From b1452bdb2e67317101a2c2f42aa7c2f38a4ce512 Mon Sep 17 00:00:00 2001
From: Mason Ballengee
Date: Wed, 3 Jun 2026 12:01:47 -0400
Subject: [PATCH 1/2] Expand IP address ranges on retrieval, not storage
Related issue: #5988
---
 app/models/media_object.rb | 10 +---------
 .../initializers/policy_aware_modification.rb | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/app/models/media_object.rb b/app/models/media_object.rb
index 6276a1c8e3..589d789acc 100644
--- a/app/models/media_object.rb
+++ b/app/models/media_object.rb
@@ -319,7 +319,7 @@ def fill_in_solr_fields_that_need_sections(solr_doc)
 def fill_in_solr_fields_needing_leases(solr_doc)
 solr_doc['read_access_virtual_group_ssim'] = virtual_read_groups + leases('external').map(&:inherited_read_groups).flatten
- solr_doc['read_access_ip_group_ssim'] = collect_ips_for_index(ip_read_groups + leases('ip').map(&:inherited_read_groups).flatten)
+ solr_doc['read_access_ip_group_ssim'] = (ip_read_groups + leases('ip').map(&:inherited_read_groups).flatten).uniq
 solr_doc[Hydra.config.permissions.read.group] ||= []
 solr_doc[Hydra.config.permissions.read.group] += solr_doc['read_access_ip_group_ssim']
 end
@@ -495,14 +495,6 @@ def calculate_duration
 section_solr_docs.collect { |h| h['duration_ssi'].to_i }.compact.sum
 end
- def collect_ips_for_index ip_strings
- ips = ip_strings.collect do |ip|
- addr = IPAddr.new(ip) rescue next
- addr.to_range.map(&:to_s)
- end
- ips.flatten.compact.uniq || []
- end
-
 def sections_with_files(tag: '*')
 # TODO: Optimize this into a single solr query?
 section_ids.select { |m| SpeedyAF::Proxy::MasterFile.find(m).supplemental_files(tag: tag).present? }
diff --git a/config/initializers/policy_aware_modification.rb b/config/initializers/policy_aware_modification.rb
index fcccbeb565..7b325a6109 100644
--- a/config/initializers/policy_aware_modification.rb
+++ b/config/initializers/policy_aware_modification.rb
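Review bot: In `fill_in_solr_fields_needing_leases`, the unchanged line `solr_doc[Hydra.config.permissions.read.group] += solr_doc['read_access_ip_group_ssim']` now appends unexpanded range strings to the read-group field, so anything that matches a single client address against that field on the Solr side would stop matching entries stored as ranges. The series expands ranges only in the `read_groups` override; whether search-time filtering also does so is not visible here and should be confirmed. Existing documents would also need a reindex so that old and new records agree. A comment above the assignment, for example `# IP groups are indexed as entered (address or CIDR); ranges are expanded on read, not here`, would record the new contract.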
@@ -113,3 +113,20 @@ def self.count(query, args = {})
 result['response']['numFound'].to_i
 end
 end
+
+# Override to expand IP address ranges
+Blacklight::AccessControls::Ability.class_eval do
+ def read_groups(id)
+ doc = permissions_doc(id)
+ return [] if doc.nil?
+ groups = Array(doc[self.class.read_group_field]).uniq
+ groups = groups.map do |g|
+ ip = IPAddr.new(g)
+ next if ip.blank?
+ ip.to_range.map(&:to_s)
+ end.flatten
+ rg = download_groups(id) | groups
+ Rails.logger.debug("[CANCAN] read_groups: #{rg.inspect}")
+ rg
+ end
+end
From 2def9b19a34e0d686a4d343c64ee3873c66ed132 Mon Sep 17 00:00:00 2001
From: Mason Ballengee
Date: Wed, 3 Jun 2026 13:28:00 -0400
Subject: [PATCH 2/2] Add rescue to IP handling
`IPAddr` raises an error when arg is not an IP address. We need to rescue this error when looping through the read groups instead of assuming that it would return nil.
---
 config/initializers/policy_aware_modification.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/config/initializers/policy_aware_modification.rb b/config/initializers/policy_aware_modification.rb
index 7b325a6109..af4ccf4563 100644
--- a/config/initializers/policy_aware_modification.rb
+++ b/config/initializers/policy_aware_modification.rb
@@ -121,10 +121,9 @@ def read_groups(id)
 return [] if doc.nil?
 groups = Array(doc[self.class.read_group_field]).uniq
 groups = groups.map do |g|
- ip = IPAddr.new(g)
- next if ip.blank?
- ip.to_range.map(&:to_s)
- end.flatten
+ ip = IPAddr.new(g) rescue nil
+ ip.present? ? ip.to_range.map(&:to_s) : g
+ end.flatten.compact.uniq
 rg = download_groups(id) | groups
 Rails.logger.debug("[CANCAN] read_groups: #{rg.inspect}")
 rg
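Review bot: `ip.to_range.map(&:to_s)` in the new `read_groups` override materialises every address of a range on each call, so a wide prefix stored as a read group (a /8 is roughly 16.7 million strings, an IPv6 /64 far more) can exhaust memory or stall the authorization check. The same expression is kept in the `@@ -121` hunk of the second patch. Bounding the accepted prefix length where IP groups are saved, or testing the requester's address with `IPAddr#include?` instead of enumerating, would avoid this. The code that compares the returned groups with the user's groups is outside the hunk, so the exact shape of that change cannot be judged from here. The `Rails.logger.debug` line also writes the whole expanded list to the log whenever debug logging is enabled.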
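Review bot: The modifier form in `ip = IPAddr.new(g) rescue nil` swallows every StandardError, not only the parse failure the commit message describes, so an unrelated fault in this authorization path would be silently treated as "not an IP address". Rescuing the library's own error class keeps the fallback narrow: `ip = begin; IPAddr.new(g); rescue IPAddr::Error; nil; end`, after which the next line can test `ip ?` directly instead of `ip.present? ?`. `read_groups` starts above this hunk and its closing `end` lies below it.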