Prevent sharing works and filesets with unintended groups

[davidcam-src]

Fixes

Fixes #6822

Summary

• Non admin users are able to override visibility restrictions for an admin set for works and filesets. By following steps specified in issue Depositors able to override admin set visibility restrictions #6822 works and filesets can be shared with groups that were not intended.

Guidance for testing:

Criteria: Users should not be able to share works to groups outside of the visibility restrictions of the admin set it belongs to

1. As a non admin user, create a new work in Nurax.
2. Select an admin set with exclusive private visibility in the Relations tab.
3. In the sharing settings tab, ensure that "public" or "registered" are not selectable options

Criteria: Users should not be able to share works to groups outside of the visibility restrictions of the admin set it belongs to

1. As a non admin user, create a new work in Nurax.
2. Select an admin set with exclusive private visibility in the Relations tab.
3. Fill out the form as usual and add a file. Check the deposit agreement and click save.
4. Go to the dropdown for the file on the work page and select Edit
5. Click the permissions tab and verify that visibility restrictions for the admin set are being applied to the radio buttons (private should be the only option available)

Changes proposed in this pull request:

• Additional argument for visibility component to pass in an admin set widget in the permissions control javascript
• file_set_admin_set_option function added to retrieve the admin set for any given file
• non-visible admin_set_options partial added to permission.html.erb to ensure the permissions control javascript executes, only renders for non-admins so that admins can still easily override sharing restrictions imposed by admin sets
• replace current_user.groups in permission_form.html.erb with available_user_groups function call
• remove "registered" and "public" groups from groups that can be selected for file sharing if the user is not an admin
  @samvera/hyrax-code-reviewers

[github-actions]

Test Results

    17 files  ±0      17 suites  ±0   2h 18m 10s ⏱️ +53s
 6 706 tests ±0   6 409 ✅ +1  297 💤 ±0  0 ❌  - 1 
13 180 runs  ±0  12 785 ✅ +1  395 💤 ±0  0 ❌  - 1 

Results for commit 3562ca7. ± Comparison against base commit 891cdb5.

This pull request removes 267 and adds 267 tests. Note that renamed tests count towards both.

spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplate:0x00007f0e3236f3c0>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplate:0x00007ff316414108>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplateAccess:0x00007f0e34462fa0>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplateAccess:0x00007ff315ff2f98>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to destroy AdminSet: 284f10ef-ed07-4d9e-ae52-9a7119403f71
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to destroy Hyrax::AdministrativeSet: 1b3c6abf-69c1-4a03-8b96-70443cb88c4b
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to edit AdminSet: dd250258-0bb2-4cb3-9328-a269781375ca
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to edit Hyrax::AdministrativeSet: 5d74adcd-f2bb-486c-b411-23623b978a93
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to update AdminSet: ca61a1e8-2de3-40a4-88b8-d9af4f8287eb
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to update Hyrax::AdministrativeSet: 948c3d32-711f-4838-8e4b-d9f1b67f5dff
…

spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplate:0x00007effc2597590>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplate:0x00007ff8f86780d8>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplateAccess:0x00007effba6c6400>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to create #<Hyrax::PermissionTemplateAccess:0x00007ff8f6b7add0>
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to destroy AdminSet: 2d8a6151-f4b2-46ef-bdc9-a4a5b4206742
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to destroy Hyrax::AdministrativeSet: 9acf08f3-c5a9-4cb0-960a-29f9d09c315f
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to edit AdminSet: 36e9f983-20b5-4dc2-a47d-a13a9bd424ea
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to edit Hyrax::AdministrativeSet: bf29ad9f-c01a-4ce4-b897-836dd3492d45
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to update AdminSet: 9fca0c8a-d05b-493c-8975-123cb157e840
spec.abilities.ability_spec ‑ Hyrax::Ability AdminSets and PermissionTemplates a user without edit access is expected not to be able to update Hyrax::AdministrativeSet: 86acf8d1-5257-4cba-9ddc-3629029f1ca2
…

♻️ This comment has been updated with latest results.