rails-acu 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: edbbd908c54348250acdd6dee3aa62b88dfb7129
-  data.tar.gz: e9f71d527b9f688669270c5c7a81df819aedc3af
+  metadata.gz: 7a7d60b156e3659b6855ebf7aaf31408b27d7cca
+  data.tar.gz: 3348325c341c48d2a4a24019882caca888f44d49
 SHA512:
-  metadata.gz: ce4b049791e6de8c5285658c5a4334ff26e4d3c20a39e7431ef95f21d4137f338b5cb3eca45de3a49a6f62f12757644a8710fe60f4f21dacd6d05de0d46bad10
-  data.tar.gz: 5359d87f2f690d8e802882b301f575fd466364268663de0bdff90560b20e5c47bd285d1e511cc13a12aaaf962946dbb33b22e08aa8321a06a3805ec0f69aa9d5
+  metadata.gz: ab06cba37ec9e9ee51a7f8c7d339e1d98906f4abb6521d616132411322c3de435017a51faeb816ac22a2a6af64d6473a9d3362e51c2d500d4e3ddd7bd4ebc261
+  data.tar.gz: 54381599563969a2a81af8f4d8a92e853f0667b4b30fe34aed5f7fb3e8cea53da2b517cbf6eb62750007ebd736824eda5419c81acefece4a5266fefbd6aba511

data/Gemfile.lock

@@ -7,7 +7,7 @@ GIT
 PATH
   remote: .
   specs:
-    rails-acu (2.0.0)
+    rails-acu (2.1.0)
       rails (~> 5.0.0, >= 5.0.0)
 
 GEM

data/README.md

@@ -49,21 +49,33 @@ Acu::Rules.define do
 
   whois :admin, args: [:user] { |c| c and c.user_type == :ADMIN.to_s }
 
-  whois :client, args: [:user] { |c| c and c.user_type == :CLIENT.to_s }
+  whois :client, args: [:user] { |c| c and c.user_type == :PUBLIC.to_s }
+
+  # admin can access to everywhere
+  allow :admin
 
   # the default namespace
-  namespace do
-    controller :home, except: [:some_secret_action] do
-      allow :everyone
+  namespace do  
+    # assume anyone can access, your default namespace
+    allow :everyone
+    controller :home, :shop do
+      allow :admin, :client, on: [:some_secret_action1, :some_secret_action2]
+      # OR
+      # action :some_secret_action1, :some_secret_action2 do
+      #  allow :admin, :client
+      # end
     end
-    controller :home do
-      allow [:admin, :client], on: [:some_secret_action]
+  end
+
+  # allow every get access to public controller in 3 [default(the `nil`), admin]
+  namespace nil, :admin do
+    controller :public do
+      allow :everyone
     end
   end
 
   # the admin namespace
   namespace :admin do
-    allow :admin
 
     controller :contact, only: [:send_message] do
       allow :everyone
@@ -83,8 +95,7 @@ As we define our rules at the first line, we have to say who are the entities? _
 Once we defined our entities we can set their binary access permissions at namespace/controller/action levels using `allow` and `deny` helpers. **that is it, we are done tutorialing; from now on is just tiny details. :)**
 
 > **Scenario:** We have a *public* site which serves to its client's; we have 2 namespaces on this site, one is the _default_ namespace with _home_ controller in it, and the second namespace belongs to the _admin_ of site which has many controllers and also a _contact_ controller.<br />
-We want to grant access to everyone for all of _home_ controller actions in _default_ namespace **except** the `some_secret_action`; but this `some_secret_action` can be accessed via the `:admin` and `:client` entities.<br />
-By default only `:admin` can access to the _admin_ namespace, but we made an exception for 2 actions in the `Admin::ContactController` which everyone can `send_message` to the admin and only clients can ask for `support`.<br />
+We want to grant access to everyone for all of _home_ controller actions in _default_ namespace **except** the `some_secret_action1` and `some_secret_action2`; but these `some_secret_action*` can be accessed via the `:admin` and `:client` entities. By default only `:admin` can access to everywhere, but in namespace `admin` we made an exception for 2 actions in the `Admin::ContactController` which everyone can `send_message` to the admin and only clients can ask for `support`. Finally we want to grant access to everyone for _public_ controllers in our 2 namespaces _the default_ and _admin_. <br />
 If you back trace it in the above example you can easily find this scenario in the rules, plain and simple.
 
 ### Gaurding the requests

data/lib/acu/rules.rb

@@ -30,32 +30,41 @@ module Acu
 
       # only: only the defined `controllers` in the `namespace`
       # except: except the defined `controllers` in the `namespace`
-      def namespace name = nil, except: nil, only: nil
+      def namespace *names, except: nil, only: nil
+        names = [nil] if names.empty?
         only = nil if only and not (only.kind_of?(Array) or only.length == 0)
         except = nil if except and not (except.kind_of?(Array) or except.length == 0)
-        raise Errors::AmbiguousRule.new('cannot have both `only` and `except` options at the same time for namespace `%s`' %name) if only and except
-        pass namespace: { name: name ? name.downcase : name, except: except, only: only } do
-          yield
+        raise Errors::AmbiguousRule.new('cannot have both `only` and `except` options at the same time for namespace(s) `%s`' %names.join(', ')) if only and except
+        names.each do |name|
+          pass namespace: { name: name ? name.downcase : name, except: except, only: only } do
+            yield
+          end
         end
       end
 
       # only: only the defined `actions` in the `controller`
       # except: except the defined `actions` in the `controller`
-      def controller name, except: nil, only: nil
+      def controller *names, except: nil, only: nil
+        names = [names].flatten if name
         only = nil if only and not (only.kind_of?(Array) or only.length == 0)
         except = nil if except and not (except.kind_of?(Array) or except.length == 0)
         raise Errors::AmbiguousRule.new("there is already an `except` or `only` constraints defined in container namespace `#{@_params[:namespace][:name]}`") if @_params[:namespace] and (@_params[:namespace][:except] || @_params[:namespace][:only])
-        raise Errors::AmbiguousRule.new('cannot have both `only` and `except` options at the same time for controller `%s`' %name) if only and except
-        pass controller: { name: name.downcase, except: except, only: only } do
-          yield
+        raise Errors::AmbiguousRule.new('cannot have both `only` and `except` options at the same time for controller(s) `%s`' %names.join(', ')) if only and except
+        names.each do |name|
+          pass controller: { name: name.downcase, except: except, only: only } do
+            yield
+          end
         end
       end
 
-      def action name
+      def action *names
+        names = [names].flatten if name
         raise Errors::AmbiguousRule.new("at least one of the parent `controller` or `namespace` needs to be defined for the this action") if not (@_params[:namespace] || @_params[:controller])
-        raise Errors::AmbiguousRule.new("there is already an `except` or `only` constraints defined in container controller `#{@_params[:controller][:name]}`") if @_params[:controller] and (@_params[:controller][:except] || @_params[:controller][:only])
-        pass action: { name: name.downcase } do
-          yield
+        raise Errors::AmbiguousRule.new("there is already an `except` or `only` constraints defined in container controller(s) `#{@_params[:controller][:name]}`") if @_params[:controller] and (@_params[:controller][:except] || @_params[:controller][:only])
+        names.each do |name|
+          pass action: { name: name.downcase } do
+            yield
+          end
         end
       end
 
@@ -80,20 +89,20 @@ module Acu
       # at this point we assign the class varible rules #
       ###################################################
 
-      def allow symbol, on: []
-        op symbol, @GRANT_SYMBOL, on
+      def allow *symbol, on: []
+        op *symbol, @GRANT_SYMBOL, on
       end
 
-      def deny symbol, on: []
-        op symbol, @DENY_SYMBOL, on
+      def deny *symbol, on: []
+        op *symbol, @DENY_SYMBOL, on
       end
 
       ################### end of ops ####################
 
       protected
 
-      def op symbol, opr, on
-        symbol = [symbol].flatten if symbol
+      def op *symbol, opr, on
+        symbol = symbol.flatten
         raise Errors::InvalidData.new("invalid argument") if not symbol or symbol.to_s.blank? or opr.to_s.blank?
         raise Errors::AmbiguousRule.new("cannot have `on` argument inside the action `#{@_params[:action][:name]}`") if not on.empty? and @_params[:action]
         raise Errors::InvalidData.new("the symbol `#{symbol}` is not defined by `whois`") if not symbol.all? { |s| @entities.include? s }

data/lib/acu/version.rb

@@ -1,3 +1,3 @@
 module Acu
-  VERSION = '2.0.0'
+  VERSION = '2.1.0'
 end

data/lib/generators/templates/rules.rb

@@ -1,25 +1,37 @@
 # This is an examble, modify it as well
 Acu::Rules.define do
-  # anyone make a request could be count as everyone!
+  # anyone makes a request could be count as everyone!
   whois :everyone { true }
 
   # whois :admin, args: [:user] { |c| c and c.user_type.symbol == :ADMIN.to_s }
   # whois :client, args: [:user] { |c| c and c.user_type.symbol == :PUBLIC.to_s }
 
-  # assume anyone can access
-  # this has security leak of overrideing the `allow_by_default` config
-  # allow :everyone
+  # admin can access anywhere
+  # allow :admin
 
-  # the default namespace
-  # namespace do
-  #   controller :home do
-  #     allow [:admin, :client], on: [:some_secret_action]
+  # # the default namespace
+  # namespace do  
+  #   # assume anyone can access, your default namespace
+  #   allow :everyone
+  #
+  #   controller :home, :shop do
+  #     allow :admin, :client, on: [:some_secret_action1, :some_secret_action2]
+  #     # OR
+  #     # action :some_secret_action1, :some_secret_action2 do
+  #     #  allow :admin, :client
+  #     # end
   #   end
   # end
 
-  # the admin namespace
+  # # allow every get access to public controller in 3 [default(the `nil`), admin, emplyee]
+  # namespace nil, :admin, :emplyee do
+  #   controller :public do
+  #     allow :everyone
+  #   end
+  # end
+
+  # # the admin namespace
   # namespace :admin do
-  #   allow :admin
 
   #   controller :contact, only: [:send_message] do
   #     allow :everyone

data/spec/dummy/spec/controllers/admin/manage_controller_spec.rb

@@ -28,7 +28,7 @@ RSpec.describe Admin::ManageController, type: :controller do
     end
     # we filtered the default namespace not this
     get :index
-    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace="admin".*controller="manage".*action="index".*as `:everyone`/
 
     Acu::Rules.define do
       namespace :admin, except: [:posts] do
@@ -39,11 +39,11 @@ RSpec.describe Admin::ManageController, type: :controller do
       end
     end
     expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace="admin".*controller="manage".*action="index".*as `:everyone`/
     expect {get :show}.to raise_error(Acu::Errors::AccessDenied)
-    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="show".*as `:everyone`/
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace="admin".*controller="manage".*action="show".*as `:everyone`/
     expect {get :list}.to raise_error(Acu::Errors::AccessDenied)
-    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="list".*as `:everyone`/
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace="admin".*controller="manage".*action="list".*as `:everyone`/
   end
   it '[local-global & args]' do
     Acu::Rules.define do
@@ -58,10 +58,10 @@ RSpec.describe Admin::ManageController, type: :controller do
     end
     Acu::Monitor.args c: :admin
     get :index
-    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:admin`/
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace="admin".*controller="manage".*action="index".*as `:admin`/
     Acu::Monitor.args c: :client
     expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace="admin".*controller="manage".*action="index".*\[autherized by :allow_by_default\]/
 
     [:client, :admin].each do |cc|
       Acu::Monitor.args c: cc

data/spec/dummy/spec/controllers/home_controller_spec.rb

@@ -14,6 +14,7 @@ RSpec.describe HomeController, type: :controller do
       config.cache_expires_in = nil
       config.cache_race_condition_ttl = nil
     end
+    @controller = HomeController.new
   }
 
   def setup **kwargs
@@ -64,7 +65,7 @@ RSpec.describe HomeController, type: :controller do
         expect(Acu::Rules.rules.length).to be 1
         expect(Acu::Rules.rules[{}].length).to be 2
         get :index
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone, :client`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone, :client`/
       end
       it "{ one of rules failed = AccessDenied }" do
         Acu::Rules.define do
@@ -76,7 +77,7 @@ RSpec.describe HomeController, type: :controller do
           deny :client
         end
         expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone, :client`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone, :client`/
 
         Acu::Rules.define do
           whois :client { false }
@@ -84,7 +85,7 @@ RSpec.describe HomeController, type: :controller do
           deny :client
         end
         get :index
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
       end
     end
     context "[levels]" do
@@ -104,7 +105,7 @@ RSpec.describe HomeController, type: :controller do
             end
           end
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
           Acu::Rules.define do
             namespace do
               allow :everyone
@@ -127,7 +128,7 @@ RSpec.describe HomeController, type: :controller do
             deny :everyone
           end
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
         end
         it "[with only]" do
           Acu::Rules.define do
@@ -137,7 +138,7 @@ RSpec.describe HomeController, type: :controller do
             end
           end
           get :index
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
 
           Acu::Rules.define do
             whois :everyone { true }
@@ -151,7 +152,7 @@ RSpec.describe HomeController, type: :controller do
           end
           # by override
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
         end
         it "[with except]" do
           Acu::Rules.define do
@@ -171,7 +172,7 @@ RSpec.describe HomeController, type: :controller do
             end
           end
           get :index
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
         end
       end
 
@@ -200,9 +201,9 @@ RSpec.describe HomeController, type: :controller do
           end
           # deny by default
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
           expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="contact".*\[autherized by :allow_by_default\]/
 
           Acu::Rules.define do
             controller :home, only: [:contact] do
@@ -212,7 +213,7 @@ RSpec.describe HomeController, type: :controller do
           get :contact
           # deny by default
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
 
           # the rules won't override with above, this will give us the needed flexibility for multi-dimentional rules
           Acu::Rules.define do
@@ -256,10 +257,10 @@ RSpec.describe HomeController, type: :controller do
           end
           # we have rule for this
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
           # and this is by detailt
           expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="contact".*\[autherized by :allow_by_default\]/
         end
       end
 
@@ -273,9 +274,9 @@ RSpec.describe HomeController, type: :controller do
             end
           end
           get :index
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
           get :contact
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
 
           Acu::Rules.define do
             namespace do
@@ -284,9 +285,9 @@ RSpec.describe HomeController, type: :controller do
             end
           end
           get :index
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
           expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
 
         end
 
@@ -298,7 +299,7 @@ RSpec.describe HomeController, type: :controller do
           end
           # deny by default
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
 
           Acu::Rules.define do
             controller :home do
@@ -308,7 +309,7 @@ RSpec.describe HomeController, type: :controller do
           get :contact
           # deny by default
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
 
           Acu::Rules.define do
             controller :home do
@@ -330,7 +331,7 @@ RSpec.describe HomeController, type: :controller do
           end
           # deny by default
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
 
           Acu::Rules.define do
             namespace do
@@ -342,7 +343,7 @@ RSpec.describe HomeController, type: :controller do
           get :contact
           # deny by default
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
 
           Acu::Rules.define do
             namespace do
@@ -367,9 +368,9 @@ RSpec.describe HomeController, type: :controller do
             end
           end
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
           expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="contact".*\[autherized by :allow_by_default\]/
         end
         it '[local-global]' do
           Acu::Rules.define do
@@ -382,83 +383,137 @@ RSpec.describe HomeController, type: :controller do
             end
           end
           get :contact
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
           expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
         end
       end
+    end
+    context "[allow/deny]" do
+      it "[allow]" do
+        expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*\[autherized by :allow_by_default\]/
+        expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="contact".*\[autherized by :allow_by_default\]/
 
-      context "[allow/deny]" do
-        it "[allow]" do
-          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
-          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+        Acu::Rules.define do
+          whois :everyone { true }
+          namespace do
+            controller :home do
+              allow :everyone, on: [:index, :contact]
+            end
+          end
+        end
+        get :index
+        get :contact
+      end
+      it "[deny]" do
+        Acu::Rules.define do
+          whois :everyone { true }
+          allow :everyone
+        end
+        get :index
+        get :contact
 
-          Acu::Rules.define do
-            whois :everyone { true }
-            namespace do
-              controller :home do
-                allow :everyone, on: [:index, :contact]
-              end
+        Acu::Rules.define do
+          whois :everyone { true }
+          namespace do
+            controller :home do
+              deny :everyone, on: [:index, :contact]
             end
           end
-          get :index
-          get :contact
         end
-        it "[deny]" do
-          Acu::Rules.define do
-            whois :everyone { true }
-            allow :everyone
+        expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
+        expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
+      end
+    end
+    context "[bulk settings]" do
+      it "[allow/deny]" do
+        Acu::Rules.define do
+          whois :everyone { true }
+          whois :client { false }
+          namespace do
+            controller :home do
+              allow [:everyone, :client], on: [:index, :contact]
+            end
           end
-          get :index
-          get :contact
-
-          Acu::Rules.define do
-            whois :everyone { true }
-            namespace do
-              controller :home do
-                deny :everyone, on: [:index, :contact]
-              end
+        end
+        get :index
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
+        get :contact
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
+        Acu::Rules.define { whois :client { true } }
+        get :index
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone, :client`/
+        get :contact
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone, :client`/
+        Acu::Rules.define do
+          namespace do
+            controller :home do
+              action :index { deny [:everyone, :client] }
             end
           end
-          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
-          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*as `:everyone`/
         end
-        it "[bulk settings]" do
-          Acu::Rules.define do
-            whois :everyone { true }
-            whois :client { false }
-            namespace do
-              controller :home do
-                allow [:everyone, :client], on: [:index, :contact]
-              end
+        expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+        # the first rule that failed is going to mention
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone, :client`/
+        get :contact
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone, :client`/
+      end
+      it "[namespace/controller]" do
+        Acu::Rules.define do
+          whois :everyone { true }
+          namespace nil, :admin do
+            allow :everyone
+            controller :home, :manage, only: [:index] do
+              deny :everyone
             end
           end
-          get :index
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
-          get :contact
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone`/
-          Acu::Rules.define { whois :client { true } }
-          get :index
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone, :client`/
-          get :contact
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone, :client`/
-          Acu::Rules.define do
-            namespace do
-              controller :home do
-                action :index { deny [:everyone, :client] }
+        end
+        get :contact
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
+        expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
+        
+        @controller = Admin::ManageController.new
+
+        expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace="admin".*controller="manage".*action="index".*as `:everyone`/
+
+        [:show, :list, :delete, :add, :prove].each do |action|
+          get action
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace="admin".*controller="manage".*action="#{action.to_s}".*as `:everyone`/
+        end
+      end
+      it "[action]" do
+        Acu::Rules.define do
+          whois :everyone { true }
+          namespace do
+            allow :everyone
+          end
+        end
+        [:index, :contact].each do |action|
+          get action
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*namespace=nil.*controller="home".*action="#{action.to_s}".*as `:everyone`/
+        end
+
+        Acu::Rules.define do
+          namespace do
+            controller :home do
+              action :index, :contact do
+                deny :everyone
               end
             end
           end
-          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
-          # the first rule that failed is going to mention
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone, :client`/
-          get :contact
-          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone, :client`/
         end
+
+        [:index, :contact].each do |action|
+          expect {get action}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*namespace=nil.*controller="home".*action="#{action.to_s}".*as `:everyone`/
+        end
+
       end
     end
   end
@@ -512,9 +567,9 @@ RSpec.describe HomeController, type: :controller do
       # it shouldn't use cache because we haven't told it yet
       5.times do
         get :index
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\] access GRANTED to.*action="index".*as `:everyone`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\] access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
         expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\] access DENIED to.*action="contact".*as `:everyone`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\] access DENIED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
       end
 
       setup use_cache: true
@@ -527,9 +582,9 @@ RSpec.describe HomeController, type: :controller do
       # both request should be ruled by cache now!
       5.times do
         get :index
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\]\[c\] access GRANTED to.*action="index".*as `:everyone`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\]\[c\] access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
         expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\]\[c\] access DENIED to.*action="contact".*as `:everyone`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\]\[c\] access DENIED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
       end
     end
     it '[maintains cache]' do
@@ -545,9 +600,9 @@ RSpec.describe HomeController, type: :controller do
       end
       5.times do
         get :index
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\]\[c\] access GRANTED to.*action="index".*as `:everyone`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\]\[c\] access GRANTED to.*namespace=nil.*controller="home".*action="index".*as `:everyone`/
         expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
-        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\]\[c\] access DENIED to.*action="contact".*as `:everyone`/
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\]\[c\] access DENIED to.*namespace=nil.*controller="home".*action="contact".*as `:everyone`/
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-acu
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Dariush Hasanpour
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-04-01 00:00:00.000000000 Z
+date: 2017-04-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails