permit 0.9.0

data/.gitignore

@@ -0,0 +1,5 @@
+.yardoc
+doc
+README.html
+coverage
+pkg

data/.yardopts

@@ -0,0 +1,3 @@
+--protected
+-
+generators/permit/USAGE

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.mkd

@@ -0,0 +1,238 @@
+# Permit
+A flexible controller authorization tool for Ruby on Rails.
+
+**Source:**    [http://github.com/dnd/permit](http://github.com/dnd/permit)  
+**Issues:**    [http://github.com/dnd/permit/issues](http://github.com/dnd/permit/issues)  
+**Docs:**      [http://yardoc.org/docs/dnd-permit](http://yardoc.org/docs/dnd-permit)  
+**Author:**    Steve Valaitis  
+**Copyright:** 2010  
+**License:**   MIT License
+
+* [Description](#description)
+* [Installation & Setup](#setup)
+* [Usage](#usage)
+* [Specs & Coverage](#specs)
+* [Problems](#problems)
+
+<span id="description"></span>
+## How does it work?
+Permit works by allowing you to define a series of allow or deny rules to
+authorize a person. The rules that apply for the action of the current request
+are then evaluated against the current person. Rule evaluation stops as soon as
+a match is found. If a deny rule matches, `#access_denied` will be called, and
+the person will be prevented from accessing the action. If an allow rule
+matches, the person will be directed to the action as normal.  If no rules
+match, the person will be denied access. This can be overridden either at the
+global or controller level by setting the `default_access` option to `:allow`.
+Keep in mind that _deny rules are always run first_.
+
+There are three different types of authorizations that you can use with Permit.
+They are as follows:
+
+### Static Authorizations
+These are the most basic forms of authorization and allow you to use one of
+these roles by itself to authorize someone.
+
+  * `:everyone` - Exactly what it says, an authorization that applies to everyone.
+  * `:guest` - Indicates a guest to the application, and only matches if
+    `current_person#guest?` returns `true`.
+  * `:person` - Indicates an authorized person, and only matches if
+    `current_person#guest?` returns `false`.
+
+Example:
+
+    allow :guest, :to => :index
+
+### Dynamic Authorization
+When using the `:person` role, you can additionally specify the `:who`/`:that` and
+`:of`/`:on` options. This will cause the current person object to be sent as an
+argument to the method indicated by `:who`/`:that` on the target resource
+indicated by `:of`/`:on`. If the method call returns `true` then the rule will be
+a match. 
+
+If the symbol given to `:who`/`:that` is prefixed with `is_` some special sugar will be
+applied, causing Permit to try and use various methods on the resource. You can
+see these methods in the documentation for
+[PermitRule#initialize](http://yardoc.org/docs/dnd-permit/Permit/PermitRule:initialize)
+
+A dynamic authorization might look like this:
+
+    allow :person, :who => :is_owner, :of => :project, :to => :write
+
+### Named Authorizations
+These are authorizations using custom roles that you define in the database and
+are mapped to a person in an authorizations table. A person may be granted a
+role for a given resource, more than one resource, or no resource at
+all\(depending on what the role definition allows\).
+
+Some named authorizations might look like:
+
+    allow :admin, :of => :team, :to => :show
+    allow [:project_owner, :project_manager], :of => :project, :to => :all
+
+<span id="setup"></span>
+## How do I get it?
+
+### Installation
+You can install Permit as a gem(make sure to add "`config.gem 'permit'`" to your
+`config/environment.rb` file):
+
+    sudo gem install permit
+
+or as a plugin:
+
+    script/plugin install git://github.com/dnd/permit.git
+
+as a gem from source:
+
+    git clone git://github.com/dnd/permit.git
+    sudo rake install
+
+### Setup
+
+#### Pre-requisites
+You must have a `Person` model, _or_ some other model that represents an
+authorized user of the system that responds to `#guest?`. Permit will not create
+this model for you. You can get as fancy as you want with the `guest?` method, 
+but a simple example would be:
+
+     def guest?
+       new_record?
+     end
+
+#### Generation
+If you are not going to use named authorizations, run:
+
+    script/generate permit [Person] --init-only
+
+If you are going to use named authorizations you can run:
+
+    script/generate permit [Person [Authorization [Role]]]
+
+You are not required to pass in any arguments to the generator. The arguments
+above are optional, and reflect the default names that Permit uses. These only
+need to be specified if you want to use different class name(s).  So if you
+wanted to use an existing `Employee` class for authorization instead of the
+default `Person`, run:
+
+    script/generate permit Employee
+
+For full details on the generator take a look at the `--help`
+
+Run the migration for the roles and authorizations:
+
+    rake db:migrate
+
+#### Controller
+Include Permit in your `ApplicationController`:
+
+    include Permit::ControllerExtensions
+
+Create a method that returns the current authorization subject. This will by
+default be inferred from the class name given to Permit for initialization, and
+takes the form of `current_*`. So if the class was `Person`, Permit would look
+for `current_person`. For `User` it would be `current_user`, etc... If the
+method you want to use doesn't follow this convention it can be overridden in
+the initializer.
+
+    Permit::Config.controller_subject_method = :logged_user
+
+<span id="usage"></span>
+## How do I use it?
+
+### Controller
+After you have "included" Permit into your controller, it is still not active.
+For that you must define a block of rules by calling
+[`permit`](http://yardoc.org/docs/dnd-permit/Permit/ControllerExtensions/PermitClassMethods:permit)
+in your controller. If you want to by default protect all of your controllers,
+you can just make an empty permit call in your base controller class\(such as
+`ApplicationController`\).
+
+Something to keep in mind is that when `permit` is called, a before filter is
+set to check the authorizations. Any setup that you need to do for setting
+the current subject, or the resource to be used in `:of`/`:on` criteria needs to
+be done through before filters set prior to this call.
+
+_**The rules defined in `permit` blocks are not additive.** When a new `permit` call
+is made, it wipes out any previously set rules. It also resets the before filter
+position for checking the authorizations thus allowing you to add any other
+before filters you may need in your implementing controller._
+
+You can create "allow" and "deny" rules by passing at minimum, a role, and one
+or more actions that the rule applies to. The actions will be expanded using the
+aliases defined in
+[Permit::Config.action_aliases](http://yardoc.org/docs/dnd-permit/Permit/Config.action_aliases),
+and are expanded in a non-recursive fashion. You can optionally pass `:all` for
+the action, which will cause the rule to be tested for all actions. "allow"
+rules accept the `:to` key for actions, and "deny" rules accept the `:from` key.
+
+For the full documentation and description of options you can use for creating rules
+see the documentation for
+[PermitRule#initialize](http://yardoc.org/docs/dnd-permit/Permit/PermitRule:initialize)
+
+    permit do
+      deny :person, :from => [:write, :destroy], :if => Proc.new {|person, context| person.status == :on_leave}
+      allow :person, :who => :has_commented?, :on => :article, :to => :show
+      allow :person, :who => :is_author, :of => :article, :to => [:read, :write]
+      allow :admin, :to => :all
+    end
+
+> Deny a person from new, create, edit, update, delete, and destroy if they are on leave.
+
+> Allow a person who has commented on the article to show. `@article.has_commented?(current_person)`
+
+> Allow person who is the author of the article to index, show, new, create,
+> edit, and update. `@article.author == current_person`
+
+> Allow a person that has the admin role for no resource to access any action.
+> `current_person.authorized?(:admin, nil)
+
+#### Helpers
+The following helpers are included for use in your views, or for one off
+operations in your controllers.
+
+  * `allowed?` - Returns `true` if the person matches the rule criteria
+  * `denied?` - Returns `true` if the person does not match the rule criteria
+  * `authorized?` - Calls `current_person.authorized?`
+
+See
+[Permit::ControllerExtensions::InstanceMethods](http://yardoc.org/docs/dnd-permit/Permit/ControllerExtensions/PermitInstanceMethods)
+for the full documentation on these methods.
+
+
+### Models
+_This aspect of Permit only applies if you are using named authorizations._
+
+Named authorizations are setup based on the call to
+`Permit::Config.set_core_models` in your initializer. This call sets up your
+authorization, person, and role models by calling `permit_authorization`,
+`permit_person`, and `permit_role` on them respectively.
+
+The extensions for authorization, and role setup some basic validations to
+ensure the integrity of the models.
+
+#### Resources
+To setup a model to be used as a resource for authorization, call
+`permit_authorizable` inside of it.
+
+#### Associations
+The person, role, and resource models are setup with a `has_many :authorizations` 
+association. This association is extended with a few methods that are documented
+in [AssociationExtensions](http://yardoc.org/docs/dnd-permit/Permit/Models/AssociationExtensions)
+
+#### Person
+The person model is extended with a few methods to simplify authorizing, and
+revoking roles, as well as checking if the person is authorized on a given set
+of roles for a resource. These methods are documented in
+[PersonInstanceMethods](http://yardoc.org/docs/dnd-permit/Permit/Models/PersonExtensions/PersonInstanceMethods).
+
+<span id="specs"></span>
+## Specs & Coverage
+Permit currently has fairly high test coverage\(>95%\). To run the specs for
+Permit, the plugin will most likely need to be inside of an existing Rails
+application.
+
+<span id="problems"></span>
+## Problems?
+Please use the [GitHub issue tracker](http://github.com/dnd/permit/issues) for
+any bugs, problems, or unexpected behavior you run across while using Permit.

data/Rakefile

@@ -0,0 +1,69 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run specs tests.'
+task :default => :spec
+
+begin
+  require 'spec'
+  require 'spec/rake/spectask'
+
+  desc 'Run all specs'
+  Spec::Rake::SpecTask.new 'spec' do |t|
+    t.spec_files = FileList['spec']
+    t.spec_opts = ["--colour"]
+  end
+
+  begin
+    require 'rcov'
+
+    desc 'Run all specs with rcov'
+    Spec::Rake::SpecTask.new 'rcov' do |t|
+      t.spec_files = FileList['spec']
+      t.rcov = true
+      t.rcov_opts = ['--exclude', 'spec,app/,config/,rubygems/']
+    end
+  rescue LoadError
+    warn "RCov is not available. To run specs with coverage `gem install rcov`."
+  end
+rescue LoadError
+  warn "RSpec is not available. To run specs `gem install rspec`."
+end
+
+desc 'Generate documentation for the permit plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Permit'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+begin
+  require 'yard'
+
+  desc 'Generate YARDocs'
+  YARD::Rake::YardocTask.new do |t|
+    t.files   = ['lib/**/*.rb']
+  end
+rescue LoadError
+  warn "YARD not available. To compile YARDocs `gem install yard`."
+end
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "permit"
+    gem.summary = "A flexible authorization plugin for Ruby on Rails."
+    gem.email = "steve@digitalnothing.com"
+    gem.homepage = "http://github.com/dnd/permit"
+    gem.author = "Steve Valaitis"
+    gem.files.exclude 'autotest'
+    gem.extra_rdoc_files = ['README.mkd']
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  warn "Jeweler not available. To install `gem install jeweler`."
+end
+

data/VERSION.yml

@@ -0,0 +1,5 @@
+---
+:major: 0
+:minor: 9
+:patch: 0
+:build:

data/generators/permit/USAGE

@@ -0,0 +1,40 @@
+Description:
+  The permit generator creates the authorization and role models, as well as the 
+  migration and an initializer.
+
+  You can optionally pass in different names for the authorization, role, and 
+  person class that you want to use. Changing the value for Person will not 
+  alter any existing models, but will be used to generate the proper foreign-key 
+  in the migration.
+
+  script/generate permit [Person [Authorization [Role]]]
+
+  If you don't want to use named authorizations, and only want to generate the 
+  initializer pass in the --init-only option. You can optionally pass the name
+  of the class that represents an authenticated user and the generator will set
+  the name of the current_* method to use to retrieve the subject for
+  authorization.
+
+  script/generate permit [Person] --init-only
+
+Example:
+  script/generate permit
+
+  This will create:
+    Model:       app/models/authorization.rb
+    Model:       app/models/role.rb
+    Migration:   db/migrate/xxx_create_permit_structure.rb
+    Initializer: config/initializers/permit.rb
+
+  script/generate permit Employee Access Job
+
+  This will create:
+    Model:       app/models/access.rb
+    Model:       app/models/job.rb
+    Migration:   db/migrate/xxx_create_permit_structure.rb
+    Initializer: config/initializers/permit.rb
+
+  script/generate permit --init-only
+
+  This will create:
+    Initializer: config/initializers/permit.rb

data/generators/permit/permit_generator.rb

@@ -0,0 +1,25 @@
+class PermitGenerator < Rails::Generator::Base
+  default_options :setup_named_roles => true
+
+  attr_reader :authorization_class, :role_class, :person_class
+  def manifest
+    record do |m|
+      @person_class = (args.shift || 'Person').camelize
+      @authorization_class = (args.shift || 'Authorization').camelize
+      @role_class = (args.shift || 'Role').camelize
+
+      m.template 'initializer.rb', 'config/initializers/permit.rb'
+
+      if options[:setup_named_roles]
+        m.template 'role.rb', "app/models/#{role_class.underscore}.rb"
+        m.template 'authorization.rb', "app/models/#{authorization_class.underscore}.rb"
+        m.migration_template 'migration.rb', "db/migrate", :migration_file_name => "create_permit_structure"
+      end
+    end
+  end
+
+protected
+  def add_options!(opt)
+    opt.on("--init-only", "Only generate the initializer file.") {|v| options[:setup_named_roles] = false}
+  end
+end

data/generators/permit/templates/authorization.rb

@@ -0,0 +1,2 @@
+class <%=authorization_class%> < ActiveRecord::Base
+end

data/generators/permit/templates/initializer.rb

@@ -0,0 +1,37 @@
+# Sets up the core models to be used for authorizations, people, and roles. This 
+# call is only required if you are using named authorizations, and may only be 
+# called once. If you are not using named authorizations you may leave this 
+# commented out.
+<%if options[:setup_named_roles] -%>
+Permit::Config.set_core_models(<%=authorization_class%>, <%=person_class%>, <%=role_class%>)
+<%else -%>
+# Permit::Config.set_core_models(Authorization, Person, Role)
+<%end -%>
+
+# Sets the method to use for retrieving the current authorization subject. Leave
+# this nil and Permit will infer the method name(current_*) from the
+# authorization subject model name given to #set_core_models. If named
+# authorizations aren't being used then this will default to :current_person.
+<%if !options[:setup_named_roles] && person_class != 'Person' -%>
+Permit::Config.controller_subject_method = :current_<%=person_class.underscore %>
+<%else -%>
+# Permit::Config.controller_subject_method = nil
+<%end -%>
+
+# Controls the default response given by PermitRules#permitted? when no rules 
+# match. To automatically allow access if no rules match, set this to :allow. 
+# Default is :deny.
+# Permit::Config.default_access = :deny
+
+# You can modify the action_aliases hash to add your own aliases to be used for 
+# expansion by PermitRules. The hash key is a Symbol for the action to be 
+# expanded, and an array of Symbols representing the actions to expand it into. 
+# Alias expansion is non-rescursive. The defaults are:
+# {
+#    :create => [:new, :create], 
+#    :update => [:edit, :update], 
+#    :destroy => [:delete, :destroy],
+#    :read => [:index, :show], 
+#    :write => [:new, :create, :edit, :update]
+#  }
+# Permit::Config.action_aliases

data/generators/permit/templates/migration.rb

@@ -0,0 +1,28 @@
+class CreatePermitStructure < ActiveRecord::Migration
+  def self.up
+    create_table :<%=role_class.tableize%> do |t|
+      t.string :key, :name, :null => false
+      t.string :description
+      t.boolean :requires_resource, :authorize_resource, :null => false, :default => true
+    end
+
+    add_index :<%=role_class.tableize%>, :key, :unique => true
+
+    create_table :<%=authorization_class.tableize%> do |t|
+      t.integer :<%=person_class.underscore%>_id, :<%=role_class.underscore%>_id, :null => false
+      t.string :resource_type
+      t.integer :resource_id
+      t.timestamps
+    end
+
+    add_index :<%=authorization_class.tableize%>, :<%=person_class.underscore%>_id
+    add_index :<%=authorization_class.tableize%>, :<%=role_class.underscore%>_id
+    add_index :<%=authorization_class.tableize%>, [:<%=person_class.underscore%>_id, :<%=role_class.underscore%>_id, :resource_type, :resource_id], :unique => true, :name => '<%=authorization_class.tableize%>_idx_uniq'
+  end
+
+  
+  def self.down
+    drop_table :<%=authorization_class.tableize%>
+    drop_table :<%=role_class.tableize%>
+  end
+end

data/generators/permit/templates/role.rb

@@ -0,0 +1,2 @@
+class <%=role_class%> < ActiveRecord::Base
+end

data/init.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + "/rails/init.rb"

data/install.rb

@@ -0,0 +1 @@
+# Install hook code here

data/lib/models/association.rb

@@ -0,0 +1,89 @@
+module Permit
+  module Models
+    # Defines a set of methods to extend the has_many :authorizations 
+    # associations to help with querying for common cases. Some of these methods
+    # do not show up in the documentation because they are dynamically created
+    # with class_eval so that they can be explicit to the models you use for the
+    # Person and Role models.
+    module AssociationExtensions
+      include Permit::Support
+
+      # Finds all authorizations for the given resource
+      #
+      # @param [permit_authorizable, nil, :any] resource the resource to find 
+      #   authorizations for. :any may be given to find matches for any resource.
+      # @return [<permit_authorization>] the authorizations found for the resource.
+      def for(resource)
+        conditions = authorization_conditions(nil, resource)
+        find(:all, :conditions => conditions)
+      end
+
+      # Finds all authorizations for the given role(s).
+      #
+      # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+      #   roles the roles to find authorizations for.
+      # @return [<permit_authorization>] the authorizations found for the role(s).
+      def as(roles)
+        conditions = authorization_conditions(roles, :any)
+        find(:all, :conditions => conditions)
+      end
+
+      # Finds all authorizations for the given resource and role(s).
+      #
+      # @param [permit_authorizable, nil, :any] resource the resource to find 
+      #   authorizations for. :any may be given to find matches for any resource.
+      # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+      #   roles the roles to find authorizations for.
+      # @return [<permit_authorization>] the authorizations found for the resource and role(s)
+      def for_resource_as(resource, roles)
+        conditions = authorization_conditions(roles, resource)
+        find(:all, :conditions => conditions)
+      end
+
+      # Finds all of the resources authorized for the given role(s).
+      #
+      # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+      #   roles the roles to find authorizations for.
+      # @return [<permit_authorizable>] a unique list of resources authorized 
+      #   for the role(s).
+      def resources_as(roles)
+        as(roles).collect(&:resource).uniq
+      end
+
+      def self.extended(klass)
+        class_eval <<-END
+          # Finds all of the people that have authorizations for the given resource.
+          #
+          # @param [permit_authorizable, nil, :any] resource the resource to find 
+          #   authorizations for. :any may be given to find matches for any resource.
+          # @return [<permit_person>] a unique list of the people with 
+          #   authorizations for the resource.
+          def #{Permit::Config.person_class.plural_class_symbol.to_s}_for(resource)
+            self.for(resource).collect(&:#{Permit::Config.person_class.class_symbol.to_s}).uniq
+          end
+
+          # Finds all of the people that have authorizations for the given role(s).
+          #
+          # @param [permit_role, String, Symbol, <permit_role, String, Symbol>] 
+          #   roles the roles to find authorizations for.
+          # @return [<permit_person>] a unique list of the people with 
+          #   authorizations for the role(s).
+          def #{Permit::Config.person_class.plural_class_symbol.to_s}_as(roles)
+            as(roles).collect(&:#{Permit::Config.person_class.class_symbol.to_s}).uniq
+          end
+
+          # Finds all of the roles authorized for the given resource.
+          #
+          # @param [permit_authorizable, nil, :any] resource the resource to find 
+          #   authorizations for. :any may be given to find matches for any resource.
+          # @return [<permit_role>] a unique list of roles authorized for the 
+          #   resource.
+          def #{Permit::Config.role_class.plural_class_symbol.to_s}_for(resource)
+            self.for(resource).collect(&:#{Permit::Config.role_class.class_symbol.to_s}).uniq
+          end
+
+        END
+      end
+    end
+  end
+end

data/lib/models/authorizable.rb

@@ -0,0 +1,31 @@
+module Permit
+  module Models
+    module AuthorizableExtensions
+      def self.included(klass)
+        klass.extend AuthorizableClassMethods
+        klass.extend Permit::Support::ClassMethods
+      end
+
+      module AuthorizableClassMethods
+        def permit_authorizable
+          return if include? Permit::Models::AuthorizableExtensions::AuthorizableInstanceMethods
+          
+          Permit::Config.authorizable_classes << self
+
+          permit_authorized_model :as => :resource
+
+          def resource_type
+            self.base_class.to_s
+          end
+
+          include Permit::Support
+          include Permit::Models::AuthorizableExtensions::AuthorizableInstanceMethods          
+        end
+
+      end
+
+      module AuthorizableInstanceMethods
+      end
+    end
+  end
+end

data/lib/models/authorization.rb

@@ -0,0 +1,54 @@
+module Permit
+  module Models
+    module AuthorizationExtensions
+      def self.included(klass)
+        klass.extend AuthorizationClassMethods
+        klass.extend Permit::Support::ClassMethods
+      end
+
+      module AuthorizationClassMethods
+        # Defines the current model class as handling authorizations for Permit.
+        def permit_authorization
+          return if include? Permit::Models::AuthorizationExtensions::AuthorizationInstanceMethods
+          
+          belongs_to :resource, :polymorphic => true
+          belongs_to Permit::Config.person_class.class_symbol, :class_name => Permit::Config.person_class.name
+          belongs_to Permit::Config.role_class.class_symbol, :class_name => Permit::Config.role_class.name
+
+          class_eval <<-END
+            protected
+            def permit_person_proxy
+              #{Permit::Config.person_class.class_symbol.to_s}
+            end
+
+            def permit_role_proxy
+              #{Permit::Config.role_class.class_symbol.to_s}
+            end
+          END
+
+          validates_presence_of Permit::Config.person_class.class_symbol, Permit::Config.role_class.class_symbol
+          validate :resource_presence
+          validate :authorization_uniqueness
+
+          include Permit::Models::AuthorizationExtensions::AuthorizationInstanceMethods
+        end
+      end
+
+      module AuthorizationInstanceMethods
+        protected
+        def authorization_uniqueness
+          return true unless permit_person_proxy
+          errors.add(Permit::Config.role_class.class_symbol, "This person is already authorized for this resource") if permit_person_proxy.authorized?(permit_role_proxy, resource)
+        end
+
+        def resource_presence
+          # Don't try to do anything if role isn't present
+          return true unless permit_role_proxy
+
+          errors.add(:resource, :blank) if permit_role_proxy.requires_resource? && resource.nil?
+          errors.add(:resource, "Specific resources may not be granted for this role.") if !permit_role_proxy.authorize_resource? && !resource.nil?
+        end
+      end
+    end
+  end
+end