declarative_authorization 0.4 → 0.4.1

data/CHANGELOG

@@ -1,3 +1,7 @@
+* Support shallow nested resources [jjb]
+
+* Allow multiple authorization rules files [kaichen]
+
 ** RELEASE 0.4 (November 15, 2009) **
 
 * Implemented controller namespace handling [sb]

data/README.rdoc

@@ -1,23 +1,18 @@
 = Declarative Authorization
 
 The declarative authorization plugin offers an authorization mechanism inspired 
-by _RBAC_.  The most notable distinction to existing authorization plugins is the 
-declarative authorization approach.  That is, authorization rules are not 
+by _RBAC_.  The most notable distinction to other authorization plugins is the
+declarative approach.  That is, authorization rules are not defined
 programmatically in between business logic but in an authorization configuration.
 
-Currently, Rails authorization plugins only provide for programmatic 
-authorization rules.  That is, the developer needs to specify which roles are 
+With programmatic authorization rules, the developer needs to specify which roles are
 allowed to access a specific controller action or a part of a view, which is
-not DRY.  With a growing application code base and functions, as it happens 
-especially in agile development processes, it may be decided to introduce new 
-roles.  Then, at several places of the source code the new group needs to be 
-added, possibly leading to omissions and thus hard to test errors.  Another 
-aspect are changing authorization requirements in development or
-even after taking the application into production.  Then, privileges of
-certain roles need to be easily adjusted when the original assumptions
-concerning access control prove unrealistic.  In these situations, a
-declarative approach as offered by this plugin increases the development
-and maintenance efficiency.
+not DRY.  With a growing application code base roles' permissions often
+change and new roles are introduced. Then, at several places of the source code
+the changes have to be implemented, possibly leading to omissions and thus hard
+to find errors.  In these cases, a declarative approach as offered by decl_auth
+increases the development and maintenance efficiency.
+
 
 Plugin features
 * Authorization at controller action level
@@ -37,6 +32,10 @@ Requirements
 See below for installation instructions.
 
 
+There is a decl_auth screencast by Ryan Bates, nicely introducing the main concepts:
+http://railscasts.com/episodes/188-declarative-authorization
+
+
 = Authorization Data Model
 
  ----- App domain ----|-------- Authorization conf ---------|------- App domain ------
@@ -75,7 +74,7 @@ A fully functional example application can be found at
 http://github.com/stffn/decl_auth_demo_app
 
 Details on the demonstrated methods can be found in the API docs, either
-generated yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
+generated by yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
 
 == Controller
 
@@ -219,7 +218,7 @@ As access control on read are costly, with possibly lots of objects being
 loaded at a time in one query, checks on read need to be actived explicitly by
 adding the :include_read option.
 
-=== Query rewriting using named scopes
+=== Query rewriting through named scopes
 When retrieving large sets of records from databases, any authorization needs
 to be integrated into the query in order to prevent inefficient filtering
 afterwards and to use LIMIT and OFFSET in SQL statements.  To keep authorization
@@ -242,7 +241,8 @@ the conditions for manual rewrites.
 
 == Authorization Rules
 
-Authorization rules are defined in config/authorization_rules.rb.  E.g.
+Authorization rules are defined in config/authorization_rules.rb
+(Or redefine rules files path via +Authorization::AUTH_RULE_FILES+).  E.g.
 
     authorization do
       role :admin do
@@ -324,8 +324,7 @@ authorization in mind.
 
 In your test_helper.rb, to enable the helpers add
 
-    require File.expand_path(File.dirname(__FILE__) +
-        "/../vendor/plugins/declarative_authorization/lib/maintenance")
+    require 'declarative_authorization/maintenance'
 
     class Test::Unit::TestCase
       include Authorization::TestHelper
@@ -451,7 +450,7 @@ All bang methods throw exceptions which may be used to retrieve more
 information about a denied access than a Boolean value.
 
 
-== Authorization Browser
+== Authorization Development Support
 
 If your authorization rules become more complex, you might be glad to use
 the authorization rules browser that comes with declarative_authorization.
@@ -468,7 +467,9 @@ Then, point your browser to
 
 The browser needs Rails 2.3 (for Engine support).  The graphical view requires 
 Graphviz (which e.g. can be installed through the graphviz package under Debian 
-and Ubuntu) and has only been tested under Linux.
+and Ubuntu) and has only been tested under Linux.  Note: for Change Support
+you'll need to have a User#login method that returns a non-ambiguous user
+name for identification.
 
 
 = Help and Contact
@@ -489,18 +490,10 @@ sbartsch at tzi.org
 
 = Contributors
 
-Thanks to
-* Eike Carls
-* Erik Dahlstrand
-* Jeroen van Dijk
-* Jeremy Friesen
-* Brian Langenfeld
-* Georg Ledermann
-* Geoff Longman
-* Olly Lylo
-* Mark Mansour
-* Thomas Maurer
-* Mike Vincent
+Thanks to John Joseph Bachir, Eike Carls, Kai Chen, Erik Dahlstrand,
+Jeroen van Dijk, Sebastian Dyck, Jeremy Friesen, Daniel Kristensen, Brian Langenfeld,
+Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer,
+Mike Vincent
 
 
 = Licence

data/app/controllers/authorization_rules_controller.rb

@@ -37,7 +37,7 @@ class AuthorizationRulesController < ApplicationController
     @privileges = authorization_engine.auth_rules.collect {|rule| rule.privileges.to_a}.flatten.uniq
     @privileges = @privileges.collect do |priv|
       priv = Authorization::DevelopmentSupport::AnalyzerEngine::Privilege.for_sym(priv, authorization_engine)
-      (priv.descendants + priv.ancestors).map(&:to_sym)
+      ([priv] + priv.descendants + priv.ancestors).map(&:to_sym)
     end.flatten.uniq
     @privileges.sort_by {|priv| priv.to_s}
     @privilege = params[:privilege].to_sym rescue @privileges.first

data/lib/declarative_authorization/authorization.rb

@@ -20,7 +20,7 @@ module Authorization
   # The exception is raised to ensure that the entire rule is invalidated.
   class NilAttributeValueError < AuthorizationError; end
   
-  AUTH_DSL_FILE = "#{RAILS_ROOT}/config/authorization_rules.rb"
+  AUTH_DSL_FILES = ["#{RAILS_ROOT}/config/authorization_rules.rb"] unless defined? AUTH_DSL_FILES
   
   # Controller-independent method for retrieving the current user.
   # Needed for model security where the current controller is not available.
@@ -62,12 +62,12 @@ module Authorization
       :rev_role_hierarchy
     
     # If +reader+ is not given, a new one is created with the default
-    # authorization configuration of +AUTH_DSL_FILE+.  If given, may be either
+    # authorization configuration of +AUTH_DSL_FILES+.  If given, may be either
     # a Reader object or a path to a configuration file.
     def initialize (reader = nil)
       if reader.nil?
         begin
-          reader = Reader::DSLReader.load(AUTH_DSL_FILE)
+          reader = Reader::DSLReader.load(AUTH_DSL_FILES)
         rescue SystemCallError
           reader = Reader::DSLReader.new
         end
@@ -309,18 +309,8 @@ module Authorization
     # Returns the privilege hierarchy flattened for given privileges in context.
     def flatten_privileges (privileges, context = nil)
       # TODO caching?
-      #if context.nil?
-      #  context = privileges.collect { |p| p.to_s.split('_') }.
-      #                       reject { |p_p| p_p.length < 2 }.
-      #                       collect { |p_p| (p_p[1..-1] * '_').to_sym }.first
-      #  raise AuthorizationUsageError, "No context given or inferable from privileges #{privileges.inspect}" unless context
-      #end
       raise AuthorizationUsageError, "No context given or inferable from object" unless context
-      #context_regex = Regexp.new "_#{context}$"
-      # TODO work with contextless privileges
-      #flattened_privileges = privileges.collect {|p| p.to_s.sub(context_regex, '')}
-      flattened_privileges = privileges.clone #collect {|p| p.to_s.end_with?(context.to_s) ?
-                                              #       p : [p, "#{p}_#{context}".to_sym] }.flatten
+      flattened_privileges = privileges.clone
       flattened_privileges.each do |priv|
         flattened_privileges.concat(@rev_priv_hierarchy[[priv, nil]]).uniq! if @rev_priv_hierarchy[[priv, nil]]
         flattened_privileges.concat(@rev_priv_hierarchy[[priv, context]]).uniq! if @rev_priv_hierarchy[[priv, context]]
@@ -427,12 +417,11 @@ module Authorization
       (hash || @conditions_hash).all? do |attr, value|
         attr_value = object_attribute_value(object, attr)
         if value.is_a?(Hash)
-          case attr_value
-          when Enumerable
+          if attr_value.is_a?(Enumerable)
             attr_value.any? do |inner_value|
               validate?(attr_validator, inner_value, value)
             end
-          when nil
+          elsif attr_value == nil
             raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
           else
             validate?(attr_validator, attr_value, value)
@@ -588,10 +577,9 @@ module Authorization
       when Hash
         hash_or_attr.all? do |attr, sub_hash|
           attr_value = object_attribute_value(object, attr)
-          case attr_value
-          when nil
+          if attr_value == nil
             raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
-          when Enumerable
+          elsif attr_value.is_a?(Enumerable)
             attr_value.any? do |inner_value|
               validate?(attr_validator, inner_value, sub_hash)
             end
@@ -614,7 +602,11 @@ module Authorization
         @context ||= begin
           rule_model = attr_validator.context.to_s.classify.constantize
           context_reflection = self.class.reflection_for_path(rule_model, path + [hash_or_attr])
-          context_reflection.klass.table_name.to_sym
+          if context_reflection.klass.respond_to?(:decl_auth_context)
+            context_reflection.klass.decl_auth_context
+          else
+            context_reflection.klass.name.tableize.to_sym
+          end
         rescue # missing model, reflections
           hash_or_attr.to_s.pluralize.to_sym
         end

data/lib/declarative_authorization/in_controller.rb

@@ -416,6 +416,12 @@ module Authorization
       #   one.  This is used to automatically load the parent object, e.g.
       #   @+company+ from params[:company_id] for a BranchController nested in
       #   a CompanyController.
+      # [:+shallow+]
+      #   Only relevant when used in conjunction with +nested_in+. Specifies a nested resource
+      #   as being a shallow nested resource, resulting in the controller not attempting to
+      #   load a parent object for all member actions defined by +member+ and
+      #   +additional_member+ or rather the default member actions (:+show+, :+edit+,
+      #   :+update+, :+destroy+).
       # [:+no_attribute_check+]
       #   Allows to set actions for which no attribute check should be perfomed.
       #   See filter_access_to on details.  By default, with no +nested_in+,
@@ -448,10 +454,11 @@ module Authorization
         options[:no_attribute_check] ||= collections.keys unless options[:nested_in]
 
         unless options[:nested_in].blank?
-          load_method = :"load_#{options[:nested_in].to_s.singularize}"
-          before_filter do |controller|
-            if controller.respond_to?(load_method)
-              controller.send(load_method)
+          load_parent_method = :"load_#{options[:nested_in].to_s.singularize}"
+          shallow_exceptions = options[:shallow] ? {:except => members.keys} : {}
+          before_filter shallow_exceptions do |controller|
+            if controller.respond_to?(load_parent_method)
+              controller.send(load_parent_method)
             else
               controller.send(:load_parent_controller_object, options[:nested_in])
             end

data/lib/declarative_authorization/maintenance.rb

@@ -132,6 +132,11 @@ module Authorization
   #      ...
   #    end
   #  end
+  #
+  # Note: get_with etc. do two things to set the user for the request:
+  # Authorization.current_user is set and session[:user], session[:user_id]
+  # are set appropriately.  If you determine the current user in a different
+  # way, these methods might not work for you.
   module TestHelper
     include Authorization::Maintenance
     

data/lib/declarative_authorization/obligation_scope.rb

@@ -151,7 +151,7 @@ module Authorization
       map_table_alias_for( path )  # Claim a table alias for the path.
 
       # Claim alias for join table
-      if reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
+      if !reflection.respond_to?(:proxy_scope) and reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
         join_table_path = path[0..-2] + [reflection.options[:through]]
         reflection_for(join_table_path, true)
       end

data/lib/declarative_authorization/reader.rb

@@ -66,10 +66,13 @@ module Authorization
       end
 
       # Loads and parses a DSL from the given file name.
-      def self.load (dsl_file)
+      def self.load (dsl_files)
         # TODO cache reader in production mode?
         reader = new
-        reader.parse(File.read(dsl_file), dsl_file)
+        dsl_files = [dsl_files].flatten
+        dsl_files.each do |file|
+          reader.parse(File.read(file), file) if File.exist?(file)
+        end
         reader
       end
 

data/test/controller_filter_resource_access_test.rb

@@ -81,6 +81,19 @@ class NestedResource < MockDataObject
     "NestedResource"
   end
 end
+
+class ShallowNestedResource < MockDataObject
+  def initialize (attributes = {})
+    if attributes[:id]
+      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+    end
+    super(attributes)
+  end
+  def self.name
+    "ShallowNestedResource"
+  end
+end
+
 class ParentMock < MockDataObject
   def nested_resources
     Class.new do
@@ -93,6 +106,8 @@ class ParentMock < MockDataObject
     end.new(self)
   end
 
+  alias :shallow_nested_resources :nested_resources
+
   def == (other)
     id == other.id
   end
@@ -100,6 +115,7 @@ class ParentMock < MockDataObject
     "ParentMock"
   end
 end
+
 class NestedResourcesController < MocksController
   filter_resource_access :nested_in => :parent_mocks
   define_resource_actions
@@ -171,6 +187,107 @@ class NestedResourcesControllerTest < ActionController::TestCase
   end
 end
 
+class ShallowNestedResourcesController < MocksController
+  filter_resource_access :nested_in => :parent_mocks,
+                         :shallow => true,
+                         :additional_member => :additional_member_action
+  define_resource_actions
+  define_action_methods :additional_member_action
+end
+class ShallowNestedResourcesControllerTest < ActionController::TestCase
+  def test_nested_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :index do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "2",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert assigns(:parent_mock)
+    assert @controller.authorized?
+  end
+
+  def test_nested_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :show do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+
+  def test_nested_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :new do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :parent_mock_id => "2",
+        :shallow_nested_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :parent_mock_id => "1",
+        :shallow_nested_resource => {:id => "1"},
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+
+  def test_nested_filter_additional_member_action_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :additional_member_action do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :additional_member_action, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :additional_member_action, reader, :id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+end
+
 
 class CustomMembersCollectionsResourceController < MocksController
   def self.controller_name

data/test/model_test.rb

@@ -40,6 +40,14 @@ class TestModel < ActiveRecord::Base
       :through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
       :source => :n_way_join_item
   end
+
+  # for checking for unnecessary queries
+  mattr_accessor :query_count
+  def self.find(*args)
+    self.query_count ||= 0
+    self.query_count += 1
+    super(*args)
+  end
 end
 
 class NWayJoinItem < ActiveRecord::Base
@@ -97,8 +105,8 @@ class Country < ActiveRecord::Base
   has_many :companies
 end
 
-class ModelTest < Test::Unit::TestCase
-  def test_named_scope_multiple_deep_ored_belongs_to
+class NamedScopeModelTest < Test::Unit::TestCase
+  def test_multiple_deep_ored_belongs_to
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -111,19 +119,19 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-  
+
     test_model_1 = TestModel.create!
     test_model_2 = TestModel.create!
     test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
                       :test_another_model_id => test_model_2.id
-  
+
     user = MockUser.new(:test_role, :id => test_attr_1)
     assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
     TestAttr.delete_all
     TestModel.delete_all
   end
-  
-  def test_named_scope_with_belongs_to_and_has_many_with_contains
+
+  def test_with_belongs_to_and_has_many_with_contains
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -135,11 +143,11 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_attr_1 = TestAttr.create!
     test_model_1 = TestModel.create!
     test_model_1.test_attrs.create!
-    
+
     user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
     assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
     assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
@@ -150,7 +158,7 @@ class ModelTest < Test::Unit::TestCase
     TestModel.delete_all
   end
 
-  def test_named_scope_with_nested_has_many
+  def test_with_nested_has_many
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -180,7 +188,7 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_nested_has_many_through
+  def test_with_nested_has_many_through
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -209,8 +217,8 @@ class ModelTest < Test::Unit::TestCase
     TestAttrThrough.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_is
+
+  def test_with_is
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -222,12 +230,12 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     TestModel.create!
-    
+
     user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, 
+    assert_equal 1, TestModel.with_permissions_to(:read,
       :context => :test_models, :user => user).length
     assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
     assert_raise Authorization::NotAuthorized do
@@ -278,12 +286,23 @@ class ModelTest < Test::Unit::TestCase
     TestModel.create!(:country_id => 2, :content => "Content")
 
     user = MockUser.new(:test_role)
+
+    TestModel.query_count = 0
     assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count
+
+    TestModel.query_count = 0
     assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count
+
+    TestModel.query_count = 0
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).with_content.length
+    assert_equal 1, TestModel.query_count
+
     TestModel.delete_all
   end
 
-  def test_named_scope_with_modified_context
+  def test_with_modified_context
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -304,7 +323,7 @@ class ModelTest < Test::Unit::TestCase
     SmallCompany.delete_all
   end
 
-  def test_named_scope_with_is_nil
+  def test_with_is_nil
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -332,7 +351,7 @@ class ModelTest < Test::Unit::TestCase
     TestModel.delete_all
   end
 
-  def test_named_scope_with_not_is
+  def test_with_not_is
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -352,8 +371,8 @@ class ModelTest < Test::Unit::TestCase
     assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
     TestModel.delete_all
   end
-  
-  def test_named_scope_with_empty_obligations
+
+  def test_with_empty_obligations
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -363,9 +382,9 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     TestModel.create!
-    
+
     user = MockUser.new(:test_role)
     assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
     assert_raise Authorization::NotAuthorized do
@@ -373,8 +392,8 @@ class ModelTest < Test::Unit::TestCase
     end
     TestModel.delete_all
   end
-  
-  def test_named_scope_multiple_obligations
+
+  def test_multiple_obligations
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -389,17 +408,17 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_2 = TestModel.create!
-    
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id, 
+
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
                         :test_attr_value_2 => test_model_2.id)
     assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
     TestModel.delete_all
   end
 
-  def test_named_scope_multiple_roles
+  def test_multiple_roles
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -426,8 +445,8 @@ class ModelTest < Test::Unit::TestCase
     assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
     TestAttr.delete_all
   end
-  
-  def test_named_scope_multiple_and_empty_obligations
+
+  def test_multiple_and_empty_obligations
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -440,16 +459,16 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     TestModel.create!
-    
+
     user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
     assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
     TestModel.delete_all
   end
-  
-  def test_named_scope_multiple_attributes
+
+  def test_multiple_attributes
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -461,17 +480,17 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create! :content => 'bla'
     TestModel.create! :content => 'bla'
     TestModel.create!
-    
+
     user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
     assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
     TestModel.delete_all
   end
 
-  def test_named_scope_multiple_belongs_to
+  def test_multiple_belongs_to
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -491,8 +510,8 @@ class ModelTest < Test::Unit::TestCase
     assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_is_and_priv_hierarchy
+
+  def test_with_is_and_priv_hierarchy
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       privileges do
@@ -509,19 +528,19 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     TestModel.create!
-    
+
     user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:list, 
+    assert_equal 1, TestModel.with_permissions_to(:list,
       :context => :test_models, :user => user).length
     assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
-    
+
     TestModel.delete_all
   end
-  
-  def test_named_scope_with_is_and_belongs_to
+
+  def test_with_is_and_belongs_to
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -533,20 +552,20 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_1.test_attrs.create!
     TestModel.create!.test_attrs.create!
-    
+
     user = MockUser.new(:test_role, :test_model => test_model_1)
-    assert_equal 1, TestAttr.with_permissions_to(:read, 
+    assert_equal 1, TestAttr.with_permissions_to(:read,
       :context => :test_attrs, :user => user).length
-    
+
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_deep_attribute
+
+  def test_with_deep_attribute
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -558,20 +577,20 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_1.test_attrs.create!
     TestModel.create!.test_attrs.create!
-    
+
     user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
-    assert_equal 1, TestAttr.with_permissions_to(:read, 
+    assert_equal 1, TestAttr.with_permissions_to(:read,
       :context => :test_attrs, :user => user).length
-    
+
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_anded_rules
+
+  def test_with_anded_rules
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -584,21 +603,21 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_1.test_attrs.create!(:attr => 1)
     TestModel.create!.test_attrs.create!(:attr => 1)
     TestModel.create!.test_attrs.create!
-    
+
     user = MockUser.new(:test_role, :test_model => test_model_1)
-    assert_equal 1, TestAttr.with_permissions_to(:read, 
+    assert_equal 1, TestAttr.with_permissions_to(:read,
       :context => :test_attrs, :user => user).length
-    
+
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_contains
+
+  def test_with_contains
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -610,23 +629,23 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_2 = TestModel.create!
     test_model_1.test_attrs.create!
     test_model_1.test_attrs.create!
     test_model_2.test_attrs.create!
-    
+
     user = MockUser.new(:test_role,
                         :id => test_model_1.test_attrs.first.id)
     assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
     assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id}).length
-    
+
     TestModel.delete_all
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_does_not_contain
+  def test_with_does_not_contain
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -651,8 +670,8 @@ class ModelTest < Test::Unit::TestCase
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_contains_conditions
+
+  def test_with_contains_conditions
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -664,14 +683,14 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_2 = TestModel.create!
     test_model_1.test_attrs_with_attr.create!
     test_model_1.test_attrs.create!(:attr => 2)
     test_model_2.test_attrs_with_attr.create!
     test_model_2.test_attrs.create!(:attr => 2)
-    
+
     #assert_equal 1, test_model_1.test_attrs_with_attr.length
     user = MockUser.new(:test_role,
                         :id => test_model_1.test_attrs.first.id)
@@ -679,12 +698,12 @@ class ModelTest < Test::Unit::TestCase
     user = MockUser.new(:test_role,
                         :id => test_model_1.test_attrs.last.id)
     assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
-        
+
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_contains_through_conditions
+
+  def test_with_contains_through_conditions
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -696,14 +715,14 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_2 = TestModel.create!
     test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
     test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
     test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
     test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
-    
+
     #assert_equal 1, test_model_1.test_attrs_with_attr.length
     user = MockUser.new(:test_role,
                         :id => test_model_1.test_attr_throughs.first.id)
@@ -717,7 +736,7 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_contains_habtm
+  def test_with_contains_habtm
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -746,10 +765,10 @@ class ModelTest < Test::Unit::TestCase
     TestAttrThrough.delete_all
     TestAttr.delete_all
   end
-  
+
   # take this out for Rails prior to 2.2
   if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
-    def test_named_scope_with_contains_through_primary_key
+    def test_with_contains_through_primary_key
       reader = Authorization::Reader::DSLReader.new
       reader.parse %{
         authorization do
@@ -761,7 +780,7 @@ class ModelTest < Test::Unit::TestCase
         end
       }
       Authorization::Engine.instance(reader)
-      
+
       test_attr_through_1 = TestAttrThrough.create!
       test_item = NWayJoinItem.create!
       test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
@@ -771,14 +790,14 @@ class ModelTest < Test::Unit::TestCase
       user = MockUser.new(:test_role,
                           :id => test_attr_through_1.id)
       assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-             
+
       TestModel.delete_all
       TestAttrThrough.delete_all
       TestAttr.delete_all
     end
   end
 
-  def test_named_scope_with_intersects_with
+  def test_with_intersects_with
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -809,8 +828,8 @@ class ModelTest < Test::Unit::TestCase
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_is_and_has_one
+
+  def test_with_is_and_has_one
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do :test_attr_has_one
@@ -822,47 +841,20 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_attr_1 = test_model_1.test_attrs.create!
     TestModel.create!.test_attrs.create!
-    
+
     user = MockUser.new(:test_role, :test_attr => test_attr_1)
-    assert_equal 1, TestModel.with_permissions_to(:read, 
+    assert_equal 1, TestModel.with_permissions_to(:read,
       :context => :test_models, :user => user).length
-    
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  
-  def test_permit_with_has_one_raises_no_name_error
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do :test_attr_has_one
-        role :test_role do
-          has_permission_on :test_attrs, :to => :update do
-            if_attribute :id => is { user.test_attr.id }
-          end
-        end
-      end
-    }
-    instance = Authorization::Engine.instance(reader)
-    
-    test_model = TestModel.create!
-    test_attr = test_model.create_test_attr_has_one
-    assert !test_attr.new_record?
-    
-    user = MockUser.new(:test_role, :test_attr => test_attr)
-    
-    assert_nothing_raised do
-      assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one) 
-    end
-    
+
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_is_and_has_one_through_conditions
+
+  def test_with_is_and_has_one_through_conditions
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -874,14 +866,14 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_2 = TestModel.create!
     test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
     test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
     test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
     test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
-    
+
     #assert_equal 1, test_model_1.test_attrs_with_attr.length
     user = MockUser.new(:test_role,
                         :id => test_model_1.test_attr_throughs.first.id)
@@ -889,13 +881,13 @@ class ModelTest < Test::Unit::TestCase
     user = MockUser.new(:test_role,
                         :id => test_model_1.test_attr_throughs.last.id)
     assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
-           
+
     TestModel.delete_all
     TestAttr.delete_all
     TestAttrThrough.delete_all
   end
-  
-  def test_named_scope_with_is_in
+
+  def test_with_is_in
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -907,22 +899,22 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_model_2 = TestModel.create!
     test_model_1.test_attrs.create!
     TestModel.create!.test_attrs.create!
-    
+
     user = MockUser.new(:test_role, :test_model => test_model_1,
       :test_model_2 => test_model_2)
-    assert_equal 1, TestAttr.with_permissions_to(:read, 
+    assert_equal 1, TestAttr.with_permissions_to(:read,
       :context => :test_attrs, :user => user).length
-    
+
     TestModel.delete_all
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_not_is_in
+  def test_with_not_is_in
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -948,8 +940,8 @@ class ModelTest < Test::Unit::TestCase
     TestModel.delete_all
     TestAttr.delete_all
   end
-  
-  def test_named_scope_with_if_permitted_to
+
+  def test_with_if_permitted_to
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -964,17 +956,17 @@ class ModelTest < Test::Unit::TestCase
       end
     }
     Authorization::Engine.instance(reader)
-    
+
     test_model_1 = TestModel.create!
     test_attr_1 = test_model_1.test_attrs.create!
-    
+
     user = MockUser.new(:test_role, :id => test_attr_1.id)
     assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
     TestModel.delete_all
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_if_permitted_to_with_no_child_permissions
+  def test_with_if_permitted_to_with_no_child_permissions
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -1010,12 +1002,12 @@ class ModelTest < Test::Unit::TestCase
     assert_raise Authorization::NotAuthorized do
       TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
     end
-    
+
     TestModel.delete_all
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_if_permitted_to_with_context_from_model
+  def test_with_if_permitted_to_with_context_from_model
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -1043,7 +1035,7 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_has_many_if_permitted_to
+  def test_with_has_many_if_permitted_to
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -1070,7 +1062,7 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_deep_has_many_if_permitted_to
+  def test_with_deep_has_many_if_permitted_to
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -1099,7 +1091,7 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_if_permitted_to_and_empty_obligations
+  def test_with_if_permitted_to_and_empty_obligations
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -1122,7 +1114,7 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_if_permitted_to_nil
+  def test_with_if_permitted_to_nil
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -1145,7 +1137,7 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
-  def test_named_scope_with_if_permitted_to_self
+  def test_with_if_permitted_to_self
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
@@ -1170,265 +1162,449 @@ class ModelTest < Test::Unit::TestCase
     TestAttr.delete_all
     TestModel.delete_all
   end
-  
-  def test_model_security
+
+  def test_with_has_many_and_reoccuring_tables
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
-        role :test_role_unrestricted do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-          end
-        end
         role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :attr => is { 1 }
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
           end
         end
-        role :test_role_restricted do
-        end
       end
     }
     Authorization::Engine.instance(reader)
-    
-    Authorization.current_user = MockUser.new(:test_role)
-    assert(object = TestModelSecurityModel.create)
-    Authorization.current_user = MockUser.new(:test_role_restricted)
-    assert_raise Authorization::NotAuthorized do
-      object.update_attributes(:attr_2 => 2)
-    end
-    Authorization.current_user = MockUser.new(:test_role)
-    assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
-    object.reload
-    assert_equal 2, object.attr_2 
-    object.destroy
-    assert_raise ActiveRecord::RecordNotFound do
-      TestModelSecurityModel.find(object.id)
-    end
-    
-    assert_raise Authorization::AttributeAuthorizationError do
-      TestModelSecurityModel.create :attr => 2
-    end
-    object = TestModelSecurityModel.create
-    assert_raise Authorization::AttributeAuthorizationError do
-      object.update_attributes(:attr => 2)
-    end
-    Authorization.current_user = MockUser.new(:test_role_unrestricted)
-    object = TestModelSecurityModel.create :attr => 2
-    object_with_find = TestModelSecurityModelWithFind.create :attr => 2
-    Authorization.current_user = MockUser.new(:test_role)
-    assert_nothing_raised do
-      object.class.find(object.id)
-    end
-    assert_raise Authorization::AttributeAuthorizationError do
-      object_with_find.class.find(object_with_find.id)
-    end
-    assert_raise Authorization::AttributeAuthorizationError do
-      object.update_attributes(:attr_2 => 2)
-    end
-    # TODO test this:
-    #assert_raise Authorization::AuthorizationError do
-    #  object.update_attributes(:attr => 1)
-    #end
-    assert_raise Authorization::AttributeAuthorizationError do
-      object.destroy
-    end
-    
-    Authorization.current_user = MockUser.new(:test_role_2)
-    assert_raise Authorization::NotAuthorized do
-      TestModelSecurityModel.create
-    end
+
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
   end
-  
-  def test_model_security_with_assoc
+
+  def test_with_ored_rules_and_reoccuring_tables
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
         role :test_role do
-          has_permission_on :test_model_security_models do
-            to :create, :update, :delete
-            if_attribute :test_attrs => contains { user }
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_2_2' },
+                :test_model => { :test_attrs => contains {user.test_attr} }
           end
         end
       end
     }
     Authorization::Engine.instance(reader)
+
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+    test_attr_2.test_model.test_attrs.create!
+
+    user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+
+  def test_with_many_ored_rules_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :branch => { :company => { :country => {
+                :test_models => contains { user.test_model }
+              }} }
+            if_attribute :company => { :country => {
+                :test_models => contains { user.test_model }
+              }}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    country = Country.create!(:name => 'country_1')
+    country.test_models.create!
+    test_attr_1 = TestAttr.create!(
+        :branch => Branch.create!(:name => 'branch_1',
+            :company => Company.create!(:name => 'company_1',
+                :country => country))
+      )
+    test_attr_2 = TestAttr.create!(
+        :company => Company.create!(:name => 'company_2',
+            :country => country)
+      )
+
+    user = MockUser.new(:test_role, :test_model => country.test_models.first)
+
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+end
+
+class ModelTest < Test::Unit::TestCase
+  def test_permit_with_has_one_raises_no_name_error
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do :test_attr_has_one
+        role :test_role do
+          has_permission_on :test_attrs, :to => :update do
+            if_attribute :id => is { user.test_attr.id }
+          end
+        end
+      end
+    }
+    instance = Authorization::Engine.instance(reader)
+    
+    test_model = TestModel.create!
+    test_attr = test_model.create_test_attr_has_one
+    assert !test_attr.new_record?
+    
+    user = MockUser.new(:test_role, :test_attr => test_attr)
     
-    test_attr = TestAttr.create
-    test_attr.role_symbols << :test_role
-    Authorization.current_user = test_attr
-    assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
     assert_nothing_raised do
-      object.update_attributes(:attr_2 => 2)
+      assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one) 
     end
+    
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+
+  def test_model_security_write_allowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+
+    assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
     object.reload
-    assert_equal 2, object.attr_2 
+    assert_equal 2, object.attr_2
     object.destroy
     assert_raise ActiveRecord::RecordNotFound do
       TestModelSecurityModel.find(object.id)
     end
   end
 
-  def test_using_access_control
-    assert !TestModel.using_access_control?
-    assert TestModelSecurityModel.using_access_control?
-  end
+  def test_model_security_write_not_allowed_no_privilege
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+        role :test_role_restricted do
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
 
-  def test_authorization_permit_association_proxy
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+
+    Authorization.current_user = MockUser.new(:test_role_restricted)
+    assert_raise Authorization::NotAuthorized do
+      object.update_attributes(:attr_2 => 2)
+    end
+  end
+  
+  def test_model_security_write_not_allowed_wrong_attribute_value
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
         role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => {:content => "content" }
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
           end
         end
       end
     }
-    engine = Authorization::Engine.instance(reader)
+    Authorization::Engine.instance(reader)
+    
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    assert_raise Authorization::AttributeAuthorizationError do
+      TestModelSecurityModel.create :attr => 2
+    end
+    object = TestModelSecurityModel.create
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.update_attributes(:attr => 2)
+    end
+    object.reload
 
-    test_model = TestModel.create(:content => "content")
-    assert engine.permit?(:read, :object => test_model.test_attrs,
-                          :user => MockUser.new(:test_role))
-    assert !engine.permit?(:read, :object => TestAttr.new,
-                          :user => MockUser.new(:test_role))
-    TestModel.delete_all
+    assert_nothing_raised do
+      object.update_attributes(:attr_2 => 1)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.update_attributes(:attr => 2)
+    end
   end
 
-  def test_multiple_roles_with_has_many_through
+  def test_model_security_with_and_without_find_restrictions
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
-        role :test_role_1 do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
-                :content => 'test_1'
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
           end
         end
+      end
+    }
+    Authorization::Engine.instance(reader)
 
-        role :test_role_2 do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
-                :content => 'test_2'
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    object_with_find = TestModelSecurityModelWithFind.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    assert_nothing_raised do
+      object.class.find(object.id)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      object_with_find.class.find(object_with_find.id)
+    end
+  end
+
+  def test_model_security_delete_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
           end
         end
       end
     }
     Authorization::Engine.instance(reader)
 
-    test_model_1 = TestModel.create! :content => 'test_1'
-    test_model_2 = TestModel.create! :content => 'test_2'
-    test_model_1.test_attrs.create!.test_attr_throughs.create!
-    test_model_2.test_attrs.create!.test_attr_throughs.create!
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
 
-    user = MockUser.new(:test_role_1, :test_role_2,
-        :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
-        :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
-    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-    TestAttrThrough.delete_all
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.destroy
+    end
   end
 
-  def test_named_scope_with_has_many_and_reoccuring_tables
+  def test_model_security_changing_critical_attribute_unallowed
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
         role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_another_model => { :content => 'test_1_2' },
-                :test_model => { :content => 'test_1_1' }
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
           end
         end
       end
     }
     Authorization::Engine.instance(reader)
 
-    test_attr_1 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_1_1'),
-        :test_another_model => TestModel.create!(:content => 'test_1_2')
-      )
-    test_attr_2 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_2_1'),
-        :test_another_model => TestModel.create!(:content => 'test_2_2')
-      )
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
 
-    user = MockUser.new(:test_role)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
+    # TODO before not checked yet
+    #assert_raise Authorization::AuthorizationError do
+    #  object.update_attributes(:attr => 1)
+    #end
+  end
+
+  def test_model_security_no_role_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    Authorization.current_user = MockUser.new(:test_role_2)
+    assert_raise Authorization::NotAuthorized do
+      TestModelSecurityModel.create
+    end
   end
 
-  def test_named_scope_with_ored_rules_and_reoccuring_tables
+  def test_model_security_with_assoc
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
         role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_another_model => { :content => 'test_1_2' },
-                :test_model => { :content => 'test_1_1' }
+          has_permission_on :test_model_security_models do
+            to :create, :update, :delete
+            if_attribute :test_attrs => contains { user }
           end
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_another_model => { :content => 'test_2_2' },
-                :test_model => { :test_attrs => contains {user.test_attr} }
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    
+    test_attr = TestAttr.create
+    test_attr.role_symbols << :test_role
+    Authorization.current_user = test_attr
+    assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
+    assert_nothing_raised do
+      object.update_attributes(:attr_2 => 2)
+    end
+    object.reload
+    assert_equal 2, object.attr_2 
+    object.destroy
+    assert_raise ActiveRecord::RecordNotFound do
+      TestModelSecurityModel.find(object.id)
+    end
+  end
+
+  def test_model_security_with_update_attrbributes
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models, :to => :update do
+            if_attribute :test_attrs => { :branch => is { user.branch }}
           end
         end
       end
     }
     Authorization::Engine.instance(reader)
 
-    test_attr_1 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_1_1'),
-        :test_another_model => TestModel.create!(:content => 'test_1_2')
-      )
-    test_attr_2 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_2_1'),
-        :test_another_model => TestModel.create!(:content => 'test_2_2')
-      )
-    test_attr_2.test_model.test_attrs.create!
+    params = {
+      :model_data => { :attr => 11 }
+    }
+
+    test_attr = TestAttr.create!(:branch => Branch.create!)
+    test_model = without_access_control do
+      TestModelSecurityModel.create!(:test_attrs => [test_attr])
+    end
+
+    with_user MockUser.new(:test_role, :branch => test_attr.branch) do
+      assert_nothing_raised do
+        test_model.update_attributes(params[:model_data])
+      end
+    end
+    assert_equal params[:model_data][:attr], test_model.reload.attr
 
-    user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
-    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
     TestAttr.delete_all
+    TestModelSecurityModel.delete_all
+    Branch.delete_all
+  end
+
+  def test_using_access_control
+    assert !TestModel.using_access_control?
+    assert TestModelSecurityModel.using_access_control?
   end
 
-  def test_named_scope_with_many_ored_rules_and_reoccuring_tables
+  def test_authorization_permit_association_proxy
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
       authorization do
         role :test_role do
           has_permission_on :test_attrs, :to => :read do
-            if_attribute :branch => { :company => { :country => { 
-                :test_models => contains { user.test_model } 
-              }} }
-            if_attribute :company => { :country => {
-                :test_models => contains { user.test_model }
-              }}
+            if_attribute :test_model => {:content => "content" }
           end
         end
       end
     }
-    Authorization::Engine.instance(reader)
+    engine = Authorization::Engine.instance(reader)
 
-    country = Country.create!(:name => 'country_1')
-    country.test_models.create!
-    test_attr_1 = TestAttr.create!(
-        :branch => Branch.create!(:name => 'branch_1',
-            :company => Company.create!(:name => 'company_1',
-                :country => country))
-      )
-    test_attr_2 = TestAttr.create!(
-        :company => Company.create!(:name => 'company_2',
-            :country => country)
-      )
+    test_model = TestModel.create(:content => "content")
+    assert engine.permit?(:read, :object => test_model.test_attrs,
+                          :user => MockUser.new(:test_role))
+    assert !engine.permit?(:read, :object => TestAttr.new,
+                          :user => MockUser.new(:test_role))
+    TestModel.delete_all
+  end
 
-    user = MockUser.new(:test_role, :test_model => country.test_models.first)
+  def test_multiple_roles_with_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_1 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
+                :content => 'test_1'
+          end
+        end
 
-    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+        role :test_role_2 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
+                :content => 'test_2'
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create! :content => 'test_1'
+    test_model_2 = TestModel.create! :content => 'test_2'
+    test_model_1.test_attrs.create!.test_attr_throughs.create!
+    test_model_2.test_attrs.create!.test_attr_throughs.create!
+
+    user = MockUser.new(:test_role_1, :test_role_2,
+        :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
+        :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
     TestModel.delete_all
     TestAttr.delete_all
+    TestAttrThrough.delete_all
   end
 
   def test_model_permitted_to