declarative_authorization 0.4.1 → 0.5

data/lib/declarative_authorization/railsengine.rb

@@ -0,0 +1,6 @@
+require 'rails'
+
+module Authorization
+  class RailsEngine < Rails::Engine
+  end
+end

data/lib/declarative_authorization/reader.rb

@@ -28,13 +28,19 @@ module Authorization
   # * AuthorizationRulesReader#is,
   # * AuthorizationRulesReader#is_not,
   # * AuthorizationRulesReader#is_in,
-  # * AuthorizationRulesReader#is_not_in
+  # * AuthorizationRulesReader#is_not_in,
+  # * AuthorizationRulesReader#lt,
+  # * AuthorizationRulesReader#lte,
+  # * AuthorizationRulesReader#gt,
+  # * AuthorizationRulesReader#gte
   #
   # And privilege definition methods
   # * PrivilegesReader#privilege,
   # * PrivilegesReader#includes
   #
   module Reader
+    # Signals that the specified file to load was not found.
+    class DSLFileNotFoundError < Exception; end
     # Signals errors that occur while reading and parsing an authorization DSL
     class DSLError < Exception; end
     # Signals errors in the syntax of an authorization DSL.
@@ -53,6 +59,19 @@ module Authorization
         @auth_rules_reader = AuthorizationRulesReader.new
       end
 
+      # ensures you get back a DSLReader
+      # if you provide a:
+      #   DSLReader - you will get it back.
+      #   String or Array - it will treat it as if you have passed a path or an array of paths and attempt to load those.
+      def self.factory(obj)
+        case obj
+        when Reader::DSLReader
+          obj
+        when String, Array
+          load(obj)
+        end
+      end
+
       # Parses a authorization DSL specification from the string given
       # in +dsl_data+.  Raises DSLSyntaxError if errors occur on parsing.
       def parse (dsl_data, file_name = nil)
@@ -71,7 +90,11 @@ module Authorization
         reader = new
         dsl_files = [dsl_files].flatten
         dsl_files.each do |file|
-          reader.parse(File.read(file), file) if File.exist?(file)
+          begin
+            reader.parse(File.read(file), file)
+          rescue SystemCallError
+            raise ::Authorization::Reader::DSLFileNotFoundError, "Error reading authorization rules file with path '#{file}'!  Please ensure it exists and that it is accessible."
+          end
         end
         reader
       end
@@ -148,12 +171,13 @@ module Authorization
 
     class AuthorizationRulesReader
       attr_reader :roles, :role_hierarchy, :auth_rules,
-        :role_descriptions, :role_titles # :nodoc:
+        :role_descriptions, :role_titles, :omnipotent_roles # :nodoc:
 
       def initialize # :nodoc:
         @current_role = nil
         @current_rule = nil
         @roles = []
+        @omnipotent_roles = []
         # higher_role => [lower_roles]
         @role_hierarchy = {}
         @role_titles = {}
@@ -248,7 +272,16 @@ module Authorization
           @current_rule = nil
         end
       end
-      
+
+      # Removes any permission checks for the current role.
+      #   role :admin
+      #     has_omnipotence
+      #   end
+      def has_omnipotence
+        raise DSLError, "has_omnipotence only allowed in role blocks" if @current_role.nil?
+        @omnipotent_roles << @current_role
+      end
+
       # Sets a description for the current role.  E.g.
       #   role :admin
       #     description "To be assigned to administrative personnel"
@@ -279,7 +312,7 @@ module Authorization
       #   end
       def to (*privs)
         raise DSLError, "to only allowed in has_permission_on blocks" if @current_rule.nil?
-        @current_rule.append_privileges(privs)
+        @current_rule.append_privileges(privs.flatten)
       end
 
       # In a has_permission_on block, if_attribute specifies conditions
@@ -442,6 +475,26 @@ module Authorization
         [:is_not_in, block]
       end
       
+      # Less than
+      def lt (&block)
+        [:lt, block]
+      end
+
+      # Less than or equal to
+      def lte (&block)
+        [:lte, block]
+      end
+
+      # Greater than
+      def gt (&block)
+        [:gt, block]
+      end
+
+      # Greater than or equal to
+      def gte (&block)
+        [:gte, block]
+      end
+
       private
       def parse_attribute_conditions_hash! (hash)
         merge_hash = {}
@@ -449,9 +502,9 @@ module Authorization
           if value.is_a?(Hash)
             parse_attribute_conditions_hash!(value)
           elsif !value.is_a?(Array)
-            merge_hash[key] = [:is, lambda { value }]
+            merge_hash[key] = [:is, proc { value }]
           elsif value.is_a?(Array) and !value[0].is_a?(Symbol)
-            merge_hash[key] = [:is_in, lambda { value }]
+            merge_hash[key] = [:is_in, proc { value }]
           end
         end
         hash.merge!(merge_hash)
@@ -465,3 +518,4 @@ module Authorization
     end
   end
 end
+

data/lib/tasks/authorization_tasks.rake

@@ -0,0 +1,82 @@
+namespace :auth do
+  desc "Lists all privileges used in controllers, views, models"
+  task :used_privileges do
+    # TODO note where privileges are used
+    require File.join(RAILS_ROOT, 'config', 'boot.rb')
+    require File.join(RAILS_ROOT, 'config', 'environment.rb')
+    controllers = [ApplicationController]
+    Dir.new("#{RAILS_ROOT}/app/controllers").entries.each do |controller_file|
+      if controller_file =~ /_controller/ 
+        controllers << controller_file.gsub(".rb","").camelize.constantize
+      end
+    end 
+    perms = controllers.select {|c| c.send(:class_variable_defined?, :@@permissions)}.
+                        inject([]) do |all, c|
+      contr_context = c.name.sub("Controller", "").tableize.to_sym
+      contr_perms = c.send(:class_variable_get, :@@permissions).collect do |cp|
+        [cp.privilege, cp.context || contr_context, cp]
+      end
+      if contr_perms.any? {|cp| cp[0].nil?}
+        contr_perms += c.send(:action_methods).collect {|am| am.to_sym}.
+                         reject {|am| contr_perms.any? {|cp| cp[2].actions.include?(am)}}.
+                         collect {|am| [am, contr_context]}
+      end
+      all += contr_perms.reject {|cp| cp[0].nil?}.collect {|cp| cp[0..1]}
+    end
+    
+    model_files = `grep -l "^[[:space:]]*using_access_control" #{RAILS_ROOT}/app/models/*.rb`.split("\n")
+    models_with_ac = model_files.collect {|mf| mf.sub(/^.*\//, "").sub(".rb", "").tableize.to_sym}
+    model_security_privs = [:create, :read, :update, :delete]
+    models_with_ac.each {|m| perms += model_security_privs.collect{|msp| [msp, m]}}
+
+    grep_file_pattern = "#{RAILS_ROOT}/app/models/*.rb #{RAILS_ROOT}/app/views/**/* #{RAILS_ROOT}/app/controllers/*.rb"
+    `grep "permitted_to?" #{grep_file_pattern}`.split("\n").each do |ptu|
+      file, grep_match = ptu.split(':', 2)
+      context = privilege = nil
+      if (match = grep_match.match(/permitted_to\?\(?\s*:(\w+),\s*(:?@?\w+)/))
+        privilege = match[1].to_sym
+        if match[2][0..0] == ':'
+          context = match[2][1..-1].to_sym
+        else
+          c = (match[2][0..0] == '@' ? match[2][1..-1] : match[2]).pluralize.to_sym
+          context = c if perms.any? {|p| p[1] == c}
+        end
+      end
+      if privilege.nil? or context.nil?
+        puts "Could not handle: #{ptu}"
+      else
+        perms << [privilege, context]
+      end
+    end
+    
+    `grep ".with_permissions_to" #{grep_file_pattern}`.split("\n").each do |wpt|
+      file, grep_match = wpt.split(':', 2)
+      context = privilege = nil
+      if match = grep_match.match(/(\w+\.)?with_permissions_to(\(:\w+)?/)
+        c = match[1][0..-2].tableize.to_sym if match[1]
+        c ||= File.basename(file, '.rb').tableize.to_sym
+        context = c if perms.any? {|p| p[1] == c}
+        privilege = match[2] && match[2][(match[2][0..0]=='(' ? 2 : 1)..-1].to_sym
+        privilege ||= :read
+      end
+      if privilege.nil? or context.nil?
+        puts "Could not handle: #{ptu}"
+      else
+        perms << [privilege, context]
+      end
+    end
+    
+    perms.uniq!
+    perm_hash = {}
+    perms.each do |cp| 
+      perm_hash[cp[1]] ||= []
+      perm_hash[cp[1]] << cp[0]
+    end
+
+    puts "Privileges currently in use:"
+    perm_hash.each do |context, privileges|
+      puts "  #{context.inspect}:\t#{privileges.collect {|p| p.inspect}.sort * ', '}"
+      #privileges.collect {|p| p.inspect}.sort.each {|p| puts "  #{p}"}
+    end
+  end
+end

data/test/authorization_test.rb

@@ -34,6 +34,20 @@ class AuthorizationTest < Test::Unit::TestCase
       :user => MockUser.new(:test_role))
   end
 
+  def test_permit_elevated_people
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :admin do
+          has_omnipotence
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :people,
+      :user => MockUser.new(:admin))
+  end
+
   def test_permit_multiple_contexts
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
@@ -539,6 +553,99 @@ class AuthorizationTest < Test::Unit::TestCase
               :object => MockDataObject.new(:test_attrs => [3,4] ))
   end
   
+  def test_attribute_lte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => lte { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object < user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object > user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object > user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2)))))
+  end
+
+  def test_attribute_gt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => gt { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object > user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2))
+    # object < user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 4),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1)))))
+    # object < user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+
+  def test_attribute_gte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => gte { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object > user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2))
+    # object < user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 4),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object < user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+
   def test_attribute_deep
     reader = Authorization::Reader::DSLReader.new
     reader.parse %|
@@ -955,3 +1062,4 @@ class AuthorizationTest < Test::Unit::TestCase
         cloned_engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id
   end
 end
+

data/test/controller_test.rb

@@ -201,7 +201,7 @@ class LoadMockObjectsController < MocksController
   filter_access_to :show, :attribute_check => true, :model => LoadMockObject
   filter_access_to :edit, :attribute_check => true
   filter_access_to :update, :delete, :attribute_check => true,
-                   :load_method => lambda {MockDataObject.new(:test => 1)}
+                   :load_method => proc {MockDataObject.new(:test => 1)}
   filter_access_to :create do
     permitted_to! :edit, :load_mock_objects
   end
@@ -220,7 +220,8 @@ class LoadObjectControllerTest < ActionController::TestCase
       authorization do
         role :test_role do
           has_permission_on :load_mock_objects, :to => [:show, :edit] do
-            if_attribute :id => is {"1"}
+            if_attribute :id => 1
+            if_attribute :id => "1"
           end
         end
       end
@@ -372,7 +373,7 @@ class CommonChild1Controller < CommonController
 end
 class CommonChild2Controller < CommonController
   filter_access_to :delete
-  define_action_methods :show
+  define_action_methods :show, :delete
 end
 class HierachicalControllerTest < ActionController::TestCase
   tests CommonChild2Controller

data/test/dsl_reader_test.rb

@@ -90,6 +90,10 @@ class DSLReaderTest < Test::Unit::TestCase
             if_attribute :test_attr_4 => does_not_contain { user.test_attr }
             if_attribute :test_attr_5 => is_in { user.test_attr }
             if_attribute :test_attr_5 => is_not_in { user.test_attr }
+            if_attribute :test_attr_6 => lt { user.test_attr }
+            if_attribute :test_attr_6 => lte { user.test_attr }
+            if_attribute :test_attr_6 => gt { user.test_attr }
+            if_attribute :test_attr_6 => gte { user.test_attr }
           end
         end
       end
@@ -154,4 +158,21 @@ class DSLReaderTest < Test::Unit::TestCase
       }
     end
   end
+
+  def test_factory_returns_self
+    reader = Authorization::Reader::DSLReader.new
+    assert_equal(Authorization::Reader::DSLReader.factory(reader).object_id, reader.object_id)
+  end
+
+  def test_factory_loads_file
+    reader = Authorization::Reader::DSLReader.factory((DA_ROOT + "authorization_rules.dist.rb").to_s)
+    assert_equal(Authorization::Reader::DSLReader, reader.class)
+  end
+
+  def test_load_file_not_found
+    assert_raise(Authorization::Reader::DSLFileNotFoundError) do
+      Authorization::Reader::DSLReader.load("nonexistent_file.rb")
+    end
+  end
 end
+

data/test/helper_test.rb

@@ -99,6 +99,7 @@ class HelperTest < ActionController::TestCase
     
     assert has_role?(:test_role)
     assert !has_role?(:test_role2)
+    assert !has_role?(:test_role, :test_role2)
     
     block_evaled = false
     has_role?(:test_role) do

data/test/model_test.rb

@@ -26,14 +26,21 @@ class TestModel < ActiveRecord::Base
     :class_name => "TestAttrThrough", :source => :test_attr_throughs,
     :conditions => "test_attrs.attr = 1"
 
-  has_and_belongs_to_many :test_attr_throughs_habtm, :join_table => :test_attrs,
-      :class_name => "TestAttrThrough"
+  # TODO currently not working in Rails 3
+  if Rails.version < "3"
+    has_and_belongs_to_many :test_attr_throughs_habtm, :join_table => :test_attrs,
+        :class_name => "TestAttrThrough"
+  end
 
-  named_scope :with_content, :conditions => "test_models.content IS NOT NULL"
+  if Rails.version < "3"
+    named_scope :with_content, :conditions => "test_models.content IS NOT NULL"
+  else
+    scope :with_content, :conditions => "test_models.content IS NOT NULL"
+  end
 
   # Primary key test
-  # take this out for Rails prior to 2.2
-  if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
+  # :primary_key only available from Rails 2.2
+  unless Rails.version < "2.2"
     has_many :test_attrs_with_primary_id, :class_name => "TestAttr",
       :primary_key => :test_attr_through_id, :foreign_key => :test_attr_through_id
     has_many :test_attr_throughs_with_primary_id, 
@@ -274,32 +281,43 @@ class NamedScopeModelTest < Test::Unit::TestCase
       authorization do
         role :test_role do
           has_permission_on :test_models, :to => :read do
-            if_attribute :country_id => 1
+            if_attribute :test_attr_through_id => 1
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
           end
         end
       end
     }
     Authorization::Engine.instance(reader)
 
-    TestModel.create!(:country_id => 1, :content => "Content")
-    TestModel.create!(:country_id => 1)
-    TestModel.create!(:country_id => 2, :content => "Content")
+    country = Country.create!
+    model_1 = TestModel.create!(:test_attr_through_id => 1, :content => "Content")
+    country.test_models << model_1
+    TestModel.create!(:test_attr_through_id => 1)
+    TestModel.create!(:test_attr_through_id => 2, :content => "Content")
 
     user = MockUser.new(:test_role)
 
+    # TODO implement query_count for Rails 3
     TestModel.query_count = 0
     assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
-    assert_equal 1, TestModel.query_count
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
 
     TestModel.query_count = 0
     assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
-    assert_equal 1, TestModel.query_count
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
 
     TestModel.query_count = 0
     assert_equal 1, TestModel.with_permissions_to(:read, :user => user).with_content.length
-    assert_equal 1, TestModel.query_count
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+
+    TestModel.query_count = 0
+    assert_equal 1, country.test_models.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
 
     TestModel.delete_all
+    Country.delete_all
   end
 
   def test_with_modified_context
@@ -372,6 +390,110 @@ class NamedScopeModelTest < Test::Unit::TestCase
     TestModel.delete_all
   end
 
+  def test_with_lt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create!
+    TestModel.create!
+
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+
+  def test_with_lte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create!
+    2.times { TestModel.create! }
+
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+
+  def test_with_gt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    TestModel.create!
+    test_model_1 = TestModel.create!
+
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+
+  def test_with_gte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    2.times { TestModel.create! }
+    test_model_1 = TestModel.create!
+
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+
   def test_with_empty_obligations
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
@@ -703,71 +825,78 @@ class NamedScopeModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_with_contains_through_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs_with_attr => contains { user }
+  # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
+  # does not work
+  if Rails.version < "3"
+    def test_with_contains_through_conditions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_attr => contains { user }
+            end
           end
         end
-      end
-    }
-    Authorization::Engine.instance(reader)
+      }
+      Authorization::Engine.instance(reader)
 
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
-    test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
-    test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
-    test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
 
-    #assert_equal 1, test_model_1.test_attrs_with_attr.length
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attr_throughs.first.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attr_throughs.last.id)
-    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+      #assert_equal 1, test_model_1.test_attrs_with_attr.length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.last.id)
+      assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
 
-    TestModel.delete_all
-    TestAttrThrough.delete_all
-    TestAttr.delete_all
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
   end
 
-  def test_with_contains_habtm
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs_habtm => contains { user.test_attr_through_id }
+  if Rails.version < "3"
+    def test_with_contains_habtm
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_habtm => contains { user.test_attr_through_id }
+            end
           end
         end
-      end
-    }
-    Authorization::Engine.instance(reader)
+      }
+      Authorization::Engine.instance(reader)
 
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_attr_through_1 = TestAttrThrough.create!
-    test_attr_through_2 = TestAttrThrough.create!
-    TestAttr.create! :test_model_id => test_model_1.id, :test_attr_through_id => test_attr_through_1.id
-    TestAttr.create! :test_model_id => test_model_2.id, :test_attr_through_id => test_attr_through_2.id
+      # TODO habtm currently not working in Rails 3
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_attr_through_1 = TestAttrThrough.create!
+      test_attr_through_2 = TestAttrThrough.create!
+      TestAttr.create! :test_model_id => test_model_1.id, :test_attr_through_id => test_attr_through_1.id
+      TestAttr.create! :test_model_id => test_model_2.id, :test_attr_through_id => test_attr_through_2.id
 
-    user = MockUser.new(:test_role,
-                        :test_attr_through_id => test_model_1.test_attr_throughs_habtm.first.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_equal test_model_1, TestModel.with_permissions_to(:read, :user => user)[0]
+      user = MockUser.new(:test_role,
+                          :test_attr_through_id => test_model_1.test_attr_throughs_habtm.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      assert_equal test_model_1, TestModel.with_permissions_to(:read, :user => user)[0]
 
-    TestModel.delete_all
-    TestAttrThrough.delete_all
-    TestAttr.delete_all
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
   end
 
-  # take this out for Rails prior to 2.2
-  if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
+  # :primary_key not available in Rails prior to 2.2
+  if Rails.version > "2.2"
     def test_with_contains_through_primary_key
       reader = Authorization::Reader::DSLReader.new
       reader.parse %{
@@ -854,37 +983,41 @@ class NamedScopeModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_with_is_and_has_one_through_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs_with_attr_and_has_one => contains { user }
+  # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
+  # does not work
+  if Rails.version < "3"
+    def test_with_is_and_has_one_through_conditions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_attr_and_has_one => is { user }
+            end
           end
         end
-      end
-    }
-    Authorization::Engine.instance(reader)
+      }
+      Authorization::Engine.instance(reader)
 
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
-    test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
-    test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
-    test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
 
-    #assert_equal 1, test_model_1.test_attrs_with_attr.length
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attr_throughs.first.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attr_throughs.last.id)
-    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+      #assert_equal 1, test_model_1.test_attrs_with_attr.length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.last.id)
+      assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
 
-    TestModel.delete_all
-    TestAttr.delete_all
-    TestAttrThrough.delete_all
+      TestModel.delete_all
+      TestAttr.delete_all
+      TestAttrThrough.delete_all
+    end
   end
 
   def test_with_is_in
@@ -1504,7 +1637,9 @@ class ModelTest < Test::Unit::TestCase
     assert_nothing_raised do
       object.update_attributes(:attr_2 => 2)
     end
-    object.reload
+    without_access_control do
+      object.reload
+    end
     assert_equal 2, object.attr_2 
     object.destroy
     assert_raise ActiveRecord::RecordNotFound do
@@ -1539,7 +1674,9 @@ class ModelTest < Test::Unit::TestCase
         test_model.update_attributes(params[:model_data])
       end
     end
-    assert_equal params[:model_data][:attr], test_model.reload.attr
+    without_access_control do
+      assert_equal params[:model_data][:attr], test_model.reload.attr
+    end
 
     TestAttr.delete_all
     TestModelSecurityModel.delete_all
@@ -1669,3 +1806,4 @@ class ModelTest < Test::Unit::TestCase
     assert !allowed_read_company.permitted_to?(:update, :user => user)
   end
 end
+