cbac 0.6.5 → 0.6.7

data/lib/generators/cbac/copy_files/views/permissions/index.html.erb

@@ -1,7 +1,7 @@
 <div class="cbac">
 
   <h2>Subset:</h2>
-  <form action="<%= request.request_uri %>" method="get" name="subset_view_form">
+  <form action="<%= request.url %>" method="get" name="subset_view_form">
     <b>Privilege set</b> starts with: <input type="text" name="priv_substr" value="<%= params[:priv_substr] %>" /><br />
     <b>Role</b> starts with: <input type="text" name="role_substr" value="<%= params[:role_substr] %>" /><br/>
     <input type="submit" value="Submit" />

data/spec/cbac_authorization_check_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+require 'cbac'
+
+require_relative './fixtures/controllers/dating/daughter_controller'
+
+# create a fake controller with some actions
+describe Cbac do
+  describe :authorization_check do
+    include Cbac
+
+    before :all do
+      @controller = Dating::DaughterController.new
+
+      # define a set of privileges
+      Cbac::PrivilegeSet.add :go_out_with_daughter,      "Allows users to perform the actions nested in this privilege set"
+        # add some privileges to the given set
+        Privilege.resource :go_out_with_daughter,  "dating/daughter_controller/take_to_dinner", :post
+        Privilege.resource :go_out_with_daughter,  "dating/daughter_controller/bring_home", :post
+
+      # define a context role that can be evaluated when one of the privileges is invoked
+      ContextRole.add :suitable_boyfriend do |context|
+        context.send(:candidate).brought_flowers?
+      end
+
+      # allow any 'suitable_boyfriend' to invoke Privileges in the 'go_out_with_daughter' PrivilegeSet
+      Cbac::Permission.create(
+        :context_role => 'suitable_boyfriend',
+        :privilege_set_id => Cbac::PrivilegeSetRecord.where(
+          :name => 'go_out_with_daughter'
+        ).first.id
+      )
+    end
+
+    context "when a user attempts to invoke the action" do
+      before :each do
+        @controller.request = ActionDispatch::TestRequest.new
+        @controller.request.request_method = 'POST'
+
+        @controller.params = {
+          :controller => "dating/daughter_controller",
+          :action => "take_to_dinner"
+        }
+      end
+
+      context "and the contextual requirements are fulfilled" do
+        before :each do
+          ideal_son_in_law = mock('user', :brought_flowers? => true)
+          @controller.stub(:candidate).and_return(ideal_son_in_law)
+        end
+
+        specify "the action is invoked" do
+          @controller.authorize.should == true
+        end
+      end
+
+      context "and the contextual requirements are not fulfilled" do
+        before :each do
+          some_punk = mock('user', :brought_flowers? => false)
+          @controller.stub(:candidate).and_return(some_punk)
+        end
+
+        specify "the action is blocked" do
+          @controller.should_receive(:unauthorized)
+
+          @controller.authorize
+        end
+      end
+    end
+  end
+end

data/spec/cbac_pristine_file_spec.rb

@@ -1,18 +1,13 @@
-require 'spec'
-require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
-require 'cbac/cbac_pristine/pristine'
-require 'cbac/cbac_pristine/pristine_permission'
-require 'cbac/cbac_pristine/pristine_role'
-require 'cbac/cbac_pristine/pristine_file'
+require 'spec_helper'
+
 include Cbac::CbacPristine
 
 describe "CbacPristineFile" do
   before(:each) do
-      @pristine_file = PristineFile.new("cbac.pristine")
+    @pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
   end
 
   describe "indicate if a line looks like a pristine line" do
-    
     it "should indicate that a ruby style comment line is not a pristine line" do
       comment_line = "#this is a comment line in Ruby"
 
@@ -68,7 +63,7 @@ describe "CbacPristineFile" do
       privilege_set_name = "chat"
       line = "0:+:PrivilegeSet(#{privilege_set_name})Admin()"
 
-      @pristine_file.parse_privilege_set_name(line, 0).should == privilege_set_name      
+      @pristine_file.parse_privilege_set_name(line, 0).should == privilege_set_name
     end
 
     it "should fail if an invalid line is provided" do
@@ -142,7 +137,7 @@ describe "CbacPristineFile" do
 
 
     it "should return a generic role if a generic pristine file is used" do
-      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      @pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
       line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
 
       @pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:generic]
@@ -150,7 +145,7 @@ describe "CbacPristineFile" do
 
     it "should return an existing generic role if use_db is not specified" do
       generic_role_name = 'group_admins'
-      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      @pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
       line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
       existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
 
@@ -159,7 +154,7 @@ describe "CbacPristineFile" do
 
     it "should not use an existing role if use_db is set to false" do
       generic_role_name = 'group_admins'
-      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      @pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
       line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
       existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
 
@@ -167,7 +162,7 @@ describe "CbacPristineFile" do
     end
 
     it "should fail if an Admin role is used in a generic pristine file" do
-      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      @pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
       line = "0:+:PrivilegeSet(chat)Admin()"
 
       proc{
@@ -176,7 +171,7 @@ describe "CbacPristineFile" do
     end
 
     it "should fail if an context role is used in a generic pristine file" do
-      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      @pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
       line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
 
       proc{
@@ -185,7 +180,7 @@ describe "CbacPristineFile" do
     end
 
     it "should fail if an invalid line is provided in a generic pristine file" do
-      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      @pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
       line = "0:+:PrivilegeSet(toeteraars)"
 
       proc{
@@ -195,14 +190,13 @@ describe "CbacPristineFile" do
   end
 
   describe "parsing a cbac_pristine file" do
-
     it "should fail if a row number is used twice" do
       pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
       pristine_file_lines.push("0:+:PrivilegeSet(log_in)ContextRole(everybody)")
-      
+
       File.stub!(:open).and_return(pristine_file_lines)
 
-      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
 
       proc{
         pristine_file.parse
@@ -216,7 +210,7 @@ describe "CbacPristineFile" do
 
       File.stub!(:open).and_return(pristine_file_lines)
 
-      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
       pristine_file.parse
 
       pristine_file.permissions.length.should == pristine_file_lines.length
@@ -229,7 +223,7 @@ describe "CbacPristineFile" do
 
       File.stub!(:open).and_return(pristine_file_lines)
 
-      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
       pristine_file.parse
 
       pristine_file.permissions.length.should == 2
@@ -242,7 +236,7 @@ describe "CbacPristineFile" do
 
       File.stub!(:open).and_return(pristine_file_lines)
 
-      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
       pristine_file.parse
 
       pristine_file.permissions.length.should == 3
@@ -256,7 +250,7 @@ describe "CbacPristineFile" do
 
       File.stub!(:open).and_return(pristine_file_lines)
 
-      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
       proc{
         pristine_file.parse
       }.should raise_error(SyntaxError)
@@ -266,7 +260,7 @@ describe "CbacPristineFile" do
       pristine_file_lines = ["0:x:PrivilegeSet(chat)ContextRole(logged_in_user)"]
       File.stub!(:open).and_return(pristine_file_lines)
 
-      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
       proc{
         pristine_file.parse
       }.should raise_error(NotImplementedError)
@@ -276,7 +270,7 @@ describe "CbacPristineFile" do
       pristine_file_lines = ["0:=>:PrivilegeSet(chat)ContextRole(logged_in_user)"]
       File.stub!(:open).and_return(pristine_file_lines)
 
-      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
       proc{
         pristine_file.parse
       }.should raise_error(NotImplementedError)
@@ -287,7 +281,7 @@ describe "CbacPristineFile" do
     before(:each) do
       @context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
       @admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin],:name => "administrator")
-      @pristine_file = PristineFile.new("cbac.pristine")
+      @pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
     end
 
     it "should filter out the permissions which were revoked" do
@@ -324,7 +318,6 @@ describe "CbacPristineFile" do
       proc {
         @pristine_file.permission_set
       }.should raise_error(ArgumentError)
-
     end
   end
-end
+end

data/spec/cbac_pristine_permission_spec.rb

@@ -1,75 +1,67 @@
-
-require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
-require 'spec'
-require '../lib/cbac/cbac_pristine/pristine'
-require '../lib/cbac/cbac_pristine/pristine_role'
-require '../lib/cbac/cbac_pristine/pristine_permission'
+require 'spec_helper'
 
 include Cbac::CbacPristine
 
 describe "CbacPristinePermission" do
-
-
   describe "convert pristine line to a yml fixture" do
     before(:each) do
-      @context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
       @admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
+      @context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "chat_starter")
     end
 
-
     it "should raise an error if the pristine line has no role" do
-      pristine_permission =  PristinePermission.new(:line_number => 1, :privilege_set_name => 'log_in', :pristine_role =>  nil)
-      lambda{
+      pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => 'log_in', :pristine_role =>  nil)
+      lambda {
         pristine_permission.to_yml_fixture
       }.should raise_error(ArgumentError)
     end
 
     it "should raise an error if the pristine line has no privilege_set_name" do
-      pristine_permission =  PristinePermission.new(:line_number => 1, :privilege_set_name => "", :pristine_role => @context_role)
-      lambda{
+      pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "", :pristine_role => @context_role)
+      lambda {
         pristine_permission.to_yml_fixture
       }.should raise_error(ArgumentError)
     end
 
     it "should return a yml string starting with cbac_permission_ " do
-      pristine_permission =  PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
+      pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
 
       pristine_permission.to_yml_fixture.should match(/\Acbac_permission_/)
     end
 
     it "should return a yml string containing the line number of the pristine line" do
       line_number= 100
-      pristine_permission =  PristinePermission.new(:line_number => line_number, :privilege_set_name => "chat", :pristine_role => @context_role)
+      pristine_permission = PristinePermission.new(:line_number => line_number, :privilege_set_name => "chat", :pristine_role => @context_role)
 
       pristine_permission.to_yml_fixture.should match(/id: #{line_number}/)
     end
 
     it "should return a yml string containing a generic role id of 0 if a context_role is used" do
-      pristine_permission =  PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
+      pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
 
       pristine_permission.to_yml_fixture.should match(/generic_role_id: 0/)
     end
 
     it "should return a yml string containing the name of the context role if a context_role is used" do
-      pristine_permission =  PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
+      pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
 
       pristine_permission.to_yml_fixture.should match(/context_role: #{@context_role.name}/)
     end
 
     it "should return a yml string containing the id of the generic role if a generic role is used" do
-      pristine_permission =  PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @admin_role)
+      pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @admin_role)
 
       pristine_permission.to_yml_fixture.should match(/generic_role_id: #{@admin_role.id.to_s}/)
     end
 
     it "should return a yml string containing ruby code to find the privilege set by name" do
-      pristine_permission =  PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
+      pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
 
       pristine_permission.to_yml_fixture.should match(/privilege_set_id: \<%= Cbac::PrivilegeSetRecord.find\(:first, :conditions => \{:name => '#{pristine_permission.privilege_set_name}'\}\)\.id %>/)
     end
 
     it "should return a yml string containing created_at and updated_at" do
-      pristine_permission =  PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
+      pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
       pristine_permission.to_yml_fixture.should match(/created_at:.+updated_at:/m)
     end
   end
@@ -85,8 +77,8 @@ describe "CbacPristinePermission" do
 
     it "should return true if the pristine permission exists as generic cbac permission in the database" do
       Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => @admin_role.id)
-      
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
+
+      pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
 
       pristine_permission.cbac_permission_exists?.should be_true
     end
@@ -94,19 +86,19 @@ describe "CbacPristinePermission" do
     it "should return true if the pristine permission exists as context cbac permission in the database" do
       Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
 
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
+      pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
 
       pristine_permission.cbac_permission_exists?.should be_true
     end
 
     it "should return false if the pristine permission does not exist as context cbac permission in the database" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
+      pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
 
       pristine_permission.cbac_permission_exists?.should be_false
     end
 
     it "should return false if the pristine permission does not exist as a generic cbac permission in the database" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
+      pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
 
       pristine_permission.cbac_permission_exists?.should be_false
     end
@@ -115,7 +107,7 @@ describe "CbacPristinePermission" do
       group_admin = Cbac::GenericRole.create(:name => "group_administrator")
       Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => group_admin.id)
 
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
+      pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
 
       pristine_permission.cbac_permission_exists?.should be_false
     end
@@ -123,7 +115,7 @@ describe "CbacPristinePermission" do
     it "should return false if a similar pristine permission exist as a context cbac permission in the database, but for another context role" do
       Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => "group_owner")
 
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
+      pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
 
       pristine_permission.cbac_permission_exists?.should be_false
     end
@@ -131,13 +123,12 @@ describe "CbacPristinePermission" do
 
   describe "check if a known permission exists for this pristine permission" do
      before(:each) do
-
       @pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
       @pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin],  :name => "administrator")
     end
 
     it "should return true if the pristine permission exists as a known permission in the database" do
-      pristine_permission =  PristinePermission.new(:pristine_role => @pristine_admin_role, :line_number => 4, :privilege_set_name => "not relevant")
+      pristine_permission = PristinePermission.new(:pristine_role => @pristine_admin_role, :line_number => 4, :privilege_set_name => "not relevant")
 
       Cbac::KnownPermission.create(:permission_number => pristine_permission.line_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
 
@@ -145,125 +136,173 @@ describe "CbacPristinePermission" do
     end
   end
 
-  describe "apply the permission" do
+  describe "registering the change" do
     before(:each) do
       @privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
-      @admin_role = Cbac::GenericRole.create(:name => "administrator")
 
-      @pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
+      @admin_role = Cbac::GenericRole.create(:name => "administrator")
       @pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
-    end
-
 
-    it "should add the context permission to the database if operation + is used" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name =>  @privilege_set.name, :pristine_role => @pristine_context_role)
-      pristine_permission.operation = '+'
+      @pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
+      @pristine_permission.operation = '+'
+      @pristine_permission.line_number = rand
 
-      proc {
-        pristine_permission.accept
-      }.should change(Cbac::Permission, :count).by(1)
-    end
-
-    it "should create a generic permission if operation + is used" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
-      pristine_permission.operation = '+'
-
-      proc {
-        pristine_permission.accept
-      }.should change(Cbac::Permission, :count).by(1)
-    end
-
-    it "should delete the pristine permission since it was accepted" do
-      pristine_permission =  PristinePermission.create(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role, :operation => '+')
-
-      proc {
-        pristine_permission.accept
-      }.should change(PristinePermission, :count).by(-1)
-    end
-
-    it "should create a generic role if it doesn't exist in yet" do
-      cbac_privilege_set = Cbac::PrivilegeSetRecord.create(:name => "cbac_administration")
-
-      cbac_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => "cbac_administrator")
-      pristine_permission =  PristinePermission.new(:privilege_set_name => cbac_privilege_set.name, :pristine_role => cbac_admin_role)
-      pristine_permission.operation = '+'
-
-      proc {
-        pristine_permission.accept
-      }.should change(Cbac::GenericRole, :count).by(1)
-    end
-
-    it "should use an existing role if possible" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
-      pristine_permission.operation = '+'
-
-      pristine_permission.accept
-      # test smell: depends on a clean database
-      cbac_permission = Cbac::Permission.first
-
-      cbac_permission.generic_role.should == @admin_role
-    end
-
-    it "should remove an existing permission if operation - is used" do
-      Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
-
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
-      pristine_permission.operation = '-'
-
-      proc {
-        pristine_permission.accept
-      }.should change(Cbac::Permission, :count).by(-1)
-    end
-
-    it "should raise an error if operation - is used and the permission does not exist" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
-      pristine_permission.operation = '-'
-
-      proc {
-        pristine_permission.accept
-      }.should raise_error(ArgumentError)
+      @pristine_file = mock('pristine_file', :permissions => [ @pristine_permission ])
+      @pristine_permission.stub(:pristine_file).and_return @pristine_file
     end
 
     it "should create a known permission to record a change" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name =>  @privilege_set.name, :pristine_role => @pristine_context_role)
-      pristine_permission.operation = '+'
-
       proc {
-        pristine_permission.accept
+        @pristine_permission.accept
       }.should change(Cbac::KnownPermission, :count).by(1)
     end
 
     it "should create a known permission with specified permission identifier" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
-      pristine_permission.operation = '+'
-
-      pristine_permission.accept
+      @pristine_permission.accept
 
       known_permission = Cbac::KnownPermission.last
 
-      known_permission.permission_number.should == pristine_permission.line_number
+      known_permission.permission_number.should == @pristine_permission.line_number
     end
 
     it "should create a known permission with specified role type" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
-      pristine_permission.operation = '+'
-
-      pristine_permission.accept
+      @pristine_permission.accept
 
       known_permission = Cbac::KnownPermission.last
 
       known_permission.permission_type.should == Cbac::KnownPermission.PERMISSION_TYPES[:context]
     end
 
-    it "should also create a known permission if operation - is used to revoke a permission" do
-      Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
+    context "if the operation is '-'" do
+      before :each do
+        Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => @pristine_admin_role.role_id, :context_role => @pristine_admin_role.name)
 
-      pristine_permission =  PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
-      pristine_permission.operation = '-'
+        @pristine_permission.operation = '-'
+      end
 
-      proc {
-        pristine_permission.accept
-      }.should change(Cbac::KnownPermission, :count).by(1)
+      it "should still create a known permission" do
+        proc {
+          @pristine_permission.accept
+        }.should change(Cbac::KnownPermission, :count).by(1)
+      end
+    end
+  end
+
+  describe "apply the permission" do
+    before(:each) do
+      @privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
+      @admin_role = Cbac::GenericRole.create(:name => "administrator")
+
+      @pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
+      @pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
+
+      @pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name)
+      @pristine_permission.stub(:register_change)
+    end
+
+    context "if operation '+' is used" do
+      before :each do
+        @pristine_permission.operation = '+'
+      end
+
+      context "if the role is a context role" do
+        before :each do
+          @pristine_permission.pristine_role = @pristine_context_role
+          @pristine_permission.save!
+        end
+
+        it "should delete the pristine permission since it was accepted" do
+          proc {
+            @pristine_permission.accept
+          }.should change(PristinePermission, :count).by(-1)
+        end
+
+        it "should register the change" do
+          @pristine_permission.should_receive(:register_change)
+
+          @pristine_permission.accept
+        end
+
+        it "should add the context permission to the database" do
+          proc {
+            @pristine_permission.accept
+          }.should change(Cbac::Permission, :count).by(1)
+        end
+      end
+
+      context "if the role is a generic role" do
+        before :each do
+          @pristine_permission.pristine_role = @pristine_admin_role
+          @pristine_permission.save!
+        end
+
+        it "should delete the pristine permission since it was accepted" do
+          proc {
+            @pristine_permission.accept
+          }.should change(PristinePermission, :count).by(-1)
+        end
+
+        it "should register the change" do
+          @pristine_permission.should_receive(:register_change)
+
+          @pristine_permission.accept
+        end
+
+        it "should create a generic permission" do
+          proc {
+            @pristine_permission.accept
+          }.should change(Cbac::Permission, :count).by(1)
+        end
+
+        context "and the given role already exists" do
+          it "should use the existing role" do
+            @pristine_permission.pristine_role = @pristine_admin_role
+
+            @pristine_permission.accept
+
+            Cbac::Permission.last.generic_role.should == @admin_role
+          end
+        end
+
+        context "but no role with that name exists" do
+          before :each do
+            Cbac::GenericRole.delete_all
+          end
+
+          it "should create a generic role if it doesn't exist in yet" do
+            proc {
+              @pristine_permission.accept
+            }.should change(Cbac::GenericRole, :count).by(1)
+          end
+        end
+      end
+    end
+
+    context "if operation '-' is used" do
+      before :each do
+        @pristine_permission.operation = '-'
+        @pristine_permission.pristine_role = @pristine_context_role
+      end
+
+      it "should remove an existing permission" do
+        Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
+
+        proc {
+          @pristine_permission.accept
+        }.should change(Cbac::Permission, :count).by(-1)
+      end
+
+      context "if the permission specified does not exist" do
+        before :each do
+          Cbac::Permission.delete_all
+        end
+
+        it "should raise an error" do
+          proc {
+            @pristine_permission.accept
+          }.should raise_error(ArgumentError)
+        end
+      end
     end
   end
 
@@ -274,7 +313,7 @@ describe "CbacPristinePermission" do
     end
 
     it "should persist the pristine permission to the database" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
+      pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
 
       proc {
         pristine_permission.stage
@@ -283,7 +322,7 @@ describe "CbacPristinePermission" do
     end
 
     it "should persist the associated role if it doesn't exist yet" do
-      pristine_permission =  PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
+      pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
 
       proc {
         pristine_permission.stage
@@ -294,7 +333,7 @@ describe "CbacPristinePermission" do
       privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
       Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
 
-      pristine_permission =  PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
+      pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
       proc {
         pristine_permission.stage
       }.should_not change(Cbac::CbacPristine::PristinePermission, :count)
@@ -304,7 +343,7 @@ describe "CbacPristinePermission" do
       privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
       Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
 
-      pristine_permission =  PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
+      pristine_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
       proc {
         pristine_permission.stage
       }.should change(Cbac::CbacPristine::PristinePermission, :count).by(1)
@@ -313,7 +352,7 @@ describe "CbacPristinePermission" do
     it "should not create a new pristine permission if a staged add permission exists and this pristine permission wants to revoke" do
       privilege_set_name = "chat"
       PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
-      pristine_revoke_permission =  PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
+      pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
 
       proc {
         pristine_revoke_permission.stage
@@ -323,7 +362,7 @@ describe "CbacPristinePermission" do
     it "should delete a staged add permission if the pristine permission wants to revoke the same permission" do
       privilege_set_name = "chat"
       PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
-      pristine_revoke_permission =  PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
+      pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
 
       proc {
         pristine_revoke_permission.stage
@@ -332,7 +371,7 @@ describe "CbacPristinePermission" do
 
     it "should not create a new pristine permission if a cbac known permission exists" do
       known_number = 1
-      pristine_permission =  PristinePermission.new(:line_number => known_number, :privilege_set_name => "name not relevant", :pristine_role => @pristine_context_role)
+      pristine_permission = PristinePermission.new(:line_number => known_number, :privilege_set_name => "name not relevant", :pristine_role => @pristine_context_role)
       Cbac::KnownPermission.create(:permission_number => known_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
 
       proc {
@@ -344,15 +383,12 @@ describe "CbacPristinePermission" do
     it "should raise an error if the same pristine permission is staged twice" do
       privilege_set_name = "chat"
       PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 2)
-      pristine_permission =  PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 3)
+      pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 3)
 
       proc {
         pristine_permission.stage
       }.should raise_error(ArgumentError)
     end
-
-
   end
-
 end