bali 2.0.0 → 2.1.1

data/lib/bali/dsl/map_rules_dsl.rb

@@ -7,10 +7,19 @@ class Bali::MapRulesDsl
   end
 
   # defining rules
-  def rules_for(target_class, target_alias_hash = {}, &block)
+  def rules_for(target_class, options_hash = {}, &block)
     @@lock.synchronize do
+      raise Bali::DslError "rules_for must describe a target which is a class" unless target_class.is_a?(Class)
       self.current_rule_class = Bali::RuleClass.new(target_class)
-      self.current_rule_class.alias_name = target_alias_hash[:as] || target_alias_hash["as"]
+
+      parent_class = options_hash[:inherits] || options_hash["inherits"]
+      if parent_class 
+        # in case there is inherits specification
+        raise Bali::DslError, "inherits must take a class" unless parent_class.is_a?(Class)
+        rule_class_from_parent = Bali::Integrators::Rule.rule_class_for(parent_class)
+        raise Bali::DslError, "not yet defined a rule class for #{parent_class}" if rule_class_from_parent.nil?
+        self.current_rule_class = rule_class_from_parent.clone(target_class: target_class)
+      end
 
       Bali::RulesForDsl.new(self).instance_eval(&block)
 
@@ -50,6 +59,10 @@ class Bali::MapRulesDsl
     raise Bali::DslError, "can_all block must be within describe block"
   end
 
+  def clear_rules
+    raise Bali::DslError, "clear_rules must be called within describe block"
+  end
+
   def cant_all(*params)
     puts "Deprecation Warning: declaring rules with cant_all will be deprecated on major release 3.0, use cannot instead"
     cannot_all *params

data/lib/bali/dsl/rules_for_dsl.rb

@@ -14,32 +14,30 @@ class Bali::RulesForDsl
   end
 
   def describe(*params)
-
-    subtargets = []
-    rules = {}
-
-    params.each do |passed_argument|
-      if passed_argument.is_a?(Symbol) || passed_argument.is_a?(String)
-        subtargets << passed_argument
-      elsif passed_argument.is_a?(NilClass)
-        subtargets << passed_argument
-      elsif passed_argument.is_a?(Array)
-        subtargets += passed_argument
-      elsif passed_argument.is_a?(Hash)
-        rules = passed_argument
-      else
-        raise Bali::DslError, "Allowed argument: symbol, string, nil and hash"
+    @@lock.synchronize do
+      subtargets = []
+      rules = {}
+
+      params.each do |passed_argument|
+        if passed_argument.is_a?(Symbol) || passed_argument.is_a?(String)
+          subtargets << passed_argument
+        elsif passed_argument.is_a?(NilClass)
+          subtargets << passed_argument
+        elsif passed_argument.is_a?(Array)
+          subtargets += passed_argument
+        elsif passed_argument.is_a?(Hash)
+          rules = passed_argument
+        else
+          raise Bali::DslError, "Allowed argument for describe: symbol, string, nil and hash"
+        end
       end
-    end
 
-    target_class = self.map_rules_dsl.current_rule_class.target_class
-    target_alias = self.map_rules_dsl.current_rule_class.alias_name
+      target_class = self.map_rules_dsl.current_rule_class.target_class
 
-    subtargets.each do |subtarget|
-      @@lock.synchronize do
+      subtargets.each do |subtarget|
         rule_group = self.current_rule_class.rules_for(subtarget)
         if rule_group.nil?
-          rule_group = Bali::RuleGroup.new(target_class, target_alias, subtarget)
+          rule_group = Bali::RuleGroup.new(target_class, subtarget)
         end
 
         self.current_rule_group = rule_group
@@ -64,12 +62,46 @@ class Bali::RulesForDsl
 
         # add current_rule_group
         self.map_rules_dsl.current_rule_class.add_rule_group(self.current_rule_group)
-      end # mutex synchronize
-    end # each subtarget
+      end # each subtarget
+    end # sync block
   end # describe
 
+  # others block
+  def others(*params)
+    @@lock.synchronize do
+      rules = {}
+
+      params.each do |passed_argument|
+        if passed_argument.is_a?(Hash)
+          rules = passed_argument
+        else
+          raise Bali::DslError, "Allowed argument for others: hash"
+        end
+      end
+
+      self.current_rule_group  = self.map_rules_dsl.current_rule_class.others_rule_group
+
+      if block_given?
+        yield
+      else
+        rules.each do |auth_val, operations|
+          if operations.is_a?(Array)
+            operations.each do |op|
+              rule = Bali::Rule.new(auth_val, op)
+              self.current_rule_group.add_rule(rule)
+            end
+          else
+            operation = operations
+            rule = Bali::Rule.new(auth_val, operation)
+            self.current_rule_group.add_rule(rule)
+          end
+        end # each rules
+      end # block_given?
+    end # synchronize
+  end # others
+
   # to define can and cant is basically using this method
-  def process_auth_rules(auth_val, operations)
+  def bali_process_auth_rules(auth_val, operations)
     conditional_hash = nil
 
     # scan operations for options
@@ -97,14 +129,20 @@ class Bali::RulesForDsl
         self.current_rule_group.add_rule(rule)
       end
     end
-  end # process_auth_rules
+  end # bali_process_auth_rules
+
+  # clear all defined rules
+  def clear_rules
+    self.current_rule_group.clear_rules
+    true
+  end
 
   def can(*operations)
-    process_auth_rules(:can, operations)
+    bali_process_auth_rules(:can, operations)
   end
 
   def cannot(*operations)
-    process_auth_rules(:cannot, operations)
+    bali_process_auth_rules(:cannot, operations)
   end
 
   def cant(*operations)

data/lib/bali/foundations/rule/rule.rb

@@ -17,6 +17,14 @@ class Bali::Rule
     self
   end
 
+  def clone
+    cloned_rule = Bali::Rule.new(auth_val, operation)
+    cloned_rule.decider = decider if decider
+    cloned_rule.decider_type = decider_type if decider_type
+
+    cloned_rule
+  end
+
   def auth_val=(aval)
     # TODO: in version 3 remove :cant
     if aval == :can || aval == :cannot
@@ -32,7 +40,7 @@ class Bali::Rule
     if dectype == :if || dectype == :unless
       @decider_type = dectype
     else
-      raise Bali::DslError, "decider type can only be either if or unless"
+      raise Bali::DslError, "decider type can only be either if or unless, got: #{dectype}"
     end
   end
 

data/lib/bali/foundations/rule/rule_class.rb

@@ -1,9 +1,16 @@
 # the parent of all Bali::RuleGroup.
 class Bali::RuleClass
   attr_reader :target_class
-  attr_accessor :alias_name
 
+  # consist of canonised subtarget and its rule group, eg: 
+  # {
+  #   general_user: RuleGroup
+  # }
   attr_accessor :rule_groups
+  
+  # rule group for "other" subtargets, always checked the last time
+  # after the "more proper" rule groups are checked
+  attr_accessor :others_rule_group
 
   def initialize(target_class)
     if target_class.is_a?(Class)
@@ -13,19 +20,43 @@ class Bali::RuleClass
     end
 
     self.rule_groups = {}
+    self.others_rule_group = Bali::RuleGroup.new(target_class, "__*__")
   end
 
   def add_rule_group(rule_group)
     if rule_group.is_a?(Bali::RuleGroup)
       target_user = rule_group.subtarget
-      self.rule_groups[Bali::RuleGroup.canon_name(target_user)] = rule_group
+      if target_user == "__*__" || target_user == :"__*__"
+        raise Bali::DslError, "__*__ is a reserved subtarget used by Bali's internal"
+      end
+      self.rule_groups[rule_group.subtarget] = rule_group
     else
-      raise Bali::DslError, "Rule group must be an instance of Bali::RuleGroup"
+      raise Bali::DslError, "Rule group must be an instance of Bali::RuleGroup, got: #{rule_group.class.name}"
     end
   end
 
   def rules_for(subtarget)
+    return others_rule_group if subtarget == "__*__"
     subtarget = Bali::RuleGroup.canon_name(subtarget)
     self.rule_groups[subtarget]
   end
+
+  # options can contains:
+  #  :target_class => identifying the target class on which the clone will be applied
+  def clone(options = {})
+    target_class = options.fetch(:target_class)
+    cloned_rc = Bali::RuleClass.new(target_class)
+
+    rule_groups.each do |subtarget, rule_group|
+      rule_group_clone = rule_group.clone
+      rule_group_clone.target = target_class
+      cloned_rc.add_rule_group(rule_group_clone)
+    end
+
+    others_rule_group_clone = others_rule_group.clone
+    others_rule_group_clone.target = target_class
+    cloned_rc.others_rule_group = others_rule_group_clone
+
+    cloned_rc
+  end
 end

data/lib/bali/foundations/rule/rule_group.rb

@@ -2,9 +2,6 @@ class Bali::RuleGroup
   # the target class
   attr_accessor :target
 
-  # the alias name for the target
-  attr_accessor :alias_tgt
-
   # the user to which this rule group is applied
   attr_accessor :subtarget
 
@@ -28,17 +25,30 @@ class Bali::RuleGroup
     end
   end
 
-  def initialize(target, alias_tgt, subtarget)
+  def initialize(target, subtarget)
     self.target = target
-    self.alias_tgt = alias_tgt
     self.subtarget = Bali::RuleGroup.canon_name(subtarget)
 
     self.cans = {}
     self.cants = {}
+
+    # by default, rule group is neither zeus nor plant
+    self.zeus = false
+    self.plant = false
+  end
+
+  def clone
+    cloned_rg = Bali::RuleGroup.new(target, subtarget)
+    cans.each_value { |can_rule| cloned_rg.add_rule(can_rule.clone) }
+    cants.each_value { |cant_rule| cloned_rg.add_rule(cant_rule.clone) }
+    cloned_rg.zeus = zeus
+    cloned_rg.plant = plant
+
+    cloned_rg
   end
 
   def add_rule(rule)
-    raise Bali::DslError, "Rule must be of class Bali::Rule" unless rule.is_a?(Bali::Rule)
+    raise Bali::DslError, "Rule must be of class Bali::Rule, got: #{rule.class.name}" unless rule.is_a?(Bali::Rule)
 
     # operation cannot be defined twice
     operation = rule.operation.to_sym
@@ -54,6 +64,11 @@ class Bali::RuleGroup
     end
   end
 
+  def clear_rules
+    self.cans = {}
+    self.cants = {}
+  end
+
   def get_rule(auth_val, operation)
     rule = nil
     case auth_val

data/lib/bali/integrators/rules_integrator.rb

@@ -6,14 +6,9 @@ module Bali::Integrators::Rule
   end
 
   def rule_class_for(target)
-    if target.is_a?(Symbol)
-      class_name = Bali::ALIASED_RULE_CLASS_MAP[target]
-      return class_name.nil? ? nil : rule_class_for(class_name)
-    else
-      raise Bali::DslError, "Target must be a class" unless target.is_a?(Class)
-      rule_class = Bali::RULE_CLASS_MAP[target.to_s]
-      return rule_class.nil? ? nil : rule_class
-    end
+    raise Bali::DslError, "Target must be a class" unless target.is_a?(Class)
+    rule_class = Bali::RULE_CLASS_MAP[target.to_s]
+    return rule_class.nil? ? nil : rule_class
   end
 
   # attempt to search the rule group, but if not exist, will return nil
@@ -30,26 +25,9 @@ module Bali::Integrators::Rule
   def add_rule_class(rule_class)
     if rule_class.is_a?(Bali::RuleClass)
       target = rule_class.target_class
-      alias_target = rule_class.alias_name
 
       raise Bali::DslError, "Target must be a class" unless target.is_a?(Class)
 
-      # remove any previous association of rule
-      begin
-        last_associated_alias = Bali::REVERSE_ALIASED_RULE_CLASS_MAP[target]
-        if last_associated_alias
-          Bali::ALIASED_RULE_CLASS_MAP.delete(last_associated_alias)
-          Bali::REVERSE_ALIASED_RULE_CLASS_MAP.delete(target)
-          Bali::RULE_CLASS_MAP.delete(target)
-        end
-      end
-
-      # if "as" is present
-      if alias_target.is_a?(Symbol)
-        Bali::ALIASED_RULE_CLASS_MAP[alias_target] = target
-        Bali::REVERSE_ALIASED_RULE_CLASS_MAP[target] = alias_target
-      end
-
       Bali::RULE_CLASS_MAP[target.to_s] = rule_class
       rule_class
     else

data/lib/bali/objector.rb

@@ -1,4 +1,4 @@
-# class that will be included in each instantiated target classes as defined
+# module that will be included in each instantiated target classes as defined
 # in map_rules
 module Bali::Objector
   def self.included(base)
@@ -41,6 +41,38 @@ module Bali::Objector
 end
 
 module Bali::Objector::Statics
+  # FUZY-ed value is happen when it is not really clear, need further cross checking,
+  # whether it is really allowed or not. It happens for example in block with others, such as this:
+  # 
+  # describe :finance do
+  #   cannot :view
+  # end
+  # others do
+  #   can :view
+  #   can :index
+  # end
+  #
+  # In the example above, objecting cannot view on finance will result in STRONG_FALSE, but
+  # objecting can index on finance will result in FUZY_TRUE.
+  #
+  # Eventually, all FUZY value will be normal TRUE or FALSE if no definite counterpart 
+  # is found/defined
+  BALI_FUZY_FALSE = -2
+  BALI_FUZY_TRUE = 2
+  BALI_FALSE = -1
+  BALI_TRUE = 1
+
+  # translate response for value above to traditional true/false
+  def bali_translate_response(bali_bool_value)
+    raise Bali::Error, "Expect bali value to be an integer" unless bali_bool_value.is_a?(Integer)
+    if bali_bool_value < 0
+      return false
+    elsif bali_bool_value > 0
+      return true
+    else 
+      raise Bali::Error, "Bali bool value can either be negative or positive integer"
+    end
+  end
 
   # will return array
   def bali_translate_subtarget_roles(_subtarget_roles)
@@ -61,7 +93,7 @@ module Bali::Objector::Statics
       Bali::TRANSLATED_SUBTARGET_ROLES.each do |subtarget_class, roles_field_name|
         if _subtarget_class == subtarget_class
           deducted_roles = _subtarget.send(roles_field_name)
-          if deducted_roles.is_a?(String) || deducted_roles.is_a?(Symbol)
+          if deducted_roles.is_a?(String) || deducted_roles.is_a?(Symbol) || deducted_roles.is_a?(NilClass)
             deducted_roles = [deducted_roles]
             break
           elsif deducted_roles.is_a?(Array)
@@ -87,42 +119,90 @@ module Bali::Objector::Statics
     # if performed on a class-level, don't call its class or it will return
     # Class. That's not what is expected.
     if self.is_a?(Class)
-      rule_group = Bali::Integrators::Rule.rule_group_for(self, subtarget)
+      klass = self
     else
-      rule_group = Bali::Integrators::Rule.rule_group_for(self.class, subtarget)
+      klass = self.class
     end
 
+    rule_group = Bali::Integrators::Rule.rule_group_for(klass, subtarget)
+    other_rule_group = Bali::Integrators::Rule.rule_group_for(klass, "__*__") 
+
+    rule = nil 
+
     # default of can? is false whenever RuleClass for that class is undefined
     # or RuleGroup for that subtarget is not defined
-    return false if rule_group.nil?
-
-    # get the specific rule
-    rule = rule_group.get_rule(:can, operation)
+    if rule_group.nil?
+      # no more chance for checking
+      return BALI_FALSE if other_rule_group.nil?
+    else
+      # get the specific rule from its own describe block
+      rule = rule_group.get_rule(:can, operation)
+    end
 
-    # plan subtarget is not allowed unless spesificly defined
-    return false if rule_group.plant? && rule.nil?
+    # retrieve rule from others group
+    otherly_rule = other_rule_group.get_rule(:can, operation)
 
     # godly subtarget is allowed to do as he wishes
     # so long that the rule is not specificly defined
     # or overwritten by subsequent rule
-    if rule_group.zeus?
+    if rule_group && rule_group.zeus?
       if rule.nil?
+        _options = options.dup
+        _options[:cross_check] = true
+        _options[:original_subtarget] = original_subtarget if _options[:original_subtarget].nil?
+
+        check_val = self.bali_cannot?(subtarget, operation, record, _options)
+
         # check further whether cant is defined to overwrite this can_all
-        if self.cannot?(subtarget, operation, record, cross_check: true)
-          return false
+        if check_val == BALI_TRUE 
+          return BALI_FALSE
         else
-          return true
+          return BALI_TRUE
         end
       end
     end
 
+    # do after crosscheck
+    # plan subtarget is not allowed unless spesificly defined
+    return BALI_FALSE if rule_group && rule_group.plant? && rule.nil? && otherly_rule.nil?
+
     if rule.nil?
       # default if can? for undefined rule is false, after related clause
       # cannot be found in cannot?
-      return false if options[:cross_check]
-      options[:cross_check] = true
-      return !self.cannot?(subtarget, operation, record, options)
-    else
+
+      unless options[:cross_check] 
+        options[:cross_check] = true
+        cross_check_value = self.bali_cannot?(subtarget, operation, record, options)
+      end
+
+      # either if rule from others block is defined, and the result so far is fuzy
+      # or, otherly rule is defined, and it is still a cross check
+      # plus, the result is not a definite BALI_TRUE/BALI_FALSE
+      #
+      # rationalisation:
+      # 1. Definite answer such as BALI_TRUE and BALI_FALSE is to be prioritised over
+      #    FUZY answer, because definite answer is not gathered from others block where
+      #    FUZY answer is. Therefore, it is an intended result
+      # 2. If the answer is FUZY, otherly_rule only be considered if the result 
+      #    is either FUZY TRUE or FUZY FALSE, or
+      # 3. Or, when already in cross check mode, we cannot retrieve cross_check_value
+      #    what we can is instead, if otherly rule is available, just to try the odd 
+      if (otherly_rule && cross_check_value && !(cross_check_value == BALI_TRUE || cross_check_value == BALI_FALSE)) ||
+          (otherly_rule && (cross_check_value == BALI_FUZY_FALSE || cross_check_value == BALI_FUZY_TRUE)) ||
+          (otherly_rule && options[:cross_check] && cross_check_value.nil?)
+        # give chance to check at the others block
+        rule = otherly_rule
+      else
+        # either the return is not fuzy, or otherly rule is undefined
+        if cross_check_value == BALI_TRUE
+          return BALI_FALSE
+        elsif cross_check_value == BALI_FALSE
+          return BALI_TRUE
+        end
+      end
+    end
+
+    if rule
       if rule.has_decider?
         # must test first
         decider = rule.decider
@@ -130,161 +210,185 @@ module Bali::Objector::Statics
         case decider.arity
         when 0
           if rule.decider_type == :if
-            if decider.()
-              return true
-            else
-              return false
-            end
+            return decider.() ? BALI_TRUE : BALI_FALSE
           elsif rule.decider_type == :unless
             unless decider.()
-              return true
+              return BALI_TRUE
             else
-              return false
+              return BALI_FALSE
             end
           end
         when 1
           if rule.decider_type == :if
-            if decider.(record)
-              return true
-            else
-              return false
-            end
+            return decider.(record) ? BALI_TRUE : BALI_FALSE
           elsif rule.decider_type == :unless
             unless decider.(record)
-              return true
+              return BALI_TRUE
             else
-              return false
+              return BALI_FALSE
             end
           end
         when 2
           if rule.decider_type == :if
-            if decider.(record, original_subtarget)
-              return true
-            else
-              return false
-            end
+            return decider.(record, original_subtarget) ? BALI_TRUE : BALI_FALSE
           elsif rule.decider_type == :unless
             unless decider.(record, original_subtarget)
-              return true
+              return BALI_TRUE
             else
-              return false
+              return BALI_FALSE
             end
           end
         end
       else
         # rule is properly defined
-        return true
+        return BALI_TRUE
       end
     end
+
+    # return fuzy if otherly rule defines contrary to this (can)
+    if other_rule_group.get_rule(:cannot, operation)
+      return BALI_FUZY_FALSE
+    else
+      return BALI_FALSE
+    end
   end
 
   def bali_cannot?(subtarget, operation, record = self, options = {})
     if self.is_a?(Class)
-      rule_group = Bali::Integrators::Rule.rule_group_for(self, subtarget)
+      klass = self
     else
-      rule_group = Bali::Integrators::Rule.rule_group_for(self.class, subtarget)
+      klass = self.class
     end
 
-    # default of cannot? is true whenever RuleClass for that class is undefined
-    # or RuleGroup for that subtarget is not defined
-    return true if rule_group.nil?
+    rule_group = Bali::Integrators::Rule.rule_group_for(klass, subtarget)
+    other_rule_group = Bali::Integrators::Rule.rule_group_for(klass, "__*__")
 
-    rule = rule_group.get_rule(:cannot, operation)
+    rule = nil
 
-    # godly subtarget is not to be prohibited in his endeavours
-    # so long that no specific rule about this operation is defined
-    return false if rule_group.zeus? && rule.nil?
+    # default of cannot? is true whenever RuleClass for that class is undefined
+    # or RuleGroup for that subtarget is not defined
+    if rule_group.nil?
+      return BALI_TRUE if other_rule_group.nil?
+    else
+      # get the specific rule from its own describe block
+      rule = rule_group.get_rule(:cannot, operation)
+    end
 
+    otherly_rule = other_rule_group.get_rule(:cannot, operation)
     # plant subtarget is not allowed to do things unless specificly defined
-    if rule_group.plant?
+    if rule_group && rule_group.plant?
       if rule.nil?
+        _options = options.dup
+        _options[:cross_check] = true
+        _options[:original_subtarget] = original_subtarget if _options[:original_subtarget].nil?
+        
         # check further whether defined in can?
-        if self.can?(subtarget, operation, record, cross_check: true)
-          return false # well, it is defined in can, so it must overwrite this cant_all rule
+        check_val = self.bali_can?(subtarget, operation, record, _options)
+
+        if check_val == BALI_TRUE
+          return BALI_FALSE # well, it is defined in can, so it must overwrite this cant_all rule
         else
           # plant, and then rule is not defined for further inspection. stright
           # is not allowed to do this thing
-          return true
+          return BALI_TRUE
         end
       end
     end
 
-    # if rule cannot be found, then true is returned for cannot? unless
-    # can? is defined exactly for the same target, and subtarget, and record (if given)
     if rule.nil?
-      return true if options[:cross_check]
-      options[:cross_check] = true
-      return !self.can?(subtarget, operation, record, options)
-    else
+      unless options[:cross_check]
+        options[:cross_check] = true
+        cross_check_value = self.bali_can?(subtarget, operation, record, options)
+      end
+
+      if (otherly_rule && cross_check_value && !(cross_check_value == BALI_TRUE || cross_check_value == BALI_FALSE)) ||
+          (otherly_rule && (cross_check_value == BALI_FUZY_FALSE || cross_check_value == BALI_FUZY_TRUE)) ||
+          (otherly_rule && options[:cross_check] && cross_check_value.nil?)
+        rule = otherly_rule
+      else
+        if cross_check_value == BALI_TRUE
+          # from can? because of cross check, then it should be false
+          return BALI_FALSE
+        elsif cross_check_value == BALI_FALSE
+          # from can? because of cross check returning false
+          # then it should be true, that is, cannot
+          return BALI_TRUE
+        end
+      end
+    end
+
+    # do after cross check
+    # godly subtarget is not to be prohibited in his endeavours
+    # so long that no specific rule about this operation is defined
+    return BALI_FALSE if rule_group && rule_group.zeus? && rule.nil? && otherly_rule.nil?
+
+    if rule
       if rule.has_decider?
         decider = rule.decider
         original_subtarget = options.fetch(:original_subtarget)
         case decider.arity
         when 0
           if rule.decider_type == :if
-            if decider.()
-              return true
-            else
-              return false
-            end
+            return decider.() ? BALI_TRUE : BALI_FALSE
           elsif rule.decider_type == :unless
             unless decider.()
-              return true
+              return BALI_TRUE
             else
-              return false
+              return BALI_FALSE
             end
           end
         when 1
           if rule.decider_type == :if
-            if decider.(record)
-              return true
-            else
-              return false
-            end
+            return decider.(record) ? BALI_TRUE : BALI_FALSE
           elsif rule.decider_type == :unless
             unless decider.(record)
-              return true
+              return BALI_TRUE
             else
-              return false
+              return BALI_FALSE
             end
           end
         when 2
           if rule.decider_type == :if
-            if decider.(record, original_subtarget)
-              return true
-            else
-              return false
-            end
+            return decider.(record, original_subtarget) ? BALI_TRUE : BALI_FALSE
           elsif rule.decider_type == :unless
             unless decider.(record, original_subtarget)
-              return true
+              return BALI_TRUE
             else
-              return false
+              return BALI_FALSE
             end
           end
         end
       else
-        return true # rule is properly defined
+        return BALI_TRUE # rule is properly defined
       end # if rule has decider
     end # if rule is nil
-  end
+
+    # return fuzy if otherly rule defines contrary to this cannot rule
+    if other_rule_group.get_rule(:can, operation)
+      return BALI_FUZY_TRUE
+    else
+      BALI_TRUE
+    end
+  end # bali cannot
 
   def can?(subtarget_roles, operation, record = self, options = {})
     subs = bali_translate_subtarget_roles(subtarget_roles)
     # well, it is largely not used unless decider's is 2 arity
     options[:original_subtarget] = options[:original_subtarget].nil? ? subtarget_roles : options[:original_subtarget]
 
-    can_value = false
+    can_value = BALI_FALSE 
     role = nil
 
     subs.each do |subtarget|
-      next if can_value
+      next if can_value == BALI_TRUE
       role = subtarget
       can_value = bali_can?(role, operation, record, options)
     end
 
-    yield options[:original_subtarget], role, can_value if can_value == false && block_given?
-    can_value
+    if can_value == BALI_FALSE && block_given?
+      yield options[:original_subtarget], role, bali_translate_response(can_value)
+    end
+    bali_translate_response can_value
   rescue => e
     if e.is_a?(Bali::AuthorizationError)
       raise e
@@ -302,19 +406,20 @@ module Bali::Objector::Statics
     subs = bali_translate_subtarget_roles subtarget_roles
     options[:original_subtarget] = options[:original_subtarget].nil? ? subtarget_roles : options[:original_subtarget]
 
+    cant_value = BALI_TRUE
+
     subs.each do |subtarget|
+      next if cant_value == BALI_FALSE
       cant_value = bali_cannot?(subtarget, operation, record, options)
-      if cant_value == false
+      if cant_value == BALI_FALSE
         role = subtarget
         if block_given?
-          yield options[:original_subtarget], role, false
-        else
-          return false
+          yield options[:original_subtarget], role, bali_translate_response(cant_value) 
         end
       end
     end
 
-    true
+    bali_translate_response cant_value
   rescue => e
     if e.is_a?(Bali::AuthorizationError)
       raise e