RubyGems - ixtlan-guard - Versions diffs - 0.7.0 → 0.7.2 - Mend

ixtlan-guard 0.7.0 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

data/features/generators.feature CHANGED Viewed

@@ -6,13 +6,3 @@ Feature: Generators for ixtlan-guard
     And I execute "rails generate scaffold account name:string --skip"
     And I execute "rake db:migrate test"
     Then the output should contain "7 tests, 10 assertions, 0 failures, 0 errors"
-  Scenario: The user-management-model generator creates user/group models, etc
-    Given I create new rails application with template "user_management.template" and "user-management" specs
-    And I execute "rails generate rspec:install"
-    And I execute "rails generate ixtlan:user_management_models user group name:string domain name:string locale code:string"
-# this tes env is needed since we execute the specs directly
-    And I execute "rails rake db:migrate -- -Drails.env=test"
-# needed due to bug in rspec-maven-plugin with emtpy gem-path
-    And I execute "gem exec ../rubygems/bin/rspec spec/user_management_models_spec.rb"
-    Then the output should contain "14 examples, 0 failures"

data/features/step_definitions/simple_steps.rb CHANGED Viewed

@@ -1,82 +1 @@
-require 'fileutils'
-require File.join(File.dirname(__FILE__), 'ruby_maven')
-def rmvn
-  @rmvn ||= Maven::RubyMaven.new
-end
-def copy_tests(tests)
-  FileUtils.mkdir_p(@app_directory)
-  FileUtils.cp_r(File.join('templates', "tests-#{tests}", "."),
-                 File.join(@app_directory, 'test'))
-end
-def copy_specs(specs)
-  FileUtils.mkdir_p(@app_directory)
-  FileUtils.cp_r(File.join('templates', "specs-#{specs}", "."),
-                 File.join(@app_directory, 'spec'))
-end
-def create_rails_application(template)
-  name = template.sub(/.template$/, '')
-  @app_directory = File.join('target', name)
-  # rails version from gemspec
-  gemspec = File.read(Dir.glob("*.gemspec")[0])
-  rails_version = gemspec.split("\n").detect { |l| l =~ /development_dep.*rails/ }.sub(/'$/, '').sub(/.*'/, '')
-  rmvn.options['-Dplugin.version'] = '0.28.4-SNAPSHOT'
-  rmvn.options['-Drails.version'] = rails_version
-  rmvn.options['-Dgem.home'] = ENV['GEM_HOME']
-  rmvn.options['-Dgem.path'] = ENV['GEM_PATH']
-  rmvn.options['-o'] = nil
-  FileUtils.rm_rf(@app_directory)
-  rmvn.exec("rails", "new", @app_directory, "-f")
-  # TODO that should be done via the rails new task !!!
-  rmvn.exec_in(@app_directory, "rails", "rake", "rails:template LOCATION=" + File.expand_path("templates/#{template}"))
-end
-Given /^I create new rails application with template "(.*)"$/ do |template|
-  create_rails_application(template)
-end
-Given /^I create new rails application with template "(.*)" and "(.*)" tests$/ do |template, tests|
-  create_rails_application(template)
-  copy_tests(tests)
-end
-Given /^I create new rails application with template "(.*)" and "(.*)" specs$/ do |template, specs|
-  create_rails_application(template)
-  copy_specs(specs)
-end
-Given /^me an existing rails application "(.*)"$/ do |name|
-  @app_directory = File.join('target', name)
-end
-Given /^me an existing rails application "(.*)" and "(.*)" tests$/ do |name, tests|
-  @app_directory = File.join('target', name)
-  copy_tests(tests)
-end
-Given /^me an existing rails application "(.*)" and "(.*)" specs$/ do |name, specs|
-  @app_directory = File.join('target', name)
-  copy_specs(specs)
-end
-And /^I execute \"(.*)\"$/ do |args|
-  rmvn.options['-l'] = "output.log"
-  rmvn.exec_in(@app_directory, args)
-end
-Then /^the output should contain \"(.*)\"$/ do |expected|
-  result = File.read(File.join(@app_directory, "output.log"))
-  expected.split(/\"?\s+and\s+\"?/).each do |exp|
-    puts exp
-    (result =~ /.*#{exp}.*/).should_not be_nil
-  end
-end
+require 'maven/cucumber_steps'

data/lib/ixtlan/guard/guard_ng.rb CHANGED Viewed

@@ -4,6 +4,8 @@ module Ixtlan
   module Guard
     class GuardNG
+      attr_reader :superuser
       def initialize(options = {})
         options[:guards_dir] ||= File.expand_path(".")
         @superuser = [(options[:superuser] || "root").to_s]
@@ -31,45 +33,67 @@ module Ixtlan
           end
       end
-      def allowed_groups(resource, action, current_groups)
-        allowed = @config.allowed_groups(resource, action) - blocked_groups + @superuser
+      def allowed_groups(resource_name, action, current_group_names)
+        allowed = @config.allowed_groups(resource_name, action) - blocked_groups + @superuser
         if allowed.member?('*')
-          current_groups - (blocked_groups - @superuser)
+          # keep superuser in current_groups if in there
+          current_group_names - (blocked_groups - @superuser)
         else
-          intersect(allowed, current_groups)
+          allowed & current_group_names
         end
       end
-      def allowed?(resource, action, current_groups, flavor = nil, &block)
-        current_groups = current_groups.collect { |g| g.to_s }
-        allowed_groups = self.allowed_groups(resource, action, current_groups)
-       logger.debug { "guard #{resource}##{action}: #{allowed_groups.size > 0}" }
-        if allowed_groups.size > 0
-          if block
-            g = allowed_groups.detect do |group|
-              block.call(group).member?(flavor)
-            end
-            logger.debug do
-              if g
-                "found group #{g} for #{flavor}"
-              else
-                "no group found for #{flavor}"
-              end
-            end
-            g != nil
+      def group_map(current_groups)
+        names = current_groups.collect do |g|
+          key = case g
+                when String
+                  g
+                when Symbol
+                  g.to_s
+                else
+                  g.name.to_s
+                end
+          [key, g]
+        end
+        Hash[*(names.flatten)]
+      end
+      private :group_map
+      def allowed?(resource_name, action, current_groups, association = nil, &block)
+        group_map = group_map(current_groups)
+        allowed_group_names = allowed_groups(resource_name, action, group_map.keys)
+        logger.debug { "guard #{resource_name}##{action}: #{allowed_group_names.size > 0}" }
+        if allowed_group_names.size > 0
+          if block || association
+            group_allowed?(group_map, allowed_group_names, association, &block)
           else
             true
           end
         else
-          unless @config.has_guard?(resource)
-            raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource}'")
+          unless @config.has_guard?(resource_name)
+            raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource_name}'")
           else
             false
           end
         end
       end
-      def permissions(current_groups, flavors = {})
+      def group_allowed?(group_map, allowed_group_names, association, &block)
+        g = allowed_group_names.detect do |group_name|
+          block.call(group_map[group_name], association)
+        end if association && block
+        logger.debug do
+          if g
+            "found group #{g} for #{association}"
+          else
+            "no group found for #{association}"
+          end
+        end
+        g != nil
+      end
+      def permissions(current_groups, &block)
+        group_map = group_map(current_groups)
         perms = []
         m = @config.map_of_all
         m.each do |resource, actions|
@@ -77,79 +101,56 @@ module Ixtlan
           perm = Node.new(:permission)
           perm[:resource] = resource
           perm[:actions] = nodes
-          defaults = actions.delete('defaults') || []
-          defaults = intersect(current_groups, defaults + @superuser) unless defaults.member?('*')
-          # no actions
-          # deny = false: !defaults.member?('*')
-          # deny = true: defaults.member?('*') || current_groups.member?(@superuser[0])
+          default_actions = actions.delete('defaults') || []
+          default_actions = group_map.keys & (default_actions + @superuser) unless default_actions.member?('*')
           deny = if actions.size == 0
-                   defaults.member?('*') || current_groups.member?(@superuser[0])
+                   # no actions
+                   # deny = false: !default_actions.member?('*')
+                   # deny = true: default_actions.member?('*') || current_group_names.member?(@superuser[0])
+                   default_actions.member?('*') || group_map.keys.member?(@superuser[0]) || !group_map.keys.detect {|g| default_actions.member? g }.nil?
                  else
                    # actions
-                   # deny = false : defaults == []
-                   # deny = true : defaults.member?('*')
-                   defaults.size != 0 || defaults.member?('*')
+                   # deny = false : default_actions == []
+                   # deny = true : default_actions.member?('*')
+                   default_actions.size != 0 || default_actions.member?('*')
                  end
           perm[:deny] = deny
           actions.each do |action, groups|
+            group_names = groups.collect { |g| g.is_a?(Hash) ? g.keys : g }.flatten if groups
             node = Node.new(:action)
             allowed_groups =
-              if groups && groups.member?('*')
-                current_groups
+              if groups && group_names.member?('*')
+                group_map.values
               else
-                intersect(current_groups, (groups || []) + @superuser)
+                names = group_map.keys & ((group_names || []) + @superuser)
+                names.collect { |name| group_map[name] }
               end
             if (deny && allowed_groups.size == 0) || (!deny && allowed_groups.size > 0)
               node[:name] = action
-#                f = {}
-#                flavors.each do |fl, block|
-#                  f[fl] = block.call(allowed_groups)
-#                end
-#                node[:flavors] = f if f.size > 0
-              nodes << node
-            end
-          end
-          perms << perm
-        end
-        perms
-      end
-      def permission_map(current_groups, flavors = {})
-        # TODO fix it - think first !!
-        perms = {}
-        m = @config.map_of_all
-        m.each do |resource, actions|
-          nodes = {}
-          actions.each do |action, groups|
-            if action == 'defaults'
-              nodes[action] = {}
-            else
-              allowed_groups = intersect(current_groups, (groups || []) + @superuser)
-              if allowed_groups.size > 0
-                f = {}
-                flavors.each do |fl, block|
-                  flav = block.call(allowed_groups)
-                  f[fl] = flav if flav.size > 0
+              if block
+                if allowed_groups.size > 0
+                  node.content.merge!(block.call(resource, action, allowed_groups) || {})
+                else
+                  perm.content.merge!(block.call(resource, action, group_map.values) || {})
                 end
-                nodes[action] = f
-              else
-                nodes[action] = nil # indicates not default action
               end
+              nodes << node
             end
           end
-          perms[resource] = nodes if nodes.size > 0
+          # TODO is that right like this ?
+          # only default_actions, i.e. no actions !!!
+          if block && actions.size == 0 && deny
+            perm.content.merge!(block.call(resource, nil, group_map.values) || {})
+          end
+          perms << perm
         end
         perms
       end
-      private
-      def intersect(set1, set2)
-        set1 - (set1 - set2)
-      end
     end
     class Node < Hash
+      attr_reader :content
       def initialize(name)
         map = super
         @content = {}

data/lib/ixtlan/guard/guard_rails.rb CHANGED Viewed

@@ -12,9 +12,7 @@ module Ixtlan
         def groups_for_current_user
           if respond_to?(:current_user) && current_user
-            current_user.groups.collect do |group|
-              group.name
-            end
+            current_user.groups
           else
             []
           end
@@ -37,23 +35,25 @@ module Ixtlan
           Rails.application.config.guard
         end
-        def check(flavor = nil, &block)
-          group_method = respond_to?(:current_user_group_names) ? :current_user_group_names : :groups_for_current_user
+        def check(association = nil, &block)
+          group_method = respond_to?(:current_user_groups) ? :current_user_groups : :groups_for_current_user
           unless guard.allowed?(params[:controller],
                                 params[:action],
                                 send(group_method),
-                                flavor,
+                                association,
                                 &block)
-            if flavor
-              raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}##{flavor}'")
+            if association
+              raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}##{association.class}(#{association.id})'")
             else
               raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}'")
             end
           end
           true
         end
+        alias :authorize :check
         def authorization
+          warn "DEPRECATED: use 'authorize' instead"
           check
         end
       end

data/lib/ixtlan/guard/railtie.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module Ixtlan
         app.config.guard = Ixtlan::Guard::GuardNG.new(options)
         ::ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
-        ::ActionController::Base.send(:before_filter, :authorization)
+        ::ActionController::Base.send(:before_filter, :authorize)
         ::ActionView::Base.send(:include, Ixtlan::Allowed)
       end

data/spec/guard_cache_spec.rb CHANGED Viewed

@@ -9,7 +9,7 @@ $source1 = File.join(File.dirname(__FILE__), "guards", "users1_guard.yml")
 $source2 = File.join(File.dirname(__FILE__), "guards", "users2_guard.yml")
 $logger = Logger.new(STDOUT)
 def $logger.debug(&block)
-  info("\n\t[debug] " + block.call)
+#  info("\n\t[debug] " + block.call)
 end
 describe Ixtlan::Guard::GuardNG do

data/spec/guard_export_spec.rb CHANGED Viewed

@@ -7,7 +7,7 @@ describe Ixtlan::Guard::GuardNG do
   subject do
     logger = Logger.new(STDOUT)
     def logger.debug(&block)
-      info("\n\t[debug] " + block.call)
+   #   info("\n\t[debug] " + block.call)
     end
     Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
   end
@@ -15,37 +15,46 @@ describe Ixtlan::Guard::GuardNG do
   context '#permissions' do
     it 'should deny all without defaults but wildcard "*" actions' do
-      subject.permissions(['unknown_group']).should == [
+      subject.permissions(['unknown_group']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
          {:permission=>
            {
-             :resource=>"no_defaults",
+             :resource=>"defaults",
              :actions=>[{:action=>{:name=>"index"}}],
              :deny=>false #allow
            }
          },
-         {
-           :permission=>
+         {:permission=>
            {
-             :resource=>"defaults",
+             :resource=>"no_defaults",
              :actions=>[{:action=>{:name=>"index"}}],
              :deny=>false #allow
            }
          },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
-         # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
     end
     it 'should deny some without defaults but wildcard "*" actions' do
-      subject.permissions(['no_admin']).should == [
+      subject.permissions(['no_admin']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
+         {:permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -56,36 +65,39 @@ describe Ixtlan::Guard::GuardNG do
              :deny=>false #allow
            }
          },
-         {
-           :permission=>
-           {
-             :resource=>"defaults",
-             :actions=>[{:action=>{:name=>"index"}}],
-             :deny=>false #allow
-           }
-         },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
-         # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
     end
     it 'should allow "root"' do
-      subject.permissions(['root']).should == [
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
+      subject.permissions(['root']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}},
          {:permission=>{:resource=>"defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>{:resource=>"person", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>true}}]
     end
     it 'should allow with default group' do
-      subject.permissions(['_master']).should == [
+      subject.permissions(['_master']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
+         {:permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"show"}},
+                        {:action=>{:name=>"destroy"}}],
+             :deny=>true
+           }
+         },
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -93,83 +105,99 @@ describe Ixtlan::Guard::GuardNG do
              :deny=>false #allow
            }
          },
-         {
-           :permission=>
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
+         #allow nothing
+         {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
+    end
+    it 'should allow with non-default group' do
+      subject.permissions(['_admin']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
+         #allow nothing
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}},
+         {:permission=>
            {
              :resource=>"defaults",
-             :actions=>[{:action=>{:name=>"show"}},
-                          {:action=>{:name=>"destroy"}}],
-             :deny=>true
+             :actions=>[{:action=>{:name=>"edit"}},
+                        {:action=>{:name=>"index"}},
+                        {:action=>{:name=>"show"}}],
+             :deny=>false # allow
            }
          },
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
+    end
+    it 'should allow with association' do
+      group = Object.new
+      def group.name
+        "region"
+      end
+      subject.permissions([group])do |resource, action, groups|
+        if resource == 'regions'
+          case action
+          when 'show'
+            {:associations => [:europe, :asia]}
+          else
+            {}
+          end
+        else
+          {}
+        end
+      end.sort { |n,m| n[:resource] <=> m[:resource] }.should == [
          #allow nothing
          {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
          # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
-    end
-    it 'should allow with non-default group' do
-      subject.permissions(['_admin']).should == [
-         #allow nothing
-         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
-         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>
            {
-             :resource=>"no_defaults",
-             :actions=>[{:action=>{:name=>"index"}}],
-             :deny=>false #allow
+              :resource=>"allow_all_defaults",
+              :actions=>[{:action=>{:name=>"index"}}],
+              :deny=>true
            }
          },
-         {
-           :permission=>
+         {:permission=>
            {
              :resource=>"defaults",
-             :actions=>[{:action=>{:name=>"edit"}},
-                        {:action=>{:name=>"index"}},
-                        {:action=>{:name=>"show"}}],
+             :actions=>[{:action=>{:name=>"index"}}],
              :deny=>false # allow
            }
          },
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
-         #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
-         # allow anything but index
-         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
-    end
-  end
-  context '#permission_map' do
-    it 'should export' do
-      pending "check expectations before implementing specs"
-      subject.permission_map(['admin']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{}, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>{}, "show"=>nil}}
-      subject.permission_map(['manager']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>{}}}
-      subject.permission_map(['manager', 'admin']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{}, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>{}, "show"=>{}}}
-      subject.permission_map(['users']).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
-    end
-    it 'should export with flavor' do
-      pending "check expectations before implementing specs"
-      flavors = { 'admin' => ['example', 'dummy'], 'manager' => ['example', 'master'] }
-      domains = Proc.new do |groups|
-        groups.collect do |g|
-          flavors[g] || []
-        end.flatten.uniq
-      end
-      subject.permission_map(['admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "index"=>{'domains'=>["example", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "show"=>nil}}
-      subject.permission_map(['manager'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>{"domains"=>["example", "master"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>{"domains"=>["example", "master"]}}}
-      subject.permission_map(['manager', 'admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "index"=>{"domains"=>["example", "master", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "show"=>{"domains"=>["example", "master"]}}}
-      subject.permission_map(['users'], 'domains' => domains).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
+         {:permission=>
+          {:resource=>"regions",
+           :actions=>
+            [{:action=>{:name=>"show", :associations=>[:europe, :asia]}},
+             {:action=>{:name=>"create"}}],
+           :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
     end
   end
 end