be9-acl9 0.9.1

data/lib/acl9/model_extensions/object.rb

@@ -0,0 +1,27 @@
+module Acl9
+  module ModelExtensions
+    module Object
+      def accepts_role?(role_name, subject)
+        subject.has_role? role_name, self
+      end
+
+      def accepts_role!(role_name, subject)
+        subject.has_role! role_name, self
+      end
+
+      def accepts_no_role!(role_name, subject)
+        subject.has_no_role! role_name, self
+      end
+
+      def accepts_roles_by?(subject)
+        subject.has_roles_for? self
+      end
+
+      alias :accepts_role_by? :accepts_roles_by?
+
+      def accepted_roles_by(subject)
+        subject.roles_for self
+      end
+    end
+  end
+end

data/lib/acl9/model_extensions/subject.rb

@@ -0,0 +1,107 @@
+module Acl9
+  module ModelExtensions
+    module Subject
+      def has_role?(role_name, object = nil)
+        !! if object.nil?
+          self.roles.find_by_name(role_name.to_s) ||
+          self.roles.member?(get_role(role_name, nil))
+        else
+          role = get_role(role_name, object)
+          role && self.roles.exists?(role.id)
+        end
+      end
+
+      def has_role!(role_name, object = nil)
+        role = get_role(role_name, object)
+
+        if role.nil?
+          role_attrs = case object
+                       when Class then { :authorizable_type => object.to_s }
+                       when nil   then {}
+                       else            { :authorizable => object }
+                       end.merge(      { :name => role_name.to_s })
+
+          role = self._auth_role_class.create(role_attrs)          
+        end
+
+        self.roles << role if role && !self.roles.exists?( role.id )
+      end
+
+      def has_no_role!(role_name, object = nil)
+        delete_role(get_role(role_name, object))
+      end
+
+      def has_roles_for?(object)
+        !!self.roles.detect(&role_selecting_lambda(object))
+      end
+
+      alias :has_role_for? :has_roles_for?
+
+      def roles_for(object)
+        self.roles.select(&role_selecting_lambda(object))
+      end
+
+      def has_no_roles_for!(object = nil)
+        roles_for(object).each { |role| delete_role(role) }
+      end
+
+      def has_no_roles!
+        # for some reason simple 
+        #
+        #   self.roles.each { |role| delete_role(role) }
+        #
+        # doesn't work. seems like a bug in ActiveRecord
+        self.roles.map(&:id).each do |role_id|
+          delete_role self._auth_role_class.find(role_id)
+        end
+      end
+
+      private
+
+      def role_selecting_lambda(object)
+        case object
+        when Class
+          lambda { |role| role.authorizable_type == object.to_s }
+        when nil
+          lambda { |role| role.authorizable.nil? }
+        else
+          lambda do |role| 
+            role.authorizable_type == object.class.base_class.to_s && role.authorizable == object 
+          end
+        end
+      end
+
+      def get_role(role_name, object)
+        role_name = role_name.to_s
+
+        cond = case object
+               when Class
+                 [ 'name = ? and authorizable_type = ? and authorizable_id IS NULL', role_name, object.to_s ]
+               when nil
+                 [ 'name = ? and authorizable_type IS NULL and authorizable_id IS NULL', role_name ]
+               else
+                 [ 
+                   'name = ? and authorizable_type = ? and authorizable_id = ?',
+                   role_name, object.class.base_class.to_s, object.id 
+                 ]
+               end
+
+        self._auth_role_class.first :conditions => cond
+      end
+
+      def delete_role(role) 
+        if role
+          self.roles.delete role
+
+          role.destroy if role.users.empty?
+        end
+      end
+
+      protected
+
+      def _auth_role_class
+        self.class._auth_role_class_name.constantize
+      end
+    end
+  end
+end

data/lib/acl9/version.rb

@@ -0,0 +1,54 @@
+module Acl9 # :nodoc:
+  # = Version
+  #
+  # A class for describing the current version of a library. The version
+  # consists of three parts: the +major+ number, the +minor+ number, and the
+  # +tiny+ (or +patch+) number.
+  class Version
+    
+    include Comparable
+  
+    # A convenience method for instantiating a new Version instance with the
+    # given +major+, +minor+, and +tiny+ components.
+    def self.[](major, minor, tiny)
+      new(major, minor, tiny)
+    end
+
+    attr_reader :major, :minor, :tiny
+
+    # Create a new Version object with the given components.
+    def initialize(major, minor, tiny)
+      @major, @minor, @tiny = major, minor, tiny
+    end
+
+    # Compare this version to the given +version+ object.
+    def <=>(version)
+      to_i <=> version.to_i
+    end
+
+    # Converts this version object to a string, where each of the three
+    # version components are joined by the '.' character. E.g., 2.0.0.
+    def to_s
+      @to_s ||= [@major, @minor, @tiny].join(".")
+    end
+
+    # Converts this version to a canonical integer that may be compared
+    # against other version objects.
+    def to_i
+      @to_i ||= @major * 1_000_000 + @minor * 1_000 + @tiny
+    end
+    
+    def to_a
+      [@major, @minor, @tiny]
+    end
+
+    MAJOR = 0
+    MINOR = 9
+    TINY  = 1
+
+    # The current version as a Version instance
+    CURRENT = new(MAJOR, MINOR, TINY)
+    # The current version as a String
+    STRING = CURRENT.to_s
+  end
+end

data/spec/access_control_spec.rb

@@ -0,0 +1,185 @@
+require File.join(File.dirname(__FILE__), 'spec_helper')
+require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9')
+
+class EmptyController < ActionController::Base
+  attr_accessor :current_user
+  before_filter :set_current_user
+
+  [:index, :show, :new, :edit, :update, :delete, :destroy].each do |act|
+    define_method(act) {}
+  end
+  
+  private
+
+  def set_current_user
+    if params[:user]
+      self.current_user = params[:user]
+    end
+  end
+end
+
+class Admin
+  def has_role?(role, obj = nil)
+    role == "admin"
+  end
+end
+
+# all these controllers behave the same way
+
+class AccessControllingController1 < EmptyController
+  access_control do
+    allow all, :to => [:index, :show]
+    allow :admin
+  end
+end
+
+class AccessControllingController2 < EmptyController
+  access_control :as_method => :acl do
+    allow all, :to => [:index, :show]
+    allow :admin, :except => [:index, :show]
+  end
+end
+
+class AccessControllingController3 < EmptyController
+  access_control :except => [:index, :show] do
+    allow :admin
+  end
+end
+
+class AccessControllingController4 < EmptyController
+  access_control :as_method => :acl, :filter => false do
+    allow all, :to => [:index, :show]
+    allow :admin
+  end
+
+  before_filter :check_acl
+
+  def check_acl
+    if self.acl
+      true
+    else 
+      raise Acl9::AccessDenied
+    end
+  end
+end
+
+describe "permit anonymous to index and show and admin everywhere else", :shared => true do
+  [:index, :show].each do |act|
+    it "should permit anonymous to #{act}" do
+      get act 
+    end
+  end
+
+  [:new, :edit, :update, :delete, :destroy].each do |act|
+    it "should forbid anonymous to #{act}" do
+      lambda do
+        get act 
+      end.should raise_error(Acl9::AccessDenied)
+    end
+  end
+  
+  [:index, :show, :new, :edit, :update, :delete, :destroy].each do |act|
+    it "should permit admin to #{act}" do
+      get act, :user => Admin.new
+    end
+  end
+end
+
+describe AccessControllingController1, :type => :controller do
+  it_should_behave_like "permit anonymous to index and show and admin everywhere else"
+end
+
+describe AccessControllingController2, :type => :controller do
+  it "should add :acl as a method" do
+    controller.should respond_to(:acl)
+  end
+
+  it_should_behave_like "permit anonymous to index and show and admin everywhere else"
+end
+
+describe AccessControllingController3, :type => :controller do
+  it_should_behave_like "permit anonymous to index and show and admin everywhere else"
+end
+
+describe AccessControllingController4, :type => :controller do
+  it_should_behave_like "permit anonymous to index and show and admin everywhere else"
+end
+
+class MyDearFoo
+  include Singleton
+end
+
+class VenerableBar; end
+
+class AccessControllingController5 < EmptyController
+  before_filter :set_ivars
+
+  access_control do
+    action :destroy do
+      allow :owner, :of => :foo
+      allow :bartender, :at => VenerableBar
+    end
+  end
+
+  private
+
+  def set_ivars
+    @foo = MyDearFoo.instance
+  end
+end
+
+describe AccessControllingController5, :type => :controller do
+  class OwnerOfFoo
+    def has_role?(role, obj)
+      role == 'owner' && obj == MyDearFoo.instance
+    end
+  end
+  
+  class Bartender
+    def has_role?(role, obj)
+      role == 'bartender' && obj == VenerableBar
+    end
+  end
+
+  it "should allow owner of foo to destroy" do
+    delete :destroy, :user => OwnerOfFoo.new
+  end
+  
+  it "should allow bartender to destroy" do
+    delete :destroy, :user => Bartender.new
+  end
+end
+
+class TheOnlyUser 
+  include Singleton
+
+  def has_role?(role, subj)
+    role == "the_only_one"
+  end
+end
+
+class AccessControllingController6 < ActionController::Base
+  access_control :subject_method => :the_only_user do
+    allow :the_only_one
+  end
+
+  def index; end
+
+  private
+
+  def the_only_user
+    params[:user]
+  end
+end
+
+describe AccessControllingController6, :type => :controller do
+  it "should allow the only user to index" do
+    get :index, :user => TheOnlyUser.instance
+  end
+  
+  it "should deny anonymous to index" do
+    lambda do
+      get :index
+    end.should raise_error(Acl9::AccessDenied)
+  end
+end

data/spec/db/schema.rb

@@ -0,0 +1,47 @@
+ActiveRecord::Schema.define(:version => 0) do
+  create_table "roles", :force => true do |t|
+    t.string   "name",              :limit => 40
+    t.string   "authorizable_type", :limit => 40
+    t.integer  "authorizable_id"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+  
+  create_table "another_roles", :force => true do |t|
+    t.string   "name",              :limit => 40
+    t.string   "authorizable_type", :limit => 40
+    t.integer  "authorizable_id"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  create_table "users", :force => true do |t| end
+  create_table "another_subjects", :force => true do |t| end
+
+  create_table "roles_users", :id => false, :force => true do |t|
+    t.integer  "user_id"
+    t.integer  "role_id"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  create_table "another_roles_another_subjects", :id => false, :force => true do |t|
+    t.integer  "another_subject_id"
+    t.integer  "another_role_id"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+  create_table "foos", :force => true do |t|
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  create_table "bars", :force => true do |t|
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+  create_table "foo_bars", :force => true do |t|
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+end

data/spec/filter_producer_spec.rb

@@ -0,0 +1,707 @@
+require File.join(File.dirname(__FILE__), 'spec_helper')
+require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9', 'controller_extensions', 'filter_producer')
+
+class FakeUser
+  def initialize
+    @roles = {}
+  end
+
+  def has_role?(role, object = nil)
+    @roles.include?([role.to_s, object])
+  end
+
+  def <<(role)
+    role = [role] unless role.is_a? Array
+
+    role << nil if role.size == 1
+    raise unless role[0]
+
+    role[0] = role[0].to_s
+
+    @roles[role] = true
+  end
+end
+
+class FakeFoo; end
+class FakeBar; end
+
+module PermissionChecks
+  class FakeController
+    attr_reader :current_user, :action_name
+    
+    def initialize(user, *args)
+      @current_user = user
+      @action_name = (args[0] || 'index').to_s
+
+      ivars = args.last.is_a?(Hash) ? args.last : {}
+
+      for name, value in ivars
+        instance_variable_set "@#{name}", value
+      end
+    end
+  end
+
+  def permit(user, *args)
+    run(user, *args).should_not == false
+
+    self
+  end
+
+  def forbid(user, *args)
+    begin
+      run(user, *args)  
+
+      raise "User #{user.inspect} was permitted, but should not have been to"
+    rescue Acl9::AccessDenied
+      # ok here
+    end
+
+    self
+  end
+
+  def show_code
+    puts "\n", self.to_s
+    self
+  end
+
+  private
+
+  def run(user, *args)
+    self.to_proc.call(FakeController.new(user, *args))
+  end
+
+end
+
+describe Acl9::FilterProducer do
+  describe "dsl" do
+    before do
+      @user = FakeUser.new
+      @user2 = FakeUser.new
+      @user3 = FakeUser.new
+      @foo = FakeFoo.new
+      @foo2 = FakeFoo.new
+      @foo3 = FakeFoo.new
+    end
+
+    describe "default" do
+      it "should set default action to deny if none specified" do
+        acl do end.default_action.should == :deny 
+      end
+      
+      it "should set default action to allow" do
+        acl do 
+          default :allow
+        end.default_action.should == :allow
+      end
+      
+      it "should set default action to deny" do
+        acl do 
+          default :deny
+        end.default_action.should == :deny
+      end
+      
+      it "should raise ArgumentError with unknown default_action" do
+        arg_err do 
+          default 123
+        end
+      end
+      
+      it "should raise ArgumentError when default is called more than once" do
+        arg_err do 
+          default :deny
+          default :deny
+        end
+      end
+    end
+
+    describe "empty blocks" do
+      it "should deny everyone with default deny" do
+        acl do
+        end.forbid(nil).forbid(@user)
+      end
+      
+      it "should allow everyone with default allow" do
+        acl do
+          default :allow
+        end.permit(nil).permit(@user)
+      end
+    end
+
+    describe "empty" do
+      it "allow should raise an ArgumentError" do
+        arg_err { allow }
+      end
+      
+      it "deny should raise an ArgumentError" do
+        arg_err { deny }
+      end
+    end
+
+    describe "anonymous" do
+      it "'allow nil' should allow anonymous, but not logged in" do
+        acl do
+          allow nil
+        end.permit(nil).forbid(@user)
+      end
+      
+      it "'allow anonymous' should allow anonymous, but not logged in" do
+        acl do
+          allow anonymous
+        end.permit(nil).forbid(@user)
+      end
+      
+      it "'deny nil' should deny anonymous, but not logged in" do
+        acl do
+          default :allow
+          deny nil
+        end.forbid(nil).permit(@user)
+      end
+      
+      it "'deny anonymous' should deny anonymous, but not logged in" do
+        acl do
+          default :allow
+          deny anonymous
+        end.forbid(nil).permit(@user)
+      end
+    end
+
+    describe "all" do
+      it "'allow all' should allow all" do
+        acl do
+          allow all
+        end.permit(nil).permit(@user)
+      end
+      
+      it "'deny all' should deny all" do
+        acl do
+          default :allow
+          deny all
+        end.forbid(nil).forbid(@user)
+      end
+    end
+
+    describe "default :allow" do
+      it "should allow when neither allow nor deny conditions are matched" do
+        acl do
+          default :allow
+          allow :blah
+          deny :bzz
+        end.permit(nil).permit(@user)
+      end
+      
+      it "should deny when deny is matched, but allow is not" do
+        acl do
+          default :allow
+          deny all
+          allow :blah
+        end.forbid(nil).forbid(@user)
+      end
+      
+      it "should allow when allow is matched, but deny is not" do
+        @user << :cool
+        acl do
+          default :allow
+          deny nil
+          allow :cool
+        end.permit(@user)
+      end
+      
+      it "should allow both allow and deny conditions are matched" do
+        @user << :cool
+        acl do
+          default :allow
+          deny :cool
+          allow :cool
+        end.permit(@user)
+        
+        acl do
+          default :allow
+          deny all
+          allow all
+        end.permit(@user).permit(nil).permit(@user2)
+      end
+    end
+   
+    describe "logged_in" do
+      it "'allow logged_in' should allow logged in, but not anonymous" do
+        acl do
+          allow logged_in
+        end.forbid(nil).permit(@user)
+      end
+      
+      it "'allow logged_in' should deny logged in, but not anonymous" do
+        acl do
+          default :allow
+          deny logged_in
+        end.permit(nil).forbid(@user)
+      end
+    end
+
+    describe "default :deny" do
+      it "should deny when neither allow nor deny conditions are matched" do
+        acl do
+          default :deny
+          allow :blah
+          deny :bzz
+        end.forbid(nil).forbid(@user)
+      end
+      
+      it "should deny when deny is matched, but allow is not" do
+        acl do
+          default :deny
+          deny all
+          allow :blah
+        end.forbid(nil).forbid(@user)
+      end
+      
+      it "should allow when allow is matched, but deny is not" do
+        @user << :cool
+        acl do
+          default :deny
+          deny nil
+          allow :cool
+        end.permit(@user)
+      end
+      
+      it "should deny both allow and deny conditions are matched" do
+        @user << :cool
+        acl do
+          default :deny
+          deny :cool
+          allow :cool
+        end.forbid(@user)
+        
+        acl do
+          default :deny
+          deny all
+          allow all
+        end.forbid(@user).forbid(nil).forbid(@user2)
+      end
+    end
+
+    describe "global roles" do
+      it "#allow with role" do
+        @user << :admin
+
+        acl { allow :admin }.permit(@user).forbid(nil).forbid(@user2)
+      end
+      
+      it "#allow with plural role name" do
+        @user << :mouse
+
+        acl do
+          allow :mice
+        end.permit(@user).forbid(nil).forbid(@user2)
+      end
+
+      it "#allow with several roles" do
+        @user << :admin
+        @user << :cool
+
+        @user2 << :cool
+
+        @user3 << :super
+
+        acl do
+          allow :admin
+          allow :cool
+        end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
+      end
+      
+      it "#deny with role" do
+        @user << :foo
+
+        acl { default :allow; deny :foo }.forbid(@user).permit(nil).permit(@user2)
+      end
+      
+      it "#deny with plural role name" do
+        @user << :mouse
+
+        acl do
+          default :allow
+          deny :mice
+        end.forbid(@user).permit(nil).permit(@user2)
+      end
+
+      it "#deny with several roles" do
+        @user << :admin
+        @user << :cool
+
+        @user2 << :cool
+
+        @user3 << :super
+
+        acl do
+          default :allow
+          deny :admin
+          deny :cool
+        end.forbid(@user).forbid(@user2).permit(nil).permit(@user3)
+      end
+    end
+
+    describe "prepositions" do
+      [:of, :for, :in, :on, :at, :by].each do |prep|
+        it "#allow with object role (:#{prep}) should check controller's ivar" do
+          @user << [:manager, @foo]
+
+          acl do
+            allow :manager, prep => :foo
+          end.
+          permit(@user, :foo => @foo).
+          forbid(@user, :foo => @foo2).
+          forbid(@user, :foo => FakeFoo).
+          forbid(nil, :foo => @foo).
+          forbid(@user2, :foo => @foo)
+        end
+
+        it "#allow with invalid value for preposition should raise an ArgumentError" do
+          arg_err do
+            allow :hom, :by => 1
+          end
+        end
+      end
+
+      it "#allow with a class role should verify this role against a class" do
+        @user << [:owner, FakeFoo]
+
+        acl do
+          allow :owner, :of => FakeFoo
+        end.permit(@user).forbid(nil).forbid(@user2)
+      end
+      
+      [:of, :for, :in, :on, :at, :by].each do |prep|
+        it "#deny with object role (:#{prep}) should check controller's ivar" do
+          @user << [:bastard, @foo]
+
+          acl do
+            default :allow
+            deny :bastard, prep => :foo
+          end.
+          forbid(@user, :foo => @foo).
+          permit(@user, :foo => @foo2).
+          permit(@user, :foo => FakeFoo).
+          permit(nil, :foo => @foo).
+          permit(@user2, :foo => @foo)
+        end
+        
+        it "#deny with invalid value for preposition should raise an ArgumentError" do
+          arg_err do
+            deny :her, :for => "him"
+          end
+        end
+      end
+
+      it "#deny with a class role should verify this role against a class" do
+        @user << [:ignorant, FakeFoo]
+
+        acl do
+          default :allow
+          deny :ignorant, :of => FakeFoo
+        end.forbid(@user).permit(nil).permit(@user2)
+      end
+
+      it "#allow with several prepositions should raise an ArgumentError" do
+        arg_err do
+          allow :some, :by => :one, :for => :another
+        end
+      end
+
+      it "#deny with several prepositions should raise an ArgumentError" do
+        arg_err do
+          deny :some, :in => :here, :on => :today
+        end
+      end
+    end
+
+    describe ":to and :except" do
+      it "should raise an ArgumentError when both :to and :except are specified" do
+        arg_err do
+          allow all, :to => :index, :except => ['show', 'edit']
+        end
+      end
+
+      describe do
+        after do
+          %w(index show).each                 { |act| @list.permit(nil, act) }
+          %w(edit update delete destroy).each { |act| @list.forbid(nil, act) }
+          
+          %w(index show edit update).each { |act| @list.permit(@user, act) }
+          %w(delete destroy).each         { |act| @list.forbid(@user, act) }
+
+          %w(index show edit update delete destroy).each { |act| @list.permit(@user2, act) }
+        end
+
+        it ":to should limit rule scope to specified actions" do
+          @user << :manager
+          @user2 << :trusted
+
+          @list = acl do
+            allow all,       :to => [:index, :show]
+
+            allow 'manager', :to => :edit
+            allow 'manager', :to => 'update'
+            allow 'trusted', :to => %w(edit update delete destroy)
+          end
+        end
+        
+        it ":except should limit rule scope to all actions except specified" do
+          @user << :manager
+          @user2 << :trusted
+
+          @list = acl do
+            allow all,       :except => %w(edit update delete destroy)
+
+            allow 'manager', :except => %w(delete destroy)
+            allow 'trusted'
+          end
+        end
+      end
+    end
+
+    describe "several roles as arguments" do
+      it "#allow should be able to receive a role list (global roles)" do
+        @user << :bzz
+        @user2 << :whoa
+
+        acl do
+          allow :bzz, :whoa
+        end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
+      end
+      
+      it "#allow should be able to receive a role list (object roles)" do
+        @user << [:maker, @foo]
+        @user2 << [:faker, @foo2]
+
+        acl do
+          allow :maker, :faker, :of => :foo
+        end.
+        permit(@user, :foo => @foo).
+        forbid(@user, :foo => @foo2).
+        permit(@user2, :foo => @foo2).
+        forbid(@user2, :foo => @foo).
+        forbid(@user3, :foo => @foo).
+        forbid(@user3, :foo => @foo2).
+        forbid(nil)
+      end
+      
+      it "#allow should be able to receive a role list (class roles)" do
+        @user  << [:frooble, FakeFoo]
+        @user2 << [:oombigle, FakeFoo]
+        @user3 << :frooble
+
+        acl do
+          allow :frooble, :oombigle, :by => FakeFoo
+        end.
+        permit(@user).
+        permit(@user2).
+        forbid(@user3).
+        forbid(nil)
+      end
+      
+      it "#deny should be able to receive a role list (global roles)" do
+        @user << :bzz
+        @user2 << :whoa
+
+        acl do
+          default :allow
+          deny :bzz, :whoa
+        end.forbid(@user).forbid(@user2).permit(nil).permit(@user3)
+      end
+      
+      it "#deny should be able to receive a role list (object roles)" do
+        @user << [:maker, @foo]
+        @user2 << [:faker, @foo2]
+        @user3 = FakeUser.new
+
+        acl do
+          default :allow
+          deny :maker, :faker, :of => :foo
+        end.
+        forbid(@user, :foo => @foo).
+        permit(@user, :foo => @foo2).
+        forbid(@user2, :foo => @foo2).
+        permit(@user2, :foo => @foo).
+        permit(@user3, :foo => @foo).
+        permit(@user3, :foo => @foo2).
+        permit(nil)
+      end
+      
+      it "#deny should be able to receive a role list (class roles)" do
+        @user  << [:frooble, FakeFoo]
+        @user2 << [:oombigle, FakeFoo]
+        @user3 << :frooble
+
+        acl do
+          default :allow
+          deny :frooble, :oombigle, :by => FakeFoo
+        end.
+        forbid(@user).
+        forbid(@user2).
+        permit(@user3).
+        permit(nil)
+      end
+
+      it "should also respect :to and :except" do
+        class Moo; end
+
+        @user << :foo
+        @user2 << [:joo, @foo]
+        @user3 << [:qoo, Moo]
+
+        acl do
+          allow :foo, :boo,              :to => [:index, :show]
+          allow :zoo, :joo, :by => :foo, :to => [:edit, :update]
+          allow :qoo, :woo, :of => Moo
+          deny  :qoo, :woo, :of => Moo,  :except => [:delete, :destroy]
+        end.
+        permit(@user, 'index').
+        permit(@user, 'show').
+        forbid(@user, 'edit').
+        permit(@user2, 'edit', :foo => @foo).
+        permit(@user2, 'update', :foo => @foo).
+        forbid(@user2, 'show', :foo => @foo).
+        forbid(@user2, 'show').
+        permit(@user3, 'delete').
+        permit(@user3, 'destroy').
+        forbid(@user3, 'edit').
+        forbid(@user3, 'show')
+      end
+    end
+
+    describe "actions block" do
+      it "should raise an ArgumentError when actions has no block" do
+        arg_err do
+          actions :foo, :bar
+        end
+      end
+      
+      it "should raise an ArgumentError when actions has no arguments" do
+        arg_err do
+          actions do end
+        end
+      end
+      
+      it "should raise an ArgumentError when actions is called inside actions block" do
+        arg_err do
+          actions :foo, :bar do 
+            actions :foo, :bar do
+            end
+          end
+        end
+      end
+      
+      it "should raise an ArgumentError when default is called inside actions block" do
+        arg_err do
+          actions :foo, :bar do 
+            default :allow
+          end
+        end
+      end
+
+      [:to, :except].each do |opt|
+        it "should raise an ArgumentError when allow is called with #{opt} option" do
+          arg_err do
+            actions :foo do 
+              allow all, opt => :bar
+            end
+          end
+        end
+        
+        it "should raise an ArgumentError when deny is called with #{opt} option" do
+          arg_err do
+            actions :foo do 
+              deny all, opt => :bar
+            end
+          end
+        end
+      end
+
+      it "empty actions block should do nothing" do
+        acl do
+          actions :foo do
+          end
+
+          allow all
+        end.permit(nil).permit(nil, :foo)
+      end
+
+      it "#allow should limit its scope to specified actions" do
+        @user << :bee
+
+        acl do
+          actions :edit do
+            allow :bee
+          end
+        end.
+        permit(@user, :edit).
+        forbid(@user, :update)
+      end
+
+      it "#deny should limit its scope to specified actions" do
+        @user << :bee
+
+        acl do
+          default :allow
+          actions :edit do
+            deny :bee
+          end
+        end.
+        forbid(@user, :edit).
+        permit(@user, :update)
+      end
+
+      it "#allow and #deny should work together inside actions block" do
+        @foo = FakeFoo.new
+        @user << [:owner, @foo]
+        @user2 << :hacker
+        @user2 << :the_destroyer
+        @user3 << [:owner, @foo]
+        @user3 << :hacker
+
+        list = acl do
+          actions :show, :index do
+            allow all
+          end
+
+          actions :edit, :update do
+            allow :owner, :of => :object
+            deny :hacker
+          end
+
+          actions :delete, :destroy do
+            allow :owner, :of => :object
+            allow :the_destroyer
+          end
+        end
+
+        @all_actions = %w(show index edit update delete destroy)
+
+        permit_some(list, @user,  @all_actions, :object => @foo)
+        permit_some(list, @user2, %w(show index delete destroy))
+        permit_some(list, @user3, %w(show index delete destroy), :object => @foo)
+      end
+    end
+
+    private
+
+    def acl(meth = :current_user, &block)
+      producer = Acl9::FilterProducer.new(meth)
+      producer.acl(&block)
+      
+      producer.extend(PermissionChecks)
+
+      producer
+    end
+
+    def arg_err(&block)
+      lambda do
+        acl(&block)
+      end.should raise_error(ArgumentError)
+    end
+
+    def permit_some(list, user, actions, vars = {})
+      actions.each                  { |act| list.permit(user, act, vars) }
+      (@all_actions - actions).each { |act| list.forbid(user, act, vars) }
+    end
+  end
+end