RubyGems - ae_declarative_authorization - Versions diffs - 0.7.1 → 0.8.0 - Mend

ae_declarative_authorization 0.7.1 → 0.8.0

Files changed (56) hide show

checksums.yaml +5 -5
data/Appraisals +31 -21
data/CHANGELOG +189 -189
data/Gemfile +7 -7
data/Gemfile.lock +68 -60
data/LICENSE.txt +20 -20
data/README.md +620 -620
data/README.rdoc +597 -597
data/Rakefile +35 -33
data/authorization_rules.dist.rb +20 -20
data/declarative_authorization.gemspec +24 -24
data/gemfiles/rails4252.gemfile +10 -10
data/gemfiles/rails4252.gemfile.lock +126 -0
data/gemfiles/rails4271.gemfile +10 -10
data/gemfiles/rails4271.gemfile.lock +126 -0
data/gemfiles/rails507.gemfile +11 -11
data/gemfiles/rails507.gemfile.lock +136 -0
data/gemfiles/rails516.gemfile +11 -0
data/gemfiles/rails516.gemfile.lock +136 -0
data/gemfiles/rails521.gemfile +11 -0
data/gemfiles/rails521.gemfile.lock +144 -0
data/init.rb +5 -5
data/lib/declarative_authorization.rb +18 -18
data/lib/declarative_authorization/authorization.rb +821 -821
data/lib/declarative_authorization/helper.rb +78 -78
data/lib/declarative_authorization/in_controller.rb +713 -713
data/lib/declarative_authorization/in_model.rb +156 -156
data/lib/declarative_authorization/maintenance.rb +215 -215
data/lib/declarative_authorization/obligation_scope.rb +348 -345
data/lib/declarative_authorization/railsengine.rb +5 -5
data/lib/declarative_authorization/reader.rb +549 -549
data/lib/declarative_authorization/test/helpers.rb +261 -261
data/lib/declarative_authorization/version.rb +3 -3
data/lib/generators/authorization/install/install_generator.rb +77 -77
data/lib/generators/authorization/rules/rules_generator.rb +13 -13
data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -27
data/lib/tasks/authorization_tasks.rake +89 -89
data/log/test.log +15246 -0
data/pkg/ae_declarative_authorization-0.7.1.gem +0 -0
data/pkg/ae_declarative_authorization-0.8.0.gem +0 -0
data/test/authorization_test.rb +1121 -1121
data/test/controller_filter_resource_access_test.rb +573 -573
data/test/controller_test.rb +478 -478
data/test/database.yml +3 -3
data/test/dsl_reader_test.rb +178 -178
data/test/functional/filter_access_to_with_id_in_scope_test.rb +88 -88
data/test/functional/no_filter_access_to_test.rb +79 -79
data/test/functional/params_block_arity_test.rb +39 -39
data/test/helper_test.rb +248 -248
data/test/maintenance_test.rb +46 -46
data/test/model_test.rb +1840 -1840
data/test/profiles/access_checking +20 -0
data/test/schema.sql +60 -60
data/test/test_helper.rb +174 -174
data/test/test_support/minitest_compatibility.rb +26 -26
metadata +17 -5

data/pkg/ae_declarative_authorization-0.7.1.gem ADDED

Binary file

data/pkg/ae_declarative_authorization-0.8.0.gem ADDED

Binary file

@@ -1,1121 +1,1121 @@
-require 'test_helper'
-class AuthorizationTest < Test::Unit::TestCase
-  def test_permit
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-      :user => MockUser.new(:test_role, :test_role_2))
-    assert !engine.permit?(:test_2, :context => :permissions_2,
-      :user => MockUser.new(:test_role))
-    assert !engine.permit?(:test, :context => :permissions,
-      :user => MockUser.new(:test_role_2))
-  end
-  def test_permit_context_people
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :people, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :people,
-      :user => MockUser.new(:test_role))
-  end
-  def test_permit_with_has_omnipotence
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :admin do
-          has_omnipotence
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :people,
-      :user => MockUser.new(:admin))
-  end
-  def test_permit_multiple_contexts
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on [:permissions, :permissions_2], :to => :test
-          has_permission_on :permissions_4, :permissions_5, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-      :user => MockUser.new(:test_role))
-    assert engine.permit?(:test, :context => :permissions_2,
-      :user => MockUser.new(:test_role))
-    assert !engine.permit?(:test, :context => :permissions_3,
-      :user => MockUser.new(:test_role))
-    assert  engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
-    assert  engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
-  end
-  def test_permit_with_frozen_roles
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :other_role do
-          includes :test_role
-        end
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    roles = [:other_role].freeze
-    assert engine.permit?(:test, :context => :permissions,
-      :user => MockUser.new(:role_symbols => roles))
-  end
-  def test_obligations_without_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{}], engine.obligations(:test, :context => :permissions,
-      :user => MockUser.new(:test_role))
-  end
-  def test_obligations_with_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attr => is { user.attr }
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:attr => [:is, 1]}],
-      engine.obligations(:test, :context => :permissions,
-          :user => MockUser.new(:test_role, :attr => 1))
-  end
-  def test_obligations_with_omnipotence
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :admin do
-          has_omnipotence
-        end
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attr => is { user.attr }
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [],
-      engine.obligations(:test, :context => :permissions,
-          :user => MockUser.new(:test_role, :admin, :attr => 1))
-  end
-  def test_obligations_with_anded_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test, :join_by => :and do
-            if_attribute :attr => is { user.attr }
-            if_attribute :attr_2 => is { user.attr_2 }
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
-      engine.obligations(:test, :context => :permissions,
-          :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
-  end
-  def test_obligations_with_deep_anded_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test, :join_by => :and do
-            if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
-            if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
-      engine.obligations(:test, :context => :permissions,
-          :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
-  end
-  def test_obligations_with_has_many
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attrs => { :deeper_attr => is { user.deeper_attr } }
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}],
-      engine.obligations(:test, :context => :permissions,
-          :user => MockUser.new(:test_role, :deeper_attr => 1))
-  end
-  def test_obligations_with_conditions_and_empty
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attr => is { user.attr }
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{}, {:attr => [:is, 1]}],
-      engine.obligations(:test, :context => :permissions,
-          :user => MockUser.new(:test_role, :attr => 1))
-  end
-  def test_obligations_with_permissions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attr => is { user.attr }
-          end
-          has_permission_on :permission_children, :to => :test do
-            if_permitted_to :test, :permission, :context => :permissions
-          end
-          has_permission_on :permission_children_2, :to => :test do
-            if_permitted_to :test, :permission
-          end
-          has_permission_on :permission_children_children, :to => :test do
-            if_permitted_to :test, :permission_child => :permission,
-                            :context => :permissions
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:permission => {:attr => [:is, 1]}}],
-      engine.obligations(:test, :context => :permission_children,
-          :user => MockUser.new(:test_role, :attr => 1))
-    assert_equal [{:permission => {:attr => [:is, 1]}}],
-      engine.obligations(:test, :context => :permission_children_2,
-          :user => MockUser.new(:test_role, :attr => 1))
-    assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}],
-      engine.obligations(:test, :context => :permission_children_children,
-          :user => MockUser.new(:test_role, :attr => 1))
-  end
-  def test_obligations_with_has_many_permissions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attr => is { user.attr }
-          end
-          has_permission_on :permission_children, :to => :test do
-            if_permitted_to :test, :permissions, :context => :permissions
-          end
-          has_permission_on :permission_children_2, :to => :test do
-            if_permitted_to :test, :permissions
-          end
-          has_permission_on :permission_children_children, :to => :test do
-            if_permitted_to :test, :permission_child => :permissions,
-                            :context => :permissions
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:permissions => {:attr => [:is, 1]}}],
-      engine.obligations(:test, :context => :permission_children,
-          :user => MockUser.new(:test_role, :attr => 1))
-    assert_equal [{:permissions => {:attr => [:is, 1]}}],
-      engine.obligations(:test, :context => :permission_children_2,
-          :user => MockUser.new(:test_role, :attr => 1))
-    assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}],
-      engine.obligations(:test, :context => :permission_children_children,
-          :user => MockUser.new(:test_role, :attr => 1))
-  end
-  def test_obligations_with_permissions_multiple
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attr => is { 1 }
-            if_attribute :attr => is { 2 }
-          end
-          has_permission_on :permission_children_children, :to => :test do
-            if_permitted_to :test, :permission_child => :permission
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}},
-        {:permission_child => {:permission => {:attr => [:is, 2]}}}],
-      engine.obligations(:test, :context => :permission_children_children,
-          :user => MockUser.new(:test_role))
-  end
-  def test_obligations_with_permissions_and_anded_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permission_children, :to => :test, :join_by => :and do
-            if_permitted_to :test, :permission
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
-      engine.obligations(:test, :context => :permission_children,
-          :user => MockUser.new(:test_role))
-  end
-  def test_guest_user
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :guest do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    Authorization.stub :current_user, MockUser.new do
-      assert engine.permit?(:test, :context => :permissions)
-      assert !engine.permit?(:test, :context => :permissions_2)
-    end
-  end
-  def test_default_role
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :anonymous do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    Authorization.stub :default_role, :anonymous do
-      engine = Authorization::Engine.new(reader)
-      Authorization.stub :current_user, MockUser.new do
-        assert engine.permit?(:test, :context => :permissions)
-      end
-      assert !engine.permit?(:test, :context => :permissions,
-      :user => MockUser.new(:guest))
-    end
-  end
-  def test_invalid_user_model
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :guest do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_raise(Authorization::AuthorizationUsageError) do
-      engine.permit?(:test, :context => :permissions, :user => MockUser.new(1, 2))
-    end
-    assert_raise(Authorization::AuthorizationUsageError) do
-      engine.permit?(:test, :context => :permissions, :user => MockDataObject.new)
-    end
-  end
-  def test_role_hierarchy
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          includes :lower_role
-          has_permission_on :permissions, :to => :test
-        end
-        role :lower_role do
-          has_permission_on :permissions, :to => :lower
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:lower, :context => :permissions,
-      :user => MockUser.new(:test_role))
-  end
-  def test_role_hierarchy_infinity
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          includes :lower_role
-          has_permission_on :permissions, :to => :test
-        end
-        role :lower_role do
-          includes :higher_role
-          has_permission_on :permissions, :to => :lower
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:lower, :context => :permissions,
-      :user => MockUser.new(:test_role))
-  end
-  def test_privilege_hierarchy
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      privileges do
-        privilege :test, :permissions do
-          includes :lower
-        end
-      end
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:lower, :context => :permissions,
-      :user => MockUser.new(:test_role))
-  end
-  def test_privilege_hierarchy_without_context
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      privileges do
-        privilege :read do
-          includes :list, :show
-        end
-      end
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :read
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:list, :context => :permissions,
-      :user => MockUser.new(:test_role))
-  end
-  def test_attribute_is
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => is { user.test_attr }
-            if_attribute :test_attr => 3
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 1))
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 2),
-              :object => MockDataObject.new(:test_attr => 3))
-    assert((not(engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 2),
-              :object => MockDataObject.new(:test_attr => 1)))))
-  end
-  def test_attribute_is_not
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => is_not { user.test_attr }
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 1))
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 2),
-              :object => MockDataObject.new(:test_attr => 1))
-  end
-  def test_attribute_contains
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => contains { user.test_attr }
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => [1,2]))
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 3),
-              :object => MockDataObject.new(:test_attr => [1,2]))
-  end
-  def test_attribute_does_not_contain
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => does_not_contain { user.test_attr }
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => [1,2]))
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 3),
-              :object => MockDataObject.new(:test_attr => [1,2]))
-  end
-  def test_attribute_in_array
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => is_in { [1,2] }
-            if_attribute :test_attr => [2,3]
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 1))
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 3))
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 4))
-  end
-  def test_attribute_not_in_array
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => is_not_in { [1,2] }
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 1))
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 4))
-  end
-  def test_attribute_intersects_with
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attrs => intersects_with { [1,2] }
-          end
-        end
-        role :test_role_2 do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attrs => intersects_with { 1 }
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_raise Authorization::AuthorizationUsageError do
-      engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attrs => 1 ))
-    end
-    assert_raise Authorization::AuthorizationUsageError do
-      engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role_2),
-              :object => MockDataObject.new(:test_attrs => [1, 2] ))
-    end
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attrs => [1,3] ))
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attrs => [3,4] ))
-  end
-  def test_attribute_lte
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => lte { user.test_attr }
-            if_attribute :test_attr => 3
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    # object < user -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 2),
-              :object => MockDataObject.new(:test_attr => 1))
-    # object > user && object = control -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 2),
-              :object => MockDataObject.new(:test_attr => 3))
-    # object = user -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 1))
-    # object > user -> fail
-    assert((not(engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 2)))))
-  end
-  def test_attribute_gt
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => gt { user.test_attr }
-            if_attribute :test_attr => 3
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    # object > user -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 2))
-    # object < user && object = control -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 4),
-              :object => MockDataObject.new(:test_attr => 3))
-    # object = user -> fail
-    assert((not(engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 1)))))
-    # object < user -> fail
-    assert((not(engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 2),
-              :object => MockDataObject.new(:test_attr => 1)))))
-  end
-  def test_attribute_gte
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => gte { user.test_attr }
-            if_attribute :test_attr => 3
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    # object > user -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 2))
-    # object < user && object = control -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 4),
-              :object => MockDataObject.new(:test_attr => 3))
-    # object = user -> pass
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 1),
-              :object => MockDataObject.new(:test_attr => 1))
-    # object < user -> fail
-    assert((not(engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role, :test_attr => 2),
-              :object => MockDataObject.new(:test_attr => 1)))))
-  end
-  def test_attribute_deep
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr_1 => {:test_attr_2 => contains { 1 }}
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr_1 =>
-                    MockDataObject.new(:test_attr_2 => [1,2])))
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr_1 =>
-                    MockDataObject.new(:test_attr_2 => [3,4])))
-    assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}],
-      engine.obligations(:test, :context => :permissions,
-          :user => MockUser.new(:test_role))
-  end
-  def test_attribute_has_many
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :companies, :to => :read do
-            if_attribute :branches => {:city => is { user.city } }
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    company = MockDataObject.new(:branches => [
-        MockDataObject.new(:city => 'Barcelona'),
-        MockDataObject.new(:city => 'Paris')
-      ])
-    assert engine.permit!(:read, :context => :companies,
-              :user => MockUser.new(:test_role, :city => 'Paris'),
-              :object => company)
-    assert !engine.permit?(:read, :context => :companies,
-              :user => MockUser.new(:test_role, :city => 'London'),
-              :object => company)
-  end
-  def test_attribute_non_block
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %|
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-        end
-      end
-    |
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 1))
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 2))
-  end
-  def test_attribute_multiple
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-            if_attribute :test_attr => 2  # or
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 1))
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 2))
-  end
-  class PermissionMock < MockDataObject
-    def self.name
-      "Permission"
-    end
-  end
-  def test_attribute_with_permissions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permission_children, :to => :test do
-            if_permitted_to :test, :permission
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
-    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
-    assert engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permission => perm_data_attr_1))
-    assert !engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permission => perm_data_attr_2))
-  end
-  def test_attribute_with_has_many_permissions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permission_children, :to => :test do
-            if_permitted_to :test, :permissions
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
-    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
-    assert engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permissions => [perm_data_attr_1]))
-    assert !engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permissions => [perm_data_attr_2]))
-  end
-  def test_attribute_with_deep_permissions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permission_children, :to => :test do
-            if_permitted_to :test, :shallow_permission => :permission
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
-    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
-    assert engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:shallow_permission =>
-                MockDataObject.new(:permission => perm_data_attr_1)))
-    assert !engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:shallow_permission =>
-                MockDataObject.new(:permission => perm_data_attr_2)))
-  end
-  def test_attribute_with_deep_has_many_permissions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permission_children, :to => :test do
-            if_permitted_to :test, :shallow_permissions => :permission
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
-    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
-    assert engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:shallow_permissions =>
-                [MockDataObject.new(:permission => perm_data_attr_1)]))
-    assert !engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:shallow_permissions =>
-                [MockDataObject.new(:permission => perm_data_attr_2)]))
-  end
-  def test_attribute_with_permissions_nil
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permission_children, :to => :test do
-            if_permitted_to :test, :permission
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permission => nil))
-    assert !engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permission => nil))
-  end
-  def test_attribute_with_permissions_on_self
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permissions, :to => :another_test do
-            if_permitted_to :test
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
-    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
-    assert engine.permit?(:another_test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => perm_data_attr_1)
-    assert !engine.permit?(:another_test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => perm_data_attr_2)
-  end
-  def test_attribute_with_permissions_on_self_with_context
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permissions, :to => :another_test do
-            if_permitted_to :test, :context => :permissions
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
-    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
-    assert engine.permit?(:another_test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => perm_data_attr_1)
-    assert !engine.permit?(:another_test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => perm_data_attr_2)
-  end
-  def test_attribute_with_permissions_and_anded_rules
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attr => 1
-          end
-          has_permission_on :permission_children, :to => :test, :join_by => :and do
-            if_permitted_to :test, :permission
-            if_attribute :test_attr => 1
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
-    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
-    assert engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
-    assert !engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
-    assert !engine.permit?(:test, :context => :permission_children,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
-  end
-  def test_attribute_with_anded_rules
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test, :join_by => :and do
-            if_attribute :test_attr => 1
-            if_attribute :test_attr_2 => 2
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
-    assert !engine.permit?(:test, :context => :permissions,
-              :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
-  end
-  def test_raise_on_if_attribute_hash_on_collection
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :test_attrs => {:attr => is {1}}
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert_raise Authorization::AuthorizationUsageError do
-      engine.permit?(:test, :context => :permissions,
-                     :user => MockUser.new(:test_role),
-                     :object => MockDataObject.new(:test_attrs => [1, 2, 3]))
-    end
-  end
-  def test_role_title_description
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role, :title => 'Test Role' do
-          description "Test Role Description"
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert engine.roles.include?(:test_role)
-    assert_equal "Test Role", engine.role_titles[:test_role]
-    assert_equal "Test Role", engine.title_for(:test_role)
-    assert_nil engine.title_for(:test_role_2)
-    assert_equal "Test Role Description", engine.role_descriptions[:test_role]
-    assert_equal "Test Role Description", engine.description_for(:test_role)
-    assert_nil engine.description_for(:test_role_2)
-  end
-  def test_multithread
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    Authorization.stub :current_user, MockUser.new(:test_role) do
-      assert engine.permit?(:test, :context => :permissions)
-      Thread.new do
-        Authorization.current_user = MockUser.new(:test_role2)
-        assert !engine.permit?(:test, :context => :permissions)
-      end
-      assert engine.permit?(:test, :context => :permissions)
-    end
-  end
-  def test_clone
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :attr => { :sub_attr => is { user } }
-            if_permitted_to :read, :attr_2 => :attr_3
-            if_permitted_to :read, :attr_2
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    cloned_engine = engine.clone
-    assert_not_equal engine.auth_rules.first.contexts.object_id,
-        cloned_engine.auth_rules.first.contexts.object_id
-    assert_not_equal engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
-        cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id
-  end
-end
+require 'test_helper'
+class AuthorizationTest < Test::Unit::TestCase
+  def test_permit
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+      :user => MockUser.new(:test_role, :test_role_2))
+    assert !engine.permit?(:test_2, :context => :permissions_2,
+      :user => MockUser.new(:test_role))
+    assert !engine.permit?(:test, :context => :permissions,
+      :user => MockUser.new(:test_role_2))
+  end
+  def test_permit_context_people
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :people, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :people,
+      :user => MockUser.new(:test_role))
+  end
+  def test_permit_with_has_omnipotence
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :admin do
+          has_omnipotence
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :people,
+      :user => MockUser.new(:admin))
+  end
+  def test_permit_multiple_contexts
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on [:permissions, :permissions_2], :to => :test
+          has_permission_on :permissions_4, :permissions_5, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+      :user => MockUser.new(:test_role))
+    assert engine.permit?(:test, :context => :permissions_2,
+      :user => MockUser.new(:test_role))
+    assert !engine.permit?(:test, :context => :permissions_3,
+      :user => MockUser.new(:test_role))
+    assert  engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
+    assert  engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
+  end
+  def test_permit_with_frozen_roles
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :other_role do
+          includes :test_role
+        end
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    roles = [:other_role].freeze
+    assert engine.permit?(:test, :context => :permissions,
+      :user => MockUser.new(:role_symbols => roles))
+  end
+  def test_obligations_without_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{}], engine.obligations(:test, :context => :permissions,
+      :user => MockUser.new(:test_role))
+  end
+  def test_obligations_with_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => [:is, 1]}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+  def test_obligations_with_omnipotence
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :admin do
+          has_omnipotence
+        end
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :admin, :attr => 1))
+  end
+  def test_obligations_with_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :attr => is { user.attr }
+            if_attribute :attr_2 => is { user.attr_2 }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
+  end
+  def test_obligations_with_deep_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
+            if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
+  end
+  def test_obligations_with_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attrs => { :deeper_attr => is { user.deeper_attr } }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :deeper_attr => 1))
+  end
+  def test_obligations_with_conditions_and_empty
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{}, {:attr => [:is, 1]}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+  def test_obligations_with_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permission, :context => :permissions
+          end
+          has_permission_on :permission_children_2, :to => :test do
+            if_permitted_to :test, :permission
+          end
+          has_permission_on :permission_children_children, :to => :test do
+            if_permitted_to :test, :permission_child => :permission,
+                            :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:permission => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permission => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children_2,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}],
+      engine.obligations(:test, :context => :permission_children_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+  def test_obligations_with_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permissions, :context => :permissions
+          end
+          has_permission_on :permission_children_2, :to => :test do
+            if_permitted_to :test, :permissions
+          end
+          has_permission_on :permission_children_children, :to => :test do
+            if_permitted_to :test, :permission_child => :permissions,
+                            :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:permissions => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permissions => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children_2,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}],
+      engine.obligations(:test, :context => :permission_children_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+  def test_obligations_with_permissions_multiple
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { 1 }
+            if_attribute :attr => is { 2 }
+          end
+          has_permission_on :permission_children_children, :to => :test do
+            if_permitted_to :test, :permission_child => :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}},
+        {:permission_child => {:permission => {:attr => [:is, 2]}}}],
+      engine.obligations(:test, :context => :permission_children_children,
+          :user => MockUser.new(:test_role))
+  end
+  def test_obligations_with_permissions_and_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permission_children, :to => :test, :join_by => :and do
+            if_permitted_to :test, :permission
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role))
+  end
+  def test_guest_user
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :guest do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    Authorization.stub :current_user, MockUser.new do
+      assert engine.permit?(:test, :context => :permissions)
+      assert !engine.permit?(:test, :context => :permissions_2)
+    end
+  end
+  def test_default_role
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :anonymous do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    Authorization.stub :default_role, :anonymous do
+      engine = Authorization::Engine.new(reader)
+      Authorization.stub :current_user, MockUser.new do
+        assert engine.permit?(:test, :context => :permissions)
+      end
+      assert !engine.permit?(:test, :context => :permissions,
+      :user => MockUser.new(:guest))
+    end
+  end
+  def test_invalid_user_model
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :guest do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_raise(Authorization::AuthorizationUsageError) do
+      engine.permit?(:test, :context => :permissions, :user => MockUser.new(1, 2))
+    end
+    assert_raise(Authorization::AuthorizationUsageError) do
+      engine.permit?(:test, :context => :permissions, :user => MockDataObject.new)
+    end
+  end
+  def test_role_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          includes :lower_role
+          has_permission_on :permissions, :to => :test
+        end
+        role :lower_role do
+          has_permission_on :permissions, :to => :lower
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:lower, :context => :permissions,
+      :user => MockUser.new(:test_role))
+  end
+  def test_role_hierarchy_infinity
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          includes :lower_role
+          has_permission_on :permissions, :to => :test
+        end
+        role :lower_role do
+          includes :higher_role
+          has_permission_on :permissions, :to => :lower
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:lower, :context => :permissions,
+      :user => MockUser.new(:test_role))
+  end
+  def test_privilege_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :test, :permissions do
+          includes :lower
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:lower, :context => :permissions,
+      :user => MockUser.new(:test_role))
+  end
+  def test_privilege_hierarchy_without_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :read do
+          includes :list, :show
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :read
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:list, :context => :permissions,
+      :user => MockUser.new(:test_role))
+  end
+  def test_attribute_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 3))
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+  def test_attribute_is_not
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is_not { user.test_attr }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1))
+  end
+  def test_attribute_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => contains { user.test_attr }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 3),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+  end
+  def test_attribute_does_not_contain
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => does_not_contain { user.test_attr }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 3),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+  end
+  def test_attribute_in_array
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is_in { [1,2] }
+            if_attribute :test_attr => [2,3]
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 3))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 4))
+  end
+  def test_attribute_not_in_array
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is_not_in { [1,2] }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 4))
+  end
+  def test_attribute_intersects_with
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => intersects_with { [1,2] }
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => intersects_with { 1 }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => 1 ))
+    end
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role_2),
+              :object => MockDataObject.new(:test_attrs => [1, 2] ))
+    end
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => [1,3] ))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => [3,4] ))
+  end
+  def test_attribute_lte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => lte { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object < user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object > user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object > user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2)))))
+  end
+  def test_attribute_gt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => gt { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object > user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2))
+    # object < user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 4),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1)))))
+    # object < user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+  def test_attribute_gte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => gte { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object > user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2))
+    # object < user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 4),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object < user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+  def test_attribute_deep
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr_1 => {:test_attr_2 => contains { 1 }}
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr_1 =>
+                    MockDataObject.new(:test_attr_2 => [1,2])))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr_1 =>
+                    MockDataObject.new(:test_attr_2 => [3,4])))
+    assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role))
+  end
+  def test_attribute_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :branches => {:city => is { user.city } }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    company = MockDataObject.new(:branches => [
+        MockDataObject.new(:city => 'Barcelona'),
+        MockDataObject.new(:city => 'Paris')
+      ])
+    assert engine.permit!(:read, :context => :companies,
+              :user => MockUser.new(:test_role, :city => 'Paris'),
+              :object => company)
+    assert !engine.permit?(:read, :context => :companies,
+              :user => MockUser.new(:test_role, :city => 'London'),
+              :object => company)
+  end
+  def test_attribute_non_block
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 2))
+  end
+  def test_attribute_multiple
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+            if_attribute :test_attr => 2  # or
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 2))
+  end
+  class PermissionMock < MockDataObject
+    def self.name
+      "Permission"
+    end
+  end
+  def test_attribute_with_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_2))
+  end
+  def test_attribute_with_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permissions => [perm_data_attr_1]))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permissions => [perm_data_attr_2]))
+  end
+  def test_attribute_with_deep_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :shallow_permission => :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permission =>
+                MockDataObject.new(:permission => perm_data_attr_1)))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permission =>
+                MockDataObject.new(:permission => perm_data_attr_2)))
+  end
+  def test_attribute_with_deep_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :shallow_permissions => :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permissions =>
+                [MockDataObject.new(:permission => perm_data_attr_1)]))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permissions =>
+                [MockDataObject.new(:permission => perm_data_attr_2)]))
+  end
+  def test_attribute_with_permissions_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => nil))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => nil))
+  end
+  def test_attribute_with_permissions_on_self
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :another_test do
+            if_permitted_to :test
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_1)
+    assert !engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_2)
+  end
+  def test_attribute_with_permissions_on_self_with_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :another_test do
+            if_permitted_to :test, :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_1)
+    assert !engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_2)
+  end
+  def test_attribute_with_permissions_and_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test, :join_by => :and do
+            if_permitted_to :test, :permission
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
+  end
+  def test_attribute_with_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :test_attr => 1
+            if_attribute :test_attr_2 => 2
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
+  end
+  def test_raise_on_if_attribute_hash_on_collection
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => {:attr => is {1}}
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+                     :user => MockUser.new(:test_role),
+                     :object => MockDataObject.new(:test_attrs => [1, 2, 3]))
+    end
+  end
+  def test_role_title_description
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role, :title => 'Test Role' do
+          description "Test Role Description"
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.roles.include?(:test_role)
+    assert_equal "Test Role", engine.role_titles[:test_role]
+    assert_equal "Test Role", engine.title_for(:test_role)
+    assert_nil engine.title_for(:test_role_2)
+    assert_equal "Test Role Description", engine.role_descriptions[:test_role]
+    assert_equal "Test Role Description", engine.description_for(:test_role)
+    assert_nil engine.description_for(:test_role_2)
+  end
+  def test_multithread
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    Authorization.stub :current_user, MockUser.new(:test_role) do
+      assert engine.permit?(:test, :context => :permissions)
+      Thread.new do
+        Authorization.current_user = MockUser.new(:test_role2)
+        assert !engine.permit?(:test, :context => :permissions)
+      end
+      assert engine.permit?(:test, :context => :permissions)
+    end
+  end
+  def test_clone
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => { :sub_attr => is { user } }
+            if_permitted_to :read, :attr_2 => :attr_3
+            if_permitted_to :read, :attr_2
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    cloned_engine = engine.clone
+    assert_not_equal engine.auth_rules.first.contexts.object_id,
+        cloned_engine.auth_rules.first.contexts.object_id
+    assert_not_equal engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
+        cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id
+  end
+end