permit 0.9.0

data/lib/models/person.rb

@@ -0,0 +1,148 @@
+module Permit
+  module Models
+    module PersonExtensions
+      def self.included(klass)
+        klass.extend PersonClassMethods
+        klass.extend Permit::Support::ClassMethods
+      end
+
+      module PersonClassMethods
+        # Defines the current model class as handling people for Permit.
+        def permit_person
+          return if include? Permit::Models::PersonExtensions::PersonInstanceMethods
+          
+          permit_authorized_model
+
+          include Permit::Support
+          include Permit::Models::PersonExtensions::PersonInstanceMethods
+        end
+      end
+
+      module PersonInstanceMethods
+        # Determines if the current person is authorized for any of the given 
+        # role(s) and resource.
+        #
+        # @param [Role, String, Symbol, <Role, String, Symbol>] roles the roles 
+        #   to check for authorization on.
+        # @param [Authorizable, nil, :any] resource the resource to check for 
+        #   authorization on.
+        # @return [true, false] true if the person is authorized on any of the a  
+        #   roles, false otherwise.
+        def authorized?(roles, resource)
+          permit_arrayify(roles).each do |r|
+            role = get_role(r)
+            next unless role
+            conditions = authorization_conditions(role, resource)
+            return true if permit_authorizations_proxy.exists?(conditions)
+          end
+          return false
+        end
+
+        # Determines if the current person is authorized for all of the given 
+        # roles and resource.
+        #
+        # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+        #   roles the roles to check for authorization on.
+        # @param [permit_authorizable, nil, :any] resource the resource to check for 
+        #   authorization on.
+        # @return [true, false] true if the person is authorized on all of the a  
+        #   roles, false otherwise.
+        def authorized_all?(roles, resource)
+          permit_arrayify(roles).each do |r|
+            role = get_role(r)
+            return false unless role
+            conditions = authorization_conditions(role, resource)
+            return false unless permit_authorizations_proxy.exists?(conditions)
+          end
+          return true
+        end
+
+        # Authorizes the current person for all of the roles for the given 
+        # resource, skipping any authorizations that the person already has. If 
+        # there are any issues with the authorization an error will be raised.  
+        # 
+        # <em>The authorizations are run in a transaction. If an error is 
+        # raised, *all* authorizations for the call will be rolled back.</em>
+        #
+        # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+        #   roles the roles to authorize the person on.
+        # @param [permit_authorizable, nil] resource the resource to authorize 
+        #   the person on.
+        # @return [true] true if no errors occur during authorization.
+        def authorize(roles, resource = nil)
+          Permit::Config.authorization_class.transaction do
+            permit_arrayify(roles).each do |r|
+              role = get_role(r)
+              next if authorized?(role, resource)
+
+              authz = permit_authorizations_proxy.build
+              authz.send("#{Permit::Config.role_class.class_symbol}=", role)
+              authz.resource = resource
+              authz.save!
+            end
+          end
+          return true
+        end
+
+        # Revokes existing authorizations from the current person for the given 
+        # roles and resource. If there are any issues with the revocation an 
+        # error will be raised. Otherwise, the operation will return an Array of 
+        # the Authorizations affected by the operation.
+        #
+        # This operation uses ActiveRecord's <tt>destroy_all</tt> method. For 
+        # more information on what this means, please reference the ActiveRecord 
+        # documentation.
+        #
+        # <em>The revocations are run in a transaction. If an error is raised, 
+        # *all* revocations for the call will be rolled back.</em>
+        #
+        # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+        #   roles the roles to revoke from the person.
+        # @param [permit_authorizable, nil, :any] resource the resource to 
+        #   revoke roles for. If +:any+ is given then any authorizations for the 
+        #   roles will be revoked.
+        # @return [<permit_authorization>] the authorizations that were revoked.
+        # @raise any errors that ActiveRecord encounters during processing.
+        def revoke(roles, resource)
+          remove_authorizations roles, resource do |conditions|
+            Permit::Config.authorization_class.destroy_all conditions
+          end
+        end
+
+        # Revokes existing authorizations from the current person for the given 
+        # roles and resource. If there are any issues with the revocation an 
+        # error will be raised. Otherwise, the operation will return the number 
+        # of authorizations affected.
+        #
+        # This operation uses ActiveRecord's <tt>delete_all</tt> method. For 
+        # more information on what this means, please reference the ActiveRecord 
+        # documentation.
+        #
+        # <em>The revocations are run in a transaction. If an error is raised, 
+        # *all* revocations for the call will be rolled back.</em>
+        #
+        # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+        #   roles the roles to revoke from the person.
+        # @param [permit_authorizable, nil, :any] resource the resource to 
+        #   revoke roles for. If +:any+ is given then any authorizations for the 
+        #   roles will be revoked.
+        # @return [Fixnum] the number of authorizations revoked.
+        # @raise any errors that ActiveRecord encounters during processing.
+        def revoke!(roles, resource)
+          remove_authorizations roles, resource do |conditions|
+            Permit::Config.authorization_class.delete_all conditions
+          end
+        end
+
+        protected
+        def remove_authorizations(roles, resource)
+          Permit::Config.authorization_class.transaction do
+            conditions = authorization_conditions(roles, resource, self)
+            yield conditions
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/models/role.rb

@@ -0,0 +1,59 @@
+module Permit
+  module Models
+    module RoleExtensions
+      def self.included(klass)
+        klass.extend RoleClassMethods
+        klass.extend Permit::Support::ClassMethods
+      end
+
+      module RoleClassMethods
+        def permit_role
+          return if include? Permit::Models::RoleExtensions::RoleInstanceMethods
+
+          permit_authorized_model
+
+          validates_presence_of :key, :name
+          validates_inclusion_of :requires_resource, :authorize_resource, :in => [true, false]
+          validates_uniqueness_of :key, :case_sensistive => false
+          validate :resource_requirement
+
+          # Finds the role by its key, preparing the passed in value before 
+          # querying.
+          #
+          # @param [String, Symbol] val the key value
+          # @return [Role, nil] the role that matches the key. nil if none are 
+          #   found.
+          def find_by_key(val)
+            find(:first, :conditions => {:key => prepare_key(val)})
+          end
+
+          # Prepares the key value for use.
+          #
+          # @param [String, Symbol] val the key value
+          # @return [String] the formatted key value.
+          def prepare_key(val)
+            val.nil? ? val : val.to_s.downcase
+          end
+
+          include Permit::Support
+          include Permit::Models::RoleExtensions::RoleInstanceMethods
+        end
+      end
+
+      module RoleInstanceMethods
+        # Sets the key for the role with extra processing to convert it from a 
+        # symbol and downcase it.
+        #
+        # @param [String, Symbol] val the key value.
+        def key=(val)
+          write_attribute :key, self.class.prepare_key(val)
+        end
+
+        protected
+        def resource_requirement
+          errors.add(:requires_resource, "cannot be true if authorize_resource is false") if !authorize_resource? && requires_resource?
+        end
+      end
+    end
+  end
+end

data/lib/permit/controller.rb

@@ -0,0 +1,132 @@
+module Permit
+  module ControllerExtensions
+    def self.included(klass)
+      klass.send :class_inheritable_accessor, :permit_rules
+      klass.send :include, PermitInstanceMethods
+      klass.send :extend, PermitClassMethods
+      klass.send :permit_rules=, PermitRules.new(Rails.logger)
+      klass.send :helper_method, :authorized?, :allowed?, :denied?
+
+      # This is only needed in development mode since models are not cached, and
+      # causes the models to end up in a weird state.  This forces Permit to
+      # reestablish the core classes it uses internally.
+      klass.send :before_filter, :reset_permit_core if Rails.env.development?
+    end
+
+    module PermitClassMethods
+      # Creates a new block of Permit authorization rules, and sets the before 
+      # filter to run them. The order of +deny+ and +allow+ rules do not matter. 
+      # +deny+ rules will always be run first, and evaluation terminates on the 
+      # first match.
+      #
+      # @example
+      #   permit do
+      #     deny :developer, :from => :all, :unless => Proc.new {(8..17).include?(Time.now.hour)}
+      #     allow :person, :who => :is_member, :of => :team, :to => :read
+      #     allow [:project_manager, :developer], :on => :project, :to => :all
+      #   end
+      #
+      # @param [Hash] options options to use when evaluating this block of
+      #   authorizations.
+      # @option options [:allow, :deny] :default_access overrides the
+      #   {Permit::Config.default_access} setting.
+      # @param [Block] &block the block containing the authorization rules. See
+      #   {PermitRules#allow} and {PermitRules#deny} for the syntax for the
+      #   respective types of rules.
+      def permit(options = {}, &block)
+        rules = PermitRules.new(Rails.logger, options)
+        rules.instance_eval(&block) if block_given?
+        self.permit_rules = rules
+        set_permit_before_filter
+      end
+
+      private
+      def set_permit_before_filter
+        # Remove check_authorizations if it was set in a super class so that
+        # other before filters that possibly set the needed resource have a
+        # chance to run.
+        filter_chain.delete_if {|f| f.method == :check_authorizations}
+        before_filter :check_authorizations unless filter_chain.include?(:check_authorizations)
+      end
+    end
+
+    module PermitInstanceMethods
+      protected
+      # Needed to reset the core models in development mode as they were defined
+      # in the initializer for Permit.
+      def reset_permit_core
+        Permit::Config.reset_core_models
+        return true
+      end
+
+      # Called by {#check_authorizations} when a person is not authorized to 
+      # access the current action. It calls +render_optional_error_file(401)+ on 
+      # the controller, to render a Not Authorized error.
+      #
+      # If +#access_denied+ is already defined on the superclass, or redefined 
+      # in the current controller then that will be called instead.
+      #
+      # @return [false] always returns false.
+      def access_denied
+        defined?(super) ? super : render_optional_error_file(401)
+        return false
+      end
+
+      # Evaluates the Permit authorization rules for the current person on the 
+      # current action. If the person is not permitted {#access_denied} will be 
+      # called.
+      def check_authorizations
+        return access_denied unless self.permit_rules.permitted?(permit_authorization_subject, params[:action].to_sym, binding)
+        true
+      end
+
+      # Creates a PermitRule with the arguments that are given, and attempts to 
+      # match it based on the current person and binding context.
+      #
+      # For information on the parameters for this method see 
+      # {PermitRule#initialize}.
+      #
+      # @return [Boolean] true if the rule matches, otherwise false.
+      def allowed?(roles, options = {})
+        rule = PermitRule.new roles, options
+        rule.matches? permit_authorization_subject, binding
+      end
+
+      # Creates a PermitRule with the arguments that are given, and attempts to 
+      # match it based on the current person and binding context.
+      #
+      # For information on the parameters for this method see 
+      # {PermitRule#initialize}.
+      #
+      # @return [Boolean] true if the rule does not match, otherwise false.
+      def denied?(roles, options = {})
+        !allowed? roles, options
+      end
+
+      # Shortcut for +current_person#authorized?+. If the current person is a 
+      # guest this will automatically return false.
+      # 
+      # For information on the parameters for this method see 
+      # {Permit::Models::PersonExtensions::PersonInstanceMethods#authorized?}
+      def authorized?(roles, resource)
+        permit_authorization_subject.guest? ? false : permit_authorization_subject.authorized?(roles, resource)
+      end
+
+    private
+      def permit_authorization_subject
+        return send(@controller_subject_method) if @controller_subject_method
+
+        @controller_subject_method = if Permit::Config.controller_subject_method
+          Permit::Config.controller_subject_method
+        elsif Permit::Config.person_class
+          klass_name = Permit::Config.person_class.class_name.underscore
+          "current_#{klass_name}".to_sym
+        else
+          :current_person
+        end
+
+        send(@controller_subject_method)
+      end
+    end
+  end
+end

data/lib/permit/permit_rule.rb

@@ -0,0 +1,198 @@
+module Permit
+  class PermitRule
+    include Permit::Support
+    
+    VALID_OPTION_KEYS = [:who, :that, :of, :on, :if, :unless]
+    BUILTIN_ROLES = [:person, :guest, :everyone]
+
+    attr_reader :roles, :target_var, :method, :if, :unless
+
+    # Creates a new PermitRule.
+    #
+    # +:if+ and +:unless+ conditions may be evaluated for static, dynamic, and 
+    # named authorizations. They are evaluated after the other rule checks are 
+    # applied, and only if the rule still matches. The conditionals may make a 
+    # matching rule not match, but will not make an unmatched rule match. If 
+    # both +:if+ and +:unless+ are given the +:if+ condition is run first, and 
+    # if the rule still matches the +:unless+ will be run.
+    #
+    # @param [:person, :guest, :everyone, Symbol, <Symbol>] roles the role(s) to 
+    #   test against.
+    #   - :person - +current_person.guest? == false+ This person should be 
+    #     authenticated. This indicates a dynamic authorization.
+    #   - :guest - +current_person.guest? == true+ This is a person that is not 
+    #     authenticated. This is a static authorization.
+    #   - :everyone - Any user of the system. This is a static authorization.
+    #   - Symbol/<Symbol> - This is the key or keys of any of the role(s) to 
+    #     match against in the database. This indicates a named authorization.
+    # @param [Hash] options the options to use to configure the authorization.
+    # @option options [Symbol] :who Indicates that a method should be checked on 
+    #   the target object to authorize. Checks a variety of possibilities, 
+    #   taking the first variation that the target responds to. 
+    #
+    #   When the symbol is prefixed with 'is_' then multiple methods will be 
+    #   tried passing the person in. The methods tried for +:is_owner+ would be 
+    #   +is_owner()+, +is_owner?()+, +owner()+, +owner+, +owners.exist?()+. If 
+    #   this option is given +:of+/+:on+ must also be given.
+    # @option options [Symbol] :that alias for +:who+
+    # @option options [Symbol] :of The name of the instance variable to use as 
+    #   the target resource.
+    #
+    #   In a dynamic authorization this is the object that will be tested using 
+    #   the value of +:who+/+:that+.
+    #
+    #   In a named authorization this is the resource the person must be 
+    #   authorized on for one or more of the roles. +:any+ may be given to 
+    #   indicate a match if the person has one of the roles for any resource. If 
+    #   not given, or set to +nil+, then the match will apply to a person that 
+    #   has a matching role authorization for a nil resource. 
+    # @option options [Symbol] :on alias for +:of+
+    # @option options [Symbol, String, Proc] :if code to evaluate at the end of the 
+    #   match if it is still valid. If it returns false, the rule will not match.
+    # @option options [Symbol, String, Proc] :unless code to evaluate at the end 
+    #   of the match if it is still valid. If it returns true, the rule will not 
+    #   match.
+    #
+    # @raise [PermitConfigurationError] if the rule options are invalid.
+    def initialize(roles, options = {})
+      options.assert_valid_keys *VALID_OPTION_KEYS
+
+      @roles = validate_roles(roles).freeze
+
+      validate_options options
+
+      @method = options[:who] || options[:that]
+      @target_var = options[:of] || options[:on]
+
+      @if = options[:if]
+      @unless = options[:unless]
+    end
+
+    # Determine if the passed in person matches this rule.
+    #
+    # @param [permit_person] person the person to evaluate for authorization
+    # @param [Binding] context_binding the binding to use to locate the resource 
+    #   and/or evaluate the if/unless conditions.
+    # @return [Boolean] true if the person matches the rule, otherwise 
+    #   false.
+    # @raise [PermitEvaluationError] if there is a problem evaluating the rule.
+    def matches?(person, context_binding)
+      matched = if BUILTIN_ROLES.include? @roles[0]
+        has_builtin_authorization? person, context_binding
+      else
+        has_named_authorizations? person, context_binding
+      end
+
+      passed_conditionals = matched ? passes_conditionals?(context_binding) : false
+      passed = matched && passed_conditionals
+      return passed
+    end
+
+    private
+    def validate_roles(roles)
+      roles = permit_arrayify(roles).compact.uniq
+      raise PermitConfigurationError, "At least one role must be specified." if roles.empty?
+      raise PermitConfigurationError, "Only one role may be specified when using :person, :guest, or :everyone" if (roles & BUILTIN_ROLES).size > 0 && roles.size > 1
+      roles.freeze
+    end
+
+    def validate_options(options)
+      if (options[:of] || options[:on]) && @roles[0] == :person
+        raise PermitConfigurationError, "When :of or :on are specified for the :person role a corresponding :who or :that must be given" unless options[:who] || options[:that]
+      end
+
+      if options[:who] || options[:that]
+        raise PermitConfigurationError, "The :who and :that options are only valid for the :person role." unless @roles[0] == :person
+        raise PermitConfigurationError, "When :who or :that is specified a corresponding :of or :on must be given" unless options[:of] || options[:on]
+      end
+
+      raise PermitConfigurationError, "Either :who or :that may be specified, but not both." if  options[:who] && options[:that]
+      raise PermitConfigurationError, "Either :of or :on may be specified, but not both." if options[:of] && options[:on]
+    end
+
+    def has_builtin_authorization?(person, context_binding)
+      case @roles[0]
+        when :everyone then true
+        when :guest then person.guest?
+        when :person then has_dynamic_authorization? person, context_binding
+        else false
+      end
+    end
+
+    def has_named_authorizations?(person, context_binding)
+      return false if person.guest?
+      resource = case @target_var
+                 when nil then nil
+                 when :any then :any
+                 else get_resource(context_binding)
+                 end
+      person.authorized? @roles, resource
+    end
+
+    def has_dynamic_authorization?(person, context_binding)
+      return false if person.guest?
+      return true if @target_var.nil?
+
+      resource = get_resource context_binding
+      methods = determine_method_sequence @method
+
+      methods.each do |name, type|
+        next unless resource.respond_to? name
+        
+        case type
+        when :method then return resource.send name, person
+        when :getter then return resource.send(name) == person
+        when :collection then return resource.send(name).exists?(person)
+        else return false
+        end
+      end
+
+      # Target didn't respond to any attempts. This would be a problem.
+      raise PermitEvaluationError, "Target object ':#{@target_var}' evaluated as #{resource.inspect} did not respond to any of the following: #{methods.collect {|n,t| n}.join(', ')}"
+    end
+
+    # is_owner - is_owner(), is_owner?(), owner?(), owner, owners.exists()
+    # is_manager? - is_manager?(), manager?()
+    # has_something - has_something()
+    # does_whatever - does_whatever()
+    def determine_method_sequence(method)
+      method = method.to_s
+      names = /^is_([\w\-]+(\?)?)$/.match method
+      return [[method, :method]] unless names
+      
+      # Name ends with question mark
+      if names[2] == "?"
+        [[names[0], :method], [names[1], :method]]
+      else
+        [
+          [names[0], :method],
+          [names[0] + '?', :method],
+          [names[1], :getter],
+          [names[1] + '?', :method],
+          [names[1].pluralize, :collection]
+        ]
+      end      
+    end
+
+    def get_resource(context_binding)
+      eval "@#{@target_var.to_s}", context_binding
+    end
+
+    def passes_conditionals?(context_binding)
+      return false unless eval_conditional @if, true, context_binding
+      return false if eval_conditional @unless, false, context_binding
+      true
+    end
+
+    def eval_conditional(condition, default, context_binding)
+      if condition
+        condition = condition.to_s if Symbol===condition
+        return (String===condition ? eval(condition, context_binding) : condition.call)
+      else
+        return default
+      end
+    end
+
+  end
+
+end

data/lib/permit/permit_rules.rb

@@ -0,0 +1,141 @@
+module Permit
+  class PermitRules
+    include Permit::Support
+
+    attr_accessor :action_deny_rules, :action_allow_rules, :logger, :options
+
+    # @param [#info] logger the logger to use when evaluating rules
+    # @param [Hash] options the set of options to use during rule evaluation
+    # @option options [Symbol] :default_access overrides the value in 
+    #   Permit::Config#default_access to indicate how {#permitted?} will behave if 
+    #   no rules match. 
+    def initialize(logger, options = {})
+      @action_deny_rules = {}
+      @action_allow_rules = {}
+      @logger = logger
+      @options = options
+    end
+
+    # Determines if the person is permitted on the specified action by first 
+    # evaluating deny rules, and then allow rules.  If the +:default_access+ 
+    # option is set then its value will be used instead of the value from 
+    # Permit::Config#default_access.
+    #
+    # @param [permit_person] person the person to check for authorization
+    # @param [Symbol] action the action to check for authorization on.
+    # @param [Binding] context_binding the binding to use to locate the resource 
+    #   and/or process if/unless constraints.
+    # @return [true, false] true if the person is permitted on the given action, 
+    #   false otherwise.
+    # @raise [PermitEvaluationError] if an error occurs while evaluating one of 
+    #   the rules.
+    def permitted?(person, action, context_binding)
+      # Denial takes priority over allow
+      return false if has_action_rule_match?(:deny, @action_deny_rules, person, action, context_binding)
+
+      return true if has_action_rule_match?(:allow, @action_allow_rules, person, action, context_binding)
+
+      # Default to no access if no rules match
+      default_access = (@options[:default_access] || Permit::Config.default_access)
+      return (default_access == :allow ? true : false)
+    end
+
+    # Adds an allow rule for the given actions to the collection.
+    #
+    # @example Allow a person that is a member of a team to show
+    #   allow :person, :who => :is_member, :of => :team, :to => :show
+    # @example Allow a person with either of the named roles for a resource to perform any "write" operations.
+    #   allow [:project_admin, :project_manager], :of => :project, :to => :write
+    #
+    # @param [Symbol, <Symbol>] roles the role(s) that the rule will apply to.
+    # @param [Hash] options the options used to build the rule.
+    # @option options [Symbol] :who the method to call on the target resource.
+    # @option options [Symbol] :that alias for :who
+    # @option options [Symbol] :of the name of the instance variable holding the target 
+    #   resource. If set to +:any+ then the match will apply to a person that has 
+    #   a matching role authorization for any resource. If not given, or set to 
+    #   +nil+, then the match will apply to a person that has a matching role 
+    #   authorization for a nil resource. +:any/nil+ functionality only applies 
+    #   when using named roles. (see Permit::NamedRoles).
+    # @option options [Symbol] :on alias for +:of+
+    # @option options [Symbol, <Symbol>] :to the action(s) to allow access to if this 
+    #   rule matches. +:all+ may be given to indicate that access is given to all 
+    #   actions if the rule matches. Actions will be expanded using the aliases
+    #   defined in {Permit::Config.action_aliases}. The expansion operation is
+    #   not recursive.
+    # @return [PermitRule] the rule that was created for the parameters.
+    # @raise [PermitConfigurationError] if +:to+ is not valid, or if the rule 
+    #   cannot be created.
+    def allow(roles, options = {})
+      actions = options.delete(:to)
+      rule = PermitRule.new(roles, options)
+      index_rule_by_actions @action_allow_rules, actions, rule
+      return rule
+    end
+
+    # Adds an deny rule for the given actions to the collection.
+    #
+    # @example Deny a person that is a member of a project from :show
+    #   deny :person, :who => :is_member, :of => :project, :from => :show
+    # @example Deny a person with either of the named roles for a resource from writing.
+    #   deny [:project_admin, :project_manager], :of => :project, :from => :write
+    #
+    # @param [Symbol, <Symbol>] roles the role(s) that the rule will apply to.
+    # @param [Hash] options the options used to build the rule.
+    # @option options [Symbol] :who the method to call on the target resource.
+    # @option options [Symbol] :that alias for +:who+
+    # @option options [Symbol] :of the name of the instance variable holding the target 
+    #   resource. If set to +:any+ then the match will apply to a person that has 
+    #   a matching role authorization for any resource. If not given, or set to 
+    #   +nil+, then the match will apply to a person that has a matching role 
+    #   authorization for a nil resource. :any/nil functionality only applies 
+    #   when using named roles. (see Permit::NamedRoles).
+    # @option options [Symbol] :on alias for +:of+
+    # @option options [Symbol, <Symbol>] :from the action(s) to deny access to if this 
+    #   rule matches. +:all+ may be given to indicate that access is denied to all 
+    #   actions if the rule matches. Actions will be expanded using the aliases
+    #   defined in {Permit::Config.action_aliases}. The expansion operation is
+    #   not recursive.
+    # @return [PermitRule] the rule that was created for the parameters.
+    # @raise [PermitConfigurationError] if +:from+ is not valid, or if the rule 
+    #   cannot be created.
+    def deny(roles, options = {})
+      actions = options.delete(:from)
+      rule = PermitRule.new(roles, options)
+      index_rule_by_actions @action_deny_rules, actions, rule
+      return rule
+    end
+
+    private
+    def index_rule_by_actions(action_rules, actions, rule)
+      determine_controlled_actions(actions).each do |a|
+        (action_rules[a] ||= []) << rule
+      end
+    end
+
+    def determine_controlled_actions(actions)
+      actions = permit_arrayify(actions).compact
+      raise PermitConfigurationError, "At least one action must be given to authorize access for." if actions.empty?
+      raise PermitConfigurationError, "If :all is specified for :to/:from then no other actions may be given." if (actions.include?(:all) && actions.size > 1)
+      expand_action_aliases actions
+    end
+
+    def expand_action_aliases(actions)
+      expanded_actions = actions.collect {|a| Permit::Config.action_aliases[a] || a}
+      expanded_actions.flatten.uniq
+    end
+
+    def has_action_rule_match?(type, rules, person, action, context_binding)
+      applicable_rules = (rules[action] || []) + (rules[:all] || [])
+      applicable_rules.each do |rule|
+        if rule.matches?(person, context_binding) 
+          @logger.info "#{person.inspect} matched #{type.to_s} rule: #{rule.inspect}"
+          return true
+        end
+      end
+
+      return false
+    end
+  end
+
+end