From cb0dc7e44dcc753c8fb428547aa3a8da1dda719e Mon Sep 17 00:00:00 2001 From: Adam Ploshay Date: Fri, 11 Oct 2024 13:47:24 -0400 Subject: [PATCH] [IUS-2503] use depositor permissions for dataset creation --- app/models/ability.rb | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/app/models/ability.rb b/app/models/ability.rb index ae1f1ed9..61fb180a 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -4,11 +4,13 @@ class Ability include Hydra::Ability include Hyrax::Ability - self.ability_logic += [:everyone_can_create_curation_concerns] + # self.ability_logic += [:everyone_can_create_curation_concerns] self.ability_logic += [:deepblue_abilities] def deepblue_abilities - can [:doi], ActiveFedora::Base + if can_deposit? + can [:doi], ActiveFedora::Base + end alias_action :display_provenance_log, to: :read alias_action :globus_clean_download, to: :delete @@ -36,6 +38,29 @@ def custom_permissions # if user_groups.include? 'special_group' # can [:create], ActiveFedora::Base # end + + # restrict depositing permissions + if can_deposit? + can [:create], DataSet + can [:create], FileSet + else + cannot [:create, :edit, :update, :destroy], DataSet + cannot [:create, :edit, :update, :destroy], FileSet + end end + def can_deposit? + # Short-circuit logic for admins, who should have the ability + # to deposit whether or not they are explicitly + # granted the depositing role in any workflows + # return true if admin? # FIXME: decide + + # Are there any workflows where this user has the "depositing" responsibility + depositing_role = Sipity::Role.find_by(name: Hyrax::RoleRegistry::DEPOSITING) + return false unless depositing_role + Hyrax::Workflow::PermissionQuery.scope_processing_agents_for(user: current_user).any? do |agent| + agent.workflow_responsibilities.joins(:workflow_role) + .where('sipity_workflow_roles.role_id' => depositing_role.id).any? + end + end end