aclatraz 0.0.1 → 0.1.0

data/lib/aclatraz/helpers.rb

@@ -1,18 +1,26 @@
 module Aclatraz
   module Helpers
-    def pack(prefix, object=nil)
+    # Pack given permission data.
+    #
+    #   pack(10)               # => "10"
+    #   pack(10, "FooClass")   # => "10/FooClass"
+    #   pack(10, FooClass.new) # => "10/FooClass/{foo_object_ID}"
+    def pack(owner, object=nil)
       case object
       when nil
-        "#{prefix}"
+        "#{owner}"
       when Class 
-        "#{prefix}/#{object.name}"
+        "#{owner}/#{object.name}"
       else 
-        "#{prefix}/#{object.class.name}/#{object.id}"
+        "#{owner}/#{object.class.name}/#{object.id}"
       end
     end
     
+    # Given underscored word, returns camelized version of it. 
+    #
+    #   camelize(foo_bar_bla) # => "FooBarBla"
     def camelize(str)
       str.split('_').map {|w| w.capitalize}.join
     end
-  end
-end
+  end # Helpers
+end # Aclatraz

data/lib/aclatraz/store.rb

@@ -1,11 +1,7 @@
 module Aclatraz
   module Store
-    #autoload :Memcached,     'aclatraz/store/memcached'
     autoload :Redis,        'aclatraz/store/redis'
+    #autoload :Memcached,    'aclatraz/store/memcached'
     #autoload :TokyoCabinet, 'aclatraz/store/tokyocabinet'
-  
-    class Base
-      include Aclatraz::Helpers            
-    end
-  end
-end
+  end # Store
+end # Aclatraz

data/lib/aclatraz/store/redis.rb

@@ -1,16 +1,18 @@
 begin
   require 'redis'
 rescue LoadError
-  raise "You must install redis to use the Redis store backend"
+  raise "You must install the redis gem to use the Redis store"
 end
 
 module Aclatraz
   module Store
-    class Redis < Base
+    class Redis
+      include Aclatraz::Helpers
+      
       ROLES_KEY = "aclatraz.roles"
       MEMBER_ROLES_KEY = "member.%s.roles"
       
-      def initialize(*args)
+      def initialize(*args) # :nodoc:
         @backend = ::Redis.new(*args)
       end
 
@@ -24,10 +26,6 @@ module Aclatraz
         end
       end
       
-      def permissions(role)
-        @backend.smembers(role.to_s)
-      end
-      
       def roles(member=nil)
         if member
           @backend.hkeys(MEMBER_ROLES_KEY % member.id.to_s)
@@ -37,7 +35,9 @@ module Aclatraz
       end
       
       def check(role, owner, object=nil)
-        @backend.sismember(role.to_s, pack(owner.id, object))
+        @backend.sismember(role.to_s, pack(owner.id, object)) or begin
+          object && !object.is_a?(Class) ? check(role, owner, object.class) : false
+        end
       end
       
       def delete(role, owner, object=nil)
@@ -47,6 +47,6 @@ module Aclatraz
       def clear
         @backend.flushdb
       end
-    end
-  end
-end
+    end # Redis
+  end # Store
+end # Aclatraz

data/lib/aclatraz/suspect.rb

@@ -1,90 +1,190 @@
 module Aclatraz
   module Suspect
+    class Roles
+      # These suffixes will be ignored while checking permission.
+      ACL_ROLE_SUFFIXES = /(_(of|at|on|by|for|in))?\Z/
+      
+      # Permissions will be checked for this object. 
+      attr_reader :suspect
+  
+      def initialize(suspect) # :nodoc:
+        @suspect = suspect
+      end
+      
+      # Check if current object has assigned given role.
+      #
+      # ==== Examples
+      #
+      #   suspect.roles.assign(:foo)
+      #   suspect.roles.has?(:foo) # => true
+      #   suspect.roles.has?(:bar) # => false
+      def has?(role, object=nil)
+        Aclatraz.store.check(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), suspect, object)
+      end
+      alias_method :check?, :has?
+      
+      # Assigns given role to current object. 
+      #
+      # ==== Examples
+      #
+      #   suspect.roles.has?(:foo) # => false
+      #   suspect.roles.assign(:foo)
+      #   suspect.roles.has?(:foo) # => true
+      def assign(role, object=nil)
+        Aclatraz.store.set(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), suspect, object)
+      end 
+      alias_method :add, :assign
+      alias_method :append, :assign
+      
+      # Removes given role from current object.
+      #
+      # ==== Examples
+      #
+      #   suspect.roles.assign(:foo)
+      #   suspect.roles.has?(:foo) # => true
+      #   suspect.roles.delete(:foo)
+      #   suspect.roles.has?(:foo) # => false
+      def delete(role, object=nil)
+        Aclatraz.store.delete(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), suspect, object)
+      end
+      alias_method :remove, :delete
+      
+      # Returns list of roles assigned to current object. 
+      #
+      # ==== Examples
+      #
+      #   suspect.roles.assign(:foo)
+      #   suspect.roles.assign(:bar)
+      #   suspect.roles.all # => ["foo", "bar"]
+      def all
+        Aclatraz.store.roles(self)
+      end
+      alias_method :list, :all
+    end # Roles
+  
     class SemanticRoles
-      class Base
-        ROLE_SUFFIXES = /(_(of|at|on|by|for|in))?(\?|\!)\Z/
-    
-        attr_reader :suspect
+      class Base < Aclatraz::Suspect::Roles
+        # Role name can have following formats:
+        ROLE_FORMAT = /(_(of|at|on|by|for|in))?(\?|\!)\Z/
     
-        def initialize(suspect)
-          @suspect = suspect
+        # Check if specified suspect have assigned given role. If true, then 
+        # given block will be executed. 
+        def reader(*args, &blk)
+          authorized = has?(*args)
+          blk.call if authorized && block_given?
+          authorized
         end
-      end
-      
-      class Yes < Base
+        
+        # Assigns given role to specified suspect.  
+        def writer(*args)
+          assign(*args)
+        end
+
+        # Provides syntactic sugars for checking and assigning roles. 
+        #
+        # ==== Examples
+        #
+        # checking permissions...
+        #   manager?
+        #   owner_of?(object)
+        #   manager_of?(Class)
+        #   responsible_for?(object)
+        #
+        # writing permissions...   
+        #   responsible_for!(object)
+        #   manager!
+        #   
+        # ==== Accepted method names
+        #
+        # * role_name
+        # * role_name<strong>_of</strong>
+        # * role_name<strong>_at</strong>
+        # * role_name<strong>_by</strong>
+        # * role_name<strong>_in</strong>
+        # * role_name<strong>_on</strong>
+        # * role_name<strong>_for</strong>
+        
         def method_missing(meth, *args, &blk)
           meth = meth.to_s
-          if meth =~ ROLE_SUFFIXES
-            setter = meth[-1].chr == "!" 
-            role = meth.gsub(ROLE_SUFFIXES, '')
-            if setter
-              suspect.assign_role!(*args.unshift(role))
-            else
-              authorized = suspect.has_role?(*args.unshift(role.to_sym))
-              blk.call if authorized && block_given?
-              authorized
-            end
+          if meth =~ ROLE_FORMAT
+            write = meth[-1].chr == "!" 
+            role  = meth.gsub(ROLE_FORMAT, '')
+            args.unshift(role.to_sym)
+            write ? writer(*args) : reader(*args, &blk)
           else
             # super doesn't work here, so...
             raise NoMethodError, "undefined local variable or method method `#{meth}' for #{inspect}:#{self.class.name}"
           end
         end
-      end
+      end # Base
+      
+      class Yes < Base
+        # nothing to do, only syntactic sugar...
+      end # Yes
       
       class Not < Base
-        def method_missing(meth, *args, &blk)
-          meth = meth.to_s
-          if meth =~ ROLE_SUFFIXES
-            deleter = meth[-1].chr == "!"
-            role = meth.gsub(ROLE_SUFFIXES, '')
-            if deleter 
-              suspect.delete_role!(*args.unshift(role))
-            else
-              authorized = suspect.has_role?(*args.unshift(role.to_sym))
-              blk.call if !authorized && block_given?
-              !authorized
-            end
-          else
-            raise NoMethodError, "undefined local variable or method method `#{meth}' for #{inspect}:#{self.class.name}"
-          end
+        # Deletes given role from suspected object.  
+        def writer(*args)
+          delete(*args)
         end
-      end
-    end
+        
+        # Check if specified suspect have assigned given role. If don't, then 
+        # given block will be executed and +true+ returned. 
+        def reader(*args, &blk)
+          authorized = has?(*args)
+          blk.call if !authorized && block_given?
+          !authorized
+        end
+      end # Not
+    end # SemanticRoles
   
-    def self.included(base)
+    def self.included(base) # :nodoc:
       base.send :include, InstanceMethods
     end
     
     module InstanceMethods
-      ACL_ROLE_SUFFIXES = /(_(of|at|on|by|for|in))?\Z/
-    
-      def acl_suspect?
+      def acl_suspect? # :nodoc:
         true
       end
       
-      def has_role?(role, object=nil)
-        Aclatraz.store.check(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), self, object)
-      end
-      
-      def assign_role!(role, object=nil)
-        Aclatraz.store.set(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), self, object)
-      end 
-      
-      def delete_role!(role, object=nil)
-        Aclatraz.store.delete(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), self, object)
-      end
-      
+      # Allows to manage roles assigned to current object.
+      #
+      # ==== Examples
+      #
+      #   roles.assign(:foo)
+      #   roles.has?(:foo) # => true
+      #   roles.delete(:foo)
+      #   roles.has?(:foo) # => false
+      #   roles.assign(:foo, ClassName)
+      #   roles.assign(:foo, object)
       def roles
-        Aclatraz.store.roles(self)
+        @roles ||= Roles.new(self)
       end
       
+      # Port to semantic roles management. 
+      #
+      # ==== Examples
+      #
+      #   roles.is.foo!                   # equivalent to `roles.assign(:foo)`
+      #   roles.is.foo?                   # => true
+      #   roles.is.manager_of!(ClassName) # equivalent to `roles.assign(:manager, ClassName)`
+      #   rikes.is.manager_of?(ClassName) # => true
       def is
         @acl_is ||= SemanticRoles::Yes.new(self)
       end
       
+      # Port to semantic roles management. 
+      #
+      # ==== Examples
+      #
+      #   roles.is_not.foo!               # equivalent to `roles.delete(:foo)`
+      #   roles.is.foo?                   # => false
+      #   roles.is_not.foo?               # => true
+      #   roles.is.manager_of!(ClassName) # equivalent to `roles.delete(:manager, ClassName)`
+      #   roles.is.manager_of?(ClassName) # => flase
       def is_not
         @acl_is_not ||= SemanticRoles::Not.new(self)
       end
-    end
-  end
-end
+    end # InstanceMethods
+  end # Suspect
+end # Aclatraz

data/spec/aclatraz/acl_spec.rb

@@ -1,10 +1,15 @@
 require 'spec_helper'
 
 describe "Aclatraz ACL" do 
-  before(:all) { Aclatraz.store(:redis, "redis://localhost:6379/0") }
+  before(:all) { Aclatraz.init(:redis, "redis://localhost:6379/0") }
+  
+  it "should properly store suspect" do 
+    acl = Aclatraz::ACL.new(:bar) {}
+    acl.suspect.should == :bar
+  end
   
   it "should properly store flat access control lists" do
-    acl = Aclatraz::ACL.new {} 
+    acl = Aclatraz::ACL.new(:foo) {} 
     acl.actions[:_].allow :foo
     acl.permissions[:foo].should be_true
     acl.actions[:_].deny :foo
@@ -14,7 +19,7 @@ describe "Aclatraz ACL" do
   end
   
   it "should allow for define seperated lists which are inherit from main block" do 
-    acl = Aclatraz::ACL.new do 
+    acl = Aclatraz::ACL.new(:foo) do 
       allow :foo
       on(:spam) { allow :spam }
       on(:eggs) { allow :eggs }

data/spec/aclatraz/guard_spec.rb

@@ -1,148 +1,205 @@
 require 'spec_helper'
 
 describe "Aclatraz guard" do 
-  include Aclatraz::Guard
+  before(:all) { Aclatraz.init(:redis, "redis://localhost:6379/0") }
+  let(:suspect) { @foo ||= StubSuspect.new }
   
-  before(:all) { Aclatraz.store(:redis, "redis://localhost:6379/0") }
-  let(:foo) { @foo ||= StubSuspect.new }
-  let(:target) { StubTarget.new }
+  subject { Class.new(StubGuarded) }
+ 
+  it "#acl_guard? should be true" do 
+    subject.acl_guard?.should be_true
+  end
   
-  suspects :foo do 
-    allow :role1
-    deny :role2
-    on :bar do
-      allow :role3
-      deny :role4 => StubTarget
-    end
-    on :bla do 
-      deny :role3
-      allow :role2 => :target
-      allow :role6 => 'bar'
+  it "should properly guard permissions" do
+    guarded_class = subject
+    guarded_class.name = "test1"
+    
+    guarded_class.suspects suspect do 
+      allow :role1
+      deny :role2
+      on :bar do
+        allow :role3
+        deny :role4 => StubTarget
+      end
+      on :bla do 
+        deny :role3
+        allow :role2 => :target
+        allow :role6 => 'bar'
+      end
+      on :deny_all do 
+        deny all
+      end
+      on :allow_all do 
+        allow all
+      end
     end
-    on :deny_all do 
-      deny all
+    guarded_class.suspects do 
+      allow :role5
     end
-    on :allow_all do 
-      allow all
+    
+    guarded_class.class_eval do 
+      def target; @target = StubTarget.new; end
     end
-    allow :role5
-  end
-  
-  it "should properly store name of suspected object" do 
-    self.class.acl_suspect.should == :foo
-  end
-  
-  it "should properly store permissions" do 
-    self.class.acl_permissions.should be_kind_of(Aclatraz::ACL)
-  end
-  
-  it "should properly guard permissions" do
-    access_denied = Aclatraz::AccessDenied
-   
-    lambda { guard! }.should raise_error(access_denied)
-    foo.is.role1!
-    lambda { guard! }.should_not raise_error(access_denied)
-    foo.is.role2!
-    lambda { guard! }.should raise_error(access_denied) 
-    foo.is.role5!
-    lambda { guard! }.should_not raise_error(access_denied)
     
-    lambda { guard!(:bar) }.should_not raise_error(access_denied)
-    foo.is_not.role5!
-    lambda { guard!(:bar) }.should raise_error(access_denied)
-    foo.is_not.role2!
-    lambda { guard!(:bar) }.should_not raise_error(access_denied)
-    foo.is_not.role1!
-    lambda { guard!(:bar) }.should raise_error(access_denied)
-    foo.is.role3!
-    lambda { guard!(:bar) }.should_not raise_error(access_denied)
-    foo.is.role4!(StubTarget)
-    lambda { guard!(:bar) }.should raise_error(access_denied)
+    guarded = guarded_class.new
     
-    lambda { guard!(:bla) }.should raise_error(access_denied)
-    foo.is_not.role3!
-    foo.is.role1!
-    lambda { guard!(:bla) }.should_not raise_error(access_denied)
-    foo.is_not.role1!
-    lambda { guard!(:bla) }.should raise_error(access_denied)
-    foo.is.role2!(target)
-    lambda { guard!(:bla) }.should_not raise_error(access_denied)
-    foo.is_not.role2!(target)
-    @bar = StubTarget.new
-    foo.is.role6!(@bar)
-    lambda { guard!(:bla) }.should_not raise_error(access_denied)
-    foo.is.role3!
-    lambda { guard!(:bla) }.should_not raise_error(access_denied)
-    foo.is_not.role6!(@bar)
-    foo.is.role5!
-    lambda { guard!(:bla) }.should raise_error(access_denied)
-    foo.is_not.role3!
-    lambda { guard!(:bla) }.should_not raise_error(access_denied)
+    lambda { guarded.guard! }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is.role1!
+    lambda { guarded.guard! }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is.role2!
+    lambda { guarded.guard! }.should raise_error(Aclatraz::AccessDenied) 
+    suspect.is.role5!
+    lambda { guarded.guard! }.should_not raise_error(Aclatraz::AccessDenied)
     
-    foo.is_not.role5!
-    foo.is_not.role4!(StubTarget)
-    lambda { guard!(:bar, :bla) }.should raise_error(access_denied)
-    foo.is.role1!
-    lambda { guard!(:bar, :bla) }.should_not raise_error(access_denied)
-    foo.is.role4!(StubTarget)
-    lambda { guard!(:bar, :bla) }.should raise_error(access_denied)
-    foo.is.role2!(target)
-    lambda { guard!(:bar, :bla) }.should_not raise_error(access_denied)
+    lambda { guarded.guard!(:bar) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role5!
+    lambda { guarded.guard!(:bar) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role2!
+    lambda { guarded.guard!(:bar) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role1!
+    lambda { guarded.guard!(:bar) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is.role3!
+    lambda { guarded.guard!(:bar) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is.role4!(StubTarget)
+    lambda { guarded.guard!(:bar) }.should raise_error(Aclatraz::AccessDenied)
     
-    lambda { guard!(:allow_all) }.should_not raise_error(access_denied)
-    lambda { guard!(:deny_all) }.should raise_error(access_denied)
+    lambda { guarded.guard!(:bla) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role3!
+    suspect.is.role1!
+    lambda { guarded.guard!(:bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role1!
+    lambda { guarded.guard!(:bla) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is.role2!(guarded.target)
+    lambda { guarded.guard!(:bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role2!(guarded.target)
+    bar = StubTarget.new
+    guarded.instance_variable_set('@bar', bar)
+    suspect.is.role6!(bar)
+    lambda { guarded.guard!(:bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is.role3!
+    lambda { guarded.guard!(:bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role6!(bar)
+    suspect.is.role5!
+    lambda { guarded.guard!(:bla) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role3!
+    lambda { guarded.guard!(:bla) }.should_not raise_error(Aclatraz::AccessDenied)
     
-    lambda { guard!(:bar, :allow_all, :bla) }.should_not raise_error(access_denied)
-    foo.is_not.role2!(target)
-    lambda { guard!(:bar, :allow_all, :bla) }.should_not raise_error(access_denied)
-    foo.is.role3! 
-    lambda { guard!(:bar, :allow_all, :bla) }.should raise_error(access_denied)
+    suspect.is_not.role5!
+    suspect.is_not.role4!(StubTarget)
+    lambda { guarded.guard!(:bar, :bla) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is.role1!
+    lambda { guarded.guard!(:bar, :bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is.role4!(StubTarget)
+    lambda { guarded.guard!(:bar, :bla) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is.role2!(guarded.target)
+    lambda { guarded.guard!(:bar, :bla) }.should_not raise_error(Aclatraz::AccessDenied)
     
-    foo.is_not.role3!
-    lambda { guard!(:bar, :deny_all, :bla) }.should raise_error(access_denied)
-    foo.is.role2!(target)
-    lambda { guard!(:bar, :deny_all, :bla) }.should_not raise_error(access_denied)
-  end
-  
-  describe "ivalid permission" do 
-    suspects(:foo) { allow Object.new }
+    lambda { guarded.guard!(:allow_all) }.should_not raise_error(Aclatraz::AccessDenied)
+    lambda { guarded.guard!(:deny_all) }.should raise_error(Aclatraz::AccessDenied)
     
-    it "#check_permissions should raise InvalidPermission error" do 
-      lambda { guard! }.should raise_error(Aclatraz::InvalidPermission)
-    end
+    lambda { guarded.guard!(:bar, :allow_all, :bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is_not.role2!(guarded.target)
+    lambda { guarded.guard!(:bar, :allow_all, :bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    suspect.is.role3! 
+    lambda { guarded.guard!(:bar, :allow_all, :bla) }.should raise_error(Aclatraz::AccessDenied)
+    
+    suspect.is_not.role3!
+    lambda { guarded.guard!(:bar, :deny_all, :bla) }.should raise_error(Aclatraz::AccessDenied)
+    suspect.is.role2!(guarded.target)
+    lambda { guarded.guard!(:bar, :deny_all, :bla) }.should_not raise_error(Aclatraz::AccessDenied)
+    
+    lambda { guarded.guard! { deny :role2 => :target } }.should raise_error(Aclatraz::AccessDenied)
   end
   
-  describe "invalid suspect" do 
-    suspects('bar') { }
-    
-    it "#guard! should raise InvalidSuspect error" do 
-      lambda { guard! }.should raise_error(Aclatraz::InvalidSuspect)
-    end
+  it "when invalid permission given then #guard! should raise InvalidPermission error" do 
+    guarded_class = subject
+    guarded_class.name = "test2"
+    guarded_class.suspects(suspect) { allow Object.new }
+    guarded = guarded_class.new
+    lambda { guarded.guard! }.should raise_error(Aclatraz::InvalidPermission)
   end
   
-  describe "suspect object is symbol" do
-    suspects(:foo) {}
+  it "when invalid suspect given then #guard! should raise InvalidSuspect error" do 
+    guarded_class = subject
+    guarded_class.name = "test3"
+    guarded_class.suspects('bar') { }
+    guarded = guarded_class.new
+    lambda { guarded.guard! }.should raise_error(Aclatraz::InvalidSuspect)
+  end
 
-    it "#current_suspect" do 
-      current_suspect.should == foo
-    end
+  it "when ACL is not defined then #guard! should raise UndefinedAccessControlList error" do 
+    guarded_class = subject
+    guarded_class.name = "test4"
+    guarded = guarded_class.new
+    lambda { guarded.guard! }.should raise_error(Aclatraz::UndefinedAccessControlList)
   end
-    
-  describe "suspect object is string" do
-    suspects('foo') {}
-    
-    it "#current_suspect" do 
-      @foo = StubSuspect.new
-      current_suspect.should == @foo
-    end
+  
+  it "when given suspect name is symbol then #suspect should reference to instance method" do 
+    guarded_class = subject
+    guarded_class.name = "test5"
+    guarded_class.suspects(:foo) {}
+    guarded = guarded_class.new
+    guarded.class.class_eval { def foo; @foo ||= StubSuspect.new; end } 
+    guarded.suspect.should == guarded.foo
+  end
+
+  it "when given suspect name is string #suspect should reference to instance variable" do 
+    guarded_class = subject
+    guarded_class.name = "test6"
+    guarded_class.suspects('foo') {}
+    guarded = guarded_class.new
+    guarded.instance_variable_set("@foo", StubSuspect.new)
+    guarded.suspect.should == guarded.instance_variable_get("@foo")
   end
   
-  describe "suspect object includes Suspect class" do 
+  it "when given suspect is an object then #suspect should refence to it" do 
     bar = StubSuspect.new
-    suspects(bar) {}
+    guarded_class = subject
+    guarded_class.name = "test7"
+    guarded_class.suspects(bar) {}
+    guarded = guarded_class.new
+    guarded.suspect.should == bar
+  end 
+  
+  describe "inherited guards" do 
+    class FooParent
+      include Aclatraz::Guard
+      
+      suspects :user do
+        allow :nested1
+        deny :nested2
+      end
+      
+      def user; @user ||= StubSuspect.new; end
+    end
     
-    it "#current_suspect" do 
-      current_suspect.should == bar
+    class BarChild < FooParent
+      suspects do
+        deny :nested1
+        allow :nested3
+      end
     end
-  end 
+    
+    it "should work properly" do
+      foo = FooParent.new
+      bar = BarChild.new
+      
+      lambda { foo.guard! }.should raise_error(Aclatraz::AccessDenied)
+      foo.user.is.nested1!
+      lambda { foo.guard! }.should_not raise_error(Aclatraz::AccessDenied)
+      foo.user.is.nested2!
+      lambda { foo.guard! }.should raise_error(Aclatraz::AccessDenied)
+      
+      bar.user.is_not.nested1!
+      bar.user.is_not.nested2!
+      
+      lambda { bar.guard! }.should raise_error(Aclatraz::AccessDenied)
+      bar.user.is.nested1!
+      lambda { bar.guard! }.should raise_error(Aclatraz::AccessDenied)
+      bar.user.is.nested2!
+      lambda { bar.guard! }.should raise_error(Aclatraz::AccessDenied)
+      bar.user.is.nested3!
+      lambda { bar.guard! }.should_not raise_error(Aclatraz::AccessDenied)
+    end
+  end
 end