be9-acl9 0.9.1 → 0.9.2

data/lib/acl9/controller_extensions/generators.rb

@@ -0,0 +1,119 @@
+require File.join(File.dirname(__FILE__), 'dsl_base')
+
+module Acl9
+  class AccessDenied < StandardError; end
+  class FilterSyntaxError < StandardError; end
+
+  module Dsl
+    module Generators
+      class BaseGenerator < Acl9::Dsl::Base
+        def initialize(*args)
+          @subject_method = args[0]
+
+          super
+        end
+
+        protected
+
+        def _access_denied
+          "raise Acl9::AccessDenied"
+        end
+
+        def _subject_ref
+          "#{_controller_ref}send(:#{@subject_method})"
+        end
+
+        def _object_ref(object)
+          "#{_controller_ref}instance_variable_get('@#{object}')"
+        end
+
+        def _action_ref
+          "#{_controller_ref}action_name"
+        end
+
+        def _controller_ref
+          @controller ? "#{@controller}." : ''
+        end
+      end
+
+      class FilterLambda < BaseGenerator
+        def initialize(subject_method)
+          super
+
+          @controller = 'controller'
+        end
+
+        def install_on(controller_class, options)
+          controller_class.send(:before_filter, options, &self.to_proc)
+        end
+
+        def to_proc
+          code = <<-RUBY
+            lambda do |controller|
+              unless #{allowance_expression}
+                #{_access_denied}
+              end
+            end
+          RUBY
+          
+          self.instance_eval(code, __FILE__, __LINE__)
+        rescue SyntaxError
+          raise FilterSyntaxError, code
+        end
+      end
+      
+      class FilterMethod < BaseGenerator
+        def initialize(subject_method, method_name)
+          super
+
+          @method_name = method_name
+          @controller = nil
+        end
+        
+        def install_on(controller_class, options)
+          _add_method(controller_class)
+          controller_class.send(:before_filter, @method_name, options)
+        end
+
+        protected
+
+        def _add_method(controller_class)
+          code = self.to_method_code
+          controller_class.send(:class_eval, code, __FILE__, __LINE__)
+        rescue SyntaxError
+          raise FilterSyntaxError, code
+        end
+        
+        def to_method_code
+          <<-RUBY
+            def #{@method_name}
+              unless #{allowance_expression}
+                #{_access_denied}
+              end
+            end
+          RUBY
+        end
+      end
+      
+      class BooleanMethod < FilterMethod
+        def install_on(controller_class, *_)
+          _add_method(controller_class)
+        end
+
+        protected 
+        
+        def to_method_code
+          <<-RUBY
+            def #{@method_name}(options = {})
+              #{allowance_expression}
+            end
+          RUBY
+        end
+
+        def _object_ref(object)
+          "(options[:#{object}] || #{super})"
+        end
+      end
+    end
+  end
+end

data/lib/acl9/version.rb

@@ -44,7 +44,7 @@ module Acl9 # :nodoc:
 
     MAJOR = 0
     MINOR = 9
-    TINY  = 1
+    TINY  = 2
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/spec/access_control_spec.rb

@@ -26,28 +26,35 @@ end
 
 # all these controllers behave the same way
 
-class AccessControllingController1 < EmptyController
+class ACLBlock < EmptyController
   access_control do
     allow all, :to => [:index, :show]
     allow :admin
   end
 end
 
-class AccessControllingController2 < EmptyController
+class ACLMethod < EmptyController
   access_control :as_method => :acl do
     allow all, :to => [:index, :show]
     allow :admin, :except => [:index, :show]
   end
 end
 
-class AccessControllingController3 < EmptyController
+class ACLMethod2 < EmptyController
+  access_control :acl do
+    allow all, :to => [:index, :show]
+    allow :admin, :except => [:index, :show]
+  end
+end
+
+class ACLArguments < EmptyController
   access_control :except => [:index, :show] do
     allow :admin
   end
 end
 
-class AccessControllingController4 < EmptyController
-  access_control :as_method => :acl, :filter => false do
+class ACLBooleanMethod < EmptyController
+  access_control :acl, :filter => false do
     allow all, :to => [:index, :show]
     allow :admin
   end
@@ -85,11 +92,19 @@ describe "permit anonymous to index and show and admin everywhere else", :shared
   end
 end
 
-describe AccessControllingController1, :type => :controller do
+describe ACLBlock, :type => :controller do
+  it_should_behave_like "permit anonymous to index and show and admin everywhere else"
+end
+
+describe ACLMethod, :type => :controller do
+  it "should add :acl as a method" do
+    controller.should respond_to(:acl)
+  end
+
   it_should_behave_like "permit anonymous to index and show and admin everywhere else"
 end
 
-describe AccessControllingController2, :type => :controller do
+describe ACLMethod2, :type => :controller do
   it "should add :acl as a method" do
     controller.should respond_to(:acl)
   end
@@ -97,11 +112,11 @@ describe AccessControllingController2, :type => :controller do
   it_should_behave_like "permit anonymous to index and show and admin everywhere else"
 end
 
-describe AccessControllingController3, :type => :controller do
+describe ACLArguments, :type => :controller do
   it_should_behave_like "permit anonymous to index and show and admin everywhere else"
 end
 
-describe AccessControllingController4, :type => :controller do
+describe ACLBooleanMethod, :type => :controller do
   it_should_behave_like "permit anonymous to index and show and admin everywhere else"
 end
 
@@ -111,7 +126,7 @@ end
 
 class VenerableBar; end
 
-class AccessControllingController5 < EmptyController
+class ACLIvars < EmptyController
   before_filter :set_ivars
 
   access_control do
@@ -128,7 +143,7 @@ class AccessControllingController5 < EmptyController
   end
 end
 
-describe AccessControllingController5, :type => :controller do
+describe ACLIvars, :type => :controller do
   class OwnerOfFoo
     def has_role?(role, obj)
       role == 'owner' && obj == MyDearFoo.instance
@@ -158,7 +173,7 @@ class TheOnlyUser
   end
 end
 
-class AccessControllingController6 < ActionController::Base
+class ACLSubjectMethod < ActionController::Base
   access_control :subject_method => :the_only_user do
     allow :the_only_one
   end
@@ -172,7 +187,7 @@ class AccessControllingController6 < ActionController::Base
   end
 end
 
-describe AccessControllingController6, :type => :controller do
+describe ACLSubjectMethod, :type => :controller do
   it "should allow the only user to index" do
     get :index, :user => TheOnlyUser.instance
   end
@@ -183,3 +198,62 @@ describe AccessControllingController6, :type => :controller do
     end.should raise_error(Acl9::AccessDenied)
   end
 end
+
+class ACLObjectsHash < ActionController::Base
+  access_control :allowed?, :filter => false do
+    allow :owner, :of => :foo
+  end
+
+  def allow
+    @foo = nil
+    raise unless allowed?(:foo => MyDearFoo.instance)
+  end
+  
+  def current_user
+    params[:user]
+  end
+end
+
+describe ACLObjectsHash, :type => :controller do
+  class FooOwner
+    def has_role?(role_name, obj)
+      role_name == 'owner' && obj == MyDearFoo.instance
+    end
+  end
+
+  it "should consider objects hash and prefer it to @ivar" do
+    get :allow, :user => FooOwner.new
+  end
+end
+
+describe "Argument checking" do
+  def arg_err(&block)
+    lambda do
+      block.call
+    end.should raise_error(ArgumentError)
+  end
+
+  it "should raise ArgumentError without a block" do
+    arg_err do
+      class FailureController < ActionController::Base
+        access_control 
+      end
+    end
+  end
+  
+  it "should raise ArgumentError with 1st argument which is not a symbol" do
+    arg_err do
+      class FailureController < ActionController::Base
+        access_control 123 do end
+      end
+    end
+  end
+  
+  it "should raise ArgumentError with more than 1 positional argument" do
+    arg_err do
+      class FailureController < ActionController::Base
+        access_control :foo, :bar do end
+      end
+    end
+  end
+end

data/spec/dsl_base_spec.rb

@@ -0,0 +1,703 @@
+require File.join(File.dirname(__FILE__), 'spec_helper')
+require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9', 'controller_extensions', 'dsl_base')
+
+class FakeUser
+  def initialize
+    @roles = {}
+  end
+
+  def has_role?(role, object = nil)
+    @roles.include?([role.to_s, object])
+  end
+
+  def <<(role)
+    role = [role] unless role.is_a? Array
+
+    role << nil if role.size == 1
+    raise unless role[0]
+
+    role[0] = role[0].to_s
+
+    @roles[role] = true
+  end
+end
+
+class DslTester < Acl9::Dsl::Base
+  def initialize
+    super
+
+    @_subject = nil
+    @_objects = {}
+    @_current_action = nil
+  end
+  
+  def permit(user, *args)
+    check_allowance(user, *args).should == true
+
+    self
+  end
+  
+  def forbid(user, *args)
+    check_allowance(user, *args).should == false
+
+    self
+  end
+  
+  def show_code
+    puts "\n", allowance_expression
+    self
+  end
+
+  protected
+
+  def check_allowance(subject, *args)
+    @_subject = subject
+    @_current_action = (args[0] || 'index').to_s
+    @_objects = args.last.is_a?(Hash) ? args.last : {}
+
+    instance_eval(allowance_expression)
+  end
+
+  def _subject_ref
+    "@_subject"
+  end
+
+  def _object_ref(object)
+    "@_objects[:#{object.to_s}]"
+  end
+
+  def _action_ref
+    "@_current_action"
+  end
+end
+
+describe Acl9::Dsl::Base do
+  class Foo; end
+  class Bar; end
+
+  def arg_err(&block)
+    lambda do
+      acl(&block)
+    end.should raise_error(ArgumentError)
+  end
+
+  def acl(&block)
+    tester = DslTester.new
+    tester.acl_block!(&block)
+    
+    tester
+  end
+
+  def permit_some(tester, user, actions, vars = {})
+    actions.each                  { |act| tester.permit(user, act, vars) }
+    (@all_actions - actions).each { |act| tester.forbid(user, act, vars) }
+  end
+  
+  before do
+    @user = FakeUser.new
+    @user2 = FakeUser.new
+    @user3 = FakeUser.new
+    @foo = Foo.new
+    @foo2 = Foo.new
+    @foo3 = Foo.new
+  end
+
+  describe "default" do
+    it "should set default action to deny if none specified" do
+      acl do end.default_action.should == :deny 
+    end
+    
+    it "should set default action to allow" do
+      acl do 
+        default :allow
+      end.default_action.should == :allow
+    end
+    
+    it "should set default action to deny" do
+      acl do 
+        default :deny
+      end.default_action.should == :deny
+    end
+    
+    it "should raise ArgumentError with unknown default_action" do
+      arg_err do 
+        default 123
+      end
+    end
+    
+    it "should raise ArgumentError when default is called more than once" do
+      arg_err do 
+        default :deny
+        default :deny
+      end
+    end
+  end
+
+  describe "empty blocks" do
+    it "should deny everyone with default deny" do
+      acl do
+      end.forbid(nil).forbid(@user)
+    end
+    
+    it "should allow everyone with default allow" do
+      acl do
+        default :allow
+      end.permit(nil).permit(@user)
+    end
+  end
+
+  describe "empty" do
+    it "allow should raise an ArgumentError" do
+      arg_err { allow }
+    end
+    
+    it "deny should raise an ArgumentError" do
+      arg_err { deny }
+    end
+  end
+
+  describe "anonymous" do
+    it "'allow nil' should allow anonymous, but not logged in" do
+      acl do
+        allow nil
+      end.permit(nil).forbid(@user)
+    end
+    
+    it "'allow anonymous' should allow anonymous, but not logged in" do
+      acl do
+        allow anonymous
+      end.permit(nil).forbid(@user)
+    end
+    
+    it "'deny nil' should deny anonymous, but not logged in" do
+      acl do
+        default :allow
+        deny nil
+      end.forbid(nil).permit(@user)
+    end
+    
+    it "'deny anonymous' should deny anonymous, but not logged in" do
+      acl do
+        default :allow
+        deny anonymous
+      end.forbid(nil).permit(@user)
+    end
+  end
+
+  describe "all" do
+    it "'allow all' should allow all" do
+      acl do
+        allow all
+      end.permit(nil).permit(@user)
+    end
+    
+    it "'deny all' should deny all" do
+      acl do
+        default :allow
+        deny all
+      end.forbid(nil).forbid(@user)
+    end
+  end
+
+  describe "default :allow" do
+    it "should allow when neither allow nor deny conditions are matched" do
+      acl do
+        default :allow
+        allow :blah
+        deny :bzz
+      end.permit(nil).permit(@user)
+    end
+    
+    it "should deny when deny is matched, but allow is not" do
+      acl do
+        default :allow
+        deny all
+        allow :blah
+      end.forbid(nil).forbid(@user)
+    end
+    
+    it "should allow when allow is matched, but deny is not" do
+      @user << :cool
+      acl do
+        default :allow
+        deny nil
+        allow :cool
+      end.permit(@user)
+    end
+    
+    it "should allow both allow and deny conditions are matched" do
+      @user << :cool
+      acl do
+        default :allow
+        deny :cool
+        allow :cool
+      end.permit(@user)
+      
+      acl do
+        default :allow
+        deny all
+        allow all
+      end.permit(@user).permit(nil).permit(@user2)
+    end
+  end
+ 
+  describe "logged_in" do
+    it "'allow logged_in' should allow logged in, but not anonymous" do
+      acl do
+        allow logged_in
+      end.forbid(nil).permit(@user)
+    end
+    
+    it "'allow logged_in' should deny logged in, but not anonymous" do
+      acl do
+        default :allow
+        deny logged_in
+      end.permit(nil).forbid(@user)
+    end
+  end
+
+  describe "default :deny" do
+    it "should deny when neither allow nor deny conditions are matched" do
+      acl do
+        default :deny
+        allow :blah
+        deny :bzz
+      end.forbid(nil).forbid(@user)
+    end
+    
+    it "should deny when deny is matched, but allow is not" do
+      acl do
+        default :deny
+        deny all
+        allow :blah
+      end.forbid(nil).forbid(@user)
+    end
+    
+    it "should allow when allow is matched, but deny is not" do
+      @user << :cool
+      acl do
+        default :deny
+        deny nil
+        allow :cool
+      end.permit(@user)
+    end
+    
+    it "should deny both allow and deny conditions are matched" do
+      @user << :cool
+      acl do
+        default :deny
+        deny :cool
+        allow :cool
+      end.forbid(@user)
+      
+      acl do
+        default :deny
+        deny all
+        allow all
+      end.forbid(@user).forbid(nil).forbid(@user2)
+    end
+  end
+
+  describe "global roles" do
+    it "#allow with role" do
+      @user << :admin
+
+      acl { allow :admin }.permit(@user).forbid(nil).forbid(@user2)
+    end
+    
+    it "#allow with plural role name" do
+      @user << :mouse
+
+      acl do
+        allow :mice
+      end.permit(@user).forbid(nil).forbid(@user2)
+    end
+
+    it "#allow with several roles" do
+      @user << :admin
+      @user << :cool
+
+      @user2 << :cool
+
+      @user3 << :super
+
+      acl do
+        allow :admin
+        allow :cool
+      end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
+    end
+    
+    it "#deny with role" do
+      @user << :foo
+
+      acl { default :allow; deny :foo }.forbid(@user).permit(nil).permit(@user2)
+    end
+    
+    it "#deny with plural role name" do
+      @user << :mouse
+
+      acl do
+        default :allow
+        deny :mice
+      end.forbid(@user).permit(nil).permit(@user2)
+    end
+
+    it "#deny with several roles" do
+      @user << :admin
+      @user << :cool
+
+      @user2 << :cool
+
+      @user3 << :super
+
+      acl do
+        default :allow
+        deny :admin
+        deny :cool
+      end.forbid(@user).forbid(@user2).permit(nil).permit(@user3)
+    end
+  end
+
+  describe "prepositions" do
+    [:of, :for, :in, :on, :at, :by].each do |prep|
+      it "#allow with object role (:#{prep}) should check controller's ivar" do
+        @user << [:manager, @foo]
+
+        acl do
+          allow :manager, prep => :foo
+        end.
+        permit(@user, :foo => @foo).
+        forbid(@user, :foo => @foo2).
+        forbid(@user, :foo => Foo).
+        forbid(nil, :foo => @foo).
+        forbid(@user2, :foo => @foo)
+      end
+
+      it "#allow with invalid value for preposition should raise an ArgumentError" do
+        arg_err do
+          allow :hom, :by => 1
+        end
+      end
+    end
+
+    it "#allow with a class role should verify this role against a class" do
+      @user << [:owner, Foo]
+
+      acl do
+        allow :owner, :of => Foo
+      end.permit(@user).forbid(nil).forbid(@user2)
+    end
+    
+    [:of, :for, :in, :on, :at, :by].each do |prep|
+      it "#deny with object role (:#{prep}) should check controller's ivar" do
+        @user << [:bastard, @foo]
+
+        acl do
+          default :allow
+          deny :bastard, prep => :foo
+        end.
+        forbid(@user, :foo => @foo).
+        permit(@user, :foo => @foo2).
+        permit(@user, :foo => Foo).
+        permit(nil, :foo => @foo).
+        permit(@user2, :foo => @foo)
+      end
+      
+      it "#deny with invalid value for preposition should raise an ArgumentError" do
+        arg_err do
+          deny :her, :for => "him"
+        end
+      end
+    end
+
+    it "#deny with a class role should verify this role against a class" do
+      @user << [:ignorant, Foo]
+
+      acl do
+        default :allow
+        deny :ignorant, :of => Foo
+      end.forbid(@user).permit(nil).permit(@user2)
+    end
+
+    it "#allow with several prepositions should raise an ArgumentError" do
+      arg_err do
+        allow :some, :by => :one, :for => :another
+      end
+    end
+
+    it "#deny with several prepositions should raise an ArgumentError" do
+      arg_err do
+        deny :some, :in => :here, :on => :today
+      end
+    end
+  end
+
+  describe ":to and :except" do
+    it "should raise an ArgumentError when both :to and :except are specified" do
+      arg_err do
+        allow all, :to => :index, :except => ['show', 'edit']
+      end
+    end
+
+    describe do
+      after do
+        %w(index show).each                 { |act| @list.permit(nil, act) }
+        %w(edit update delete destroy).each { |act| @list.forbid(nil, act) }
+        
+        %w(index show edit update).each { |act| @list.permit(@user, act) }
+        %w(delete destroy).each         { |act| @list.forbid(@user, act) }
+
+        %w(index show edit update delete destroy).each { |act| @list.permit(@user2, act) }
+      end
+
+      it ":to should limit rule scope to specified actions" do
+        @user << :manager
+        @user2 << :trusted
+
+        @list = acl do
+          allow all,       :to => [:index, :show]
+
+          allow 'manager', :to => :edit
+          allow 'manager', :to => 'update'
+          allow 'trusted', :to => %w(edit update delete destroy)
+        end
+      end
+      
+      it ":except should limit rule scope to all actions except specified" do
+        @user << :manager
+        @user2 << :trusted
+
+        @list = acl do
+          allow all,       :except => %w(edit update delete destroy)
+
+          allow 'manager', :except => %w(delete destroy)
+          allow 'trusted'
+        end
+      end
+    end
+  end
+
+  describe "several roles as arguments" do
+    it "#allow should be able to receive a role list (global roles)" do
+      @user << :bzz
+      @user2 << :whoa
+
+      acl do
+        allow :bzz, :whoa
+      end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
+    end
+    
+    it "#allow should be able to receive a role list (object roles)" do
+      @user << [:maker, @foo]
+      @user2 << [:faker, @foo2]
+
+      acl do
+        allow :maker, :faker, :of => :foo
+      end.
+      permit(@user, :foo => @foo).
+      forbid(@user, :foo => @foo2).
+      permit(@user2, :foo => @foo2).
+      forbid(@user2, :foo => @foo).
+      forbid(@user3, :foo => @foo).
+      forbid(@user3, :foo => @foo2).
+      forbid(nil)
+    end
+    
+    it "#allow should be able to receive a role list (class roles)" do
+      @user  << [:frooble, Foo]
+      @user2 << [:oombigle, Foo]
+      @user3 << :frooble
+
+      acl do
+        allow :frooble, :oombigle, :by => Foo
+      end.
+      permit(@user).
+      permit(@user2).
+      forbid(@user3).
+      forbid(nil)
+    end
+    
+    it "#deny should be able to receive a role list (global roles)" do
+      @user << :bzz
+      @user2 << :whoa
+
+      acl do
+        default :allow
+        deny :bzz, :whoa
+      end.forbid(@user).forbid(@user2).permit(nil).permit(@user3)
+    end
+    
+    it "#deny should be able to receive a role list (object roles)" do
+      @user << [:maker, @foo]
+      @user2 << [:faker, @foo2]
+      @user3 = FakeUser.new
+
+      acl do
+        default :allow
+        deny :maker, :faker, :of => :foo
+      end.
+      forbid(@user, :foo => @foo).
+      permit(@user, :foo => @foo2).
+      forbid(@user2, :foo => @foo2).
+      permit(@user2, :foo => @foo).
+      permit(@user3, :foo => @foo).
+      permit(@user3, :foo => @foo2).
+      permit(nil)
+    end
+    
+    it "#deny should be able to receive a role list (class roles)" do
+      @user  << [:frooble, Foo]
+      @user2 << [:oombigle, Foo]
+      @user3 << :frooble
+
+      acl do
+        default :allow
+        deny :frooble, :oombigle, :by => Foo
+      end.
+      forbid(@user).
+      forbid(@user2).
+      permit(@user3).
+      permit(nil)
+    end
+
+    it "should also respect :to and :except" do
+      class Moo; end
+
+      @user << :foo
+      @user2 << [:joo, @foo]
+      @user3 << [:qoo, Moo]
+
+      acl do
+        allow :foo, :boo,              :to => [:index, :show]
+        allow :zoo, :joo, :by => :foo, :to => [:edit, :update]
+        allow :qoo, :woo, :of => Moo
+        deny  :qoo, :woo, :of => Moo,  :except => [:delete, :destroy]
+      end.
+      permit(@user, 'index').
+      permit(@user, 'show').
+      forbid(@user, 'edit').
+      permit(@user2, 'edit', :foo => @foo).
+      permit(@user2, 'update', :foo => @foo).
+      forbid(@user2, 'show', :foo => @foo).
+      forbid(@user2, 'show').
+      permit(@user3, 'delete').
+      permit(@user3, 'destroy').
+      forbid(@user3, 'edit').
+      forbid(@user3, 'show')
+    end
+  end
+
+  describe "actions block" do
+    it "should raise an ArgumentError when actions has no block" do
+      arg_err do
+        actions :foo, :bar
+      end
+    end
+    
+    it "should raise an ArgumentError when actions has no arguments" do
+      arg_err do
+        actions do end
+      end
+    end
+    
+    it "should raise an ArgumentError when actions is called inside actions block" do
+      arg_err do
+        actions :foo, :bar do 
+          actions :foo, :bar do
+          end
+        end
+      end
+    end
+    
+    it "should raise an ArgumentError when default is called inside actions block" do
+      arg_err do
+        actions :foo, :bar do 
+          default :allow
+        end
+      end
+    end
+
+    [:to, :except].each do |opt|
+      it "should raise an ArgumentError when allow is called with #{opt} option" do
+        arg_err do
+          actions :foo do 
+            allow all, opt => :bar
+          end
+        end
+      end
+      
+      it "should raise an ArgumentError when deny is called with #{opt} option" do
+        arg_err do
+          actions :foo do 
+            deny all, opt => :bar
+          end
+        end
+      end
+    end
+
+    it "empty actions block should do nothing" do
+      acl do
+        actions :foo do
+        end
+
+        allow all
+      end.permit(nil).permit(nil, :foo)
+    end
+
+    it "#allow should limit its scope to specified actions" do
+      @user << :bee
+
+      acl do
+        actions :edit do
+          allow :bee
+        end
+      end.
+      permit(@user, :edit).
+      forbid(@user, :update)
+    end
+
+    it "#deny should limit its scope to specified actions" do
+      @user << :bee
+
+      acl do
+        default :allow
+        actions :edit do
+          deny :bee
+        end
+      end.
+      forbid(@user, :edit).
+      permit(@user, :update)
+    end
+
+    it "#allow and #deny should work together inside actions block" do
+      @foo = Foo.new
+      @user << [:owner, @foo]
+      @user2 << :hacker
+      @user2 << :the_destroyer
+      @user3 << [:owner, @foo]
+      @user3 << :hacker
+
+      list = acl do
+        actions :show, :index do
+          allow all
+        end
+
+        actions :edit, :update do
+          allow :owner, :of => :object
+          deny :hacker
+        end
+
+        actions :delete, :destroy do
+          allow :owner, :of => :object
+          allow :the_destroyer
+        end
+      end
+
+      @all_actions = %w(show index edit update delete destroy)
+
+      permit_some(list, @user,  @all_actions, :object => @foo)
+      permit_some(list, @user2, %w(show index delete destroy))
+      permit_some(list, @user3, %w(show index delete destroy), :object => @foo)
+    end
+  end
+end