declarative_authorization 0.3.2.3 → 0.4

data/CHANGELOG

@@ -1,3 +1,49 @@
+** RELEASE 0.4 (November 15, 2009) **
+
+* Implemented controller namespace handling [sb]
+
+* Improved if_attribute to allow nesting of has_many associations [sb]
+
+* Improved if_permitted_to: allow has_many associations and improved context inference [sb]
+
+* Added option on handling non-existant auto-loaded object [sb]
+
+* Added with_user as module method [sb]
+
+* Change support i18n [sb]
+
+** RELEASE 0.3.2.3 (October 12, 2009) **
+
+* Switched to gemcutter [sb]
+
+* Fixed has_role? for guest user. Closes #8 [sb]
+
+* Fixed unnecessary DB query with named scopes [sb, ledermann]
+
+* Change support: suggestions: grouping, sorting by affected users [sb]
+
+* Fixed context inference from AR objects for STI by switching to #class.name.tableize [sb]
+
+* Allow multiple contexts as arguments to has_permission_on [Jeroen van Dijk]
+
+** RELEASE 0.3.2.2 (August 27, 2009) **
+
+* Fix without_access_control test cases [sb]
+
+* Fixed error on debug logging (Closes #6) [sb]
+
+* Fixed without_access_control instance method in TestHelper [sb]
+
+** RELEASE 0.3.2.1 (August 14, 2009) **
+
+* Fix gemspec for Rdoc generation [sb]
+
+** RELEASE 0.3.2 (August 13, 2009) **
+
+* Fix for model-level permitted_to?/! [sb]
+
+** RELEASE 0.3.1 (August 12, 2009) **
+
 * Change Support: Suggestion grouping, sort by affected users [sb]
 
 * Changed context derived from objects to #class.name.tableize to fix STI [sb]

data/app/helpers/authorization_rules_helper.rb

@@ -84,32 +84,63 @@ module AuthorizationRulesHelper
           role_color(role))
   end
 
+  def human_privilege (privilege)
+    begin
+      I18n.t(privilege, :scope => [:declarative_authorization, :privilege], :raise => true)
+    rescue
+      privilege.to_s
+    end
+  end
+
+  def human_context (context)
+    begin
+      context.to_s.classify.constantize.human_name
+    rescue
+      context.to_s
+    end
+  end
+
+  def human_privilege_context (privilege, context)
+    human = [human_privilege(privilege), human_context(context)]
+    begin
+      unless I18n.t(:verb_in_front_of_object, :scope => :declarative_authorization, :raise => true)
+        human.reverse!
+      end
+    rescue
+    end
+    human * " "
+  end
+
+  def human_role (role)
+    Authorization::Engine.instance.title_for(role) or role.to_s
+  end
+
   def describe_step (step, options = {})
     options = {:with_removal => false}.merge(options)
 
     case step[0]
     when :add_privilege
       dont_assign = prohibit_link(step[0,3],
-          "Add privilege <strong>#{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}</strong> to any role",
-          "Don't suggest adding #{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}.", options)
-      "Add privilege <strong>#{h step[1].inspect} #{h step[2].inspect}</strong>#{dont_assign} to role <strong>#{h step[3].to_sym.inspect}</strong>"
+          "Add privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong> to any role",
+          "Don't suggest adding #{h human_privilege_context(step[1], step[2])}.", options)
+      "Add privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong>#{dont_assign} to role <strong>#{h human_role(step[3].to_sym)}</strong>"
     when :remove_privilege
       dont_remove = prohibit_link(step[0,3], 
-          "Remove privilege <strong>#{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}</strong> from any role", 
-          "Don't suggest removing #{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}.", options)
-      "Remove privilege <strong>#{h step[1].inspect} #{h step[2].inspect}</strong>#{dont_remove} from role <strong>#{h step[3].to_sym.inspect}</strong>"
+          "Remove privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong> from any role",
+          "Don't suggest removing #{h human_privilege_context(step[1], step[2])}.", options)
+      "Remove privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong>#{dont_remove} from role <strong>#{h human_role(step[3].to_sym)}</strong>"
     when :add_role
-      "New role <strong>#{h step[1].to_sym.inspect}</strong>"
+      "New role <strong>#{h human_role(step[1].to_sym)}</strong>"
     when :assign_role_to_user
       dont_assign = prohibit_link(step[0,2],
-          "Assign role <strong>#{h step[1].to_sym.inspect}</strong> to any user",
-          "Don't suggest assigning #{h step[1].to_sym.inspect}.", options)
-      "Assign role <strong>#{h step[1].to_sym.inspect}</strong>#{dont_assign} to <strong>#{h readable_step_info(step[2])}</strong>"
+          "Assign role <strong>#{h human_role(step[1].to_sym)}</strong> to any user",
+          "Don't suggest assigning #{h human_role(step[1].to_sym)}.", options)
+      "Assign role <strong>#{h human_role(step[1].to_sym)}</strong>#{dont_assign} to <strong>#{h readable_step_info(step[2])}</strong>"
     when :remove_role_from_user
       dont_remove = prohibit_link(step[0,2],
-          "Remove role <strong>#{h step[1].to_sym.inspect}</strong> from any user",
-          "Don't suggest removing #{h step[1].to_sym.inspect}.", options)
-      "Remove role <strong>#{h step[1].to_sym.inspect}</strong>#{dont_remove} from <strong>#{h readable_step_info(step[2])}</strong>"
+          "Remove role <strong>#{h human_role(step[1].to_sym)}</strong> from any user",
+          "Don't suggest removing #{h human_role(step[1].to_sym)}.", options)
+      "Remove role <strong>#{h human_role(step[1].to_sym)}</strong>#{dont_remove} from <strong>#{h readable_step_info(step[2])}</strong>"
     else
       step.collect {|info| readable_step_info(info) }.map {|str| h str } * ', '
     end + prohibit_link(step, options[:with_removal] ? "#{escape_javascript(describe_step(step))}" : '',

data/app/views/authorization_rules/_change.erb

@@ -2,10 +2,10 @@
 <h2>Which permission to change?</h2>
 <p class="action-options">
   <label>Privilege</label>
-  <%= select_tag :privilege, options_for_select(@privileges.map(&:to_s).sort, @privilege.to_s) %>
+  <%= select_tag :privilege, options_for_select(@privileges.map {|p| [human_privilege(p), p.to_s]}.sort, @privilege.to_s) %>
   <br/>
   <label>On</label>
-  <%= select_tag :context, options_for_select(@contexts.map(&:to_s).sort, @context.to_s) %>
+  <%= select_tag :context, options_for_select(@contexts.map {|c| [human_context(c), c.to_s]}.sort, @context.to_s) %>
   <br/>
   <label></label>
   <%= link_to_function "Show current permissions", "show_current_permissions()", :class => 'unimportant' %>
@@ -35,7 +35,7 @@
       <tr class="<%= controller.authorization_engine.permit?(@privilege, :context => @context, :user => user, :skip_attribute_test => true) ? 'permitted' : 'not-permitted' %>">
         <td class="user_id"><%=h user.id %></td>
         <td style="font-weight:bold"><%=h user.login %></td>
-        <td><%=h user.role_symbols * ', ' %></td>
+        <td><%=h user.role_symbols.map {|r| human_role(r)} * ', ' %></td>
         <td><%= radio_button_tag "user[#{user.id}][permission]", "undetermined", true %></td>
         <td class="yes"><%= radio_button_tag "user[#{user.id}][permission]", "yes" %></td>
         <td class="no"><%= radio_button_tag "user[#{user.id}][permission]", "no" %></td>

data/app/views/authorization_rules/_suggestions.erb

@@ -30,13 +30,13 @@
               <% if grouped_approach.similar_approaches.empty? %>
                 <span class="unimportant show-others-in-group">No further suggestions in this group</span>
               <% else %>
-                <%= link_to_function "Show further #{pluralize grouped_approach.similar_approaches.length, "suggestion"} in this group", "show_group_approaches(#{group_index})", :class => "show-others-in-group" %>
+                <%= link_to_function "Show further <strong>#{pluralize grouped_approach.similar_approaches.length, "suggestion"}</strong> in this group", "show_group_approaches(#{group_index})", :class => "show-others-in-group" %>
               <% end %>
             <% end %>
             <%= link_to_function "Hide further suggestions", "hide_group_approaches(#{group_index})" if index > 0 and index == grouped_approach.similar_approaches.length %>
           </li>
           <% if index == 0 and group_index == 2 and @grouped_approaches.length > 3 %>
-            <li <%= !params[:show_all] ? '' : 'style="display: none"' %>><%= link_to_function "Show further #{pluralize(@grouped_approaches.length - 3, 'group')}", "show_all_groups(); $(this).up().hide()" %></li>
+            <li <%= !params[:show_all] ? '' : 'style="display: none"' %>><%= link_to_function "Show further <strong>#{pluralize(@grouped_approaches.length - 3, 'group')}</strong>", "show_all_groups(); $(this).up().hide()" %></li>
           <% end %>
         <% end %>
       <% end %>

data/app/views/authorization_rules/change.html.erb

@@ -8,6 +8,8 @@
 </div>
 <%= render 'show_graph' %>
 
+<div id="spinner" style="display:none">Searching...</div>
+
 <style type="text/css">
   .action-options label { display: block; float: left; width: 7em; padding-bottom: 0.5em }
   .action-options label.inline { display: inline; float: none }
@@ -52,17 +54,32 @@
   .unimportant, .remove, .prohibit { color: grey }
   .important { font-weight: bold }
   .remove { cursor: pointer }
+  #spinner { position: fixed; top: 0; right: 0; background: #FFE599; padding: 1em }
 </style>
 <% javascript_tag do %>
     function suggest_changes (refresh) {
-        if (!refresh)
+        var opened_groups = $$("#suggest-result>ul>li.secondary").select(function (li) {return li.visible()}).collect(function (li) {
+            return li.classNames().toArray()[1].split("-")[1];
+        }).uniq();
+
+        if (refresh)
+          $("spinner").show();
+        else
           $("suggest-result").innerHTML = "Searching...";
+
+
         $("suggest-result").show();
         new Ajax.Updater({success: 'suggest-result'}, '<%= suggest_change_authorization_rules_path %>', {
             method: 'get',
             onFailure: function(request) {
                 $("suggest-result").innerHTML = "Error while searching."
             },
+            onComplete: function () {
+                $("spinner").hide();
+                opened_groups.each(function (group_no) {
+                  show_group_approaches(group_no);
+                });
+            },
             parameters: $H($('change').down('form').serialize(true)).merge(refresh ? {show_all: "true"} : {}).toQueryString()
         });
         if (!refresh)
@@ -70,7 +87,7 @@
     }
 
     function show_suggest_graph (changes, filter_roles_params, filter_context, user_ids) {
-        var params = {changes: changes, highlight_privilege: $F('privilege')};
+        var params = {changes: changes, highlight_privilege: $F('privilege'), stacked_roles: '1'};
         if (filter_context)
           params['filter_contexts'] = filter_context;
         if (user_ids)

data/app/views/authorization_rules/graph.dot.erb

@@ -22,7 +22,7 @@ digraph rules {
     node [shape=ellipse,style=filled]
     <%= @stacked_roles ? '' : "rank = same" %>
     <% @roles.each do |role| %>
-    "<%= role.inspect %>" [fillcolor="<%= role_fill_color(role) %>"]
+    "<%= role.inspect %>" [fillcolor="<%= role_fill_color(role) %>",label="<%= human_role(role) %>"]
     // ,URL="javascript:set_filter({roles: '<%= role %>'})"
     <% end %>
     <% @roles.each do |role| %>
@@ -42,11 +42,11 @@ digraph rules {
 
   <% @contexts.each do |context| %>
     subgraph cluster_<%= context %>  {
-      label = "<%= context.inspect %>"
+      label = "<%= human_context(context) %>"
       style=filled; fillcolor="#eeeeee"
       node[fillcolor=white,style=filled]
       <% (@context_privs[context] || []).each do |priv| %>
-      <%= priv %>_<%= context %> [label="<%= priv.inspect %>"<%= ',fontcolor="#ff0000"' if @highlight_privilege == priv %>]
+      <%= priv %>_<%= context %> [label="<%= human_privilege(priv) %>"<%= ',fontcolor="#ff0000"' if @highlight_privilege == priv %>]
       <% end %>
       <% (@context_privs[context] || []).each do |priv| %>
         <% (@privilege_hierarchy[priv] || []).

data/lib/declarative_authorization/authorization.rb

@@ -207,6 +207,9 @@ module Authorization
     def obligations (privilege, options = {})
       options = {:context => nil}.merge(options)
       user, roles, privileges = user_roles_privleges_from_options(privilege, options)
+
+      permit!(privilege, :skip_attribute_test => true, :user => user, :context => options[:context])
+      
       attr_validator = AttributeValidator.new(self, user, nil, privilege, options[:context])
       matching_auth_rules(roles, privileges, options[:context]).collect do |rule|
         rule.obligations(attr_validator)
@@ -376,7 +379,20 @@ module Authorization
     end
 
     def obligations (attr_validator)
-      obligations = @attributes.collect {|attr| attr.obligation(attr_validator) }.flatten
+      exceptions = []
+      obligations = @attributes.collect do |attr|
+        begin
+          attr.obligation(attr_validator)
+        rescue NotAuthorized => e
+          exceptions << e
+          nil
+        end
+      end.flatten.compact
+
+      if exceptions.length > 0 and (@join_operator == :and or exceptions.length == @attributes.length)
+        raise NotAuthorized, "Missing authorization in collecting obligations: #{exceptions.map(&:to_s) * ", "}"
+      end
+
       if @join_operator == :and and !obligations.empty?
         merged_obligation = obligations.first
         obligations[1..-1].each do |obligation|
@@ -411,15 +427,17 @@ module Authorization
       (hash || @conditions_hash).all? do |attr, value|
         attr_value = object_attribute_value(object, attr)
         if value.is_a?(Hash)
-          if attr_value.is_a?(Array)
-            raise AuthorizationUsageError, "Unable evaluate multiple attributes " +
-              "on a collection.  Cannot use '=>' operator on #{attr.inspect} " +
-              "(#{attr_value.inspect}) for attributes #{value.inspect}."
-          elsif attr_value.nil?
+          case attr_value
+          when Enumerable
+            attr_value.any? do |inner_value|
+              validate?(attr_validator, inner_value, value)
+            end
+          when nil
             raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
+          else
+            validate?(attr_validator, attr_value, value)
           end
-          validate?(attr_validator, attr_value, value)
-        elsif value.is_a?(Array) and value.length == 2
+        elsif value.is_a?(Array) and value.length == 2 and value.first.is_a?(Symbol)
           evaluated = if value[1].is_a?(Proc)
                         attr_validator.evaluate(value[1])
                       else
@@ -557,17 +575,29 @@ module Authorization
       case hash_or_attr
       when Symbol
         attr_value = object_attribute_value(object, hash_or_attr)
-        if attr_value.nil?
+        case attr_value
+        when nil
           raise NilAttributeValueError, "Attribute #{hash_or_attr.inspect} is nil in #{object.inspect}."
+        when Enumerable
+          attr_value.any? do |inner_value|
+            attr_validator.engine.permit? @privilege, :object => inner_value, :user => attr_validator.user
+          end
+        else
+          attr_validator.engine.permit? @privilege, :object => attr_value, :user => attr_validator.user
         end
-        attr_validator.engine.permit? @privilege, :object => attr_value, :user => attr_validator.user
       when Hash
         hash_or_attr.all? do |attr, sub_hash|
           attr_value = object_attribute_value(object, attr)
-          if attr_value.nil?
+          case attr_value
+          when nil
             raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
+          when Enumerable
+            attr_value.any? do |inner_value|
+              validate?(attr_validator, inner_value, sub_hash)
+            end
+          else
+            validate?(attr_validator, attr_value, sub_hash)
           end
-          validate?(attr_validator, attr_value, sub_hash)
         end
       when NilClass
         attr_validator.engine.permit? @privilege, :object => object, :user => attr_validator.user
@@ -577,20 +607,29 @@ module Authorization
     end
 
     # may return an array of obligations to be OR'ed
-    def obligation (attr_validator, hash_or_attr = nil)
+    def obligation (attr_validator, hash_or_attr = nil, path = [])
       hash_or_attr ||= @attr_hash
       case hash_or_attr
       when Symbol
+        @context ||= begin
+          rule_model = attr_validator.context.to_s.classify.constantize
+          context_reflection = self.class.reflection_for_path(rule_model, path + [hash_or_attr])
+          context_reflection.klass.table_name.to_sym
+        rescue # missing model, reflections
+          hash_or_attr.to_s.pluralize.to_sym
+        end
+        
         obligations = attr_validator.engine.obligations(@privilege,
-                          :context => @context || hash_or_attr.to_s.pluralize.to_sym,
+                          :context => @context,
                           :user    => attr_validator.user)
+
         obligations.collect {|obl| {hash_or_attr => obl} }
       when Hash
         obligations_array_attrs = []
         obligations =
             hash_or_attr.inject({}) do |all, pair|
               attr, sub_hash = pair
-              all[attr] = obligation(attr_validator, sub_hash)
+              all[attr] = obligation(attr_validator, sub_hash, path + [attr])
               if all[attr].length > 1
                 obligations_array_attrs << attr
               else
@@ -622,6 +661,22 @@ module Authorization
     def to_long_s
       "if_permitted_to #{@privilege.inspect}, #{@attr_hash.inspect}"
     end
+
+    private
+    def self.reflection_for_path (parent_model, path)
+      reflection = path.empty? ? parent_model : begin
+        parent = reflection_for_path(parent_model, path[0..-2])
+        if !parent.respond_to?(:proxy_reflection) and parent.respond_to?(:klass)
+          parent.klass.reflect_on_association(path.last)
+        else
+          parent.reflect_on_association(path.last)
+        end
+      rescue
+        parent.reflect_on_association(path.last)
+      end
+      raise "invalid path #{path.inspect}" if reflection.nil?
+      reflection
+    end
   end
   
   # Represents a pseudo-user to facilitate guest users in applications

data/lib/declarative_authorization/in_controller.rb

@@ -12,6 +12,21 @@ module Authorization
     
     DEFAULT_DENY = false
     
+    # If attribute_check is set for filter_access_to, decl_auth will try to
+    # load the appropriate object from the current controller's model with
+    # the id from params[:id].  If that fails, a 404 Not Found is often the
+    # right way to handle the error.  If you have additional measures in place
+    # that restricts the find scope, handling this error as a permission denied
+    # might be a better way.  Set failed_auto_loading_is_not_found to false
+    # for the latter behaviour.
+    @@failed_auto_loading_is_not_found = true
+    def self.failed_auto_loading_is_not_found?
+      @@failed_auto_loading_is_not_found
+    end
+    def self.failed_auto_loading_is_not_found= (new_value)
+      @@failed_auto_loading_is_not_found = new_value
+    end
+
     # Returns the Authorization::Engine for the current controller.
     def authorization_engine
       @authorization_engine ||= Authorization::Engine.instance
@@ -36,7 +51,7 @@ module Authorization
     def permitted_to! (privilege, object_or_sym = nil, options = {}, &block)
       context = object = nil
       if object_or_sym.nil?
-        context = self.class.controller_name.to_sym
+        context = self.class.decl_auth_context
       elsif object_or_sym.is_a?(Symbol)
         context = object_or_sym
       else
@@ -118,32 +133,32 @@ module Authorization
       end
     end
 
-    def load_controller_object (context) # :nodoc:
-      instance_var = :"@#{context.to_s.singularize}"
-      model = context.to_s.classify.constantize
+    def load_controller_object (context_without_namespace = nil) # :nodoc:
+      instance_var = :"@#{context_without_namespace.to_s.singularize}"
+      model = context_without_namespace.to_s.classify.constantize
       instance_variable_set(instance_var, model.find(params[:id]))
     end
 
-    def load_parent_controller_object (parent_context) # :nodoc:
-      instance_var = :"@#{parent_context.to_s.singularize}"
-      model = parent_context.to_s.classify.constantize
-      instance_variable_set(instance_var, model.find(params[:"#{parent_context.to_s.singularize}_id"]))
+    def load_parent_controller_object (parent_context_without_namespace) # :nodoc:
+      instance_var = :"@#{parent_context_without_namespace.to_s.singularize}"
+      model = parent_context_without_namespace.to_s.classify.constantize
+      instance_variable_set(instance_var, model.find(params[:"#{parent_context_without_namespace.to_s.singularize}_id"]))
     end
 
-    def new_controller_object_from_params (context, parent_context) # :nodoc:
-      model_or_proxy = parent_context ?
-           instance_variable_get(:"@#{parent_context.to_s.singularize}").send(context.to_sym) :
-           context.to_s.classify.constantize
-      instance_var = :"@#{context.to_s.singularize}"
+    def new_controller_object_from_params (context_without_namespace, parent_context_without_namespace) # :nodoc:
+      model_or_proxy = parent_context_without_namespace ?
+           instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
+           context_without_namespace.to_s.classify.constantize
+      instance_var = :"@#{context_without_namespace.to_s.singularize}"
       instance_variable_set(instance_var,
-          model_or_proxy.new(params[context.to_s.singularize]))
+          model_or_proxy.new(params[context_without_namespace.to_s.singularize]))
     end
 
-    def new_controller_object_for_collection (context, parent_context) # :nodoc:
-      model_or_proxy = parent_context ?
-           instance_variable_get(:"@#{parent_context.to_s.singularize}").send(context.to_sym) :
-           context.to_s.classify.constantize
-      instance_var = :"@#{context.to_s.singularize}"
+    def new_controller_object_for_collection (context_without_namespace, parent_context_without_namespace) # :nodoc:
+      model_or_proxy = parent_context_without_namespace ?
+           instance_variable_get(:"@#{parent_context_without_namespace.to_s.singularize}").send(context_without_namespace.to_sym) :
+           context_without_namespace.to_s.classify.constantize
+      instance_var = :"@#{context_without_namespace.to_s.singularize}"
       instance_variable_set(instance_var, model_or_proxy.new)
     end
 
@@ -221,7 +236,8 @@ module Authorization
       # [:+require+] 
       #   Privilege required; defaults to action_name
       # [:+context+] 
-      #   The privilege's context, defaults to controller_name, pluralized.
+      #   The privilege's context, defaults to decl_auth_context, which consists
+      #   of controller_name, prepended by any namespaces
       # [:+attribute_check+]
       #   Enables the check of attributes defined in the authorization rules.
       #   Defaults to false.  If enabled, filter_access_to will use a context
@@ -485,6 +501,19 @@ module Authorization
           end
         end
       end
+
+      # Returns the context for authorization checks in the current controller.
+      # Uses the controller_name and prepends any namespaces underscored and
+      # joined with underscores.
+      #
+      # E.g.
+      #   AllThosePeopleController         => :all_those_people
+      #   AnyName::Space::ThingsController => :any_name_space_things
+      #
+      def decl_auth_context
+        prefixes = name.split('::')[0..-2].map(&:underscore)
+        ((prefixes + [controller_name]) * '_').to_sym
+      end
       
       protected
       def filter_access_permissions # :nodoc:
@@ -545,22 +574,14 @@ module Authorization
       if @filter_block
         return contr.instance_eval(&@filter_block)
       end
-      context = @context || contr.class.controller_name.to_sym
-      object = @attribute_check ? load_object(contr, context) : nil
+      object = @attribute_check ? load_object(contr) : nil
       privilege = @privilege || :"#{contr.action_name}"
-      
-      #puts "Trying permit?(#{privilege.inspect}, "
-      #puts "               :user => #{contr.send(:current_user).inspect}, "
-      #puts "               :object => #{object.inspect}," 
-      #puts "               :skip_attribute_test => #{!@attribute_check}," 
-      #puts "               :context => #{contr.class.controller_name.pluralize.to_sym})"
-      res = contr.authorization_engine.permit!(privilege, 
+
+      contr.authorization_engine.permit!(privilege, 
                                          :user => contr.send(:current_user),
                                          :object => object,
                                          :skip_attribute_test => !@attribute_check,
-                                         :context => context)
-      #puts "permit? result: #{res.inspect}"
-      res
+                                         :context => @context || contr.class.decl_auth_context)
     end
     
     def remove_actions (actions)
@@ -569,24 +590,25 @@ module Authorization
     end
     
     private
-    def load_object(contr, context)
+    def load_object(contr)
       if @load_object_method and @load_object_method.is_a?(Symbol)
         contr.send(@load_object_method)
       elsif @load_object_method and @load_object_method.is_a?(Proc)
         contr.instance_eval(&@load_object_method)
       else
-        load_object_model = @load_object_model || context.to_s.classify.constantize
+        load_object_model = @load_object_model ||
+            (@context ? @context.to_s.classify.constantize : contr.class.controller_name.classify.constantize)
         instance_var = :"@#{load_object_model.name.underscore}"
         object = contr.instance_variable_get(instance_var)
         unless object
           begin
             object = load_object_model.find(contr.params[:id])
-          rescue ActiveRecord::RecordNotFound, RuntimeError
+          rescue RuntimeError => e
             contr.logger.debug("filter_access_to tried to find " +
-                "#{load_object_model.inspect} from params[:id] " +
+                "#{load_object_model} from params[:id] " +
                 "(#{contr.params[:id].inspect}), because attribute_check is enabled " +
-                "and #{instance_var.to_s} isn't set.")
-            raise
+                "and #{instance_var.to_s} isn't set, but failed: #{e.class.name}: #{e}")
+            raise if AuthorizationInController.failed_auto_loading_is_not_found?
           end
           contr.instance_variable_set(instance_var, object)
         end

data/lib/declarative_authorization/maintenance.rb

@@ -36,7 +36,11 @@ module Authorization
     # Sets the current user for the declarative authorization plugin to the
     # given one for the execution of the supplied block.  Suitable for tests
     # on certain users.
-    def with_user (user)
+    def with_user (user, &block)
+      Authorization::Maintenance.with_user(user, &block)
+    end
+
+    def self.with_user (user)
       prev_user = Authorization.current_user
       Authorization.current_user = user
       yield
@@ -138,7 +142,13 @@ module Authorization
         with_user(user, &block)
       end
     end
-    
+
+    # Test helper to test authorization rules.  E.g.
+    #   with_user a_normal_user do
+    #     should_not_be_allowed_to :update, :conferences
+    #     should_not_be_allowed_to :read, an_unpublished_conference
+    #     should_be_allowed_to :read, a_published_conference
+    #   end
     def should_be_allowed_to (privilege, object_or_context)
       options = {}
       options[object_or_context.is_a?(Symbol) ? :context : :object] = object_or_context
@@ -147,6 +157,7 @@ module Authorization
       end
     end
 
+    # See should_be_allowed_to
     def should_not_be_allowed_to (privilege, object_or_context)
       options = {}
       options[object_or_context.is_a?(Symbol) ? :context : :object] = object_or_context

data/lib/declarative_authorization/obligation_scope.rb

@@ -46,6 +46,7 @@ module Authorization
     # Consumes the given obligation, converting it into scope join and condition options.
     def parse!( obligation )
       @current_obligation = obligation
+      @join_table_joins = Set.new
       obligation_conditions[@current_obligation] ||= {}
       follow_path( obligation )
 
@@ -75,7 +76,7 @@ module Authorization
           follow_comparison( steps, past_steps[0..-2], past_steps[-1] )
         end
       else
-        raise "invalid obligation path #{[past_steps, steps].flatten}"
+        raise "invalid obligation path #{[past_steps, steps].inspect}"
       end
     end
     
@@ -120,7 +121,8 @@ module Authorization
     end
     
     # Returns the reflection corresponding to the given path.
-    def reflection_for( path )
+    def reflection_for(path, for_join_table_only = false)
+      @join_table_joins << path if for_join_table_only and !reflections[path]
       reflections[path] ||= map_reflection_for( path )
     end
     
@@ -147,6 +149,12 @@ module Authorization
 
       reflections[path] = reflection
       map_table_alias_for( path )  # Claim a table alias for the path.
+
+      # Claim alias for join table
+      if reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
+        join_table_path = path[0..-2] + [reflection.options[:through]]
+        reflection_for(join_table_path, true)
+      end
       
       reflection
     end
@@ -254,7 +262,7 @@ module Authorization
       joins = (@proxy_options[:joins] || []) + (@proxy_options[:includes] || [])
 
       reflections.keys.each do |path|
-        next if path.empty?
+        next if path.empty? or @join_table_joins.include?(path)
 
         existing_join = joins.find do |join|
           existing_path = join_to_path(join)

data/lib/declarative_authorization/reader.rb

@@ -302,6 +302,18 @@ module Authorization
       #       if_attribute :branch => { :company => is {user.branch.company} }
       #     end
       #   end
+      #
+      # has_many and has_many through associations may also be nested.
+      # Then, at least one item in the association needs to fulfill the
+      # subsequent condition:
+      #   if_attribute :company => { :branches => { :manager => { :last_name => is { user.last_name } } }
+      # Beware of possible performance issues when using has_many associations in
+      # permitted_to? checks.  For
+      #   permitted_to? :read, object
+      # a check like
+      #   object.company.branches.any? { |branch| branch.manager ... }
+      # will be executed.  with_permission_to scopes construct efficient SQL
+      # joins, though.
       # 
       # Multiple attributes in one :if_attribute statement are AND'ed.
       # Multiple if_attribute statements are OR'ed if the join operator for the
@@ -313,6 +325,8 @@ module Authorization
       #     if_attribute :branch => is {user.branch}, :changeable_by_coworker => true
       #     if_attribute :id => is {user.id}
       #   end
+      # The join operator for if_attribute rules can explicitly set to AND, though.
+      # See has_permission_on for details.
       #
       # Arrays and fixed values may be used directly as hash values:
       #   if_attribute :id   => 1
@@ -343,6 +357,14 @@ module Authorization
       # if_permitted_to associations may be nested as well:
       #   if_permitted_to :read, :branch => :company
       #
+      # You can even use has_many associations as target.  Then, it is checked
+      # if the current user has the required privilege on *any* of the target objects.
+      #   if_permitted_to :read, :branch => :employees
+      # Beware of performance issues with permission checks.  In the current implementation,
+      # all employees are checked until the first permitted is found.
+      # with_permissions_to, on the other hand, constructs more efficient SQL
+      # instead.
+      #
       # To check permissions based on the current object, the attribute has to
       # be left out:
       #   has_permission_on :branches, :to => :manage do
@@ -357,8 +379,9 @@ module Authorization
       #
       # Options:
       # [:+context+]
-      #   If the context of the refered object may not be infered from the
-      #   associations name, the context may be given explicitly:
+      #   When using with_permissions_to, the target context of the if_permitted_to
+      #   statement is infered from the last reflections target class.  Still,
+      #   you may override this algorithm by setting the context explicitly.
       #     if_permitted_to :read, :home_branch, :context => :branches
       #     if_permitted_to :read, :branch => :main_company, :context => :companies
       #

data/test/authorization_test.rb

@@ -122,6 +122,23 @@ class AuthorizationTest < Test::Unit::TestCase
       engine.obligations(:test, :context => :permissions,
           :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
   end
+
+  def test_obligations_with_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attrs => { :deeper_attr => is { user.deeper_attr } }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :deeper_attr => 1))
+  end
   
   def test_obligations_with_conditions_and_empty
     reader = Authorization::Reader::DSLReader.new
@@ -174,6 +191,39 @@ class AuthorizationTest < Test::Unit::TestCase
           :user => MockUser.new(:test_role, :attr => 1))
   end
 
+  def test_obligations_with_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permissions, :context => :permissions
+          end
+          has_permission_on :permission_children_2, :to => :test do
+            if_permitted_to :test, :permissions
+          end
+          has_permission_on :permission_children_children, :to => :test do
+            if_permitted_to :test, :permission_child => :permissions,
+                            :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:permissions => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permissions => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children_2,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}],
+      engine.obligations(:test, :context => :permission_children_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+
   def test_obligations_with_permissions_multiple
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
@@ -501,17 +551,43 @@ class AuthorizationTest < Test::Unit::TestCase
       end
     |
     engine = Authorization::Engine.new(reader)
-    attr_1_struct = Struct.new(:test_attr_2)
     assert engine.permit?(:test, :context => :permissions,
               :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr_1 => attr_1_struct.new([1,2])))
+              :object => MockDataObject.new(:test_attr_1 =>
+                    MockDataObject.new(:test_attr_2 => [1,2])))
     assert !engine.permit?(:test, :context => :permissions,
               :user => MockUser.new(:test_role),
-              :object => MockDataObject.new(:test_attr_1 => attr_1_struct.new([3,4])))
+              :object => MockDataObject.new(:test_attr_1 =>
+                    MockDataObject.new(:test_attr_2 => [3,4])))
     assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}], 
       engine.obligations(:test, :context => :permissions, 
           :user => MockUser.new(:test_role))
   end
+
+  def test_attribute_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :branches => {:city => is { user.city } }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+
+    company = MockDataObject.new(:branches => [
+        MockDataObject.new(:city => 'Barcelona'),
+        MockDataObject.new(:city => 'Paris')
+      ])
+    assert engine.permit!(:read, :context => :companies,
+              :user => MockUser.new(:test_role, :city => 'Paris'),
+              :object => company)
+    assert !engine.permit?(:read, :context => :companies,
+              :user => MockUser.new(:test_role, :city => 'London'),
+              :object => company)
+  end
   
   def test_attribute_non_block
     reader = Authorization::Reader::DSLReader.new
@@ -585,6 +661,32 @@ class AuthorizationTest < Test::Unit::TestCase
               :object => MockDataObject.new(:permission => perm_data_attr_2))
   end
 
+  def test_attribute_with_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permissions => [perm_data_attr_1]))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permissions => [perm_data_attr_2]))
+  end
+
   def test_attribute_with_deep_permissions
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
@@ -613,6 +715,34 @@ class AuthorizationTest < Test::Unit::TestCase
                 MockDataObject.new(:permission => perm_data_attr_2)))
   end
 
+  def test_attribute_with_deep_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :shallow_permissions => :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permissions =>
+                [MockDataObject.new(:permission => perm_data_attr_1)]))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permissions =>
+                [MockDataObject.new(:permission => perm_data_attr_2)]))
+  end
+
   def test_attribute_with_permissions_nil
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{

data/test/controller_test.rb

@@ -254,6 +254,13 @@ class LoadObjectControllerTest < ActionController::TestCase
     assert_raise RuntimeError, "No id param supplied" do
       request!(MockUser.new(:test_role), "show", reader)
     end
+    
+    Authorization::AuthorizationInController.failed_auto_loading_is_not_found = false
+    assert_nothing_raised "Load error is only logged" do
+      request!(MockUser.new(:test_role), "show", reader)
+    end
+    assert !@controller.authorized?
+    Authorization::AuthorizationInController.failed_auto_loading_is_not_found = true
   end
   
   def test_filter_access_with_object_load_custom
@@ -384,3 +391,74 @@ class HierachicalControllerTest < ActionController::TestCase
     assert !@controller.authorized?
   end
 end
+
+##################
+module Name
+  class SpacedThingsController < MocksController
+    filter_access_to :show
+    filter_access_to :update, :context => :spaced_things
+    define_action_methods :show, :update
+  end
+end
+class NameSpacedControllerTest < ActionController::TestCase
+  tests Name::SpacedThingsController
+  def test_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :permitted_role do
+          has_permission_on :name_spaced_things, :to => :show
+          has_permission_on :spaced_things, :to => :update
+        end
+        role :prohibited_role do
+          has_permission_on :name_spaced_things, :to => :update
+          has_permission_on :spaced_things, :to => :show
+        end
+      end
+    }
+    request!(MockUser.new(:permitted_role), "show", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:prohibited_role), "show", reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:permitted_role), "update", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:prohibited_role), "update", reader)
+    assert !@controller.authorized?
+  end
+end
+
+module Deep
+  module NameSpaced
+    class ThingsController < MocksController
+      filter_access_to :show
+      filter_access_to :update, :context => :things
+      define_action_methods :show, :update
+    end
+  end
+end
+class DeepNameSpacedControllerTest < ActionController::TestCase
+  tests Deep::NameSpaced::ThingsController
+  def test_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :permitted_role do
+          has_permission_on :deep_name_spaced_things, :to => :show
+          has_permission_on :things, :to => :update
+        end
+        role :prohibited_role do
+          has_permission_on :deep_name_spaced_things, :to => :update
+          has_permission_on :things, :to => :show
+        end
+      end
+    }
+    request!(MockUser.new(:permitted_role), "show", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:prohibited_role), "show", reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:permitted_role), "update", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:prohibited_role), "update", reader)
+    assert !@controller.authorized?
+  end
+end

data/test/model_test.rb

@@ -15,6 +15,7 @@ end
 
 class TestModel < ActiveRecord::Base
   has_many :test_attrs
+  has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
   has_many :test_attr_throughs, :through => :test_attrs
   has_many :test_attrs_with_attr, :class_name => "TestAttr", :conditions => {:attr => 1}
   has_many :test_attr_throughs_with_attr, :through => :test_attrs, 
@@ -148,6 +149,66 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
     TestModel.delete_all
   end
+
+  def test_named_scope_with_nested_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    allowed_company = Company.create!
+    allowed_company.branches.create!.test_attrs.create!(:attr => 1)
+    allowed_company.branches.create!.test_attrs.create!(:attr => 2)
+
+    prohibited_company = Company.create!
+    prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
+
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
+
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+
+  def test_named_scope_with_nested_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    allowed_model = TestModel.create!
+    allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+    allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+
+    prohibited_model = TestModel.create!
+    prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
+
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
+
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+  end
   
   def test_named_scope_with_is
     reader = Authorization::Reader::DSLReader.new
@@ -831,6 +892,7 @@ class ModelTest < Test::Unit::TestCase
            
     TestModel.delete_all
     TestAttr.delete_all
+    TestAttrThrough.delete_all
   end
   
   def test_named_scope_with_is_in
@@ -912,6 +974,131 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
+  def test_named_scope_with_if_permitted_to_with_no_child_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :another_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+        role :additional_if_attribute do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+            if_attribute :test_model => {:test_attrs => contains { user }}
+          end
+        end
+        role :only_permitted_to do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+
+    user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
+    also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
+
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
+    assert_raise Authorization::NotAuthorized do
+      TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
+    end
+    
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+
+  def test_named_scope_with_if_permitted_to_with_context_from_model
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_another_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_another_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_another_attrs.create!
+
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:test_role, :id => 111)
+
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+
+  def test_named_scope_with_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_permitted_to :read, :test_attrs
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => is { user.id }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
+
+    user = MockUser.new(:test_role, :id => test_attr_1.attr)
+    non_allowed_user = MockUser.new(:test_role, :id => 333)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+
+  def test_named_scope_with_deep_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :branches, :to => :read do
+            if_attribute :name => "A Branch"
+          end
+          has_permission_on :companies, :to => :read do
+            if_permitted_to :read, :test_attrs => :branch
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    readable_company = Company.create!
+    readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
+
+    forbidden_company = Company.create!
+    forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
+
+    user = MockUser.new(:test_role)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+
   def test_named_scope_with_if_permitted_to_and_empty_obligations
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: declarative_authorization
 version: !ruby/object:Gem::Version 
-  version: 0.3.2.3
+  version: "0.4"
 platform: ruby
 authors: 
 - Steffen Bartsch
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-10-12 00:00:00 +02:00
+date: 2009-11-15 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency