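# Authorization policy: combines the rules from the included Hydra/Hyrax
# ability modules with the application-specific rule sets registered in
# +ability_logic+ below.
class Ability
  include Hydra::Ability
  include Hyrax::Ability
  include Hyrax::BatchIngest::Ability

  # IMPORTANT! This is a list of methods that modify the Ability's permissions
  # and the order matters! Subsequent definitions overwrite previous ones,
  # including those that are set in the included modules above.
  # Best practice:
  # * Use methods for defining permissions that are logically related
  #   (e.g. permission for a given user group).
  # * Start with blanket restrictions, and then selectively enable permissions
  #   in subsequent methods.
  # * It's OK to have redundant permission declarations if it means abilities
  #   are easier to read and modify without unexpected side effects.
  #
  # With the order below, the blanket +cannot+ in ams_base_permissions is
  # declared first and every role-specific +can+ is declared after it.
  self.ability_logic += %i[
    ams_base_permissions
    ams_admin_permissions
    ams_ingester_permissions
    ams_aapb_admin_permissions
  ]

  # Sets permissions for all users.
  #
  # No guard on the user or group is applied here, so both rules are declared
  # for every Ability instance.
  # NOTE(review): neither rule carries a conditions hash or block, so each one
  # applies to every record of the listed classes. Confirm that an
  # unconditional :show is intended next to whatever read rules the included
  # Hydra/Hyrax modules define.
  def ams_base_permissions
    # Minimal permissions for everybody
    can [:show], ams_governed_models

    # Explicitly forbid these actions; later rule sets re-enable them per role.
    cannot %i[destroy update], ams_governed_models
  end

  # Sets permissions for 'admin' users.
  #
  # Declared after ams_base_permissions, so +can :manage, :all+ takes
  # precedence over the blanket +cannot+ above for admins.
  # NOTE(review): calls current_user.admin? with no nil check; presumably the
  # included modules always supply a user object. Confirm for anonymous
  # requests.
  def ams_admin_permissions
    return unless current_user.admin?

    can :manage, :all
  end

  # Sets permissions for 'ingester' users.
  #
  # Grants :create and :update only. :destroy is not granted here, so the
  # +cannot+ from ams_base_permissions still stands for it unless another
  # rule set grants it.
  def ams_ingester_permissions
    return unless user_groups.include?('ingester')

    can %i[create update], ams_governed_models

    # Field-level permissions for Admin Data
    can %i[update_sonyci_id update_hyrax_batch_ingest_batch_id update_last_pushed
           update_last_updated update_needs_update], AdminData
  end

  # Sets permissions for 'aapb-admin' users.
  #
  # Re-enables :update and :destroy (forbidden for everybody in
  # ams_base_permissions) and adds :create, on the same list of classes.
  def ams_aapb_admin_permissions
    return unless user_groups.include?('aapb-admin')

    can %i[create update destroy], ams_governed_models
  end

  # @return [Boolean] same answer as can_create_any_work?
  def can_import_works?
    can_create_any_work?
  end

  # @return [Boolean] same answer as can_create_any_work?
  def can_export_works?
    can_create_any_work?
  end

  # Always true: this predicate does not consult current_user, user_groups or
  # any rule declared above.
  # NOTE(review): presumably this overrides a predicate from Hyrax::Ability
  # that gates UI elements. Because it is true for every user, confirm that
  # the create/import/export actions are still authorized server-side by
  # the rules above rather than by this predicate.
  #
  # @return [true]
  def can_create_any_work?
    true
  end

  private

  # The classes every rule set in this file applies to. Kept in one place so
  # the blanket +cannot+ and the role-specific +can+ rules cannot drift apart
  # when a class is added. Returns a fresh Array on each call.
  #
  # @return [Array<Class>]
  def ams_governed_models
    [AdminData,
     InstantiationAdminData,
     Asset,
     EssenceTrack,
     PhysicalInstantiation,
     DigitalInstantiation,
     Collection,
     Contribution,
     AssetResource,
     EssenceTrackResource,
     PhysicalInstantiationResource,
     DigitalInstantiationResource,
     Hyrax::PcdmCollection,
     ContributionResource,
     Annotation]
  end
end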