RubyGems - ae_declarative_authorization - Versions diffs - 0.7.0 → 0.7.1 - Mend

ae_declarative_authorization 0.7.0 → 0.7.1

Files changed (50) hide show

checksums.yaml +4 -4
data/Appraisals +21 -21
data/CHANGELOG +189 -189
data/Gemfile +7 -7
data/Gemfile.lock +45 -45
data/LICENSE.txt +20 -20
data/README.md +620 -620
data/README.rdoc +597 -597
data/Rakefile +33 -33
data/authorization_rules.dist.rb +20 -20
data/declarative_authorization.gemspec +24 -24
data/gemfiles/rails4252.gemfile +10 -10
data/gemfiles/rails4271.gemfile +10 -10
data/gemfiles/rails507.gemfile +11 -11
data/init.rb +5 -5
data/lib/declarative_authorization.rb +18 -18
data/lib/declarative_authorization/authorization.rb +821 -821
data/lib/declarative_authorization/helper.rb +78 -78
data/lib/declarative_authorization/in_controller.rb +713 -713
data/lib/declarative_authorization/in_model.rb +156 -156
data/lib/declarative_authorization/maintenance.rb +215 -215
data/lib/declarative_authorization/obligation_scope.rb +345 -345
data/lib/declarative_authorization/railsengine.rb +5 -5
data/lib/declarative_authorization/reader.rb +549 -549
data/lib/declarative_authorization/test/helpers.rb +261 -261
data/lib/declarative_authorization/version.rb +3 -3
data/lib/generators/authorization/install/install_generator.rb +77 -77
data/lib/generators/authorization/rules/rules_generator.rb +13 -13
data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -27
data/lib/tasks/authorization_tasks.rake +89 -89
data/test/authorization_test.rb +1121 -1121
data/test/controller_filter_resource_access_test.rb +573 -573
data/test/controller_test.rb +478 -478
data/test/database.yml +3 -3
data/test/dsl_reader_test.rb +178 -178
data/test/functional/filter_access_to_with_id_in_scope_test.rb +88 -88
data/test/functional/no_filter_access_to_test.rb +79 -79
data/test/functional/params_block_arity_test.rb +39 -39
data/test/helper_test.rb +248 -248
data/test/maintenance_test.rb +46 -46
data/test/model_test.rb +1840 -1840
data/test/schema.sql +60 -60
data/test/test_helper.rb +174 -174
data/test/test_support/minitest_compatibility.rb +26 -26
metadata +3 -9
data/gemfiles/rails4252.gemfile.lock +0 -126
data/gemfiles/rails4271.gemfile.lock +0 -126
data/gemfiles/rails507.gemfile.lock +0 -136
data/log/test.log +0 -34715
data/test/profiles/access_checking +0 -46

data/test/controller_filter_resource_access_test.rb CHANGED Viewed

@@ -1,573 +1,573 @@
-require 'test_helper'
-class BasicResource < MockDataObject
-  def self.name
-    "BasicResource"
-  end
-end
-class BasicResourcesController < MocksController
-  filter_resource_access :strong_parameters => false
-  define_resource_actions
-end
-class BasicResourcesControllerTest < ActionController::TestCase
-  def test_basic_filter_index
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :index do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(MockUser.new(:another_role), :index, reader)
-    assert !@controller.authorized?
-    request!(allowed_user, :index, reader)
-    assert @controller.authorized?
-  end
-  def test_basic_filter_show_with_id
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :show do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :show, reader, :id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-  def test_basic_filter_new_with_params
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :new do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
-    assert !@controller.authorized?
-    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
-        :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-end
-class NestedResource < MockDataObject
-  def initialize(attributes = {})
-    if attributes[:id]
-      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
-    end
-    super(attributes)
-  end
-  def self.name
-    "NestedResource"
-  end
-end
-class ShallowNestedResource < MockDataObject
-  def initialize(attributes = {})
-    if attributes[:id]
-      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
-    end
-    super(attributes)
-  end
-  def self.name
-    "ShallowNestedResource"
-  end
-end
-class ParentMock < MockDataObject
-  def nested_resources
-    Class.new do
-      def initialize(parent_mock)
-        @parent_mock = parent_mock
-      end
-      def new(attributes = {})
-        NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
-      end
-    end.new(self)
-  end
-  alias :shallow_nested_resources :nested_resources
-  def ==(other)
-    id == other.id
-  end
-  def self.name
-    "ParentMock"
-  end
-end
-class NestedResourcesController < MocksController
-  filter_resource_access :nested_in => :parent_mocks, :strong_parameters => false
-  define_resource_actions
-end
-class NestedResourcesControllerTest < ActionController::TestCase
-  def test_nested_filter_index
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :nested_resources, :to => :index do
-            if_attribute :parent_mock => is {ParentMock.find("1")}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :index, reader, :parent_mock_id => "2",
-        :clear => [:@nested_resource, :@parent_mock])
-    assert !@controller.authorized?
-    request!(allowed_user, :index, reader, :parent_mock_id => "1",
-        :clear => [:@nested_resource, :@parent_mock])
-    assert @controller.authorized?
-  end
-  def test_nested_filter_show_with_id
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :nested_resources, :to => :show do
-            if_attribute :parent_mock => is {ParentMock.find("1")}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
-        :clear => [:@nested_resource, :@parent_mock])
-    assert @controller.authorized?
-  end
-  def test_nested_filter_new_with_params
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :nested_resources, :to => :new do
-            if_attribute :parent_mock => is {ParentMock.find("1")}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :new, reader, :parent_mock_id => "2",
-        :nested_resource => {:id => "2"})
-    assert !@controller.authorized?
-    request!(allowed_user, :new, reader, :parent_mock_id => "1",
-        :nested_resource => {:id => "1"},
-        :clear => [:@nested_resource, :@parent_mock])
-    assert @controller.authorized?
-  end
-end
-class ShallowNestedResourcesController < MocksController
-  filter_resource_access :nested_in => :parent_mocks,
-                         :shallow => true,
-                         :additional_member => :additional_member_action,
-                         :strong_parameters => false
-  define_resource_actions
-  define_action_methods :additional_member_action
-end
-class ShallowNestedResourcesControllerTest < ActionController::TestCase
-  def test_nested_filter_index
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :shallow_nested_resources, :to => :index do
-            if_attribute :parent_mock => is {ParentMock.find("1")}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :index, reader, :parent_mock_id => "2",
-        :clear => [:@shallow_nested_resource, :@parent_mock])
-    assert !@controller.authorized?
-    request!(allowed_user, :index, reader, :parent_mock_id => "1",
-        :clear => [:@shallow_nested_resource, :@parent_mock])
-    assert assigns(:parent_mock)
-    assert @controller.authorized?
-  end
-  def test_nested_filter_show_with_id
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :shallow_nested_resources, :to => :show do
-            if_attribute :parent_mock => is {ParentMock.find("1")}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :show, reader, :id => "1",
-        :clear => [:@shallow_nested_resource, :@parent_mock])
-    assert !assigns(:parent_mock)
-    assert assigns(:shallow_nested_resource)
-    assert @controller.authorized?
-  end
-  def test_nested_filter_new_with_params
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :shallow_nested_resources, :to => :new do
-            if_attribute :parent_mock => is {ParentMock.find("1")}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :new, reader, :parent_mock_id => "2",
-        :shallow_nested_resource => {:id => "2"})
-    assert !@controller.authorized?
-    request!(allowed_user, :new, reader, :parent_mock_id => "1",
-        :shallow_nested_resource => {:id => "1"},
-        :clear => [:@shallow_nested_resource, :@parent_mock])
-    assert assigns(:parent_mock)
-    assert assigns(:shallow_nested_resource)
-    assert @controller.authorized?
-  end
-  def test_nested_filter_additional_member_action_with_id
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :shallow_nested_resources, :to => :additional_member_action do
-            if_attribute :parent_mock => is {ParentMock.find("1")}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :additional_member_action, reader, :id => "2", :parent_mock_id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :additional_member_action, reader, :id => "1",
-        :clear => [:@shallow_nested_resource, :@parent_mock])
-    assert !assigns(:parent_mock)
-    assert assigns(:shallow_nested_resource)
-    assert @controller.authorized?
-  end
-end
-class CustomMembersCollectionsResourceController < MocksController
-  def self.controller_name
-    "basic_resources"
-  end
-  filter_resource_access :member => [[:other_show, :read]],
-      :collection => {:search => :read}, :new => [:other_new], :strong_parameters => false
-  define_action_methods :other_new, :search, :other_show
-end
-class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
-  def test_custom_members_filter_search
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :read do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    request!(MockUser.new(:another_role), :search, reader)
-    assert !@controller.authorized?
-    request!(MockUser.new(:allowed_role), :search, reader)
-    assert @controller.authorized?
-  end
-  def test_custom_members_filter_other_show
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :read do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :other_show, reader, :id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-  def test_custom_members_filter_other_new
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :other_new do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
-    assert !@controller.authorized?
-    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
-        :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-end
-class AdditionalMembersCollectionsResourceController < MocksController
-  def self.controller_name
-    "basic_resources"
-  end
-  filter_resource_access :additional_member => :other_show,
-      :additional_collection => [:search], :additional_new => {:other_new => :new}, :strong_parameters => false
-  define_resource_actions
-  define_action_methods :other_new, :search, :other_show
-end
-class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
-  def test_additional_members_filter_search_index
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => [:search, :index] do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    request!(MockUser.new(:another_role), :search, reader)
-    assert !@controller.authorized?
-    request!(MockUser.new(:another_role), :index, reader)
-    assert !@controller.authorized?
-    request!(MockUser.new(:allowed_role), :search, reader)
-    assert @controller.authorized?
-    request!(MockUser.new(:allowed_role), :index, reader)
-    assert @controller.authorized?
-  end
-  def test_additional_members_filter_other_show
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => [:show, :other_show] do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :other_show, reader, :id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
-    assert !@controller.authorized?
-    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
-    assert @controller.authorized?
-    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-  def test_additional_members_filter_other_new
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :new do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
-    assert !@controller.authorized?
-    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
-        :clear => [:@basic_resource])
-    assert !@controller.authorized?
-    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
-        :clear => [:@basic_resource])
-    assert @controller.authorized?
-    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
-        :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-end
-class CustomMethodsResourceController < MocksController
-  # not implemented yet
-end
-class ExplicitContextResourceController < MocksController
-  filter_resource_access :context => :basic_resources, :strong_parameters => false
-  define_resource_actions
-end
-class ExplicitContextResourceControllerTest < ActionController::TestCase
-  def test_explicit_context_filter_index
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :index do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(MockUser.new(:another_role), :index, reader)
-    assert !@controller.authorized?
-    request!(allowed_user, :index, reader)
-    assert @controller.authorized?
-  end
-  def test_explicit_context_filter_show_with_id
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :show do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :show, reader, :id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-  def test_explicit_context_filter_new_with_params
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :basic_resources, :to => :new do
-            if_attribute :id => is {"1"}
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
-    assert !@controller.authorized?
-    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
-        :clear => [:@basic_resource])
-    assert @controller.authorized?
-  end
-end
-class StrongResource < MockDataObject
-  def self.name
-    "StrongResource"
-  end
-end
-class StrongResourcesController < MocksController
-  def self.controller_name
-    "strong_resources"
-  end
-  filter_resource_access :strong_parameters => true
-  define_resource_actions
-  private
-  def strong_resource_params
-    params.require(:strong_resource).permit(:test_param1, :test_param2)
-  end
-end
-class StrongResourcesControllerTest < ActionController::TestCase
-  def test_still_authorized_with_strong_params
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :strong_resources, :to => :show do
-            if_attribute :id => "1"
-          end
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :show, reader, :id => "2")
-    assert !@controller.authorized?
-    request!(allowed_user, :show, reader, :id => "1", :clear => [:@strong_resource])
-    assert @controller.authorized?
-  end
-  def test_new_strong_resource
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :allowed_role do
-          has_permission_on :strong_resources, :to => :new
-        end
-      end
-    }
-    allowed_user = MockUser.new(:allowed_role)
-    request!(allowed_user, :new, reader, :strong_resource => {:id => "1"},
-        :clear => [:@strong_resource])
-    assert @controller.authorized?
-    # allowed_user = MockUser.new(:allowed_role)
-    # request!(allowed_user, :new, reader, :strong_resource => {:id => "1"}, :clear => [:@strong_resource])
-    # assert @controller.authorized?
-    # assert assigns :strong_resource
-  end
-end
+require 'test_helper'
+class BasicResource < MockDataObject
+  def self.name
+    "BasicResource"
+  end
+end
+class BasicResourcesController < MocksController
+  filter_resource_access :strong_parameters => false
+  define_resource_actions
+end
+class BasicResourcesControllerTest < ActionController::TestCase
+  def test_basic_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+  def test_basic_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_basic_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+class NestedResource < MockDataObject
+  def initialize(attributes = {})
+    if attributes[:id]
+      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+    end
+    super(attributes)
+  end
+  def self.name
+    "NestedResource"
+  end
+end
+class ShallowNestedResource < MockDataObject
+  def initialize(attributes = {})
+    if attributes[:id]
+      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+    end
+    super(attributes)
+  end
+  def self.name
+    "ShallowNestedResource"
+  end
+end
+class ParentMock < MockDataObject
+  def nested_resources
+    Class.new do
+      def initialize(parent_mock)
+        @parent_mock = parent_mock
+      end
+      def new(attributes = {})
+        NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
+      end
+    end.new(self)
+  end
+  alias :shallow_nested_resources :nested_resources
+  def ==(other)
+    id == other.id
+  end
+  def self.name
+    "ParentMock"
+  end
+end
+class NestedResourcesController < MocksController
+  filter_resource_access :nested_in => :parent_mocks, :strong_parameters => false
+  define_resource_actions
+end
+class NestedResourcesControllerTest < ActionController::TestCase
+  def test_nested_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :index do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "2",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+  def test_nested_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :show do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+  def test_nested_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :new do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :parent_mock_id => "2",
+        :nested_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :parent_mock_id => "1",
+        :nested_resource => {:id => "1"},
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+end
+class ShallowNestedResourcesController < MocksController
+  filter_resource_access :nested_in => :parent_mocks,
+                         :shallow => true,
+                         :additional_member => :additional_member_action,
+                         :strong_parameters => false
+  define_resource_actions
+  define_action_methods :additional_member_action
+end
+class ShallowNestedResourcesControllerTest < ActionController::TestCase
+  def test_nested_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :index do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "2",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert assigns(:parent_mock)
+    assert @controller.authorized?
+  end
+  def test_nested_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :show do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+  def test_nested_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :new do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :parent_mock_id => "2",
+        :shallow_nested_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :parent_mock_id => "1",
+        :shallow_nested_resource => {:id => "1"},
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+  def test_nested_filter_additional_member_action_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :additional_member_action do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :additional_member_action, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :additional_member_action, reader, :id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+end
+class CustomMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :member => [[:other_show, :read]],
+      :collection => {:search => :read}, :new => [:other_new], :strong_parameters => false
+  define_action_methods :other_new, :search, :other_show
+end
+class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_custom_members_filter_search
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+  end
+  def test_custom_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_custom_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :other_new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+class AdditionalMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :additional_member => :other_show,
+      :additional_collection => [:search], :additional_new => {:other_new => :new}, :strong_parameters => false
+  define_resource_actions
+  define_action_methods :other_new, :search, :other_show
+end
+class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_additional_members_filter_search_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:search, :index] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:allowed_role), :index, reader)
+    assert @controller.authorized?
+  end
+  def test_additional_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:show, :other_show] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_additional_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
+        :clear => [:@basic_resource])
+    assert !@controller.authorized?
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+class CustomMethodsResourceController < MocksController
+  # not implemented yet
+end
+class ExplicitContextResourceController < MocksController
+  filter_resource_access :context => :basic_resources, :strong_parameters => false
+  define_resource_actions
+end
+class ExplicitContextResourceControllerTest < ActionController::TestCase
+  def test_explicit_context_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+  def test_explicit_context_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_explicit_context_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+class StrongResource < MockDataObject
+  def self.name
+    "StrongResource"
+  end
+end
+class StrongResourcesController < MocksController
+  def self.controller_name
+    "strong_resources"
+  end
+  filter_resource_access :strong_parameters => true
+  define_resource_actions
+  private
+  def strong_resource_params
+    params.require(:strong_resource).permit(:test_param1, :test_param2)
+  end
+end
+class StrongResourcesControllerTest < ActionController::TestCase
+  def test_still_authorized_with_strong_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :strong_resources, :to => :show do
+            if_attribute :id => "1"
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@strong_resource])
+    assert @controller.authorized?
+  end
+  def test_new_strong_resource
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :strong_resources, :to => :new
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :strong_resource => {:id => "1"},
+        :clear => [:@strong_resource])
+    assert @controller.authorized?
+    # allowed_user = MockUser.new(:allowed_role)
+    # request!(allowed_user, :new, reader, :strong_resource => {:id => "1"}, :clear => [:@strong_resource])
+    # assert @controller.authorized?
+    # assert assigns :strong_resource
+  end
+end