RubyGems - ae_declarative_authorization - Versions diffs - 0.7.1 → 0.8.0 - Mend

ae_declarative_authorization 0.7.1 → 0.8.0

Files changed (56) hide show

checksums.yaml +5 -5
data/Appraisals +31 -21
data/CHANGELOG +189 -189
data/Gemfile +7 -7
data/Gemfile.lock +68 -60
data/LICENSE.txt +20 -20
data/README.md +620 -620
data/README.rdoc +597 -597
data/Rakefile +35 -33
data/authorization_rules.dist.rb +20 -20
data/declarative_authorization.gemspec +24 -24
data/gemfiles/rails4252.gemfile +10 -10
data/gemfiles/rails4252.gemfile.lock +126 -0
data/gemfiles/rails4271.gemfile +10 -10
data/gemfiles/rails4271.gemfile.lock +126 -0
data/gemfiles/rails507.gemfile +11 -11
data/gemfiles/rails507.gemfile.lock +136 -0
data/gemfiles/rails516.gemfile +11 -0
data/gemfiles/rails516.gemfile.lock +136 -0
data/gemfiles/rails521.gemfile +11 -0
data/gemfiles/rails521.gemfile.lock +144 -0
data/init.rb +5 -5
data/lib/declarative_authorization.rb +18 -18
data/lib/declarative_authorization/authorization.rb +821 -821
data/lib/declarative_authorization/helper.rb +78 -78
data/lib/declarative_authorization/in_controller.rb +713 -713
data/lib/declarative_authorization/in_model.rb +156 -156
data/lib/declarative_authorization/maintenance.rb +215 -215
data/lib/declarative_authorization/obligation_scope.rb +348 -345
data/lib/declarative_authorization/railsengine.rb +5 -5
data/lib/declarative_authorization/reader.rb +549 -549
data/lib/declarative_authorization/test/helpers.rb +261 -261
data/lib/declarative_authorization/version.rb +3 -3
data/lib/generators/authorization/install/install_generator.rb +77 -77
data/lib/generators/authorization/rules/rules_generator.rb +13 -13
data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -27
data/lib/tasks/authorization_tasks.rake +89 -89
data/log/test.log +15246 -0
data/pkg/ae_declarative_authorization-0.7.1.gem +0 -0
data/pkg/ae_declarative_authorization-0.8.0.gem +0 -0
data/test/authorization_test.rb +1121 -1121
data/test/controller_filter_resource_access_test.rb +573 -573
data/test/controller_test.rb +478 -478
data/test/database.yml +3 -3
data/test/dsl_reader_test.rb +178 -178
data/test/functional/filter_access_to_with_id_in_scope_test.rb +88 -88
data/test/functional/no_filter_access_to_test.rb +79 -79
data/test/functional/params_block_arity_test.rb +39 -39
data/test/helper_test.rb +248 -248
data/test/maintenance_test.rb +46 -46
data/test/model_test.rb +1840 -1840
data/test/profiles/access_checking +20 -0
data/test/schema.sql +60 -60
data/test/test_helper.rb +174 -174
data/test/test_support/minitest_compatibility.rb +26 -26
metadata +17 -5

data/lib/declarative_authorization/helper.rb CHANGED

@@ -1,78 +1,78 @@
-# Authorization::AuthorizationHelper
-require File.dirname(__FILE__) + '/authorization.rb'
-module Authorization
-  module AuthorizationHelper
-    # If the current user meets the given privilege, permitted_to? returns true
-    # and yields to the optional block.  The attribute checks that are defined
-    # in the authorization rules are only evaluated if an object is given
-    # for context.
-    #
-    # Examples:
-    #     <% permitted_to? :create, :users do %>
-    #     <%= link_to 'New', new_user_path %>
-    #     <% end %>
-    #     ...
-    #     <% if permitted_to? :create, :users %>
-    #     <%= link_to 'New', new_user_path %>
-    #     <% else %>
-    #     You are not allowed to create new users!
-    #     <% end %>
-    #     ...
-    #     <% for user in @users %>
-    #     <%= link_to 'Edit', edit_user_path(user) if permitted_to? :update, user %>
-    #     <% end %>
-    #
-    # To pass in an object and override the context, you can use the optional
-    # options:
-    #     permitted_to? :update, user, :context => :account
-    #
-    def permitted_to?(privilege, object_or_sym = nil, options = {})
-      controller.permitted_to?(privilege, object_or_sym, options) do
-        yield if block_given?
-      end
-    end
-    # While permitted_to? is used for authorization in views, in some cases
-    # content should only be shown to some users without being concerned
-    # with authorization.  E.g. to only show the most relevant menu options
-    # to a certain group of users.  That is what has_role? should be used for.
-    #
-    # Examples:
-    #     <% has_role?(:sales) do %>
-    #     <%= link_to 'All contacts', contacts_path %>
-    #     <% end %>
-    #     ...
-    #     <% if has_role?(:sales) %>
-    #     <%= link_to 'Customer contacts', contacts_path %>
-    #     <% else %>
-    #     ...
-    #     <% end %>
-    #
-    def has_role?(*roles)
-      controller.has_role?(*roles) do
-        yield if block_given?
-      end
-    end
-    # As has_role? except checks all roles included in the role hierarchy
-    def has_role_with_hierarchy?(*roles)
-      controller.has_role_with_hierarchy?(*roles) do
-        yield if block_given?
-      end
-    end
-    def has_any_role?(*roles)
-      controller.has_any_role?(*roles) do
-        yield if block_given?
-      end
-    end
-    def has_any_role_with_hierarchy?(*roles)
-      controller.has_any_role_with_hierarchy?(*roles) do
-        yield if block_given?
-      end
-    end
-  end
-end
+# Authorization::AuthorizationHelper
+require File.dirname(__FILE__) + '/authorization.rb'
+module Authorization
+  module AuthorizationHelper
+    # If the current user meets the given privilege, permitted_to? returns true
+    # and yields to the optional block.  The attribute checks that are defined
+    # in the authorization rules are only evaluated if an object is given
+    # for context.
+    #
+    # Examples:
+    #     <% permitted_to? :create, :users do %>
+    #     <%= link_to 'New', new_user_path %>
+    #     <% end %>
+    #     ...
+    #     <% if permitted_to? :create, :users %>
+    #     <%= link_to 'New', new_user_path %>
+    #     <% else %>
+    #     You are not allowed to create new users!
+    #     <% end %>
+    #     ...
+    #     <% for user in @users %>
+    #     <%= link_to 'Edit', edit_user_path(user) if permitted_to? :update, user %>
+    #     <% end %>
+    #
+    # To pass in an object and override the context, you can use the optional
+    # options:
+    #     permitted_to? :update, user, :context => :account
+    #
+    def permitted_to?(privilege, object_or_sym = nil, options = {})
+      controller.permitted_to?(privilege, object_or_sym, options) do
+        yield if block_given?
+      end
+    end
+    # While permitted_to? is used for authorization in views, in some cases
+    # content should only be shown to some users without being concerned
+    # with authorization.  E.g. to only show the most relevant menu options
+    # to a certain group of users.  That is what has_role? should be used for.
+    #
+    # Examples:
+    #     <% has_role?(:sales) do %>
+    #     <%= link_to 'All contacts', contacts_path %>
+    #     <% end %>
+    #     ...
+    #     <% if has_role?(:sales) %>
+    #     <%= link_to 'Customer contacts', contacts_path %>
+    #     <% else %>
+    #     ...
+    #     <% end %>
+    #
+    def has_role?(*roles)
+      controller.has_role?(*roles) do
+        yield if block_given?
+      end
+    end
+    # As has_role? except checks all roles included in the role hierarchy
+    def has_role_with_hierarchy?(*roles)
+      controller.has_role_with_hierarchy?(*roles) do
+        yield if block_given?
+      end
+    end
+    def has_any_role?(*roles)
+      controller.has_any_role?(*roles) do
+        yield if block_given?
+      end
+    end
+    def has_any_role_with_hierarchy?(*roles)
+      controller.has_any_role_with_hierarchy?(*roles) do
+        yield if block_given?
+      end
+    end
+  end
+end

data/lib/declarative_authorization/in_controller.rb CHANGED

@@ -1,713 +1,713 @@
-# Authorization::AuthorizationInController
-require File.dirname(__FILE__) + '/authorization.rb'
-module Authorization
-  module AuthorizationInController
-    def self.included(base) # :nodoc:
-      base.extend(ClassMethods)
-      base.module_eval do
-        before_action(:filter_access_filter) if method_defined?(:filter_access_filter)
-      end
-    end
-    DEFAULT_DENY = false
-    # If attribute_check is set for filter_access_to, decl_auth_context will try to
-    # load the appropriate object from the current controller's model with
-    # the id from params[:id].  If that fails, a 404 Not Found is often the
-    # right way to handle the error.  If you have additional measures in place
-    # that restricts the find scope, handling this error as a permission denied
-    # might be a better way.  Set failed_auto_loading_is_not_found to false
-    # for the latter behavior.
-    @@failed_auto_loading_is_not_found = true
-    def self.failed_auto_loading_is_not_found?
-      @@failed_auto_loading_is_not_found
-    end
-    def self.failed_auto_loading_is_not_found=(new_value)
-      @@failed_auto_loading_is_not_found = new_value
-    end
-    # Returns the Authorization::Engine for the current controller.
-    def authorization_engine
-      @authorization_engine ||= Authorization::Engine.instance
-    end
-    # If the current user meets the given privilege, permitted_to? returns true
-    # and yields to the optional block.  The attribute checks that are defined
-    # in the authorization rules are only evaluated if an object is given
-    # for context.
-    #
-    # See examples for Authorization::AuthorizationHelper #permitted_to?
-    #
-    # If no object or context is specified, the controller_name is used as
-    # context.
-    #
-    def permitted_to?(privilege, object_or_sym = nil, options = {})
-      if authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, false))
-        yield if block_given?
-        true
-      else
-        false
-      end
-    end
-    # Works similar to the permitted_to? method, but
-    # throws the authorization exceptions, just like Engine#permit!
-    def permitted_to!(privilege, object_or_sym = nil, options = {})
-      authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, true))
-    end
-    # While permitted_to? is used for authorization, in some cases
-    # content should only be shown to some users without being concerned
-    # with authorization.  E.g. to only show the most relevant menu options
-    # to a certain group of users.  That is what has_role? should be used for.
-    def has_role?(*roles)
-      user_roles = authorization_engine.roles_for(current_user)
-      result = roles.all? do |role|
-        user_roles.include?(role)
-      end
-      yield if result and block_given?
-      result
-    end
-    # Intended to be used where you want to allow users with any single listed role to view
-    # the content in question
-    def has_any_role?(*roles)
-      user_roles = authorization_engine.roles_for(current_user)
-      result = roles.any? do |role|
-        user_roles.include?(role)
-      end
-      yield if result and block_given?
-      result
-    end
-    # As has_role? except checks all roles included in the role hierarchy
-    def has_role_with_hierarchy?(*roles)
-      user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
-      result = roles.all? do |role|
-        user_roles.include?(role)
-      end
-      yield if result and block_given?
-      result
-    end
-    # As has_any_role? except checks all roles included in the role hierarchy
-    def has_any_role_with_hierarchy?(*roles)
-      user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
-      result = roles.any? do |role|
-        user_roles.include?(role)
-      end
-      yield if result and block_given?
-      result
-    end
-    protected
-    def filter_access_filter # :nodoc:
-      permissions = self.class.all_filter_access_permissions
-      all_permissions = permissions.select {|p| p.actions.include?(:all)}
-      matching_permissions = permissions.select {|p| p.matches?(action_name)}
-      allowed = false
-      auth_exception = nil
-      begin
-        allowed = if !matching_permissions.empty?
-                    matching_permissions.all? {|perm| perm.permit!(self)}
-                  elsif !all_permissions.empty?
-                    all_permissions.all? {|perm| perm.permit!(self)}
-                  else
-                    !DEFAULT_DENY
-                  end
-      rescue NotAuthorized => e
-        auth_exception = e
-      end
-      unless allowed
-        if all_permissions.empty? and matching_permissions.empty?
-          logger.warn "Permission denied: No matching filter access " +
-            "rule found for #{self.class.controller_name}.#{action_name}"
-        elsif auth_exception
-          logger.info "Permission denied: #{auth_exception}"
-        end
-        if respond_to?(:permission_denied, true)
-          # permission_denied needs to render or redirect
-          send(:permission_denied)
-        else
-          send(:render, :plain => "You are not allowed to access this action.",
-            :status => :forbidden)
-        end
-      end
-    end
-    def load_controller_object(context_without_namespace = nil, model = nil) # :nodoc:
-      instance_var = :"@#{context_without_namespace.to_s.singularize}"
-      model = model ? model.classify.constantize : context_without_namespace.to_s.classify.constantize
-      instance_variable_set(instance_var, model.find(params[:id]))
-    end
-    def load_parent_controller_object(parent_context_without_namespace) # :nodoc:
-      instance_var = :"@#{parent_context_without_namespace.to_s.singularize}"
-      model = parent_context_without_namespace.to_s.classify.constantize
-      instance_variable_set(instance_var, model.find(params[:"#{parent_context_without_namespace.to_s.singularize}_id"]))
-    end
-    def new_controller_object_from_params(context_without_namespace, parent_context_without_namespace, strong_params) # :nodoc:
-      model_or_proxy = parent_context_without_namespace ?
-           instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
-           context_without_namespace.to_s.classify.constantize
-      instance_var = :"@#{context_without_namespace.to_s.singularize}"
-      instance_variable_set(instance_var,
-        model_or_proxy.new(params[context_without_namespace.to_s.singularize]))
-    end
-    def new_blank_controller_object(context_without_namespace, parent_context_without_namespace, strong_params, model) # :nodoc:
-      if model
-        model_or_proxy = model.to_s.classify.constantize
-      else
-        model_or_proxy = parent_context_without_namespace ?
-        instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
-        context_without_namespace.to_s.classify.constantize
-      end
-      instance_var = :"@#{context_without_namespace.to_s.singularize}"
-      instance_variable_set(instance_var,
-        model_or_proxy.new())
-    end
-    def new_controller_object_for_collection(context_without_namespace, parent_context_without_namespace, strong_params) # :nodoc:
-      model_or_proxy = parent_context_without_namespace ?
-           instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
-           context_without_namespace.to_s.classify.constantize
-      instance_var = :"@#{context_without_namespace.to_s.singularize}"
-      instance_variable_set(instance_var, model_or_proxy.new)
-    end
-    def options_for_permit(object_or_sym = nil, options = {}, bang = true)
-      context = object = nil
-      if object_or_sym.nil?
-        context = self.class.decl_auth_context
-      elsif !Authorization.is_a_association_proxy?(object_or_sym) and object_or_sym.is_a?(Symbol)
-        context = object_or_sym
-      else
-        object = object_or_sym
-      end
-      result = {:object => object,
-        :context => context,
-        :skip_attribute_test => object.nil?,
-        :bang => bang}.merge(options)
-      result[:user] = current_user unless result.key?(:user)
-      result
-    end
-    module ClassMethods
-      #
-      # Defines a filter to be applied according to the authorization of the
-      # current user.  Requires at least one symbol corresponding to an
-      # action as parameter.  The special symbol :+all+ refers to all actions.
-      # The all :+all+ statement is only employed if no specific statement is
-      # present.
-      #   class UserController < ApplicationController
-      #     filter_access_to :index
-      #     filter_access_to :new, :edit
-      #     filter_access_to :all
-      #     ...
-      #   end
-      #
-      # The default is to allow access unconditionally if no rule matches.
-      # Thus, including the +filter_access_to+ :+all+ statement is a good
-      # idea, implementing a default-deny policy.
-      #
-      # When the access is denied, the method +permission_denied+ is called
-      # on the current controller, if defined.  Else, a simple "you are not
-      # allowed" string is output.  Log.info is given more information on the
-      # reasons of denial.
-      #
-      #   def permission_denied
-      #     flash[:error] = 'Sorry, you are not allowed to the requested page.'
-      #     respond_to do |format|
-      #       format.html { redirect_to(:back) rescue redirect_to('/') }
-      #       format.xml  { head :unauthorized }
-      #       format.js   { head :unauthorized }
-      #     end
-      #   end
-      #
-      # By default, required privileges are inferred from the action name and
-      # the controller name.  Thus, in UserController :+edit+ requires
-      # :+edit+ +users+.  To specify required privilege, use the option :+require+
-      #   filter_access_to :new, :create, :require => :create, :context => :users
-      #
-      # Without the :+attribute_check+ option, no constraints from the
-      # authorization rules are enforced because for some actions (collections,
-      # +new+, +create+), there is no object to evaluate conditions against.  To
-      # allow attribute checks on all actions, it is a common pattern to provide
-      # custom objects through +before_actions+:
-      #   class BranchesController < ApplicationController
-      #     before_action :load_company
-      #     before_action :new_branch_from_company_and_params,
-      #       :only => [:index, :new, :create]
-      #     filter_access_to :all, :attribute_check => true
-      #
-      #     protected
-      #     def new_branch_from_company_and_params
-      #       @branch = @company.branches.new(params[:branch])
-      #     end
-      #   end
-      # NOTE: +before_actions+ need to be defined before the first
-      # +filter_access_to+ call.
-      #
-      # For further customization, a custom filter expression may be formulated
-      # in a block, which is then evaluated in the context of the controller
-      # on a matching request.  That is, for checking two objects, use the
-      # following:
-      #   filter_access_to :merge do
-      #     permitted_to!(:update, User.find(params[:original_id])) and
-      #       permitted_to!(:delete, User.find(params[:id]))
-      #   end
-      # The block should raise a Authorization::AuthorizationError or return
-      # false if the access is to be denied.
-      #
-      # Later calls to filter_access_to with overlapping actions overwrite
-      # previous ones for that action.
-      #
-      # All options:
-      # [:+require+]
-      #   Privilege required; defaults to action_name
-      # [:+context+]
-      #   The privilege's context, defaults to decl_auth_context, which consists
-      #   of controller_name, prepended by any namespaces
-      # [:+attribute_check+]
-      #   Enables the check of attributes defined in the authorization rules.
-      #   Defaults to false.  If enabled, filter_access_to will use a context
-      #   object from one of the following sources (in that order):
-      #   * the method from the :+load_method+ option,
-      #   * an instance variable named after the singular of the context
-      #     (by default from the controller name, e.g. @post for PostsController),
-      #   * a find on the context model, using +params+[:id] as id value.
-      #   Any of these methods will only be employed if :+attribute_check+
-      #   is enabled.
-      # [:+model+]
-      #   The data model to load a context object from.  Defaults to the
-      #   context, singularized.
-      # [:+load_method+]
-      #   Specify a method by symbol or a Proc object which should be used
-      #   to load the object.  Both should return the loaded object.
-      #   If a Proc object is given, e.g. by way of
-      #   +lambda+, it is called in the instance of the controller.
-      #   Example demonstrating the default behavior:
-      #     filter_access_to :show, :attribute_check => true,
-      #                      :load_method => lambda { User.find(params[:id]) }
-      #
-      def filter_access_to(*args, &filter_block)
-        options = args.last.is_a?(Hash) ? args.pop : {}
-        options = {
-          :require => nil,
-          :context => nil,
-          :attribute_check => false,
-          :model => nil,
-          :load_method => nil,
-          :strong_parameters => nil
-        }.merge!(options)
-        privilege = options[:require]
-        context = options[:context]
-        actions = args.flatten
-        # prevent setting filter_access_filter multiple times
-        skip_before_action(:filter_access_filter) if method_defined?(:filter_access_filter)
-        before_action :filter_access_filter
-        filter_access_permissions.each do |perm|
-          perm.remove_actions(actions)
-        end
-        filter_access_permissions <<
-          ControllerPermission.new(actions, privilege, context,
-                                   options[:strong_parameters],
-                                   options[:attribute_check],
-                                   options[:model],
-                                   options[:load_method],
-                                   filter_block)
-      end
-      # Disables authorization entirely.  Requires at least one symbol corresponding
-      # to an action as parameter.  The special symbol :+all+ refers to all actions.
-      # The all :+all+ statement is only employed if no specific statement is
-      # present.
-      def no_filter_access_to(*args)
-        filter_access_to args do
-          true
-        end
-      end
-      # Collecting all the ControllerPermission objects from the controller
-      # hierarchy.  Permissions for actions are overwritten by calls to
-      # filter_access_to in child controllers with the same action.
-      def all_filter_access_permissions # :nodoc:
-        ancestors.inject([]) do |perms, mod|
-          if mod.respond_to?(:filter_access_permissions, true)
-            perms +
-              mod.filter_access_permissions.collect do |p1|
-                p1.clone.remove_actions(perms.inject(Set.new) {|actions, p2| actions + p2.actions})
-              end
-          else
-            perms
-          end
-        end
-      end
-      # To DRY up the filter_access_to statements in restful controllers,
-      # filter_resource_access combines typical filter_access_to and
-      # before_action calls, which set up the instance variables.
-      #
-      # The simplest case are top-level resource controllers with only the
-      # seven CRUD methods, e.g.
-      #   class CompanyController < ApplicationController
-      #     filter_resource_access
-      #
-      #     def index...
-      #   end
-      # Here, all CRUD actions are protected through a filter_access_to :all
-      # statement.  :+attribute_check+ is enabled for all actions except for
-      # the collection action :+index+.  To have an object for attribute checks
-      # available, filter_resource_access will set the instance variable
-      # @+company+ in before filters.  For the member actions (:+show+, :+edit+,
-      # :+update+, :+destroy+) @company is set to Company.find(params[:id]).
-      # For +new+ actions (:+new+, :+create+), filter_resource_access creates
-      # a new object from company parameters: Company.new(params[:company].
-      #
-      # For nested resources, the parent object may be loaded automatically.
-      #   class BranchController < ApplicationController
-      #     filter_resource_access :nested_in => :companies
-      #   end
-      # Again, the CRUD actions are protected.  Now, for all CRUD actions,
-      # the parent object @company is loaded from params[:company_id].  It is
-      # also used when creating @branch for +new+ actions.  Here, attribute_check
-      # is enabled for the collection :+index+ as well, checking attributes on a
-      # @company.branches.new method.
-      #
-      # In many cases, the default seven CRUD actions are not sufficient.  As in
-      # the resource definition for routing you may thus give additional member,
-      # new and collection methods.  The +options+ allow you to specify the
-      # required privileges for each action by providing a hash or an array of
-      # pairs.  By default, for each action the action name is taken as privilege
-      # (action search in the example below requires the privilege :index
-      # :companies).  Any controller action that is not specified and does not
-      # belong to the seven CRUD actions is handled as a member method.
-      #   class CompanyController < ApplicationController
-      #     filter_resource_access :collection => [[:search, :index], :index],
-      #         :additional_member => {:mark_as_key_company => :update}
-      #   end
-      # The +additional_+* options add to the respective CRUD actions,
-      # the other options (:+member+, :+collection+, :+new+) replace their
-      # respective CRUD actions.
-      #    filter_resource_access :member => { :toggle_open => :update }
-      # Would declare :toggle_open as the only member action in the controller and
-      # require that permission :update is granted for the current user.
-      #    filter_resource_access :additional_member => { :toggle_open => :update }
-      # Would add a member action :+toggle_open+ to the default members, such as :+show+.
-      #
-      # If :+collection+ is an array of method names filter_resource_access will
-      # associate a permission with the method that is the same as the method
-      # name and no attribute checks will be performed unless
-      #   :attribute_check => true
-      # is added in the options.
-      #
-      # You can override the default object loading by implementing any of the
-      # following instance methods on the controller.  Examples are given for the
-      # BranchController (with +nested_in+ set to :+companies+):
-      # [+new_branch_from_params+]
-      #   Used for +new+ actions.
-      # [+new_branch_for_collection+]
-      #   Used for +collection+ actions if the +nested_in+ option is set.
-      # [+load_branch+]
-      #   Used for +member+ actions.
-      # [+load_company+]
-      #   Used for all +new+, +member+, and +collection+ actions if the
-      #   +nested_in+ option is set.
-      #
-      # All options:
-      # [:+member+]
-      #   Member methods are actions like +show+, which have an params[:id] from
-      #   which to load the controller object and assign it to @controller_name,
-      #   e.g. @+branch+.
-      #
-      #   By default, member actions are [:+show+, :+edit+, :+update+,
-      #   :+destroy+].  Also, any action not belonging to the seven CRUD actions
-      #   are handled as member actions.
-      #
-      #   There are three different syntax to specify member, collection and
-      #   new actions.
-      #   * Hash:  Lets you set the required privilege for each action:
-      #     {:+show+ => :+show+, :+mark_as_important+ => :+update+}
-      #   * Array of actions or pairs: [:+show+, [:+mark_as_important+, :+update+]],
-      #     with single actions requiring the privilege of the same name as the method.
-      #   * Single method symbol: :+show+
-      # [:+additional_member+]
-      #   Allows to add additional member actions to the default resource +member+
-      #   actions.
-      # [:+collection+]
-      #   Collection actions are like :+index+, actions without any controller object
-      #   to check attributes of.  If +nested_in+ is given, a new object is
-      #   created from the parent object, e.g. @company.branches.new.  Without
-      #   +nested_in+, attribute check is deactivated for these actions.  By
-      #   default, collection is set to :+index+.
-      # [:+additional_collection+]
-      #   Allows to add additional collection actions to the default resource +collection+
-      #   actions.
-      # [:+new+]
-      #   +new+ methods are actions such as +new+ and +create+, which don't
-      #   receive a params[:id] to load an object from, but
-      #   a params[:controller_name_singular] hash with attributes for a new
-      #   object.  The attributes will be used here to create a new object and
-      #   check the object against the authorization rules.  The object is
-      #   assigned to @controller_name_singular, e.g. @branch.
-      #
-      #   If +nested_in+ is given, the new object
-      #   is created from the parent_object.controller_name
-      #   proxy, e.g. company.branches.new(params[:branch]).  By default,
-      #   +new+ is set to [:new, :create].
-      # [:+additional_new+]
-      #   Allows to add additional new actions to the default resource +new+ actions.
-      # [:+context+]
-      #   The context is used to determine the model to load objects from for the
-      #   before_actions and the context of privileges to use in authorization
-      #   checks.
-      # [:+nested_in+]
-      #   Specifies the parent controller if the resource is nested in another
-      #   one.  This is used to automatically load the parent object, e.g.
-      #   @+company+ from params[:company_id] for a BranchController nested in
-      #   a CompanyController.
-      # [:+shallow+]
-      #   Only relevant when used in conjunction with +nested_in+. Specifies a nested resource
-      #   as being a shallow nested resource, resulting in the controller not attempting to
-      #   load a parent object for all member actions defined by +member+ and
-      #   +additional_member+ or rather the default member actions (:+show+, :+edit+,
-      #   :+update+, :+destroy+).
-      # [:+no_attribute_check+]
-      #   Allows to set actions for which no attribute check should be performed.
-      #   See filter_access_to on details.  By default, with no +nested_in+,
-      #   +no_attribute_check+ is set to all collections.  If +nested_in+ is given
-      #   +no_attribute_check+ is empty by default.
-      # [:+strong_parameters+]
-      #   If set to true, relies on controller to provide instance variable and
-      #   create new object in :create action.  Set true if you use strong_params
-      #   and false if you use protected_attributes.
-      #
-      def filter_resource_access(options = {})
-        options = {
-          :new        => [:new, :create],
-          :additional_new => nil,
-          :member     => [:show, :edit, :update, :destroy],
-          :additional_member => nil,
-          :collection => [:index],
-          :additional_collection => nil,
-          #:new_method_for_collection => nil,  # only symbol method name
-          #:new_method => nil,                 # only symbol method name
-          #:load_method => nil,                # only symbol method name
-          :no_attribute_check => nil,
-          :context    => nil,
-          :model => nil,
-          :nested_in  => nil,
-          :strong_parameters => nil
-        }.merge(options)
-        options.merge!({ :strong_parameters => true }) if options[:strong_parameters] == nil
-        new_actions = actions_from_option( options[:new] ).merge(
-            actions_from_option(options[:additional_new]) )
-        members = actions_from_option(options[:member]).merge(
-            actions_from_option(options[:additional_member]))
-        collections = actions_from_option(options[:collection]).merge(
-            actions_from_option(options[:additional_collection]))
-        no_attribute_check_actions = options[:strong_parameters] ? actions_from_option(options[:collection]).merge(actions_from_option([:create])) : collections
-        options[:no_attribute_check] ||= no_attribute_check_actions.keys unless options[:nested_in]
-        unless options[:nested_in].blank?
-          load_parent_method = :"load_#{options[:nested_in].to_s.singularize}"
-          shallow_exceptions = options[:shallow] ? {:except => members.keys} : {}
-          before_action shallow_exceptions do |controller|
-            if controller.respond_to?(load_parent_method, true)
-              controller.send(load_parent_method)
-            else
-              controller.send(:load_parent_controller_object, options[:nested_in])
-            end
-          end
-          new_for_collection_method = :"new_#{controller_name.singularize}_for_collection"
-          before_action :only => collections.keys do |controller|
-            # new_for_collection
-            if controller.respond_to?(new_for_collection_method, true)
-              controller.send(new_for_collection_method)
-            else
-              controller.send(:new_controller_object_for_collection,
-                  options[:context] || controller_name, options[:nested_in], options[:strong_parameters])
-            end
-          end
-        end
-        unless options[:strong_parameters]
-          new_from_params_method = :"new_#{controller_name.singularize}_from_params"
-          before_action :only => new_actions.keys do |controller|
-            # new_from_params
-            if controller.respond_to?(new_from_params_method, true)
-              controller.send(new_from_params_method)
-            else
-              controller.send(:new_controller_object_from_params,
-                  options[:context] || controller_name, options[:nested_in], options[:strong_parameters])
-            end
-          end
-        else
-          new_object_method = :"new_#{controller_name.singularize}"
-          before_action :only => :new do |controller|
-            # new_from_params
-            if controller.respond_to?(new_object_method, true)
-              controller.send(new_object_method)
-            else
-              controller.send(:new_blank_controller_object,
-                  options[:context] || controller_name, options[:nested_in], options[:strong_parameters], options[:model])
-            end
-          end
-        end
-        load_method = :"load_#{controller_name.singularize}"
-        before_action :only => members.keys do |controller|
-          # load controller object
-          if controller.respond_to?(load_method, true)
-            controller.send(load_method)
-          else
-            controller.send(:load_controller_object, options[:context] || controller_name, options[:model])
-          end
-        end
-        filter_access_to :all, :attribute_check => true, :context => options[:context], :model => options[:model]
-        members.merge(new_actions).merge(collections).each do |action, privilege|
-          if action != privilege or (options[:no_attribute_check] and options[:no_attribute_check].include?(action))
-            filter_options = {
-              :strong_parameters => options[:strong_parameters],
-              :context          => options[:context],
-              :attribute_check  => !options[:no_attribute_check] || !options[:no_attribute_check].include?(action),
-              :model => options[:model]
-            }
-            filter_options[:require] = privilege if action != privilege
-            filter_access_to(action, filter_options)
-          end
-        end
-      end
-      # Returns the context for authorization checks in the current controller.
-      # Uses the controller_name and prepends any namespaces underscored and
-      # joined with underscores.
-      #
-      # E.g.
-      #   AllThosePeopleController         => :all_those_people
-      #   AnyName::Space::ThingsController => :any_name_space_things
-      #
-      def decl_auth_context
-        prefixes = name.split('::')[0..-2].map(&:underscore)
-        ((prefixes + [controller_name]) * '_').to_sym
-      end
-      protected
-      def filter_access_permissions # :nodoc:
-        unless filter_access_permissions?
-          ancestors[1..-1].reverse.each do |mod|
-            mod.filter_access_permissions if mod.respond_to?(:filter_access_permissions, true)
-          end
-        end
-        class_variable_set(:@@declarative_authorization_permissions, {}) unless filter_access_permissions?
-        class_variable_get(:@@declarative_authorization_permissions)[self.name] ||= []
-      end
-      def filter_access_permissions? # :nodoc:
-        class_variable_defined?(:@@declarative_authorization_permissions)
-      end
-      def actions_from_option(option) # :nodoc:
-        case option
-        when nil
-          {}
-        when Symbol, String
-          {option.to_sym => option.to_sym}
-        when Hash
-          option
-        when Enumerable
-          option.each_with_object({}) do |action, hash|
-            if action.is_a?(Array)
-              raise "Unexpected option format: #{option.inspect}" if action.length != 2
-              hash[action.first] = action.last
-            else
-              hash[action.to_sym] = action.to_sym
-            end
-          end
-        end
-      end
-    end
-  end
-  class ControllerPermission # :nodoc:
-    attr_reader :actions, :privilege, :context, :attribute_check, :strong_params
-    def initialize(actions, privilege, context, strong_params, attribute_check = false,
-                    load_object_model = nil, load_object_method = nil,
-                    filter_block = nil)
-      @actions = actions.to_set
-      @privilege = privilege
-      @context = context
-      @load_object_model = load_object_model
-      @load_object_method = load_object_method
-      @filter_block = filter_block
-      @attribute_check = attribute_check
-      @strong_params = strong_params
-    end
-    def matches?(action_name)
-      @actions.include?(action_name.to_sym)
-    end
-    def permit!(contr)
-      if @filter_block
-        return contr.instance_eval(&@filter_block)
-      end
-      object = @attribute_check ? load_object(contr) : nil
-      privilege = @privilege || :"#{contr.action_name}"
-      contr.authorization_engine.permit!(privilege,
-                                         :user => contr.send(:current_user),
-                                         :object => object,
-                                         :skip_attribute_test => !@attribute_check,
-                                         :context => @context || contr.class.decl_auth_context)
-    end
-    def remove_actions(actions)
-      @actions -= actions
-      self
-    end
-    private
-    def load_object(contr)
-      if @load_object_method and @load_object_method.is_a?(Symbol)
-        contr.send(@load_object_method)
-      elsif @load_object_method and @load_object_method.is_a?(Proc)
-        contr.instance_eval(&@load_object_method)
-      else
-        load_object_model = @load_object_model ||
-            (@context ? @context.to_s.classify.constantize : contr.class.controller_name.classify.constantize)
-        load_object_model = load_object_model.classify.constantize if load_object_model.is_a?(String)
-        instance_var = "@#{load_object_model.name.demodulize.underscore}"
-        object = contr.instance_variable_get(instance_var)
-        unless object
-          begin
-            object = @strong_params ? load_object_model.find_or_initialize_by(:id => contr.params[:id]) : load_object_model.find(contr.params[:id])
-          rescue => e
-            contr.logger.debug("filter_access_to tried to find " +
-                "#{load_object_model} from params[:id] " +
-                "(#{contr.params[:id].inspect}), because attribute_check is enabled " +
-                "and #{instance_var.to_s} isn't set, but failed: #{e.class.name}: #{e}")
-            raise if AuthorizationInController.failed_auto_loading_is_not_found?
-          end
-          contr.instance_variable_set(instance_var, object)
-        end
-        object
-      end
-    end
-  end
-end
+# Authorization::AuthorizationInController
+require File.dirname(__FILE__) + '/authorization.rb'
+module Authorization
+  module AuthorizationInController
+    def self.included(base) # :nodoc:
+      base.extend(ClassMethods)
+      base.module_eval do
+        before_action(:filter_access_filter) if method_defined?(:filter_access_filter)
+      end
+    end
+    DEFAULT_DENY = false
+    # If attribute_check is set for filter_access_to, decl_auth_context will try to
+    # load the appropriate object from the current controller's model with
+    # the id from params[:id].  If that fails, a 404 Not Found is often the
+    # right way to handle the error.  If you have additional measures in place
+    # that restricts the find scope, handling this error as a permission denied
+    # might be a better way.  Set failed_auto_loading_is_not_found to false
+    # for the latter behavior.
+    @@failed_auto_loading_is_not_found = true
+    def self.failed_auto_loading_is_not_found?
+      @@failed_auto_loading_is_not_found
+    end
+    def self.failed_auto_loading_is_not_found=(new_value)
+      @@failed_auto_loading_is_not_found = new_value
+    end
+    # Returns the Authorization::Engine for the current controller.
+    def authorization_engine
+      @authorization_engine ||= Authorization::Engine.instance
+    end
+    # If the current user meets the given privilege, permitted_to? returns true
+    # and yields to the optional block.  The attribute checks that are defined
+    # in the authorization rules are only evaluated if an object is given
+    # for context.
+    #
+    # See examples for Authorization::AuthorizationHelper #permitted_to?
+    #
+    # If no object or context is specified, the controller_name is used as
+    # context.
+    #
+    def permitted_to?(privilege, object_or_sym = nil, options = {})
+      if authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, false))
+        yield if block_given?
+        true
+      else
+        false
+      end
+    end
+    # Works similar to the permitted_to? method, but
+    # throws the authorization exceptions, just like Engine#permit!
+    def permitted_to!(privilege, object_or_sym = nil, options = {})
+      authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, true))
+    end
+    # While permitted_to? is used for authorization, in some cases
+    # content should only be shown to some users without being concerned
+    # with authorization.  E.g. to only show the most relevant menu options
+    # to a certain group of users.  That is what has_role? should be used for.
+    def has_role?(*roles)
+      user_roles = authorization_engine.roles_for(current_user)
+      result = roles.all? do |role|
+        user_roles.include?(role)
+      end
+      yield if result and block_given?
+      result
+    end
+    # Intended to be used where you want to allow users with any single listed role to view
+    # the content in question
+    def has_any_role?(*roles)
+      user_roles = authorization_engine.roles_for(current_user)
+      result = roles.any? do |role|
+        user_roles.include?(role)
+      end
+      yield if result and block_given?
+      result
+    end
+    # As has_role? except checks all roles included in the role hierarchy
+    def has_role_with_hierarchy?(*roles)
+      user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
+      result = roles.all? do |role|
+        user_roles.include?(role)
+      end
+      yield if result and block_given?
+      result
+    end
+    # As has_any_role? except checks all roles included in the role hierarchy
+    def has_any_role_with_hierarchy?(*roles)
+      user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
+      result = roles.any? do |role|
+        user_roles.include?(role)
+      end
+      yield if result and block_given?
+      result
+    end
+    protected
+    def filter_access_filter # :nodoc:
+      permissions = self.class.all_filter_access_permissions
+      all_permissions = permissions.select {|p| p.actions.include?(:all)}
+      matching_permissions = permissions.select {|p| p.matches?(action_name)}
+      allowed = false
+      auth_exception = nil
+      begin
+        allowed = if !matching_permissions.empty?
+                    matching_permissions.all? {|perm| perm.permit!(self)}
+                  elsif !all_permissions.empty?
+                    all_permissions.all? {|perm| perm.permit!(self)}
+                  else
+                    !DEFAULT_DENY
+                  end
+      rescue NotAuthorized => e
+        auth_exception = e
+      end
+      unless allowed
+        if all_permissions.empty? and matching_permissions.empty?
+          logger.warn "Permission denied: No matching filter access " +
+            "rule found for #{self.class.controller_name}.#{action_name}"
+        elsif auth_exception
+          logger.info "Permission denied: #{auth_exception}"
+        end
+        if respond_to?(:permission_denied, true)
+          # permission_denied needs to render or redirect
+          send(:permission_denied)
+        else
+          send(:render, :plain => "You are not allowed to access this action.",
+            :status => :forbidden)
+        end
+      end
+    end
+    def load_controller_object(context_without_namespace = nil, model = nil) # :nodoc:
+      instance_var = :"@#{context_without_namespace.to_s.singularize}"
+      model = model ? model.classify.constantize : context_without_namespace.to_s.classify.constantize
+      instance_variable_set(instance_var, model.find(params[:id]))
+    end
+    def load_parent_controller_object(parent_context_without_namespace) # :nodoc:
+      instance_var = :"@#{parent_context_without_namespace.to_s.singularize}"
+      model = parent_context_without_namespace.to_s.classify.constantize
+      instance_variable_set(instance_var, model.find(params[:"#{parent_context_without_namespace.to_s.singularize}_id"]))
+    end
+    def new_controller_object_from_params(context_without_namespace, parent_context_without_namespace, strong_params) # :nodoc:
+      model_or_proxy = parent_context_without_namespace ?
+           instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
+           context_without_namespace.to_s.classify.constantize
+      instance_var = :"@#{context_without_namespace.to_s.singularize}"
+      instance_variable_set(instance_var,
+        model_or_proxy.new(params[context_without_namespace.to_s.singularize]))
+    end
+    def new_blank_controller_object(context_without_namespace, parent_context_without_namespace, strong_params, model) # :nodoc:
+      if model
+        model_or_proxy = model.to_s.classify.constantize
+      else
+        model_or_proxy = parent_context_without_namespace ?
+        instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
+        context_without_namespace.to_s.classify.constantize
+      end
+      instance_var = :"@#{context_without_namespace.to_s.singularize}"
+      instance_variable_set(instance_var,
+        model_or_proxy.new())
+    end
+    def new_controller_object_for_collection(context_without_namespace, parent_context_without_namespace, strong_params) # :nodoc:
+      model_or_proxy = parent_context_without_namespace ?
+           instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
+           context_without_namespace.to_s.classify.constantize
+      instance_var = :"@#{context_without_namespace.to_s.singularize}"
+      instance_variable_set(instance_var, model_or_proxy.new)
+    end
+    def options_for_permit(object_or_sym = nil, options = {}, bang = true)
+      context = object = nil
+      if object_or_sym.nil?
+        context = self.class.decl_auth_context
+      elsif !Authorization.is_a_association_proxy?(object_or_sym) and object_or_sym.is_a?(Symbol)
+        context = object_or_sym
+      else
+        object = object_or_sym
+      end
+      result = {:object => object,
+        :context => context,
+        :skip_attribute_test => object.nil?,
+        :bang => bang}.merge(options)
+      result[:user] = current_user unless result.key?(:user)
+      result
+    end
+    module ClassMethods
+      #
+      # Defines a filter to be applied according to the authorization of the
+      # current user.  Requires at least one symbol corresponding to an
+      # action as parameter.  The special symbol :+all+ refers to all actions.
+      # The all :+all+ statement is only employed if no specific statement is
+      # present.
+      #   class UserController < ApplicationController
+      #     filter_access_to :index
+      #     filter_access_to :new, :edit
+      #     filter_access_to :all
+      #     ...
+      #   end
+      #
+      # The default is to allow access unconditionally if no rule matches.
+      # Thus, including the +filter_access_to+ :+all+ statement is a good
+      # idea, implementing a default-deny policy.
+      #
+      # When the access is denied, the method +permission_denied+ is called
+      # on the current controller, if defined.  Else, a simple "you are not
+      # allowed" string is output.  Log.info is given more information on the
+      # reasons of denial.
+      #
+      #   def permission_denied
+      #     flash[:error] = 'Sorry, you are not allowed to the requested page.'
+      #     respond_to do |format|
+      #       format.html { redirect_to(:back) rescue redirect_to('/') }
+      #       format.xml  { head :unauthorized }
+      #       format.js   { head :unauthorized }
+      #     end
+      #   end
+      #
+      # By default, required privileges are inferred from the action name and
+      # the controller name.  Thus, in UserController :+edit+ requires
+      # :+edit+ +users+.  To specify required privilege, use the option :+require+
+      #   filter_access_to :new, :create, :require => :create, :context => :users
+      #
+      # Without the :+attribute_check+ option, no constraints from the
+      # authorization rules are enforced because for some actions (collections,
+      # +new+, +create+), there is no object to evaluate conditions against.  To
+      # allow attribute checks on all actions, it is a common pattern to provide
+      # custom objects through +before_actions+:
+      #   class BranchesController < ApplicationController
+      #     before_action :load_company
+      #     before_action :new_branch_from_company_and_params,
+      #       :only => [:index, :new, :create]
+      #     filter_access_to :all, :attribute_check => true
+      #
+      #     protected
+      #     def new_branch_from_company_and_params
+      #       @branch = @company.branches.new(params[:branch])
+      #     end
+      #   end
+      # NOTE: +before_actions+ need to be defined before the first
+      # +filter_access_to+ call.
+      #
+      # For further customization, a custom filter expression may be formulated
+      # in a block, which is then evaluated in the context of the controller
+      # on a matching request.  That is, for checking two objects, use the
+      # following:
+      #   filter_access_to :merge do
+      #     permitted_to!(:update, User.find(params[:original_id])) and
+      #       permitted_to!(:delete, User.find(params[:id]))
+      #   end
+      # The block should raise a Authorization::AuthorizationError or return
+      # false if the access is to be denied.
+      #
+      # Later calls to filter_access_to with overlapping actions overwrite
+      # previous ones for that action.
+      #
+      # All options:
+      # [:+require+]
+      #   Privilege required; defaults to action_name
+      # [:+context+]
+      #   The privilege's context, defaults to decl_auth_context, which consists
+      #   of controller_name, prepended by any namespaces
+      # [:+attribute_check+]
+      #   Enables the check of attributes defined in the authorization rules.
+      #   Defaults to false.  If enabled, filter_access_to will use a context
+      #   object from one of the following sources (in that order):
+      #   * the method from the :+load_method+ option,
+      #   * an instance variable named after the singular of the context
+      #     (by default from the controller name, e.g. @post for PostsController),
+      #   * a find on the context model, using +params+[:id] as id value.
+      #   Any of these methods will only be employed if :+attribute_check+
+      #   is enabled.
+      # [:+model+]
+      #   The data model to load a context object from.  Defaults to the
+      #   context, singularized.
+      # [:+load_method+]
+      #   Specify a method by symbol or a Proc object which should be used
+      #   to load the object.  Both should return the loaded object.
+      #   If a Proc object is given, e.g. by way of
+      #   +lambda+, it is called in the instance of the controller.
+      #   Example demonstrating the default behavior:
+      #     filter_access_to :show, :attribute_check => true,
+      #                      :load_method => lambda { User.find(params[:id]) }
+      #
+      def filter_access_to(*args, &filter_block)
+        options = args.last.is_a?(Hash) ? args.pop : {}
+        options = {
+          :require => nil,
+          :context => nil,
+          :attribute_check => false,
+          :model => nil,
+          :load_method => nil,
+          :strong_parameters => nil
+        }.merge!(options)
+        privilege = options[:require]
+        context = options[:context]
+        actions = args.flatten
+        # prevent setting filter_access_filter multiple times
+        skip_before_action(:filter_access_filter) if method_defined?(:filter_access_filter)
+        before_action :filter_access_filter
+        filter_access_permissions.each do |perm|
+          perm.remove_actions(actions)
+        end
+        filter_access_permissions <<
+          ControllerPermission.new(actions, privilege, context,
+                                   options[:strong_parameters],
+                                   options[:attribute_check],
+                                   options[:model],
+                                   options[:load_method],
+                                   filter_block)
+      end
+      # Disables authorization entirely.  Requires at least one symbol corresponding
+      # to an action as parameter.  The special symbol :+all+ refers to all actions.
+      # The all :+all+ statement is only employed if no specific statement is
+      # present.
+      def no_filter_access_to(*args)
+        filter_access_to args do
+          true
+        end
+      end
+      # Collecting all the ControllerPermission objects from the controller
+      # hierarchy.  Permissions for actions are overwritten by calls to
+      # filter_access_to in child controllers with the same action.
+      def all_filter_access_permissions # :nodoc:
+        ancestors.inject([]) do |perms, mod|
+          if mod.respond_to?(:filter_access_permissions, true)
+            perms +
+              mod.filter_access_permissions.collect do |p1|
+                p1.clone.remove_actions(perms.inject(Set.new) {|actions, p2| actions + p2.actions})
+              end
+          else
+            perms
+          end
+        end
+      end
+      # To DRY up the filter_access_to statements in restful controllers,
+      # filter_resource_access combines typical filter_access_to and
+      # before_action calls, which set up the instance variables.
+      #
+      # The simplest case are top-level resource controllers with only the
+      # seven CRUD methods, e.g.
+      #   class CompanyController < ApplicationController
+      #     filter_resource_access
+      #
+      #     def index...
+      #   end
+      # Here, all CRUD actions are protected through a filter_access_to :all
+      # statement.  :+attribute_check+ is enabled for all actions except for
+      # the collection action :+index+.  To have an object for attribute checks
+      # available, filter_resource_access will set the instance variable
+      # @+company+ in before filters.  For the member actions (:+show+, :+edit+,
+      # :+update+, :+destroy+) @company is set to Company.find(params[:id]).
+      # For +new+ actions (:+new+, :+create+), filter_resource_access creates
+      # a new object from company parameters: Company.new(params[:company].
+      #
+      # For nested resources, the parent object may be loaded automatically.
+      #   class BranchController < ApplicationController
+      #     filter_resource_access :nested_in => :companies
+      #   end
+      # Again, the CRUD actions are protected.  Now, for all CRUD actions,
+      # the parent object @company is loaded from params[:company_id].  It is
+      # also used when creating @branch for +new+ actions.  Here, attribute_check
+      # is enabled for the collection :+index+ as well, checking attributes on a
+      # @company.branches.new method.
+      #
+      # In many cases, the default seven CRUD actions are not sufficient.  As in
+      # the resource definition for routing you may thus give additional member,
+      # new and collection methods.  The +options+ allow you to specify the
+      # required privileges for each action by providing a hash or an array of
+      # pairs.  By default, for each action the action name is taken as privilege
+      # (action search in the example below requires the privilege :index
+      # :companies).  Any controller action that is not specified and does not
+      # belong to the seven CRUD actions is handled as a member method.
+      #   class CompanyController < ApplicationController
+      #     filter_resource_access :collection => [[:search, :index], :index],
+      #         :additional_member => {:mark_as_key_company => :update}
+      #   end
+      # The +additional_+* options add to the respective CRUD actions,
+      # the other options (:+member+, :+collection+, :+new+) replace their
+      # respective CRUD actions.
+      #    filter_resource_access :member => { :toggle_open => :update }
+      # Would declare :toggle_open as the only member action in the controller and
+      # require that permission :update is granted for the current user.
+      #    filter_resource_access :additional_member => { :toggle_open => :update }
+      # Would add a member action :+toggle_open+ to the default members, such as :+show+.
+      #
+      # If :+collection+ is an array of method names filter_resource_access will
+      # associate a permission with the method that is the same as the method
+      # name and no attribute checks will be performed unless
+      #   :attribute_check => true
+      # is added in the options.
+      #
+      # You can override the default object loading by implementing any of the
+      # following instance methods on the controller.  Examples are given for the
+      # BranchController (with +nested_in+ set to :+companies+):
+      # [+new_branch_from_params+]
+      #   Used for +new+ actions.
+      # [+new_branch_for_collection+]
+      #   Used for +collection+ actions if the +nested_in+ option is set.
+      # [+load_branch+]
+      #   Used for +member+ actions.
+      # [+load_company+]
+      #   Used for all +new+, +member+, and +collection+ actions if the
+      #   +nested_in+ option is set.
+      #
+      # All options:
+      # [:+member+]
+      #   Member methods are actions like +show+, which have an params[:id] from
+      #   which to load the controller object and assign it to @controller_name,
+      #   e.g. @+branch+.
+      #
+      #   By default, member actions are [:+show+, :+edit+, :+update+,
+      #   :+destroy+].  Also, any action not belonging to the seven CRUD actions
+      #   are handled as member actions.
+      #
+      #   There are three different syntax to specify member, collection and
+      #   new actions.
+      #   * Hash:  Lets you set the required privilege for each action:
+      #     {:+show+ => :+show+, :+mark_as_important+ => :+update+}
+      #   * Array of actions or pairs: [:+show+, [:+mark_as_important+, :+update+]],
+      #     with single actions requiring the privilege of the same name as the method.
+      #   * Single method symbol: :+show+
+      # [:+additional_member+]
+      #   Allows to add additional member actions to the default resource +member+
+      #   actions.
+      # [:+collection+]
+      #   Collection actions are like :+index+, actions without any controller object
+      #   to check attributes of.  If +nested_in+ is given, a new object is
+      #   created from the parent object, e.g. @company.branches.new.  Without
+      #   +nested_in+, attribute check is deactivated for these actions.  By
+      #   default, collection is set to :+index+.
+      # [:+additional_collection+]
+      #   Allows to add additional collection actions to the default resource +collection+
+      #   actions.
+      # [:+new+]
+      #   +new+ methods are actions such as +new+ and +create+, which don't
+      #   receive a params[:id] to load an object from, but
+      #   a params[:controller_name_singular] hash with attributes for a new
+      #   object.  The attributes will be used here to create a new object and
+      #   check the object against the authorization rules.  The object is
+      #   assigned to @controller_name_singular, e.g. @branch.
+      #
+      #   If +nested_in+ is given, the new object
+      #   is created from the parent_object.controller_name
+      #   proxy, e.g. company.branches.new(params[:branch]).  By default,
+      #   +new+ is set to [:new, :create].
+      # [:+additional_new+]
+      #   Allows to add additional new actions to the default resource +new+ actions.
+      # [:+context+]
+      #   The context is used to determine the model to load objects from for the
+      #   before_actions and the context of privileges to use in authorization
+      #   checks.
+      # [:+nested_in+]
+      #   Specifies the parent controller if the resource is nested in another
+      #   one.  This is used to automatically load the parent object, e.g.
+      #   @+company+ from params[:company_id] for a BranchController nested in
+      #   a CompanyController.
+      # [:+shallow+]
+      #   Only relevant when used in conjunction with +nested_in+. Specifies a nested resource
+      #   as being a shallow nested resource, resulting in the controller not attempting to
+      #   load a parent object for all member actions defined by +member+ and
+      #   +additional_member+ or rather the default member actions (:+show+, :+edit+,
+      #   :+update+, :+destroy+).
+      # [:+no_attribute_check+]
+      #   Allows to set actions for which no attribute check should be performed.
+      #   See filter_access_to on details.  By default, with no +nested_in+,
+      #   +no_attribute_check+ is set to all collections.  If +nested_in+ is given
+      #   +no_attribute_check+ is empty by default.
+      # [:+strong_parameters+]
+      #   If set to true, relies on controller to provide instance variable and
+      #   create new object in :create action.  Set true if you use strong_params
+      #   and false if you use protected_attributes.
+      #
+      def filter_resource_access(options = {})
+        options = {
+          :new        => [:new, :create],
+          :additional_new => nil,
+          :member     => [:show, :edit, :update, :destroy],
+          :additional_member => nil,
+          :collection => [:index],
+          :additional_collection => nil,
+          #:new_method_for_collection => nil,  # only symbol method name
+          #:new_method => nil,                 # only symbol method name
+          #:load_method => nil,                # only symbol method name
+          :no_attribute_check => nil,
+          :context    => nil,
+          :model => nil,
+          :nested_in  => nil,
+          :strong_parameters => nil
+        }.merge(options)
+        options.merge!({ :strong_parameters => true }) if options[:strong_parameters] == nil
+        new_actions = actions_from_option( options[:new] ).merge(
+            actions_from_option(options[:additional_new]) )
+        members = actions_from_option(options[:member]).merge(
+            actions_from_option(options[:additional_member]))
+        collections = actions_from_option(options[:collection]).merge(
+            actions_from_option(options[:additional_collection]))
+        no_attribute_check_actions = options[:strong_parameters] ? actions_from_option(options[:collection]).merge(actions_from_option([:create])) : collections
+        options[:no_attribute_check] ||= no_attribute_check_actions.keys unless options[:nested_in]
+        unless options[:nested_in].blank?
+          load_parent_method = :"load_#{options[:nested_in].to_s.singularize}"
+          shallow_exceptions = options[:shallow] ? {:except => members.keys} : {}
+          before_action shallow_exceptions do |controller|
+            if controller.respond_to?(load_parent_method, true)
+              controller.send(load_parent_method)
+            else
+              controller.send(:load_parent_controller_object, options[:nested_in])
+            end
+          end
+          new_for_collection_method = :"new_#{controller_name.singularize}_for_collection"
+          before_action :only => collections.keys do |controller|
+            # new_for_collection
+            if controller.respond_to?(new_for_collection_method, true)
+              controller.send(new_for_collection_method)
+            else
+              controller.send(:new_controller_object_for_collection,
+                  options[:context] || controller_name, options[:nested_in], options[:strong_parameters])
+            end
+          end
+        end
+        unless options[:strong_parameters]
+          new_from_params_method = :"new_#{controller_name.singularize}_from_params"
+          before_action :only => new_actions.keys do |controller|
+            # new_from_params
+            if controller.respond_to?(new_from_params_method, true)
+              controller.send(new_from_params_method)
+            else
+              controller.send(:new_controller_object_from_params,
+                  options[:context] || controller_name, options[:nested_in], options[:strong_parameters])
+            end
+          end
+        else
+          new_object_method = :"new_#{controller_name.singularize}"
+          before_action :only => :new do |controller|
+            # new_from_params
+            if controller.respond_to?(new_object_method, true)
+              controller.send(new_object_method)
+            else
+              controller.send(:new_blank_controller_object,
+                  options[:context] || controller_name, options[:nested_in], options[:strong_parameters], options[:model])
+            end
+          end
+        end
+        load_method = :"load_#{controller_name.singularize}"
+        before_action :only => members.keys do |controller|
+          # load controller object
+          if controller.respond_to?(load_method, true)
+            controller.send(load_method)
+          else
+            controller.send(:load_controller_object, options[:context] || controller_name, options[:model])
+          end
+        end
+        filter_access_to :all, :attribute_check => true, :context => options[:context], :model => options[:model]
+        members.merge(new_actions).merge(collections).each do |action, privilege|
+          if action != privilege or (options[:no_attribute_check] and options[:no_attribute_check].include?(action))
+            filter_options = {
+              :strong_parameters => options[:strong_parameters],
+              :context          => options[:context],
+              :attribute_check  => !options[:no_attribute_check] || !options[:no_attribute_check].include?(action),
+              :model => options[:model]
+            }
+            filter_options[:require] = privilege if action != privilege
+            filter_access_to(action, filter_options)
+          end
+        end
+      end
+      # Returns the context for authorization checks in the current controller.
+      # Uses the controller_name and prepends any namespaces underscored and
+      # joined with underscores.
+      #
+      # E.g.
+      #   AllThosePeopleController         => :all_those_people
+      #   AnyName::Space::ThingsController => :any_name_space_things
+      #
+      def decl_auth_context
+        prefixes = name.split('::')[0..-2].map(&:underscore)
+        ((prefixes + [controller_name]) * '_').to_sym
+      end
+      protected
+      def filter_access_permissions # :nodoc:
+        unless filter_access_permissions?
+          ancestors[1..-1].reverse.each do |mod|
+            mod.filter_access_permissions if mod.respond_to?(:filter_access_permissions, true)
+          end
+        end
+        class_variable_set(:@@declarative_authorization_permissions, {}) unless filter_access_permissions?
+        class_variable_get(:@@declarative_authorization_permissions)[self.name] ||= []
+      end
+      def filter_access_permissions? # :nodoc:
+        class_variable_defined?(:@@declarative_authorization_permissions)
+      end
+      def actions_from_option(option) # :nodoc:
+        case option
+        when nil
+          {}
+        when Symbol, String
+          {option.to_sym => option.to_sym}
+        when Hash
+          option
+        when Enumerable
+          option.each_with_object({}) do |action, hash|
+            if action.is_a?(Array)
+              raise "Unexpected option format: #{option.inspect}" if action.length != 2
+              hash[action.first] = action.last
+            else
+              hash[action.to_sym] = action.to_sym
+            end
+          end
+        end
+      end
+    end
+  end
+  class ControllerPermission # :nodoc:
+    attr_reader :actions, :privilege, :context, :attribute_check, :strong_params
+    def initialize(actions, privilege, context, strong_params, attribute_check = false,
+                    load_object_model = nil, load_object_method = nil,
+                    filter_block = nil)
+      @actions = actions.to_set
+      @privilege = privilege
+      @context = context
+      @load_object_model = load_object_model
+      @load_object_method = load_object_method
+      @filter_block = filter_block
+      @attribute_check = attribute_check
+      @strong_params = strong_params
+    end
+    def matches?(action_name)
+      @actions.include?(action_name.to_sym)
+    end
+    def permit!(contr)
+      if @filter_block
+        return contr.instance_eval(&@filter_block)
+      end
+      object = @attribute_check ? load_object(contr) : nil
+      privilege = @privilege || :"#{contr.action_name}"
+      contr.authorization_engine.permit!(privilege,
+                                         :user => contr.send(:current_user),
+                                         :object => object,
+                                         :skip_attribute_test => !@attribute_check,
+                                         :context => @context || contr.class.decl_auth_context)
+    end
+    def remove_actions(actions)
+      @actions -= actions
+      self
+    end
+    private
+    def load_object(contr)
+      if @load_object_method and @load_object_method.is_a?(Symbol)
+        contr.send(@load_object_method)
+      elsif @load_object_method and @load_object_method.is_a?(Proc)
+        contr.instance_eval(&@load_object_method)
+      else
+        load_object_model = @load_object_model ||
+            (@context ? @context.to_s.classify.constantize : contr.class.controller_name.classify.constantize)
+        load_object_model = load_object_model.classify.constantize if load_object_model.is_a?(String)
+        instance_var = "@#{load_object_model.name.demodulize.underscore}"
+        object = contr.instance_variable_get(instance_var)
+        unless object
+          begin
+            object = @strong_params ? load_object_model.find_or_initialize_by(:id => contr.params[:id]) : load_object_model.find(contr.params[:id])
+          rescue => e
+            contr.logger.debug("filter_access_to tried to find " +
+                "#{load_object_model} from params[:id] " +
+                "(#{contr.params[:id].inspect}), because attribute_check is enabled " +
+                "and #{instance_var.to_s} isn't set, but failed: #{e.class.name}: #{e}")
+            raise if AuthorizationInController.failed_auto_loading_is_not_found?
+          end
+          contr.instance_variable_set(instance_var, object)
+        end
+        object
+      end
+    end
+  end
+end