Miscellaneous Architecture Notes
A place to document pieces of the app when we (finally) figure out how they work.
- An Access Control List (ACL) records the permissions granted to users and groups for access to a particular resource. This determines the level of visibility for the resource in the app.
- An embargo consists of a two-part visibility setting (`visibility_during_embargo` and `visibility_after_embargo`), and an `embargo_release_date`.
Each Hyrax resource container (work, fileset) in Fedora has an attached AccessControl container that records the list of agents that have access to the resource and their permitted modes of access. These agents consist of individual users (depositor, for instance) and/or groups, plus one or more modes of access.
For instance, a resource with private visibility in the app will have at most the admin group, in addition to individual user agents. A resource with open visibility will have the public group. These memberships are expressed by strings like the following:
group/admin
group/public
admin@example.com [individual user ID]
A resource under embargo will have a link to an associated embargo object, recording the visibility and release date of the embargo.
In a nutshell, for both ACLs and embargoes, there is a manager class that is used to apply an instance of an embargo or ACL model class to a resource (an instance of a resource class, i.e., one inheriting from Hyrax::Resource).
For example, the code below, when run in the console, will remove the (public, :read) permission from a FileSet.
```ruby
# Find the FileSet object by its ID
fileset = Hyrax.query_service.find_by(id: "117e925e-b59c-4594-b237-3dedae0b5f05")
# View permissions currently associated with it
fileset.permission_manager.acl.permissions
# Create a Permission instance to match the public group's read permission
agent = "group/public"
mode = :read
permission = Hyrax::Permission.new(access_to: fileset.id, mode: mode, agent: agent)
# Invoke the PermissionManager to delete this permission and save the updated ACL
fileset.permission_manager.acl.delete(permission)
fileset.permission_manager.acl.save
```
The following code adds an embargo to a FileSet (when run in the console).
```ruby
fileset = Hyrax.query_service.find_by(id: "117e925e-b59c-4594-b237-3dedae0b5f05")
# Create a new embargo
embargo = Hyrax::Embargo.new({
  :visibility_after_embargo => "open",
  :visibility_during_embargo => "restricted",
  :embargo_release_date => DateTime.new(2026, 12, 31)
})
# Save the embargo object and associate it with the FileSet object
fileset.embargo = Hyrax.persister.save(resource: embargo)
# Update the FileSet resource so that it points to the new embargo object
# This step uses the embargo property of the fileset from the previous step
Hyrax::EmbargoManager.apply_embargo_for(resource: fileset)
# Save the updated FileSet
fileset = Hyrax.persister.save(resource: fileset)
# Publish the update (?? Are these steps necessary? I'm not sure...??)
user ||= ::User.find_by_user_key("admin@example.com")
Hyrax.publisher.publish('object.metadata.updated', object: fileset, user: user)
```
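An added example, not part of the original notes and not Hyrax code: a plain-Ruby model of the agent strings and embargo fields described above, checking whether a resource's ACL agrees with its embargo. The struct, function and finding names are hypothetical, the sample data is constructed, and it assumes an embargo is in force strictly before its release date and that "restricted" is the private visibility.

```ruby
require "date"

# Hypothetical plain-Ruby stand-ins for this sketch; these are not Hyrax classes.
Perm = Struct.new(:agent, :mode)
EmbargoRecord = Struct.new(:visibility_during_embargo, :visibility_after_embargo,
                           :embargo_release_date)

# Group agents are written "group/<name>"; anything else is an individual user ID.
def group_agents(perms)
  perms.map(&:agent).select { |a| a.start_with?("group/") }.uniq
end

# "open" when the public group can read, otherwise "restricted" (private).
def acl_visibility(perms)
  perms.any? { |p| p.agent == "group/public" && p.mode == :read } ? "open" : "restricted"
end

# Visibility the embargo calls for on a given day; nil when there is no embargo.
# Assumption: the embargo is in force strictly before its release date.
def embargo_visibility(embargo, today)
  return nil if embargo.nil?
  active = today.to_date < embargo.embargo_release_date.to_date
  active ? embargo.visibility_during_embargo : embargo.visibility_after_embargo
end

# Returns an array of findings; an empty array means ACL and embargo agree.
def audit(perms, embargo, today)
  findings = []
  actual = acl_visibility(perms)
  expected = embargo_visibility(embargo, today)
  if expected && expected != actual
    findings << (actual == "open" ? :public_read_during_embargo : :acl_not_released)
  end
  # A private resource should carry at most the admin group.
  if actual == "restricted" && !(group_agents(perms) - ["group/admin"]).empty?
    findings << :unexpected_group_on_restricted
  end
  findings
end

# Constructed sample data (the user ID is the placeholder used on this page).
SAMPLE_EMBARGO = EmbargoRecord.new("restricted", "open", DateTime.new(2026, 12, 31))
LEAKY_ACL = [Perm.new("group/public", :read), Perm.new("admin@example.com", :edit)]
CLEAN_ACL = [Perm.new("group/admin", :edit), Perm.new("admin@example.com", :edit)]

puts audit(LEAKY_ACL, SAMPLE_EMBARGO, Date.new(2026, 6, 1)).inspect
```

A `:public_read_during_embargo` finding is the case the first console snippet addresses: the `group/public` read permission is still on the ACL while the embargo calls for restricted visibility.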