do not return an empty IIIF Auth2 probe response when externally auth…

…orized - likewise publicy accessible content - DLC-1152
cul · Sep 13, 2024 · 84474ea · 84474ea
1 parent 405bcb3
commit 84474ea
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 3 deletions.
diff --git a/app/models/iiif/authz/v2/probe_service/response.rb b/app/models/iiif/authz/v2/probe_service/response.rb
@@ -34,10 +34,10 @@ def token_authorized?
   def to_h
     probe_response = IIIF_TEMPLATES['v2_probe_response'].deep_dup
     probe_response[:id] = route_helper.bytestream_probe_url(catalog_id: @document.id, bytestream_id: bytestream_id)
-    if @ability_helper.can?(Ability::ACCESS_ASSET, @document) && @ability_helper.reading_room_client?
-      probe_response.merge!(redirect_location_properties)
-    elsif token_authorized?
+    if token_authorized?
       probe_response.merge!(redirect_location_properties(token_authorizer))
+    elsif @ability_helper.can?(Ability::ACCESS_ASSET, @document)
+      probe_response.merge!(redirect_location_properties)
     else
       no_token = @authorization.blank?
       has_id_policy = @document.fetch('access_control_levels_ssim',[]).include?(ACCESS_LEVEL_AFFILIATION)

diff --git a/spec/models/iiif/authz/v2/probe_service/response_spec.rb b/spec/models/iiif/authz/v2/probe_service/response_spec.rb
@@ -0,0 +1,70 @@
+require 'rails_helper'
+
+describe Iiif::Authz::V2::ProbeService::Response do
+  subject(:probe_response) {
+    _pr = described_class.new(
+      document: solr_document,
+      bytestream_id: 'content',
+      ability_helper: controller,
+      route_helper: controller,
+      remote_ip: remote_ip,
+      authorization: authorization_header
+    )
+    _pr.instance_variable_set(:@token_authorizer, token_authorizer)
+    _pr
+  }
+  let(:authorization_header) { "Bearer token.value" }
+  let(:controller) { instance_double(BytestreamsController) }
+  let(:remote_ip) { "127.0.0.1" }
+  let(:solr_document) { SolrDocument.new(solr_hash) }
+  let(:solr_hash) { {} }
+  let(:token_authorizer) { instance_double(Iiif::Authz::V2::ProbeService::Response::TokenAuthorizer) }
+  let(:user) { instance_double(User) }
+  let(:probe_response_status) { probe_response.to_h[:status] }
+
+  before do
+    allow(controller).to receive(:current_user).and_return(user)
+    allow(controller).to receive(:bytestream_probe_url)
+  end
+
+  context "authorized without token" do
+    before do
+      allow(token_authorizer).to receive(:can_access_asset?).and_return(false)
+      allow(controller).to receive(:can?).and_return(true)
+      allow(controller).to receive(:bytestream_content_url)
+    end
+    it { expect(probe_response_status).to eql(302) }
+  end
+  context "token authorized" do
+    before do
+      allow(token_authorizer).to receive(:can_access_asset?).and_return(true)
+      allow(controller).to receive(:bytestream_content_url)
+    end
+    it { expect(probe_response_status).to eql(302) }
+  end
+  context "not authorized" do
+    before do
+      allow(token_authorizer).to receive(:can_access_asset?).and_return(false)
+      allow(controller).to receive(:can?).and_return(false)
+    end
+    context "not logged in" do
+      let(:user) { nil }
+      context "object has id policy" do
+        let(:solr_hash) {
+          {
+            'access_control_levels_ssim' => [Dcv::AccessLevels::ACCESS_LEVEL_AFFILIATION],
+          }
+        }
+        before do
+          allow(probe_response).to receive(:services)
+        end
+        it { expect(probe_response_status).to eql(401) }
+      end
+    end
+    context "no token" do
+      context "object has id policy" do
+        it { expect(probe_response_status).to eql(403) }
+      end
+    end
+  end
+end