role_fu 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d8ca75bef3838c779e395c17a16c8e61ddb6a7fdab7b2819412cd9356213436
-  data.tar.gz: b3b280add77cac1f4778c7e72b4ec3717e9554ab053cbcce869ef7180dd98ed2
+  metadata.gz: d75b379be1f3096ca3580d3b5f545c7e10e96a76ade4e1ea8ddf9df11272cf61
+  data.tar.gz: 9dda6cef944474db4c9fa70979f0a633a3ad90f51bee73faa6cc7ed2e13bfa68
 SHA512:
-  metadata.gz: 0c7448aa048ad1836888270417e15d2acf5375cef727059cac77e9dea5c644d2b5156fc9e90134d9918367b38e4c127f753f5dda01b836c24794baf0102646dd
-  data.tar.gz: 57a6f48677cb49653b3c22e298b13fb3ac13003bb7e8d895e9c17396304e8385b7fb7162db426a7862ce1aad3031396e66dda60a897f898952594ee6011a4784
+  metadata.gz: 51e073987c36ffd2c6faa06256362a75f79f1a83931fe2bc82e5f4d6750c4a355df4324c3f33dc1dcbe298d3d060b787b6d819da1b693f63edb9d4ed4dc008c5
+  data.tar.gz: 9e1b6a068bce303db00d70f538a311321fbc2ea1d1032b1522b028d0cf71835c7107589b3f194b48a0c242ba9afab49755a1213ab4a6ce2ba195a06fef8f9a10

data/Appraisals

@@ -1,11 +1,3 @@
-appraise "rails-7.0" do
-  gem "rails", "~> 7.0.0"
-end
-
-appraise "rails-7.1" do
-  gem "rails", "~> 7.1.0"
-end
-
 appraise "rails-7.2" do
   gem "rails", "~> 7.2.0"
 end

data/CHANGELOG.md

@@ -1,5 +1,28 @@
 ## [Unreleased]
 
+## [0.3.0] - 2026-02-03
+
+### BREAKING CHANGES
+
+- **Drop Rails 7.0 and 7.1 support**: Minimum required Rails version is now 7.2+
+  - Rails 7.0 and 7.1 require `sqlite3 ~> 1.4`, which conflicts with `sqlite3 ~> 2.0`
+  - Rails 7.2+ supports `sqlite3 >= 1.6.6`, ensuring compatibility with modern sqlite3 versions
+  - Updated `activerecord` dependency from `>= 7.0` to `>= 7.2`
+  - Removed Rails 7.0 and 7.1 from CI test matrix
+
+## [0.2.0] - 2026-02-03
+
+### Added
+
+- **Temporal Roles**: Support for role expiration (`expires_at`) and automatic filtering.
+- **Audit Logging**: Built-in generator for audit trails (`RoleAssignmentAudit`) and actor tracking (`RoleFu.with_actor`).
+- **Role Abilities**: Granular permissions system with `Permission` model and `role_fu_can?` helper.
+- **Metadata**: Support for attaching arbitrary JSON metadata to role assignments.
+- **Adapters**: Seamless integration with **Pundit** and **CanCanCan**.
+- **Permissive Mode**: Configuration option `global_roles_override` to match Rolify behavior.
+- **Cleanup Automation**: `rake role_fu:cleanup` task and ActiveJob generator for expired roles.
+- **Custom Aliases**: `role_fu_alias` to generate domain-specific methods (e.g., `add_group`, `in_group`).
+
 ## [0.1.0] - 2026-02-03
 
-- Initial release: modern role management for Rails with explicit models and N+1 prevention.
+- Initial release: modern role management for Rails with explicit models and N+1 prevention.

data/README.md

@@ -1,13 +1,14 @@
 # RoleFu
 
-RoleFu is a modern, explicit role management gem for Ruby on Rails. It is designed as a cleaner, more performant alternative to `rolify`.
+RoleFu is a modern, explicit role management gem for Ruby on Rails. It is designed as a cleaner, more performant alternative to legacy role gems, providing full control over role assignments and granular permissions.
 
 ## Why RoleFu?
 
-- **Explicit Models**: Unlike Rolify which often uses hidden `has_and_belongs_to_many` tables, RoleFu uses an explicit `RoleAssignment` join model. This makes it easier to extend with metadata (e.g., `created_by`, `expires_at`).
-- **N+1 Prevention**: Built-in support for `has_cached_role?` to work with preloaded associations.
-- **Strict by Default**: Focused on resource-specific roles with clear `has_role?` semantics.
-- **Orphaned Role Cleanup**: Automatically deletes roles when the last user assignment is removed.
+- **Explicit Models**: Uses an explicit `RoleAssignment` join model instead of hidden tables, making it easy to add metadata or audit trails.
+- **N+1 Prevention**: Built-in support for `has_cached_role?` and optimized scopes.
+- **Strict by Default**: Resource-specific checks are strict, ensuring global roles don't accidentally leak permissions unless configured otherwise.
+- **Advanced Features**: Supports temporal (expiring) roles, metadata, audit logging, and granular abilities.
+- **Modern Infrastructure**: Fully compatible with Rails 7.0 through 8.1, includes Lefthook and Appraisal support.
 
 ## Installation
 
@@ -25,17 +26,18 @@ bundle install
 
 ### Setup
 
-1. Run the install generator to create the configuration:
+1. **Install Configuration:**
 ```bash
 rails generate role_fu:install
 ```
 
-2. Generate the Role models (default names are `Role` and `RoleAssignment`):
+2. **Generate Models:**
+Default names are `Role` and `RoleAssignment`, linked to the `User` model.
 ```bash
 rails generate role_fu Role User
 ```
 
-3. Run migrations:
+3. **Run Migrations:**
 ```bash
 rails db:migrate
 ```
@@ -49,10 +51,10 @@ Include `RoleFu::Roleable` in your User model (done automatically by the generat
 ```ruby
 class User < ApplicationRecord
   include RoleFu::Roleable
-  
+
   # Optional callbacks
   role_fu_options after_add: :notify_user
-  
+
   def notify_user(role)
     # ...
   end
@@ -65,35 +67,122 @@ end
 user = User.find(1)
 
 # Global roles
-user.add_role(:admin)
-user.grant(:admin) # Alias
+user.grant(:admin)
 user.has_role?(:admin) # => true
-user.remove_role(:admin)
-user.revoke(:admin) # Alias
+user.revoke(:admin)
 
 # Resource-specific roles
 org = Organization.first
-user.add_role(:manager, org)
+user.grant(:manager, org)
 user.has_role?(:manager, org) # => true
 user.has_role?(:manager)      # => false (strict check)
 user.has_role?(:manager, :any) # => true
 user.only_has_role?(:manager, org) # => true if this is their only role
+```
 
-# Scopes (Finders)
+#### Scopes (Finders)
+
+```ruby
 User.with_role(:admin)
 User.with_role(:manager, org)
 User.without_role(:admin)
 User.with_any_role(:admin, :editor)
 User.with_all_roles(:admin, :manager)
+```
 
-# Resource Scopes
-Organization.with_role(:manager, user)
-Organization.without_role(:manager, user)
+---
+
+### Advanced Features
+
+#### 1. Temporal Roles (Expiration)
+Roles can be assigned with an expiration time. They are automatically filtered out from queries once expired.
+
+```ruby
+user.grant(:manager, org, expires_at: 1.week.from_now)
+
+# To physically remove expired roles from the database:
+# rake role_fu:cleanup
+
+# Or generate a scheduled ActiveJob:
+# rails generate role_fu:job
+```
+
+#### 2. Metadata
+Attach arbitrary metadata to a role assignment.
+
+```ruby
+user.grant(:manager, org, meta: { assigned_by: current_user.id, reason: "Project lead" })
+```
+
+#### 3. Audit Log
+Track every grant, revoke, and update (e.g., expiration extensions).
+
+**Setup:**
+```bash
+rails generate role_fu:audit
+rails db:migrate
+```
+
+**Usage:**
+Wrap changes in `with_actor` to capture the responsible user:
+```ruby
+RoleFu.with_actor(current_user) do
+  user.grant(:manager, org)
+end
+
+# Check history
+RoleAssignmentAudit.where(user: user).last
+# => #<RoleAssignmentAudit operation: "INSERT", whodunnit: "1", ...>
+```
+
+#### 4. Role Abilities (Permissions)
+Attach granular permissions to roles.
+
+**Setup:**
+```bash
+rails generate role_fu:abilities
+rails db:migrate
 ```
 
-#### Performance (N+1 Prevention)
+**Usage:**
+```ruby
+# Setup permissions
+manager_role = Role.find_by(name: "manager")
+manager_role.permissions.create(action: "posts.edit")
+
+# Check abilities
+user.role_fu_can?("posts.edit") # => true
+```
+
+---
+
+### Adapters (Pundit & CanCanCan)
+
+#### CanCanCan
+```ruby
+class Ability
+  include CanCan::Ability
+  include RoleFu::Adapters::CanCanCan
+
+  def initialize(user)
+    role_fu_load_permissions!(user)
+  end
+end
+```
 
-Use `has_cached_role?` when roles are preloaded.
+#### Pundit
+```ruby
+class ApplicationPolicy
+  include RoleFu::Adapters::Pundit
+end
+```
+*`PostPolicy#update?` will automatically check `user.role_fu_can?('posts.update')`.*
+
+---
+
+### Performance (N+1 Prevention)
+
+Use `has_cached_role?` when roles are preloaded to avoid database roundtrips.
 
 ```ruby
 users = User.includes(:roles).all
@@ -102,7 +191,7 @@ users.each do |user|
 end
 ```
 
-### Resourceable (Models with roles)
+### Resourceable
 
 Include `RoleFu::Resourceable` in any model that should have roles scoped to it.
 
@@ -113,32 +202,55 @@ end
 
 org = Organization.first
 org.users_with_role(:manager)
-org.count_users_with_role(:admin)
 org.available_roles # ["manager", "admin"]
-```
 
-## Comparison with Rolify
-
-| Feature | Rolify | RoleFu |
-|---------|--------|--------|
-| Join Model | Implicit (HABTM) | Explicit (RoleAssignment) |
-| Performance | Frequent N+1 | Cached role support + Optimized Scopes |
-| Orphaned Roles | Configurable cleanup | Automatic cleanup |
-| Scopes | `User.with_role` | `User.with_role`, `without_role`, `with_any`, `with_all` |
-| Modern Rails | Older codebase | Optimized for Rails 7+ |
+# Scopes
+Organization.with_role(:manager, user)
+Organization.without_role(:manager, user)
+```
 
 ## Configuration
 
-If your models are named differently (e.g., `Account` instead of `User`, or `Group` instead of `Role`), you can configure them in `config/initializers/role_fu.rb`:
+Customize your model names in `config/initializers/role_fu.rb`:
 
 ```ruby
 RoleFu.configure do |config|
   config.user_class_name = "Account"
   config.role_class_name = "Group"
-  config.role_assignment_class_name = "GroupAssignment" # Optional
+  
+  # Enable Rolify-style permissive checks (Global roles override resource checks)
+  config.global_roles_override = true
 end
 ```
 
+## Custom Aliases (e.g. Groups)
+
+If you prefer different terminology (e.g., "Groups" instead of "Roles"), you can alias the methods in your models:
+
+```ruby
+class User < ApplicationRecord
+  include RoleFu::Roleable
+  role_fu_alias :group
+end
+
+# Now you can use:
+user.add_group(:admin)
+user.has_group?(:admin)
+User.in_group(:admin)      # Alias for with_group/with_role
+User.not_in_group(:admin)  # Alias for without_group/without_role
+```
+
+## Migrating from Rolify
+
+1. **Code Changes**: Replace `rolify` with `include RoleFu::Roleable` and `resourcify` with `include RoleFu::Resourceable`.
+2. **Data Migration**:
+```sql
+INSERT INTO role_assignments (user_id, role_id, created_at, updated_at)
+SELECT user_id, role_id, NOW(), NOW()
+FROM users_roles;
+```
+3. **Behavior**: Set `config.global_roles_override = true` if you rely on global roles satisfying resource checks.
+
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/gemfiles/rails_7.2.gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: ..
   specs:
-    role_fu (0.1.0)
-      activerecord (>= 7.0)
+    role_fu (0.3.0)
+      activerecord (>= 7.2)
 
 GEM
   remote: https://rubygems.org/
@@ -389,7 +389,7 @@ CHECKSUMS
   rdoc (7.1.0) sha256=494899df0706c178596ca6e1d50f1b7eb285a9b2aae715be5abd742734f17363
   regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
   reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
-  role_fu (0.1.0)
+  role_fu (0.3.0)
   rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
   rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
   rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836

data/gemfiles/rails_8.0.gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: ..
   specs:
-    role_fu (0.1.0)
-      activerecord (>= 7.0)
+    role_fu (0.3.0)
+      activerecord (>= 7.2)
 
 GEM
   remote: https://rubygems.org/
@@ -385,7 +385,7 @@ CHECKSUMS
   rdoc (7.1.0) sha256=494899df0706c178596ca6e1d50f1b7eb285a9b2aae715be5abd742734f17363
   regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
   reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
-  role_fu (0.1.0)
+  role_fu (0.3.0)
   rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
   rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
   rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836

data/gemfiles/rails_8.1.gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: ..
   specs:
-    role_fu (0.1.0)
-      activerecord (>= 7.0)
+    role_fu (0.3.0)
+      activerecord (>= 7.2)
 
 GEM
   remote: https://rubygems.org/
@@ -387,7 +387,7 @@ CHECKSUMS
   rdoc (7.1.0) sha256=494899df0706c178596ca6e1d50f1b7eb285a9b2aae715be5abd742734f17363
   regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
   reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
-  role_fu (0.1.0)
+  role_fu (0.3.0)
   rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
   rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
   rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836

data/lib/generators/role_fu/abilities_generator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require "rails/generators/active_record"
+
+module RoleFu
+  module Generators
+    class AbilitiesGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      def generate_permission_model
+        template "permission.rb.erb", "app/models/permission.rb"
+      end
+
+      def create_migration
+        migration_template "abilities_migration.rb.erb", "db/migrate/role_fu_create_permissions.rb", migration_version: migration_version
+      end
+
+      def inject_into_role_model
+        role_cname = RoleFu.configuration.role_class_name
+        path = "app/models/#{role_cname.underscore}.rb"
+
+        if File.exist?(path)
+          inject_into_class(path, role_cname.constantize) do
+            "  has_many :permissions, dependent: :destroy\n"
+          end
+        else
+          say "Role model #{role_cname} not found. Please add 'has_many :permissions' manually."
+        end
+      end
+
+      def inject_into_user_model
+        user_cname = RoleFu.configuration.user_class_name
+        path = "app/models/#{user_cname.underscore}.rb"
+
+        if File.exist?(path)
+          inject_into_class(path, user_cname.constantize) do
+            "  include RoleFu::Ability\n"
+          end
+        else
+          say "User model #{user_cname} not found. Please add 'include RoleFu::Ability' manually."
+        end
+      end
+
+      private
+
+      def migration_version
+        "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]" if Rails::VERSION::MAJOR >= 5
+      end
+    end
+  end
+end

data/lib/generators/role_fu/audit_generator.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "rails/generators/active_record"
+
+module RoleFu
+  module Generators
+    class AuditGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      def create_migration
+        migration_template "audit_migration.rb.erb", "db/migrate/role_fu_create_audits.rb", migration_version: migration_version
+      end
+
+      def create_model
+        template "audit_model.rb.erb", "app/models/role_assignment_audit.rb"
+      end
+
+      private
+
+      def migration_version
+        "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]" if Rails::VERSION::MAJOR >= 5
+      end
+    end
+  end
+end

data/lib/generators/role_fu/job_generator.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+
+module RoleFu
+  module Generators
+    class JobGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      def create_job
+        template "cleanup_job.rb.erb", "app/jobs/role_fu/cleanup_job.rb"
+      end
+    end
+  end
+end

data/lib/generators/role_fu/templates/abilities_migration.rb.erb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class RoleFuCreatePermissions < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table :permissions do |t|
+      t.references :role, null: false, index: true
+      t.string :action, null: false
+      t.jsonb :conditions, default: {}
+
+      t.timestamps
+    end
+    
+    add_index :permissions, [:role_id, :action]
+  end
+end

data/lib/generators/role_fu/templates/audit_migration.rb.erb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class RoleFuCreateAudits < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table :role_assignment_audits do |t|
+      t.references :user, index: true
+      t.references :role, index: true
+      t.references :role_assignment, index: true
+      t.string :operation, null: false # INSERT, UPDATE, DELETE
+      t.string :whodunnit
+      t.jsonb :meta_snapshot
+      t.datetime :expires_at_snapshot
+
+      t.timestamps
+    end
+    
+    # If using PostgreSQL, you can add a trigger here to automatically populate this table.
+    # Example (Conceptual):
+    # execute <<-SQL
+    #   CREATE TRIGGER ...
+    # SQL
+  end
+end

data/lib/generators/role_fu/templates/audit_model.rb.erb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class RoleAssignmentAudit < ApplicationRecord
+  belongs_to :user, optional: true
+  belongs_to :role, optional: true
+  belongs_to :role_assignment, optional: true
+end

data/lib/generators/role_fu/templates/cleanup_job.rb.erb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module RoleFu
+  class CleanupJob < ApplicationJob
+    queue_as :default
+
+    def perform
+      result = RoleFu::Cleanup.call
+      Rails.logger.info("RoleFu::CleanupJob: Deleted #{result[:deleted]} expired assignments.")
+    end
+  end
+end

data/lib/generators/role_fu/templates/migration.rb.erb

@@ -12,6 +12,8 @@ class RoleFuCreate<%= table_name.camelize %> < ActiveRecord::Migration<%= migrat
     create_table :<%= table_name.singularize %>_assignments do |t|
       t.references :<%= user_cname.underscore %>, index: true
       t.references :<%= table_name.singularize %>, index: true
+      t.datetime :expires_at, index: true
+      t.jsonb :meta, default: {}
 
       t.timestamps
     end

data/lib/generators/role_fu/templates/permission.rb.erb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Permission < ApplicationRecord
+  include RoleFu::Permission
+end

data/lib/role_fu/ability.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module RoleFu
+  module Ability
+    extend ActiveSupport::Concern
+
+    def role_fu_can?(action, _resource = nil)
+      role_fu_permissions.include?(action.to_s)
+    end
+
+    def role_fu_permissions
+      return @_role_fu_permissions if defined?(@_role_fu_permissions) && @_role_fu_permissions
+
+      permission_class = "Permission".safe_constantize
+      return Set.new unless permission_class
+
+      scope = roles
+      scope = filter_expired(scope) if respond_to?(:filter_expired, true)
+
+      @_role_fu_permissions = scope.joins(:permissions).pluck("permissions.action").map(&:to_s).to_set
+    end
+  end
+end

data/lib/role_fu/adapters/cancancan.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module RoleFu
+  module Adapters
+    module CanCanCan
+      # Mixin for CanCan::Ability class
+      def role_fu_load_permissions!(user)
+        return unless user.respond_to?(:role_fu_permissions)
+
+        user.role_fu_permissions.each do |action|
+          # Action format: "posts.update" (resource.action) or "manage_all"
+          parts = action.split(".")
+
+          if parts.size == 2
+            subject_name, rule = parts
+            begin
+              subject_class = subject_name.classify.constantize
+              can rule.to_sym, subject_class
+            rescue NameError
+              can rule.to_sym, subject_name.to_sym
+            end
+          else
+            can action.to_sym, :all
+          end
+        end
+      end
+    end
+  end
+end

data/lib/role_fu/adapters/pundit.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module RoleFu
+  module Adapters
+    module Pundit
+      # Mixin for Pundit Policies (e.g. ApplicationPolicy)
+      def method_missing(method, *args, &block)
+        if method.to_s.end_with?("?")
+          action = method.to_s.delete_suffix("?")
+
+          # Infer resource from policy name: PostPolicy -> "posts"
+          resource_name = self.class.to_s.gsub("Policy", "").underscore.pluralize
+
+          # Check "posts.update"
+          permission = "#{resource_name}.#{action}"
+
+          return true if user.role_fu_can?(permission)
+        end
+
+        super
+      end
+
+      def respond_to_missing?(method, include_private = false)
+        method.to_s.end_with?("?") || super
+      end
+    end
+  end
+end

data/lib/role_fu/cleanup.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module RoleFu
+  class Cleanup
+    def self.call
+      assignment_class = RoleFu.configuration.role_assignment_class_name.constantize
+
+      if assignment_class.column_names.include?("expires_at")
+        count = assignment_class.where("expires_at < ?", Time.current).delete_all
+        {deleted: count}
+      else
+        {deleted: 0, error: "expires_at column missing"}
+      end
+    end
+  end
+end

data/lib/role_fu/configuration.rb

@@ -2,12 +2,13 @@
 
 module RoleFu
   class Configuration
-    attr_accessor :user_class_name, :role_class_name, :role_assignment_class_name
+    attr_accessor :user_class_name, :role_class_name, :role_assignment_class_name, :global_roles_override
 
     def initialize
       @user_class_name = "User"
       @role_class_name = "Role"
       @role_assignment_class_name = "RoleAssignment"
+      @global_roles_override = false
     end
   end