO class name
endHydra uses its own set of default solr field names to track rights-related metadata in solr. If you want to use your own field names, you can change them in your Hydra config. You will also have to modify the permissions response handler in your solrconfig.xml to return those fields.
# config/initializers/hydra_config.rb
Hydra.configure(:shared) do |config|
# ... other stuff ...
indexer = Solrizer::Descriptor.new(:string, :stored, :indexed, :multivalued)
config[:permissions] = {
:discover => {:group =>ActiveFedora::SolrService.solr_name("discover_access_group", indexer), :individual=>ActiveFedora::SolrService.solr_name("discover_access_person", indexer)},
:read => {:group =>ActiveFedora::SolrService.solr_name("read_access_group", indexer), :individual=>ActiveFedora::SolrService.solr_name("read_access_person", indexer)},
:edit => {:group =>ActiveFedora::SolrService.solr_name("edit_access_group", indexer), :individual=>ActiveFedora::SolrService.solr_name("edit_access_person", indexer)},
:owner => ActiveFedora::SolrService.solr_name("depositor", indexer),
:embargo_release_date => ActiveFedora::SolrService.solr_name("embargo_release_date", Solrizer::Descriptor.new(:date, :stored, :indexed))
}
config[:permissions][:inheritable] = {
:discover => {:group =>ActiveFedora::SolrService.solr_name("inheritable_discover_access_group", indexer), :individual=>ActiveFedora::SolrService.solr_name("inheritable_discover_access_person", indexer)},
:read => {:group =>ActiveFedora::SolrService.solr_name("inheritable_read_access_group", indexer), :individual=>ActiveFedora::SolrService.solr_name("inheritable_read_access_person", indexer)},
:edit => {:group =>ActiveFedora::SolrService.solr_name("inheritable_edit_access_group", indexer), :individual=>ActiveFedora::SolrService.solr_name("inheritable_edit_access_person", indexer)},
:owner => ActiveFedora::SolrService.solr_name("inheritable_depositor", indexer),
:embargo_release_date => ActiveFedora::SolrService.solr_name("inheritable_embargo_release_date", Solrizer::Descriptor.new(:date, :stored, :indexed))
}
endThis check ensures that the rightsMetadata from your objects is being indexed correctly.
start the rails console:
rails consoleclass MyModel < ActiveFedora::Base
has_metadata "rightsMetadata", type: Hydra::Datastream::RightsMetadata
# to use Hydra methods to manage rightsMetadata:
include Hydra::ModelMixins::RightsMetadata
end
a = MyModel.new(pid: 'test:1')
a.read_groups = ['public']
a.save!Now examine the xml returned from this url:
http://localhost:8983/solr/development/select/?q=id:test\:1
(Note: if you’re not using the bundled jetty, or if you’re testing your production Solr instance, you have to replace [http://localhost:8983/solr/development] with the URL for your copy of Solr.
Among many other things, it should include this:
<arr name="read_access_group_ssim"><str>public</str></arr>
If this is not the case, then your objects are not being indexed correctly. This will cause your objects to be “hidden” because Hydra’s access controls default to denying access to objects when the rightsMetadata info is not available in Solr.
In your controllers and views you can test whether the current user has read or edit permissions on the current document by calling
can? :edit, @documentcan? :read, @pidIn order to give permissions to the public (including users who are not logged in), simply grant group permissions for the “public” group. For example, to give the public “read” permissions, add this to the rightsMetadata
<access type="read">
<machine>
<group>public</group>
</machine>
</access>
This will add “public” to read_access_group_ssim in solr.