avalonmediasystem · cjcolvar · Aug 26, 2022 · Aug 17, 2022 · Aug 18, 2022 · Aug 18, 2022
diff --git a/app/controllers/master_files_controller.rb b/app/controllers/master_files_controller.rb
@@ -1,11 +1,11 @@
 # Copyright 2011-2022, The Trustees of Indiana University and Northwestern
 #   University.  Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
-# 
+#
 # You may obtain a copy of the License at
-# 
+#
 # http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software distributed
 #   under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 #   CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -70,7 +70,7 @@ def show
 
   def embed
     if can? :read, @master_file
-      @stream_info = secure_streams(@master_file.stream_details)
+      @stream_info = secure_streams(@master_file.stream_details, @master_file.media_object_id)
       @stream_info['t'] = view_context.parse_media_fragment(params[:t]) # add MediaFragment from params
       @stream_info['link_back_url'] = view_context.share_link_for(@master_file)
     end
@@ -411,14 +411,14 @@ def ensure_readable_filedata
   end
 
   def gather_hls_streams(master_file)
-    stream_info = secure_streams(master_file.stream_details)
+    stream_info = secure_streams(master_file.stream_details, master_file.media_object_id)
     hls_streams = stream_info[:stream_hls].reject { |stream| stream[:quality] == 'auto' }
     hls_streams.each { |stream| unnest_wowza_stream(stream) } if Settings.streaming.server == "wowza"
     hls_streams
   end
 
   def hls_stream(master_file, quality)
-    stream_info = secure_streams(master_file.stream_details)
+    stream_info = secure_streams(master_file.stream_details, master_file.media_object_id)
     hls_stream = stream_info[:stream_hls].select { |stream| stream[:quality] == quality }
     unnest_wowza_stream(hls_stream&.first) if Settings.streaming.server == "wowza"
     hls_stream

diff --git a/app/controllers/media_objects_controller.rb b/app/controllers/media_objects_controller.rb
@@ -1,11 +1,11 @@
 # Copyright 2011-2022, The Trustees of Indiana University and Northwestern
 #   University.  Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
-# 
+#
 # You may obtain a copy of the License at
-# 
+#
 # http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software distributed
 #   under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 #   CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -468,7 +468,7 @@ def manifest
 
     master_files = master_file_presenters
     canvas_presenters = master_files.collect do |mf|
-      stream_info = secure_streams(mf.stream_details)
+      stream_info = secure_streams(mf.stream_details, @media_object.id)
       IiifCanvasPresenter.new(master_file: mf, stream_info: stream_info)
     end
     presenter = IiifManifestPresenter.new(media_object: @media_object, master_files: canvas_presenters)
@@ -546,7 +546,11 @@ def set_player_token
   def load_current_stream
     set_active_file
     set_player_token
-    @currentStreamInfo = @currentStream.nil? ? {} : secure_streams(@currentStream.stream_details)
+    @currentStreamInfo = if params[:id]
+                           @currentStream.nil? ? {} : secure_streams(@currentStream.stream_details, params[:id])
+                         else
+                           @currentStream.nil? ? {} : secure_streams(@currentStream.stream_details, @media_object.id)
+                         end
     @currentStreamInfo['t'] = view_context.parse_media_fragment(params[:t]) # add MediaFragment from params
     @currentStreamInfo['lti_share_link'] = view_context.lti_share_url_for(@currentStream)
     @currentStreamInfo['link_back_url'] = view_context.share_link_for(@currentStream)

diff --git a/app/helpers/security_helper.rb b/app/helpers/security_helper.rb
@@ -1,11 +1,11 @@
 # Copyright 2011-2022, The Trustees of Indiana University and Northwestern
 #   University.  Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
-# 
+#
 # You may obtain a copy of the License at
-# 
+#
 # http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software distributed
 #   under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 #   CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -19,13 +19,23 @@ def add_stream_cookies(stream_info)
     end
   end
 
-  def secure_streams(stream_info)
+  def secure_streams(stream_info, media_object_id)
+    add_stream_url(stream_info) unless not_checked_out?(media_object_id)
+    stream_info
+  end
+
+  def add_stream_url(stream_info)
     add_stream_cookies(id: stream_info[:id])
     [:stream_hls].each do |protocol|
       stream_info[protocol].each do |quality|
         quality[:url] = SecurityHandler.secure_url(quality[:url], session: session, target: stream_info[:id], protocol: protocol)
       end
     end
-    stream_info
   end
+
+  private
+
+    def not_checked_out?(media_object_id)
+      Avalon::Configuration.controlled_digital_lending_enabled? && Checkout.checked_out_to_user(media_object_id, current_user&.id).empty?
+    end
 end
diff --git a/app/models/checkout.rb b/app/models/checkout.rb
@@ -8,6 +8,7 @@ class Checkout < ApplicationRecord
   scope :active_for_media_object, ->(media_object_id) { where(media_object_id: media_object_id).where("return_time > now()") }
   scope :active_for_user, ->(user_id) { where(user_id: user_id).where("return_time > now()") }
   scope :returned_for_user, ->(user_id) { where(user_id: user_id).where("return_time < now()") }
+  scope :checked_out_to_user, ->(media_object_id, user_id) { where("media_object_id = ? AND user_id = ? AND return_time > now()", media_object_id, user_id) }
 
   def media_object
     MediaObject.find(media_object_id)

diff --git a/app/services/security_service.rb b/app/services/security_service.rb
@@ -1,11 +1,11 @@
 # Copyright 2011-2022, The Trustees of Indiana University and Northwestern
 #   University.  Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
-# 
+#
 # You may obtain a copy of the License at
-# 
+#
 # http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software distributed
 #   under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 #   CONDITIONS OF ANY KIND, either express or implied. See the License for the

diff --git a/app/views/playlists/_player.html.erb b/app/views/playlists/_player.html.erb
@@ -17,7 +17,7 @@ Unless required by applicable law or agreed to in writing, software distributed
 <% f_start = @current_clip.start_time / 1000.0 %>
 <% f_end = @current_clip.end_time / 1000.0 %>
 <% @currentStream = @current_masterfile %>
-<% @currentStreamInfo = secure_streams(@currentStream.stream_details) %>
+<% @currentStreamInfo = secure_streams(@currentStream.stream_details, @current_masterfile.media_object_id) %>
 <% @currentStreamInfo['t'] = [f_start,f_end] %>
 
 <% if can? :read, @current_masterfile %>

diff --git a/spec/controllers/master_files_controller_spec.rb b/spec/controllers/master_files_controller_spec.rb
@@ -1,11 +1,11 @@
 # Copyright 2011-2022, The Trustees of Indiana University and Northwestern
 #   University.  Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
-# 
+#
 # You may obtain a copy of the License at
-# 
+#
 # http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software distributed
 #   under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 #   CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -664,10 +664,10 @@ class << file
 
   describe "#update" do
     let(:master_file) { FactoryBot.create(:master_file, :with_media_object) }
-    subject { put('update', params: { id: master_file.id, 
-                                      master_file: { title: "New label", 
-                                                    poster_offset: "00:00:03", 
-                                                    date_digitized: "2020-08-27", 
+    subject { put('update', params: { id: master_file.id,
+                                      master_file: { title: "New label",
+                                                    poster_offset: "00:00:03",
+                                                    date_digitized: "2020-08-27",
                                                     permalink: "https://perma.link" }})}
 
     before do

diff --git a/spec/helpers/security_helper_spec.rb b/spec/helpers/security_helper_spec.rb
@@ -1,11 +1,11 @@
 # Copyright 2011-2022, The Trustees of Indiana University and Northwestern
 #   University.  Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
-# 
+#
 # You may obtain a copy of the License at
-# 
+#
 # http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software distributed
 #   under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 #   CONDITIONS OF ANY KIND, either express or implied. See the License for the
@@ -19,9 +19,12 @@
     {:id=>"bk1289888", :label=>nil, :is_video=>true, :poster_image=>nil, :embed_code=>"", :stream_hls=>[{:quality=>nil, :mimetype=>nil, :format=>"other", :url=>"http://localhost:3000/6f69c008-06a4-4bad-bb60-26297f0b4c06/35bddaa0-fbb4-404f-ab76-58f22921529c/warning.mp4.m3u8"}], :captions_path=>nil, :captions_format=>nil, :duration=>200.0, :embed_title=>"Fugit veniam numquam harum et adipisci est est. - video.mp4"}
   }
   let(:secure_url) { "http://example.com/secure/id" }
+  let(:media_object) { FactoryBot.create(:media_object) }
+  let(:user) { FactoryBot.create(:user) }
 
   before do
     allow(SecurityHandler).to receive(:secure_url).and_return(secure_url)
+    allow(helper).to receive(:current_user).and_return(user)
   end
 
   context 'when AWS streaming server' do
@@ -38,25 +41,62 @@
 
     describe '#add_stream_cookies' do
       it 'adds security tokens to cookies' do
-	expect { helper.add_stream_cookies(stream_info) }.to change { controller.cookies.sum {|k,v| 1} }.by(1)
-	expect(controller.cookies[secure_cookies.first[0]]).to eq secure_cookies.first[1][:value]
+        expect { helper.add_stream_cookies(stream_info) }.to change { controller.cookies.sum {|k,v| 1} }.by(1)
+        expect(controller.cookies[secure_cookies.first[0]]).to eq secure_cookies.first[1][:value]
       end
     end
 
     describe '#secure_streams' do
-      it 'sets secure cookies' do
-	expect { helper.secure_streams(stream_info) }.to change { controller.cookies.sum {|k,v| 1} }.by(1)
-	expect(controller.cookies[secure_cookies.first[0]]).to eq secure_cookies.first[1][:value]
+      context 'controlled digital lending is disabled' do
+        before { allow(Settings.controlled_digital_lending).to receive(:enable).and_return(false) }
+        it 'sets secure cookies' do
+        	expect { helper.secure_streams(stream_info, media_object.id) }.to change { controller.cookies.sum {|k,v| 1} }.by(1)
+        	expect(controller.cookies[secure_cookies.first[0]]).to eq secure_cookies.first[1][:value]
+        end
+
+        it 'rewrites urls in the stream_info' do
+          expect { helper.secure_streams(stream_info, media_object.id) }.to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
+          [:stream_hls].each do |protocol|
+            stream_info[protocol].each do |quality|
+              expect(quality[:url]).to eq secure_url
+            end
+          end
+        end
       end
+      context 'controlled digital lending is enabled' do
+        before { allow(Settings.controlled_digital_lending).to receive(:enable).and_return(true) }
+        context 'the user has the item checked out' do
+          before { FactoryBot.create(:checkout, media_object_id: media_object.id, user_id: user.id)}
+          it 'sets secure cookies' do
+          	expect { helper.secure_streams(stream_info, media_object.id) }.to change { controller.cookies.sum {|k,v| 1} }.by(1)
+          	expect(controller.cookies[secure_cookies.first[0]]).to eq secure_cookies.first[1][:value]
+          end
 
-       it 'rewrites urls in the stream_info' do
-         expect { helper.secure_streams(stream_info) }.to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
-         [:stream_hls].each do |protocol|
-           stream_info[protocol].each do |quality|
-             expect(quality[:url]).to eq secure_url
-           end
-         end
-       end
+          it 'rewrites urls in the stream_info' do
+            expect { helper.secure_streams(stream_info, media_object.id) }.to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
+            [:stream_hls].each do |protocol|
+              stream_info[protocol].each do |quality|
+                expect(quality[:url]).to eq secure_url
+              end
+            end
+          end
+        end
+        context 'the user does not have the item checked out' do
+          it 'does not set secure cookies' do
+          	expect { helper.secure_streams(stream_info, media_object.id) }.not_to change { controller.cookies.sum {|k,v| 1} }
+          	expect(controller.cookies[secure_cookies.first[0]]).not_to eq secure_cookies.first[1][:value]
+          end
+
+          it 'does not rewrite urls in the stream_info' do
+            expect { helper.secure_streams(stream_info, media_object.id) }.not_to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
+            [:stream_hls].each do |protocol|
+              stream_info[protocol].each do |quality|
+                expect(quality[:url]).not_to eq secure_url
+              end
+            end
+          end
+        end
+      end
     end
   end
 
@@ -68,15 +108,50 @@
     end
 
     describe '#secure_streams' do
-      it 'sets secure cookies' do
-        expect { helper.secure_streams(stream_info) }.not_to change { controller.cookies.sum {|k,v| 1} }
+      context 'controlled digital lending is disabled' do
+        before { allow(Settings.controlled_digital_lending).to receive(:enable).and_return(false) }
+        it 'sets secure cookies' do
+          expect { helper.secure_streams(stream_info, media_object.id) }.not_to change { controller.cookies.sum {|k,v| 1} }
+        end
+
+        it 'rewrites urls in the stream_info' do
+          expect { helper.secure_streams(stream_info, media_object.id) }.to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
+          [:stream_hls].each do |protocol|
+            stream_info[protocol].each do |quality|
+              expect(quality[:url]).to eq secure_url
+            end
+          end
+        end
       end
+      context 'controlled digital lending is enabled' do
+        before { allow(Settings.controlled_digital_lending).to receive(:enable).and_return(true) }
+        context 'the user has the item checked out' do
+          before { FactoryBot.create(:checkout, media_object_id: media_object.id, user_id: user.id)}
+          it 'sets secure cookies' do
+            expect { helper.secure_streams(stream_info, media_object.id) }.not_to change { controller.cookies.sum {|k,v| 1} }
+          end
+
+          it 'rewrites urls in the stream_info' do
+            expect { helper.secure_streams(stream_info, media_object.id) }.to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
+            [:stream_hls].each do |protocol|
+              stream_info[protocol].each do |quality|
+                expect(quality[:url]).to eq secure_url
+              end
+            end
+          end
+        end
+        context 'the user does not have the item checked out' do
+          it 'sets secure cookies' do
+            expect { helper.secure_streams(stream_info, media_object.id) }.not_to change { controller.cookies.sum {|k,v| 1} }
+          end
 
-      it 'rewrites urls in the stream_info' do
-        expect { helper.secure_streams(stream_info) }.to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
-        [:stream_hls].each do |protocol|
-          stream_info[protocol].each do |quality|
-            expect(quality[:url]).to eq secure_url
+          it 'does not rewrite urls in the stream_info' do
+            expect { helper.secure_streams(stream_info, media_object.id) }.not_to change { stream_info.slice(:stream_flash, :stream_hls).values.flatten.collect {|v| v[:url]} }
+            [:stream_hls].each do |protocol|
+              stream_info[protocol].each do |quality|
+                expect(quality[:url]).not_to eq secure_url
+              end
+            end
           end
         end
       end

diff --git a/spec/models/checkout_spec.rb b/spec/models/checkout_spec.rb
@@ -43,6 +43,8 @@
     let(:user) { FactoryBot.create(:user) }
     let(:media_object) { FactoryBot.create(:media_object) }
     let!(:checkout) { FactoryBot.create(:checkout, user: user, media_object_id: media_object.id) }
+    let!(:user_checkout) { FactoryBot.create(:checkout, user: user) }
+    let!(:other_checkout) { FactoryBot.create(:checkout) }
     let!(:expired_checkout) { FactoryBot.create(:checkout, user: user, media_object_id: media_object.id) }
 
     before do
@@ -57,6 +59,10 @@
       it 'does not return inactive checkouts' do
         expect(Checkout.active_for_media_object(media_object.id)).not_to include(expired_checkout)
       end
+
+      it 'does not return other checkouts' do
+        expect(Checkout.active_for_media_object(media_object.id)).not_to include(other_checkout)
+      end
     end
 
     describe 'active_for_user' do
@@ -67,6 +73,10 @@
       it 'does not return inactive checkouts' do
         expect(Checkout.active_for_user(user.id)).not_to include(expired_checkout)
       end
+
+      it 'does not return other checkouts' do
+        expect(Checkout.active_for_media_object(media_object.id)).not_to include(other_checkout)
+      end
     end
 
     describe 'returned_for_user' do
@@ -77,6 +87,20 @@
       it 'does return inactive checkouts' do
         expect(Checkout.returned_for_user(user.id)).to include(expired_checkout)
       end
+
+      it 'does not return other checkouts' do
+        expect(Checkout.active_for_media_object(media_object.id)).not_to include(other_checkout)
+      end
+    end
+
+    describe 'checked_out_to_user' do
+      it 'returns the specified checkout' do
+        expect(Checkout.checked_out_to_user(media_object.id, user.id)).to include(checkout)
+      end
+
+      it "does not return the user's other checkouts" do
+        expect(Checkout.checked_out_to_user(media_object.id, user.id)).not_to include(user_checkout)
+      end
     end
   end