Improved EDS permission handling.

config/vufind/EDS.ini

+; IMPORTANT NOTE: By default, VuFind will block access to certain EDS content
+; unless it knows which users are authorized (by IP, etc.). Please configure the
+; access.EDSExtendedResults permission in permissions.ini to allow users to
+; see this content. You are responsible for complying with your license.
+
 ; This section contains global settings affecting search behavior.
 [General]
 ; This setting controls the default sort order of search results; the selected
@@ -184,8 +189,9 @@ next_prev_navigation = false
 ; If using IP Authentication, then the user_id and password should remain blank
 ; and ip_auth should be set to true.
 [EBSCO_Account]
+; IP authentication for the API
 ip_auth = false
 user_name = [USERNAME]
 password  = [PASSWORD]
 profile   = [PROFILE]
-organization_id =
\ No newline at end of file
+organization_id = "VuFind 2.x from MyUniversity"

config/vufind/permissions.ini

@@ -62,6 +62,7 @@
 ;
 ; access.AdminModule - Controls access to the admin panel (if enabled in config.ini)
 ; access.DebugMode - Allows ?debug=true GET parameter to turn on debug mode
+; access.EDSExtendedResults - Controls visibility of protected EDS results
 ; access.EITModule - Controls access to the EBSCO EIT module (if active)
 ; access.StaffViewTab - Controls access to the staff view tab in record mode
 ; access.SummonExtendedResults - Controls visibility of protected Summon results
@@ -82,6 +83,12 @@ permission = access.StaffViewTab
 ;username[] = admin
 ;permission = access.DebugMode
 
+; Example for EDS
+;[default.EDSModule]
+;ipRange[] = "127.0.0.1"
+;ipRange[] = "192.168.11"
+;permission = access.EDSExtendedResults
+
 ; Examples for Shibboleth
 ;
 ; Only users that have either common-lib-terms and entityid from idp1 or 

module/VuFind/src/VuFind/Controller/EdsrecordController.php

@@ -26,6 +26,7 @@
  * @link     http://vufind.org   Main Site
  */
 namespace VuFind\Controller;
+use VuFind\Exception\Forbidden as ForbiddenException;
 
 /**
  * EDS Record Controller
@@ -60,11 +61,14 @@ class EdsrecordController extends AbstractRecord
     {
         $driver = $this->loadRecord();
         //if the user is a guest, redirect them to the login screen.
-        if (!$this->isAuthenticationIP() && false == $this->getUser()) {
-            return $this->forceLogin();
-        } else {
-            return $this->redirect()->toUrl($driver->getPdfLink());
+        $auth = $this->getAuthorizationService();
+        if (!$auth->isGranted('access.EDSExtendedResults')) {
+            if (!$this->getUser()) {
+                return $this->forceLogin();
+            }
+            throw new ForbiddenException('Access denied.');
         }
+        return $this->redirect()->toUrl($driver->getPdfLink());
     }
 
     /**
@@ -78,16 +82,4 @@ class EdsrecordController extends AbstractRecord
         return (isset($config->Record->next_prev_navigation)
             && $config->Record->next_prev_navigation);
     }
-
-     /**
-     * Is IP Authentication being used?
-     *
-     * @return bool
-     */
-    protected function isAuthenticationIP()
-    {
-        $config = $this->getServiceLocator()->get('VuFind\Config')->get('EDS');
-        return (isset($config->EBSCO_Account->ip_auth)
-            && 'true' ==  $config->EBSCO_Account->ip_auth);
-    }
 }
\ No newline at end of file

module/VuFind/src/VuFind/Search/Factory/EdsBackendFactory.php

@@ -103,10 +103,12 @@ class EdsBackendFactory implements FactoryInterface
      */
     protected function createBackend(Connector $connector)
     {
+        $auth = $this->serviceLocator->get('ZfcRbac\Service\AuthorizationService');
+        $isGuest = !$auth->isGranted('access.EDSExtendedResults');
         $backend = new Backend(
             $connector, $this->createRecordCollectionFactory(),
             $this->serviceLocator->get('VuFind\CacheManager')->getCache('object'),
-            new \Zend\Session\Container('EBSCO'), $this->edsConfig
+            new \Zend\Session\Container('EBSCO'), $this->edsConfig, $isGuest
         );
         $backend->setAuthManager($this->serviceLocator->get('VuFind\AuthManager'));
         $backend->setLogger($this->logger);

module/VuFindSearch/src/VuFindSearch/Backend/EDS/Backend.php

@@ -27,6 +27,8 @@
  */
 namespace VuFindSearch\Backend\EDS;
 
+use Exception;
+
 use VuFindSearch\Backend\EDS\Zend2 as ApiClient;
 
 use VuFindSearch\Query\AbstractQuery;
@@ -132,6 +134,13 @@ class Backend extends AbstractBackend
      */
     protected $session;
 
+    /**
+     * Is the current user a guest?
+     *
+     * @var bool
+     */
+    protected $isGuest;
+
     /**
      * Constructor.
      *
@@ -140,16 +149,18 @@ class Backend extends AbstractBackend
      * @param CacheAdapter                     $cache   Object cache
      * @param SessionContainer                 $session Session container
      * @param Config                           $config  Object representing EDS.ini
+     * @param bool                             $isGuest Is the current user a guest?
      */
     public function __construct(ApiClient $client,
         RecordCollectionFactoryInterface $factory, CacheAdapter $cache,
-        SessionContainer $session, Config $config = null
+        SessionContainer $session, Config $config = null, $isGuest = true
     ) {
-        // Save dependencies:
+        // Save dependencies/incoming parameters:
         $this->client = $client;
         $this->setRecordCollectionFactory($factory);
         $this->cache = $cache;
         $this->session = $session;
+        $this->isGuest = $isGuest;
 
         // Extract key values from configuration:
         if (isset($config->EBSCO_Account->user_name)) {
@@ -297,7 +308,7 @@ class Backend extends AbstractBackend
                         $sessionToken = $this->getSessionToken(true);
                     }
                     $response = $this->client->retrieve(
-                        $an, $dbId,  $authenticationToken, $sessionToken, $hlTerms
+                        $an, $dbId, $authenticationToken, $sessionToken, $hlTerms
                     );
                 } catch(Exception $e) {
                     throw new BackendException($e->getMessage(), $e->getCode(), $e);
@@ -498,23 +509,13 @@ class Backend extends AbstractBackend
     }
 
     /**
-     * Determines whether or not the current user session is identifed as a guest
-     * session
+     * Is the current user a guest? If so, return 'y' else 'n'.
      *
-     * @return string 'y'|'n'
+     * @return string
      */
     protected function isGuest()
     {
-        // If the user is not logged in, then treat them as a guest. Unless they are
-        // using IP Authentication.
-        // If IP Authentication is used, then don't treat them as a guest.
-        if ($this->ipAuth) {
-            return 'n';
-        }
-        if (isset($this->authManager)) {
-            return $this->authManager->isLoggedIn() ? 'n' : 'y';
-        }
-        return 'y';
+        return $this->isGuest ? 'y' : 'n';
     }
 
     /**
@@ -531,7 +532,7 @@ class Backend extends AbstractBackend
     {
         try {
             $authToken = $this->getAuthenticationToken();
-            $results = $this->client->createSession($profile,  $isGuest, $authToken);
+            $results = $this->client->createSession($profile, $isGuest, $authToken);
         } catch(\EbscoEdsApiException $e) {
             $errorCode = $e->getApiErrorCode();
             $desc = $e->getApiErrorDescription();
@@ -543,7 +544,7 @@ class Backend extends AbstractBackend
                 try {
                     $authToken = $this->getAuthenticationToken(true);
                     $results = $this->client
-                        ->createSession($this->profile,  $isGuest, $authToken);
+                        ->createSession($this->profile, $isGuest, $authToken);
                 } catch(Exception $e) {
                     throw new BackendException(
                         $e->getMessage(),