Add abilities based on Downloader associations

Author: corylown

app/models/ability.rb

@@ -35,14 +35,22 @@ def user_with_roles_abilities
     return if user.roles.empty?
 
     can :read, :pages_data
-    organization_ability_restrictions
+
+    # record/download access for unrestricted organizations
+    can :read, ActiveStorage::Attachment, { record: { organization: { restrict_downloads: false } } }
+    can :read, MarcRecord, upload: { organization: { restrict_downloads: false } }
+    can :read, Stream, organization: { restrict_downloads: false }
+    can :read, Upload, organization: { restrict_downloads: false }
+
+    # record/download access for restricted organizations where access has been granted
+    can :read, ActiveStorage::Attachment, { record: { organization: { id: permitted_organization_ids } } }
+    can :read, MarcRecord, upload: { organization: { id: permitted_organization_ids } }
+    can :read, Stream, organization: { id: permitted_organization_ids }
+    can :read, Upload, organization: { id: permitted_organization_ids }
   end
 
-  def organization_ability_restrictions(restrictions = { restrict_downloads: false })
-    can :read, ActiveStorage::Attachment, { record: { organization: restrictions } }
-    can :read, MarcRecord, upload: { organization: restrictions }
-    can :read, Stream, organization: restrictions
-    can :read, Upload, organization: restrictions
+  def permitted_organization_ids
+    @permitted_organization_ids ||= user.organizations.flat_map(&:effective_downloadable_organizations).pluck(:id).uniq
   end
 
   def site_admin_user_abilities
@@ -75,7 +83,11 @@ def organization_member_abilities
 
     can %i[create], [Upload], organization: { id: member_organization_ids }
     can :read, AllowlistedJwt, resource_type: 'Organization', resource_id: member_organization_ids
-    organization_ability_restrictions({ id: member_organization_ids })
+    # record/download access for organizations where the user is a member
+    can :read, ActiveStorage::Attachment, { record: { organization: { id: member_organization_ids } } }
+    can :read, MarcRecord, upload: { organization: { id: member_organization_ids } }
+    can :read, Stream, organization: { id: member_organization_ids }
+    can :read, Upload, organization: { id: member_organization_ids }
   end
 
   def member_organization_ids

app/models/organization.rb

@@ -55,4 +55,9 @@ def slug=(slug)
   def latest_upload
     uploads.recent.first
   end
+
+  def effective_downloadable_organizations
+    @effective_downloadable_organizations ||=
+      (downloadable_organizations + groups.flat_map(&:downloadable_organizations)).uniq
+  end
 end

app/models/token_ability.rb

@@ -47,13 +47,21 @@ def token_upload_abilities
   def token_download_abilities
     can :read, Organization
 
-    organization_ability_restrictions
-    organization_ability_restrictions({ allowlisted_jwts: { jti: token_jti } })
+    # record/download access for unrestricted organizations
+    can :read, [Stream, Upload], organization: { restrict_downloads: false }
+    can :read, ActiveStorage::Attachment, { record: { organization: { restrict_downloads: false } } }
+
+    # record/download access for organization linked to the token
+    can :read, [Stream, Upload], organization: { allowlisted_jwts: { jti: token_jti } }
+    can :read, ActiveStorage::Attachment, { record: { organization: { allowlisted_jwts: { jti: token_jti } } } }
+
+    # record/download access for restricted organizations where access has been granted
+    can :read, [Stream, Upload], organization: { id: permitted_organization_ids }
+    can :read, ActiveStorage::Attachment, { record: { organization: { id: permitted_organization_ids } } }
   end
 
-  def organization_ability_restrictions(restrictions = { restrict_downloads: false })
-    can :read, [Stream, Upload], organization: restrictions
-    can :read, ActiveStorage::Attachment, { record: { organization: restrictions } }
+  def permitted_organization_ids
+    @permitted_organization_ids ||= @allowlisted_jwt&.resource&.effective_downloadable_organizations&.pluck(:id)
   end
 
   def token_jti

spec/models/ability_spec.rb

@@ -123,6 +123,22 @@
       it { is_expected.to be_able_to(:read, restricted_other_org) }
       it { is_expected.not_to be_able_to(:read, Upload.new(organization: restricted_other_org)) }
       it { is_expected.not_to be_able_to(:read, Stream.new(organization: restricted_other_org)) }
+      it { is_expected.not_to be_able_to(:read, MarcRecord.new(upload: Upload.new(organization: restricted_other_org))) }
+      it { is_expected.not_to be_able_to(:read, ActiveStorage::Attachment.new(record: Upload.new(organization: restricted_other_org))) }
+    end
+
+    context 'when an organization is restricted but the user belongs to an organization granted access' do
+      let(:user) { create(:user) }
+
+      before do
+        user.add_role :member, organization
+        Downloader.create!(organization: restricted_other_org, resource: organization)
+      end
+
+      it { is_expected.to be_able_to(:read, Upload.new(organization: restricted_other_org)) }
+      it { is_expected.to be_able_to(:read, Stream.new(organization: restricted_other_org)) }
+      it { is_expected.to be_able_to(:read, MarcRecord.new(upload: Upload.new(organization: restricted_other_org))) }
+      it { is_expected.to be_able_to(:read, ActiveStorage::Attachment.new(record: Upload.new(organization: restricted_other_org))) }
     end
   end
 end

spec/models/organization_spec.rb

@@ -101,4 +101,19 @@
       expect(organization.downloadable_organizations).to include(other_organization)
     end
   end
+
+  describe '#effective_downloadable_organizations' do
+    let(:group) { create(:group) }
+    let(:group_org) { create(:organization) }
+
+    before do
+      GroupMembership.create!(group: group, organization: organization)
+      Downloader.create!(resource: organization, organization: other_organization)
+      Downloader.create!(resource: group, organization: group_org)
+    end
+
+    it 'returns all organizations that can be downloaded by this organization via direct access or group membership' do
+      expect(organization.effective_downloadable_organizations).to contain_exactly(other_organization, group_org)
+    end
+  end
 end

spec/models/token_ability_spec.rb

@@ -24,9 +24,31 @@
     it { is_expected.to be_able_to(:read, unrestricted_other_org) }
     it { is_expected.to be_able_to(:read, restricted_other_org) }
 
+    it { is_expected.to be_able_to(:read, create(:upload, :binary_marc, organization: organization)) }
+    it { is_expected.to be_able_to(:read, create(:upload, :binary_marc, organization: unrestricted_other_org)) }
+    it { is_expected.not_to be_able_to(:read, create(:upload, :binary_marc, organization: restricted_other_org)) }
+
+    it { is_expected.to be_able_to(:read, create(:stream, organization: organization)) }
+    it { is_expected.to be_able_to(:read, create(:stream, organization: unrestricted_other_org)) }
+    it { is_expected.not_to be_able_to(:read, create(:stream, organization: restricted_other_org)) }
+
+    it { is_expected.to be_able_to(:read, ActiveStorage::Attachment.new(record: Upload.new(organization: organization))) }
+    it { is_expected.to be_able_to(:read, ActiveStorage::Attachment.new(record: Upload.new(organization: unrestricted_other_org))) }
+    it { is_expected.not_to be_able_to(:read, ActiveStorage::Attachment.new(record: Upload.new(organization: restricted_other_org))) }
+
     it { is_expected.to be_able_to(:create, Upload.new(organization: organization)) }
     it { is_expected.not_to be_able_to(:create, Upload.new(organization: unrestricted_other_org)) }
 
+    context 'when the organization has been granted record/download access to the restricted organization' do
+      before do
+        Downloader.create!(organization: restricted_other_org, resource: organization)
+      end
+
+      it { is_expected.to be_able_to(:read, create(:upload, :binary_marc, organization: restricted_other_org)) }
+      it { is_expected.to be_able_to(:read, create(:stream, organization: restricted_other_org)) }
+      it { is_expected.to be_able_to(:read, ActiveStorage::Attachment.new(record: Upload.new(organization: restricted_other_org))) }
+    end
+
     context 'with a token scoped to reads' do
       let(:token_attributes) { { scope: 'download' } }