RubyGems - ixtlan-guard - Versions diffs - 0.7.0 → 0.7.2 - Mend

ixtlan-guard 0.7.0 → 0.7.2

Files changed (39) hide show

data/features/generators.feature CHANGED Viewed

@@ -6,13 +6,3 @@ Feature: Generators for ixtlan-guard
     And I execute "rails generate scaffold account name:string --skip"
     And I execute "rake db:migrate test"
     Then the output should contain "7 tests, 10 assertions, 0 failures, 0 errors"
-  Scenario: The user-management-model generator creates user/group models, etc
-    Given I create new rails application with template "user_management.template" and "user-management" specs
-    And I execute "rails generate rspec:install"
-    And I execute "rails generate ixtlan:user_management_models user group name:string domain name:string locale code:string"
-# this tes env is needed since we execute the specs directly
-    And I execute "rails rake db:migrate -- -Drails.env=test"
-# needed due to bug in rspec-maven-plugin with emtpy gem-path
-    And I execute "gem exec ../rubygems/bin/rspec spec/user_management_models_spec.rb"
-    Then the output should contain "14 examples, 0 failures"

data/features/step_definitions/simple_steps.rb CHANGED Viewed

@@ -1,82 +1 @@
-require 'fileutils'
-require File.join(File.dirname(__FILE__), 'ruby_maven')
-def rmvn
-  @rmvn ||= Maven::RubyMaven.new
-end
-def copy_tests(tests)
-  FileUtils.mkdir_p(@app_directory)
-  FileUtils.cp_r(File.join('templates', "tests-#{tests}", "."),
-                 File.join(@app_directory, 'test'))
-end
-def copy_specs(specs)
-  FileUtils.mkdir_p(@app_directory)
-  FileUtils.cp_r(File.join('templates', "specs-#{specs}", "."),
-                 File.join(@app_directory, 'spec'))
-end
-def create_rails_application(template)
-  name = template.sub(/.template$/, '')
-  @app_directory = File.join('target', name)
-  # rails version from gemspec
-  gemspec = File.read(Dir.glob("*.gemspec")[0])
-  rails_version = gemspec.split("\n").detect { |l| l =~ /development_dep.*rails/ }.sub(/'$/, '').sub(/.*'/, '')
-  rmvn.options['-Dplugin.version'] = '0.28.4-SNAPSHOT'
-  rmvn.options['-Drails.version'] = rails_version
-  rmvn.options['-Dgem.home'] = ENV['GEM_HOME']
-  rmvn.options['-Dgem.path'] = ENV['GEM_PATH']
-  rmvn.options['-o'] = nil
-  FileUtils.rm_rf(@app_directory)
-  rmvn.exec("rails", "new", @app_directory, "-f")
-  # TODO that should be done via the rails new task !!!
-  rmvn.exec_in(@app_directory, "rails", "rake", "rails:template LOCATION=" + File.expand_path("templates/#{template}"))
-end
-Given /^I create new rails application with template "(.*)"$/ do |template|
-  create_rails_application(template)
-end
-Given /^I create new rails application with template "(.*)" and "(.*)" tests$/ do |template, tests|
-  create_rails_application(template)
-  copy_tests(tests)
-end
-Given /^I create new rails application with template "(.*)" and "(.*)" specs$/ do |template, specs|
-  create_rails_application(template)
-  copy_specs(specs)
-end
-Given /^me an existing rails application "(.*)"$/ do |name|
-  @app_directory = File.join('target', name)
-end
-Given /^me an existing rails application "(.*)" and "(.*)" tests$/ do |name, tests|
-  @app_directory = File.join('target', name)
-  copy_tests(tests)
-end
-Given /^me an existing rails application "(.*)" and "(.*)" specs$/ do |name, specs|
-  @app_directory = File.join('target', name)
-  copy_specs(specs)
-end
-And /^I execute \"(.*)\"$/ do |args|
-  rmvn.options['-l'] = "output.log"
-  rmvn.exec_in(@app_directory, args)
-end
-Then /^the output should contain \"(.*)\"$/ do |expected|
-  result = File.read(File.join(@app_directory, "output.log"))
-  expected.split(/\"?\s+and\s+\"?/).each do |exp|
-    puts exp
-    (result =~ /.*#{exp}.*/).should_not be_nil
-  end
-end
+require 'maven/cucumber_steps'

data/lib/ixtlan/guard/guard_ng.rb CHANGED Viewed

@@ -4,6 +4,8 @@ module Ixtlan
   module Guard
     class GuardNG
+      attr_reader :superuser
       def initialize(options = {})
         options[:guards_dir] ||= File.expand_path(".")
         @superuser = [(options[:superuser] || "root").to_s]
@@ -31,45 +33,67 @@ module Ixtlan
           end
       end
-      def allowed_groups(resource, action, current_groups)
-        allowed = @config.allowed_groups(resource, action) - blocked_groups + @superuser
+      def allowed_groups(resource_name, action, current_group_names)
+        allowed = @config.allowed_groups(resource_name, action) - blocked_groups + @superuser
         if allowed.member?('*')
-          current_groups - (blocked_groups - @superuser)
+          # keep superuser in current_groups if in there
+          current_group_names - (blocked_groups - @superuser)
         else
-          intersect(allowed, current_groups)
+          allowed & current_group_names
         end
       end
-      def allowed?(resource, action, current_groups, flavor = nil, &block)
-        current_groups = current_groups.collect { |g| g.to_s }
-        allowed_groups = self.allowed_groups(resource, action, current_groups)
-       logger.debug { "guard #{resource}##{action}: #{allowed_groups.size > 0}" }
-        if allowed_groups.size > 0
-          if block
-            g = allowed_groups.detect do |group|
-              block.call(group).member?(flavor)
-            end
-            logger.debug do
-              if g
-                "found group #{g} for #{flavor}"
-              else
-                "no group found for #{flavor}"
-              end
-            end
-            g != nil
+      def group_map(current_groups)
+        names = current_groups.collect do |g|
+          key = case g
+                when String
+                  g
+                when Symbol
+                  g.to_s
+                else
+                  g.name.to_s
+                end
+          [key, g]
+        end
+        Hash[*(names.flatten)]
+      end
+      private :group_map
+      def allowed?(resource_name, action, current_groups, association = nil, &block)
+        group_map = group_map(current_groups)
+        allowed_group_names = allowed_groups(resource_name, action, group_map.keys)
+        logger.debug { "guard #{resource_name}##{action}: #{allowed_group_names.size > 0}" }
+        if allowed_group_names.size > 0
+          if block || association
+            group_allowed?(group_map, allowed_group_names, association, &block)
           else
             true
           end
         else
-          unless @config.has_guard?(resource)
-            raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource}'")
+          unless @config.has_guard?(resource_name)
+            raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource_name}'")
           else
             false
           end
         end
       end
-      def permissions(current_groups, flavors = {})
+      def group_allowed?(group_map, allowed_group_names, association, &block)
+        g = allowed_group_names.detect do |group_name|
+          block.call(group_map[group_name], association)
+        end if association && block
+        logger.debug do
+          if g
+            "found group #{g} for #{association}"
+          else
+            "no group found for #{association}"
+          end
+        end
+        g != nil
+      end
+      def permissions(current_groups, &block)
+        group_map = group_map(current_groups)
         perms = []
         m = @config.map_of_all
         m.each do |resource, actions|
@@ -77,79 +101,56 @@ module Ixtlan
           perm = Node.new(:permission)
           perm[:resource] = resource
           perm[:actions] = nodes
-          defaults = actions.delete('defaults') || []
-          defaults = intersect(current_groups, defaults + @superuser) unless defaults.member?('*')
-          # no actions
-          # deny = false: !defaults.member?('*')
-          # deny = true: defaults.member?('*') || current_groups.member?(@superuser[0])
+          default_actions = actions.delete('defaults') || []
+          default_actions = group_map.keys & (default_actions + @superuser) unless default_actions.member?('*')
           deny = if actions.size == 0
-                   defaults.member?('*') || current_groups.member?(@superuser[0])
+                   # no actions
+                   # deny = false: !default_actions.member?('*')
+                   # deny = true: default_actions.member?('*') || current_group_names.member?(@superuser[0])
+                   default_actions.member?('*') || group_map.keys.member?(@superuser[0]) || !group_map.keys.detect {|g| default_actions.member? g }.nil?
                  else
                    # actions
-                   # deny = false : defaults == []
-                   # deny = true : defaults.member?('*')
-                   defaults.size != 0 || defaults.member?('*')
+                   # deny = false : default_actions == []
+                   # deny = true : default_actions.member?('*')
+                   default_actions.size != 0 || default_actions.member?('*')
                  end
           perm[:deny] = deny
           actions.each do |action, groups|
+            group_names = groups.collect { |g| g.is_a?(Hash) ? g.keys : g }.flatten if groups
             node = Node.new(:action)
             allowed_groups =
-              if groups && groups.member?('*')
-                current_groups
+              if groups && group_names.member?('*')
+                group_map.values
               else
-                intersect(current_groups, (groups || []) + @superuser)
+                names = group_map.keys & ((group_names || []) + @superuser)
+                names.collect { |name| group_map[name] }
               end
             if (deny && allowed_groups.size == 0) || (!deny && allowed_groups.size > 0)
               node[:name] = action
-#                f = {}
-#                flavors.each do |fl, block|
-#                  f[fl] = block.call(allowed_groups)
-#                end
-#                node[:flavors] = f if f.size > 0
-              nodes << node
-            end
-          end
-          perms << perm
-        end
-        perms
-      end
-      def permission_map(current_groups, flavors = {})
-        # TODO fix it - think first !!
-        perms = {}
-        m = @config.map_of_all
-        m.each do |resource, actions|
-          nodes = {}
-          actions.each do |action, groups|
-            if action == 'defaults'
-              nodes[action] = {}
-            else
-              allowed_groups = intersect(current_groups, (groups || []) + @superuser)
-              if allowed_groups.size > 0
-                f = {}
-                flavors.each do |fl, block|
-                  flav = block.call(allowed_groups)
-                  f[fl] = flav if flav.size > 0
+              if block
+                if allowed_groups.size > 0
+                  node.content.merge!(block.call(resource, action, allowed_groups) || {})
+                else
+                  perm.content.merge!(block.call(resource, action, group_map.values) || {})
                 end
-                nodes[action] = f
-              else
-                nodes[action] = nil # indicates not default action
               end
+              nodes << node
             end
           end
-          perms[resource] = nodes if nodes.size > 0
+          # TODO is that right like this ?
+          # only default_actions, i.e. no actions !!!
+          if block && actions.size == 0 && deny
+            perm.content.merge!(block.call(resource, nil, group_map.values) || {})
+          end
+          perms << perm
         end
         perms
       end
-      private
-      def intersect(set1, set2)
-        set1 - (set1 - set2)
-      end
     end
     class Node < Hash
+      attr_reader :content
       def initialize(name)
         map = super
         @content = {}

data/lib/ixtlan/guard/guard_rails.rb CHANGED Viewed

@@ -12,9 +12,7 @@ module Ixtlan
         def groups_for_current_user
           if respond_to?(:current_user) && current_user
-            current_user.groups.collect do |group|
-              group.name
-            end
+            current_user.groups
           else
             []
           end
@@ -37,23 +35,25 @@ module Ixtlan
           Rails.application.config.guard
         end
-        def check(flavor = nil, &block)
-          group_method = respond_to?(:current_user_group_names) ? :current_user_group_names : :groups_for_current_user
+        def check(association = nil, &block)
+          group_method = respond_to?(:current_user_groups) ? :current_user_groups : :groups_for_current_user
           unless guard.allowed?(params[:controller],
                                 params[:action],
                                 send(group_method),
-                                flavor,
+                                association,
                                 &block)
-            if flavor
-              raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}##{flavor}'")
+            if association
+              raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}##{association.class}(#{association.id})'")
             else
               raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}'")
             end
           end
           true
         end
+        alias :authorize :check
         def authorization
+          warn "DEPRECATED: use 'authorize' instead"
           check
         end
       end

data/lib/ixtlan/guard/railtie.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module Ixtlan
         app.config.guard = Ixtlan::Guard::GuardNG.new(options)
         ::ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
-        ::ActionController::Base.send(:before_filter, :authorization)
+        ::ActionController::Base.send(:before_filter, :authorize)
         ::ActionView::Base.send(:include, Ixtlan::Allowed)
       end

data/spec/guard_cache_spec.rb CHANGED Viewed

@@ -9,7 +9,7 @@ $source1 = File.join(File.dirname(__FILE__), "guards", "users1_guard.yml")
 $source2 = File.join(File.dirname(__FILE__), "guards", "users2_guard.yml")
 $logger = Logger.new(STDOUT)
 def $logger.debug(&block)
-  info("\n\t[debug] " + block.call)
+#  info("\n\t[debug] " + block.call)
 end
 describe Ixtlan::Guard::GuardNG do

data/spec/guard_export_spec.rb CHANGED Viewed

@@ -7,7 +7,7 @@ describe Ixtlan::Guard::GuardNG do
   subject do
     logger = Logger.new(STDOUT)
     def logger.debug(&block)
-      info("\n\t[debug] " + block.call)
+   #   info("\n\t[debug] " + block.call)
     end
     Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
   end
@@ -15,37 +15,46 @@ describe Ixtlan::Guard::GuardNG do
   context '#permissions' do
     it 'should deny all without defaults but wildcard "*" actions' do
-      subject.permissions(['unknown_group']).should == [
+      subject.permissions(['unknown_group']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
          {:permission=>
            {
-             :resource=>"no_defaults",
+             :resource=>"defaults",
              :actions=>[{:action=>{:name=>"index"}}],
              :deny=>false #allow
            }
          },
-         {
-           :permission=>
+         {:permission=>
            {
-             :resource=>"defaults",
+             :resource=>"no_defaults",
              :actions=>[{:action=>{:name=>"index"}}],
              :deny=>false #allow
            }
          },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
-         # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
     end
     it 'should deny some without defaults but wildcard "*" actions' do
-      subject.permissions(['no_admin']).should == [
+      subject.permissions(['no_admin']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
+         {:permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -56,36 +65,39 @@ describe Ixtlan::Guard::GuardNG do
              :deny=>false #allow
            }
          },
-         {
-           :permission=>
-           {
-             :resource=>"defaults",
-             :actions=>[{:action=>{:name=>"index"}}],
-             :deny=>false #allow
-           }
-         },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
-         # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
     end
     it 'should allow "root"' do
-      subject.permissions(['root']).should == [
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
+      subject.permissions(['root']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}},
          {:permission=>{:resource=>"defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>{:resource=>"person", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>true}}]
     end
     it 'should allow with default group' do
-      subject.permissions(['_master']).should == [
+      subject.permissions(['_master']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
+         {:permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"show"}},
+                        {:action=>{:name=>"destroy"}}],
+             :deny=>true
+           }
+         },
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -93,83 +105,99 @@ describe Ixtlan::Guard::GuardNG do
              :deny=>false #allow
            }
          },
-         {
-           :permission=>
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         #allow nothing
+         {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
+    end
+    it 'should allow with non-default group' do
+      subject.permissions(['_admin']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
+         #allow nothing
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}},
+         {:permission=>
            {
              :resource=>"defaults",
-             :actions=>[{:action=>{:name=>"show"}},
-                          {:action=>{:name=>"destroy"}}],
-             :deny=>true
+             :actions=>[{:action=>{:name=>"edit"}},
+                        {:action=>{:name=>"index"}},
+                        {:action=>{:name=>"show"}}],
+             :deny=>false # allow
            }
          },
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
+    end
+    it 'should allow with association' do
+      group = Object.new
+      def group.name
+        "region"
+      end
+      subject.permissions([group])do |resource, action, groups|
+        if resource == 'regions'
+          case action
+          when 'show'
+            {:associations => [:europe, :asia]}
+          else
+            {}
+          end
+        else
+          {}
+        end
+      end.sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
          {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
          # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
-    end
-    it 'should allow with non-default group' do
-      subject.permissions(['_admin']).should == [
-         #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>
            {
-             :resource=>"no_defaults",
-             :actions=>[{:action=>{:name=>"index"}}],
-             :deny=>false #allow
+              :resource=>"allow_all_defaults",
+              :actions=>[{:action=>{:name=>"index"}}],
+              :deny=>true
            }
          },
-         {
-           :permission=>
+         {:permission=>
            {
              :resource=>"defaults",
-             :actions=>[{:action=>{:name=>"edit"}},
-                        {:action=>{:name=>"index"}},
-                        {:action=>{:name=>"show"}}],
+             :actions=>[{:action=>{:name=>"index"}}],
              :deny=>false # allow
            }
          },
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
-         #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
-         # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
-    end
-  end
-  context '#permission_map' do
-    it 'should export' do
-      pending "check expectations before implementing specs"
-      subject.permission_map(['admin']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{}, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>{}, "show"=>nil}}
-      subject.permission_map(['manager']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>{}}}
-      subject.permission_map(['manager', 'admin']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{}, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>{}, "show"=>{}}}
-      subject.permission_map(['users']).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
-    end
-    it 'should export with flavor' do
-      pending "check expectations before implementing specs"
-      flavors = { 'admin' => ['example', 'dummy'], 'manager' => ['example', 'master'] }
-      domains = Proc.new do |groups|
-        groups.collect do |g|
-          flavors[g] || []
-        end.flatten.uniq
-      end
-      subject.permission_map(['admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "index"=>{'domains'=>["example", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "show"=>nil}}
-      subject.permission_map(['manager'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>{"domains"=>["example", "master"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>{"domains"=>["example", "master"]}}}
-      subject.permission_map(['manager', 'admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "index"=>{"domains"=>["example", "master", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "show"=>{"domains"=>["example", "master"]}}}
-      subject.permission_map(['users'], 'domains' => domains).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
+         {:permission=>
+          {:resource=>"regions",
+           :actions=>
+            [{:action=>{:name=>"show", :associations=>[:europe, :asia]}},
+             {:action=>{:name=>"create"}}],
+           :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
     end
   end
 end