RubyGems - be9-acl9 - Versions diffs - 0.9.1 → 0.9.2 - Mend

be9-acl9 0.9.1 → 0.9.2

Files changed (14) hide show

data/CHANGELOG.textile +9 -0
data/Manifest +14 -11
data/README.textile +59 -22
data/acl9.gemspec +4 -4
data/lib/acl9/controller_extensions.rb +37 -13
data/lib/acl9/controller_extensions/dsl_base.rb +212 -0
data/lib/acl9/controller_extensions/generators.rb +119 -0
data/lib/acl9/version.rb +1 -1
data/spec/access_control_spec.rb +87 -13
data/spec/dsl_base_spec.rb +703 -0
data/spec/roles_spec.rb +1 -0
metadata +22 -18
data/lib/acl9/controller_extensions/filter_producer.rb +0 -244
data/spec/filter_producer_spec.rb +0 -707

@@ -1,4 +1,5 @@
 require File.join(File.dirname(__FILE__), 'spec_helper')
+require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9')
 require File.join(File.dirname(__FILE__), 'models')
 #Logger = ActiveRecord::Base.logger

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: be9-acl9
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.2
 platform: ruby
 authors:
 - Oleg Dashevskii
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2009-01-03 00:00:00 -08:00
+date: 2009-01-14 00:00:00 -08:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -37,36 +37,40 @@ executables: []
 extensions: []
 extra_rdoc_files:
-- lib/acl9/config.rb
+- lib/acl9/model_extensions.rb
+- lib/acl9/version.rb
 - lib/acl9/model_extensions/subject.rb
 - lib/acl9/model_extensions/object.rb
+- lib/acl9/controller_extensions/generators.rb
+- lib/acl9/controller_extensions/dsl_base.rb
+- lib/acl9/config.rb
 - lib/acl9/controller_extensions.rb
-- lib/acl9/controller_extensions/filter_producer.rb
-- lib/acl9/version.rb
-- lib/acl9/model_extensions.rb
 - lib/acl9.rb
 - README.textile
+- CHANGELOG.textile
 files:
-- lib/acl9/config.rb
+- init.rb
+- Manifest
+- lib/acl9/model_extensions.rb
+- lib/acl9/version.rb
 - lib/acl9/model_extensions/subject.rb
 - lib/acl9/model_extensions/object.rb
+- lib/acl9/controller_extensions/generators.rb
+- lib/acl9/controller_extensions/dsl_base.rb
+- lib/acl9/config.rb
 - lib/acl9/controller_extensions.rb
-- lib/acl9/controller_extensions/filter_producer.rb
-- lib/acl9/version.rb
-- lib/acl9/model_extensions.rb
 - lib/acl9.rb
+- README.textile
+- acl9.gemspec
+- CHANGELOG.textile
+- MIT-LICENSE
+- Rakefile
 - spec/db/schema.rb
-- spec/filter_producer_spec.rb
+- spec/dsl_base_spec.rb
 - spec/spec_helper.rb
-- spec/models.rb
 - spec/access_control_spec.rb
 - spec/roles_spec.rb
-- Manifest
-- MIT-LICENSE
-- Rakefile
-- README.textile
-- init.rb
-- acl9.gemspec
+- spec/models.rb
 has_rdoc: true
 homepage: http://github.com/be9/acl9
 post_install_message:

data/lib/acl9/controller_extensions/filter_producer.rb DELETED

@@ -1,244 +0,0 @@
-require 'set'
-module Acl9
-  class AccessDenied < Exception; end
-  class FilterSyntaxError < Exception; end
-  class FilterProducer
-    attr_reader :allows, :denys
-    def initialize(subject_method)
-      @subject_method = subject_method
-      @default_action = nil
-      @allows = []
-      @denys = []
-      @subject = "controller.send(:#{subject_method})"
-    end
-    def acl(&acl_block)
-      self.instance_eval(&acl_block)
-    end
-    def to_s
-      _allowance_check_expression
-    end
-    def to_proc
-      code = <<-RUBY
-        lambda do |controller|
-          unless #{self.to_s}
-            raise Acl9::AccessDenied
-          end
-        end
-      RUBY
-      self.instance_eval(code, __FILE__, __LINE__)
-    rescue SyntaxError
-      raise FilterSyntaxError, code
-    end
-    def to_method_code(method_name, filter = true)
-      body = if filter
-               "unless #{self.to_s}; raise Acl9::AccessDenied; end"
-             else
-               self.to_s
-             end
-      <<-RUBY
-        def #{method_name}
-          controller = self
-          #{body}
-        end
-      RUBY
-    end
-    def default_action
-      @default_action.nil? ? :deny : @default_action
-    end
-    protected
-    def default(default_action)
-      raise ArgumentError, "default can only be called once in access_control block" if @default_action
-      unless [:allow, :deny].include? default_action
-        raise ArgumentError, "invalid value for default (can be :allow or :deny)"
-      end
-      @default_action = default_action
-    end
-    def allow(*args)
-      @current_rule = :allow
-      _parse_and_add_rule(*args)
-    end
-    def deny(*args)
-      @current_rule = :deny
-      _parse_and_add_rule(*args)
-    end
-    def actions(*args, &block)
-      raise ArgumentError, "actions should receive at least 1 action as argument" if args.size < 1
-      subsidiary = FilterProducer.new(@subject_method)
-      class <<subsidiary
-        def actions(*args)
-          raise ArgumentError, "You cannot use actions inside another actions block"
-        end
-        def default(*args)
-          raise ArgumentError, "You cannot use default inside an actions block"
-        end
-        def _set_action_clause(to, except)
-          raise ArgumentError, "You cannot use :to/:except inside actions block" if to || except
-        end
-      end
-      subsidiary.acl(&block)
-      action_check = _action_check_expression(args)
-      squash = lambda do |rules|
-        _either_of(rules) + ' && ' + action_check
-      end
-      @allows << squash.call(subsidiary.allows) if subsidiary.allows.size > 0
-      @denys  << squash.call(subsidiary.denys)  if subsidiary.denys.size > 0
-    end
-    alias action actions
-    def anonymous
-      nil
-    end
-    def all
-      true
-    end
-    def logged_in
-      false
-    end
-    private
-    def _parse_and_add_rule(*args)
-      options = if args.last.is_a? Hash
-                  args.pop
-                else
-                  {}
-                end
-      _set_action_clause(options.delete(:to), options.delete(:except))
-      object = _role_object(options)
-      role_checks = args.map do |who|
-        case who
-        when nil   then "#{@subject}.nil?"    # anonymous
-        when false then "!#{@subject}.nil?"   # logged_in
-        when true  then "true"                # all
-        else
-          "!#{@subject}.nil? && #{@subject}.has_role?('#{who.to_s.singularize}', #{object})"
-        end
-      end
-      _add_rule case role_checks.size
-                when 0
-                  raise ArgumentError, "allow/deny should have at least 1 argument"
-                when 1 then role_checks.first
-                else
-                  _either_of(role_checks)
-                end
-    end
-    def _either_of(exprs)
-      exprs.map { |expr| "(#{expr})" }.join(' || ')
-    end
-    def _add_rule(what)
-      what = "(#{what}) && #{@action_clause}" if @action_clause
-      (@current_rule == :allow ? @allows : @denys) << what
-    end
-    def _set_action_clause(to, except)
-      raise ArgumentError, "both :to and :except cannot be specified in the rule" if to && except
-      @action_clause = nil
-      action_list = to || except
-      return unless action_list
-      expr = _action_check_expression(action_list)
-      @action_clause = if to
-                         "#{expr}"
-                       else
-                         "!#{expr}"
-                       end
-    end
-    def _action_check_expression(action_list)
-      unless action_list.is_a?(Array)
-        action_list = [ action_list.to_s ]
-      end
-      case action_list.size
-      when 0 then "true"
-      when 1 then "(controller.action_name == '#{action_list.first}')"
-      else
-        set_of_actions = "Set.new([" + action_list.map { |act| "'#{act}'"}.join(',')  + "])"
-        "#{set_of_actions}.include?(controller.action_name)"
-      end
-    end
-    VALID_PREPOSITIONS = %w(of for in on at by).freeze unless defined? VALID_PREPOSITIONS
-    def _role_object(options)
-      object = nil
-      VALID_PREPOSITIONS.each do |prep|
-        if options[prep.to_sym]
-          raise ArgumentError, "You may only use one preposition to specify object" if object
-          object = options[prep.to_sym]
-        end
-      end
-      case object
-      when Class
-        object.to_s
-      when Symbol
-        "controller.instance_variable_get('@#{object}')"
-      when nil
-        "nil"
-      else
-        raise ArgumentError, "object specified by preposition can only be a Class or a Symbol"
-      end
-    end
-    def _allowance_check_expression
-      allowed_expr = if @allows.size > 0
-                       @allows.map { |clause| "(#{clause})" }.join(' || ')
-                     else
-                       "false"
-                     end
-      not_denied_expr = if @denys.size > 0
-                          @denys.map { |clause| "!(#{clause})" }.join(' && ')
-                        else
-                          "true"
-                        end
-      [allowed_expr, not_denied_expr].
-        map { |expr| "(#{expr})" }.
-        join(default_action == :deny ? ' && ' : ' || ')
-    end
-  end
-end

data/spec/filter_producer_spec.rb DELETED

@@ -1,707 +0,0 @@
-require File.join(File.dirname(__FILE__), 'spec_helper')
-require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9', 'controller_extensions', 'filter_producer')
-class FakeUser
-  def initialize
-    @roles = {}
-  end
-  def has_role?(role, object = nil)
-    @roles.include?([role.to_s, object])
-  end
-  def <<(role)
-    role = [role] unless role.is_a? Array
-    role << nil if role.size == 1
-    raise unless role[0]
-    role[0] = role[0].to_s
-    @roles[role] = true
-  end
-end
-class FakeFoo; end
-class FakeBar; end
-module PermissionChecks
-  class FakeController
-    attr_reader :current_user, :action_name
-    def initialize(user, *args)
-      @current_user = user
-      @action_name = (args[0] || 'index').to_s
-      ivars = args.last.is_a?(Hash) ? args.last : {}
-      for name, value in ivars
-        instance_variable_set "@#{name}", value
-      end
-    end
-  end
-  def permit(user, *args)
-    run(user, *args).should_not == false
-    self
-  end
-  def forbid(user, *args)
-    begin
-      run(user, *args)
-      raise "User #{user.inspect} was permitted, but should not have been to"
-    rescue Acl9::AccessDenied
-      # ok here
-    end
-    self
-  end
-  def show_code
-    puts "\n", self.to_s
-    self
-  end
-  private
-  def run(user, *args)
-    self.to_proc.call(FakeController.new(user, *args))
-  end
-end
-describe Acl9::FilterProducer do
-  describe "dsl" do
-    before do
-      @user = FakeUser.new
-      @user2 = FakeUser.new
-      @user3 = FakeUser.new
-      @foo = FakeFoo.new
-      @foo2 = FakeFoo.new
-      @foo3 = FakeFoo.new
-    end
-    describe "default" do
-      it "should set default action to deny if none specified" do
-        acl do end.default_action.should == :deny
-      end
-      it "should set default action to allow" do
-        acl do
-          default :allow
-        end.default_action.should == :allow
-      end
-      it "should set default action to deny" do
-        acl do
-          default :deny
-        end.default_action.should == :deny
-      end
-      it "should raise ArgumentError with unknown default_action" do
-        arg_err do
-          default 123
-        end
-      end
-      it "should raise ArgumentError when default is called more than once" do
-        arg_err do
-          default :deny
-          default :deny
-        end
-      end
-    end
-    describe "empty blocks" do
-      it "should deny everyone with default deny" do
-        acl do
-        end.forbid(nil).forbid(@user)
-      end
-      it "should allow everyone with default allow" do
-        acl do
-          default :allow
-        end.permit(nil).permit(@user)
-      end
-    end
-    describe "empty" do
-      it "allow should raise an ArgumentError" do
-        arg_err { allow }
-      end
-      it "deny should raise an ArgumentError" do
-        arg_err { deny }
-      end
-    end
-    describe "anonymous" do
-      it "'allow nil' should allow anonymous, but not logged in" do
-        acl do
-          allow nil
-        end.permit(nil).forbid(@user)
-      end
-      it "'allow anonymous' should allow anonymous, but not logged in" do
-        acl do
-          allow anonymous
-        end.permit(nil).forbid(@user)
-      end
-      it "'deny nil' should deny anonymous, but not logged in" do
-        acl do
-          default :allow
-          deny nil
-        end.forbid(nil).permit(@user)
-      end
-      it "'deny anonymous' should deny anonymous, but not logged in" do
-        acl do
-          default :allow
-          deny anonymous
-        end.forbid(nil).permit(@user)
-      end
-    end
-    describe "all" do
-      it "'allow all' should allow all" do
-        acl do
-          allow all
-        end.permit(nil).permit(@user)
-      end
-      it "'deny all' should deny all" do
-        acl do
-          default :allow
-          deny all
-        end.forbid(nil).forbid(@user)
-      end
-    end
-    describe "default :allow" do
-      it "should allow when neither allow nor deny conditions are matched" do
-        acl do
-          default :allow
-          allow :blah
-          deny :bzz
-        end.permit(nil).permit(@user)
-      end
-      it "should deny when deny is matched, but allow is not" do
-        acl do
-          default :allow
-          deny all
-          allow :blah
-        end.forbid(nil).forbid(@user)
-      end
-      it "should allow when allow is matched, but deny is not" do
-        @user << :cool
-        acl do
-          default :allow
-          deny nil
-          allow :cool
-        end.permit(@user)
-      end
-      it "should allow both allow and deny conditions are matched" do
-        @user << :cool
-        acl do
-          default :allow
-          deny :cool
-          allow :cool
-        end.permit(@user)
-        acl do
-          default :allow
-          deny all
-          allow all
-        end.permit(@user).permit(nil).permit(@user2)
-      end
-    end
-    describe "logged_in" do
-      it "'allow logged_in' should allow logged in, but not anonymous" do
-        acl do
-          allow logged_in
-        end.forbid(nil).permit(@user)
-      end
-      it "'allow logged_in' should deny logged in, but not anonymous" do
-        acl do
-          default :allow
-          deny logged_in
-        end.permit(nil).forbid(@user)
-      end
-    end
-    describe "default :deny" do
-      it "should deny when neither allow nor deny conditions are matched" do
-        acl do
-          default :deny
-          allow :blah
-          deny :bzz
-        end.forbid(nil).forbid(@user)
-      end
-      it "should deny when deny is matched, but allow is not" do
-        acl do
-          default :deny
-          deny all
-          allow :blah
-        end.forbid(nil).forbid(@user)
-      end
-      it "should allow when allow is matched, but deny is not" do
-        @user << :cool
-        acl do
-          default :deny
-          deny nil
-          allow :cool
-        end.permit(@user)
-      end
-      it "should deny both allow and deny conditions are matched" do
-        @user << :cool
-        acl do
-          default :deny
-          deny :cool
-          allow :cool
-        end.forbid(@user)
-        acl do
-          default :deny
-          deny all
-          allow all
-        end.forbid(@user).forbid(nil).forbid(@user2)
-      end
-    end
-    describe "global roles" do
-      it "#allow with role" do
-        @user << :admin
-        acl { allow :admin }.permit(@user).forbid(nil).forbid(@user2)
-      end
-      it "#allow with plural role name" do
-        @user << :mouse
-        acl do
-          allow :mice
-        end.permit(@user).forbid(nil).forbid(@user2)
-      end
-      it "#allow with several roles" do
-        @user << :admin
-        @user << :cool
-        @user2 << :cool
-        @user3 << :super
-        acl do
-          allow :admin
-          allow :cool
-        end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
-      end
-      it "#deny with role" do
-        @user << :foo
-        acl { default :allow; deny :foo }.forbid(@user).permit(nil).permit(@user2)
-      end
-      it "#deny with plural role name" do
-        @user << :mouse
-        acl do
-          default :allow
-          deny :mice
-        end.forbid(@user).permit(nil).permit(@user2)
-      end
-      it "#deny with several roles" do
-        @user << :admin
-        @user << :cool
-        @user2 << :cool
-        @user3 << :super
-        acl do
-          default :allow
-          deny :admin
-          deny :cool
-        end.forbid(@user).forbid(@user2).permit(nil).permit(@user3)
-      end
-    end
-    describe "prepositions" do
-      [:of, :for, :in, :on, :at, :by].each do |prep|
-        it "#allow with object role (:#{prep}) should check controller's ivar" do
-          @user << [:manager, @foo]
-          acl do
-            allow :manager, prep => :foo
-          end.
-          permit(@user, :foo => @foo).
-          forbid(@user, :foo => @foo2).
-          forbid(@user, :foo => FakeFoo).
-          forbid(nil, :foo => @foo).
-          forbid(@user2, :foo => @foo)
-        end
-        it "#allow with invalid value for preposition should raise an ArgumentError" do
-          arg_err do
-            allow :hom, :by => 1
-          end
-        end
-      end
-      it "#allow with a class role should verify this role against a class" do
-        @user << [:owner, FakeFoo]
-        acl do
-          allow :owner, :of => FakeFoo
-        end.permit(@user).forbid(nil).forbid(@user2)
-      end
-      [:of, :for, :in, :on, :at, :by].each do |prep|
-        it "#deny with object role (:#{prep}) should check controller's ivar" do
-          @user << [:bastard, @foo]
-          acl do
-            default :allow
-            deny :bastard, prep => :foo
-          end.
-          forbid(@user, :foo => @foo).
-          permit(@user, :foo => @foo2).
-          permit(@user, :foo => FakeFoo).
-          permit(nil, :foo => @foo).
-          permit(@user2, :foo => @foo)
-        end
-        it "#deny with invalid value for preposition should raise an ArgumentError" do
-          arg_err do
-            deny :her, :for => "him"
-          end
-        end
-      end
-      it "#deny with a class role should verify this role against a class" do
-        @user << [:ignorant, FakeFoo]
-        acl do
-          default :allow
-          deny :ignorant, :of => FakeFoo
-        end.forbid(@user).permit(nil).permit(@user2)
-      end
-      it "#allow with several prepositions should raise an ArgumentError" do
-        arg_err do
-          allow :some, :by => :one, :for => :another
-        end
-      end
-      it "#deny with several prepositions should raise an ArgumentError" do
-        arg_err do
-          deny :some, :in => :here, :on => :today
-        end
-      end
-    end
-    describe ":to and :except" do
-      it "should raise an ArgumentError when both :to and :except are specified" do
-        arg_err do
-          allow all, :to => :index, :except => ['show', 'edit']
-        end
-      end
-      describe do
-        after do
-          %w(index show).each                 { |act| @list.permit(nil, act) }
-          %w(edit update delete destroy).each { |act| @list.forbid(nil, act) }
-          %w(index show edit update).each { |act| @list.permit(@user, act) }
-          %w(delete destroy).each         { |act| @list.forbid(@user, act) }
-          %w(index show edit update delete destroy).each { |act| @list.permit(@user2, act) }
-        end
-        it ":to should limit rule scope to specified actions" do
-          @user << :manager
-          @user2 << :trusted
-          @list = acl do
-            allow all,       :to => [:index, :show]
-            allow 'manager', :to => :edit
-            allow 'manager', :to => 'update'
-            allow 'trusted', :to => %w(edit update delete destroy)
-          end
-        end
-        it ":except should limit rule scope to all actions except specified" do
-          @user << :manager
-          @user2 << :trusted
-          @list = acl do
-            allow all,       :except => %w(edit update delete destroy)
-            allow 'manager', :except => %w(delete destroy)
-            allow 'trusted'
-          end
-        end
-      end
-    end
-    describe "several roles as arguments" do
-      it "#allow should be able to receive a role list (global roles)" do
-        @user << :bzz
-        @user2 << :whoa
-        acl do
-          allow :bzz, :whoa
-        end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
-      end
-      it "#allow should be able to receive a role list (object roles)" do
-        @user << [:maker, @foo]
-        @user2 << [:faker, @foo2]
-        acl do
-          allow :maker, :faker, :of => :foo
-        end.
-        permit(@user, :foo => @foo).
-        forbid(@user, :foo => @foo2).
-        permit(@user2, :foo => @foo2).
-        forbid(@user2, :foo => @foo).
-        forbid(@user3, :foo => @foo).
-        forbid(@user3, :foo => @foo2).
-        forbid(nil)
-      end
-      it "#allow should be able to receive a role list (class roles)" do
-        @user  << [:frooble, FakeFoo]
-        @user2 << [:oombigle, FakeFoo]
-        @user3 << :frooble
-        acl do
-          allow :frooble, :oombigle, :by => FakeFoo
-        end.
-        permit(@user).
-        permit(@user2).
-        forbid(@user3).
-        forbid(nil)
-      end
-      it "#deny should be able to receive a role list (global roles)" do
-        @user << :bzz
-        @user2 << :whoa
-        acl do
-          default :allow
-          deny :bzz, :whoa
-        end.forbid(@user).forbid(@user2).permit(nil).permit(@user3)
-      end
-      it "#deny should be able to receive a role list (object roles)" do
-        @user << [:maker, @foo]
-        @user2 << [:faker, @foo2]
-        @user3 = FakeUser.new
-        acl do
-          default :allow
-          deny :maker, :faker, :of => :foo
-        end.
-        forbid(@user, :foo => @foo).
-        permit(@user, :foo => @foo2).
-        forbid(@user2, :foo => @foo2).
-        permit(@user2, :foo => @foo).
-        permit(@user3, :foo => @foo).
-        permit(@user3, :foo => @foo2).
-        permit(nil)
-      end
-      it "#deny should be able to receive a role list (class roles)" do
-        @user  << [:frooble, FakeFoo]
-        @user2 << [:oombigle, FakeFoo]
-        @user3 << :frooble
-        acl do
-          default :allow
-          deny :frooble, :oombigle, :by => FakeFoo
-        end.
-        forbid(@user).
-        forbid(@user2).
-        permit(@user3).
-        permit(nil)
-      end
-      it "should also respect :to and :except" do
-        class Moo; end
-        @user << :foo
-        @user2 << [:joo, @foo]
-        @user3 << [:qoo, Moo]
-        acl do
-          allow :foo, :boo,              :to => [:index, :show]
-          allow :zoo, :joo, :by => :foo, :to => [:edit, :update]
-          allow :qoo, :woo, :of => Moo
-          deny  :qoo, :woo, :of => Moo,  :except => [:delete, :destroy]
-        end.
-        permit(@user, 'index').
-        permit(@user, 'show').
-        forbid(@user, 'edit').
-        permit(@user2, 'edit', :foo => @foo).
-        permit(@user2, 'update', :foo => @foo).
-        forbid(@user2, 'show', :foo => @foo).
-        forbid(@user2, 'show').
-        permit(@user3, 'delete').
-        permit(@user3, 'destroy').
-        forbid(@user3, 'edit').
-        forbid(@user3, 'show')
-      end
-    end
-    describe "actions block" do
-      it "should raise an ArgumentError when actions has no block" do
-        arg_err do
-          actions :foo, :bar
-        end
-      end
-      it "should raise an ArgumentError when actions has no arguments" do
-        arg_err do
-          actions do end
-        end
-      end
-      it "should raise an ArgumentError when actions is called inside actions block" do
-        arg_err do
-          actions :foo, :bar do
-            actions :foo, :bar do
-            end
-          end
-        end
-      end
-      it "should raise an ArgumentError when default is called inside actions block" do
-        arg_err do
-          actions :foo, :bar do
-            default :allow
-          end
-        end
-      end
-      [:to, :except].each do |opt|
-        it "should raise an ArgumentError when allow is called with #{opt} option" do
-          arg_err do
-            actions :foo do
-              allow all, opt => :bar
-            end
-          end
-        end
-        it "should raise an ArgumentError when deny is called with #{opt} option" do
-          arg_err do
-            actions :foo do
-              deny all, opt => :bar
-            end
-          end
-        end
-      end
-      it "empty actions block should do nothing" do
-        acl do
-          actions :foo do
-          end
-          allow all
-        end.permit(nil).permit(nil, :foo)
-      end
-      it "#allow should limit its scope to specified actions" do
-        @user << :bee
-        acl do
-          actions :edit do
-            allow :bee
-          end
-        end.
-        permit(@user, :edit).
-        forbid(@user, :update)
-      end
-      it "#deny should limit its scope to specified actions" do
-        @user << :bee
-        acl do
-          default :allow
-          actions :edit do
-            deny :bee
-          end
-        end.
-        forbid(@user, :edit).
-        permit(@user, :update)
-      end
-      it "#allow and #deny should work together inside actions block" do
-        @foo = FakeFoo.new
-        @user << [:owner, @foo]
-        @user2 << :hacker
-        @user2 << :the_destroyer
-        @user3 << [:owner, @foo]
-        @user3 << :hacker
-        list = acl do
-          actions :show, :index do
-            allow all
-          end
-          actions :edit, :update do
-            allow :owner, :of => :object
-            deny :hacker
-          end
-          actions :delete, :destroy do
-            allow :owner, :of => :object
-            allow :the_destroyer
-          end
-        end
-        @all_actions = %w(show index edit update delete destroy)
-        permit_some(list, @user,  @all_actions, :object => @foo)
-        permit_some(list, @user2, %w(show index delete destroy))
-        permit_some(list, @user3, %w(show index delete destroy), :object => @foo)
-      end
-    end
-    private
-    def acl(meth = :current_user, &block)
-      producer = Acl9::FilterProducer.new(meth)
-      producer.acl(&block)
-      producer.extend(PermissionChecks)
-      producer
-    end
-    def arg_err(&block)
-      lambda do
-        acl(&block)
-      end.should raise_error(ArgumentError)
-    end
-    def permit_some(list, user, actions, vars = {})
-      actions.each                  { |act| list.permit(user, act, vars) }
-      (@all_actions - actions).each { |act| list.forbid(user, act, vars) }
-    end
-  end
-end