stonewall 0.0.1

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,21 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 bokmann
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,27 @@
+= stonewall
+
+Stonewall is a state-based access control language extracted from the StonePath Stateful Workflow Modeling Gem (which was itself an extraction on a couple of projects, which were based on an internal Java workflow tool dating back to ~1998).  Long roots, but the ideas are being freshly re-evaluated in the context of an awesome language.
+
+StoneWall is not meant to be stand-alone - it will likely make assumptions about ActiveRecord (or ActiveModel when I start thinking about Rails 3).  It will be wedded into some rails concepts like controlers, etc.
+
+== Why another ACL? Aren't there like, 30 of em?
+StoneWall wants to be a complimentary dsl in the model that works alongside the StonePath DSL, allowing access control to be based on not just objects, users, and roles, but also on the state of the object being accessed... as in "A data entry clerk has read/write access while we are in the data entry state, read-only while we are in the data validation state, and no access at all in any other state."
+
+Further, I have some opinions about where access control belongs.  Access control is a business logic thing, and belongs in the model.  How to deal with blocked access is a controller thing, and how to vary the display of data when your rights change is a view thing.  Several acl projects out there act as if it belongs in the controller.
+
+== What does it look like?
+There was an earlier, functional version in StonePath gems prior to 0.3.0.  This work will be based on that work, but I'm re-evaluating everything about that earlier implementation.  The first attempt at an extraction wasn't 'opinionated' enough, and it suffered because of it.
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 bokmann. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,56 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "stonewall"
+    gem.summary = %Q{extracting the acl constructs from stonepath}
+    gem.description = %Q{The acl from StoneWall, now as a shiny new gem!}
+    gem.email = "dbock@codesherpas.com"
+    gem.homepage = "http://github.com/bokmann/stonewall"
+    gem.authors = ["bokmann"]
+    gem.add_dependency('activerecord','>= 2.0.0')
+    gem.add_dependency('sentient_user','>= 0.1.0')
+    
+    gem.add_development_dependency "thoughtbot-shoulda", ">= 0"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "stonewall #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/design_notes.txt

@@ -0,0 +1,427 @@
+class Schpoo
+
+  stonewall do |acl|
+    #guarded methods are now deniedd unless specifically allowed.
+    acl.guard :method_name
+    acl.guard :group_name, [:method_names, :method2, :method3, :etc]
+
+    #multiple_role_policy :any | :all - this should actually be defined in an initializer, not the class
+
+    acl.access_for :assistant_manager do |role|
+      role.allow :all #magic that undoes all guards
+      role.allow :method_name
+      role.check :group_name, do |o, u|  #pass in the object being guarded & the person requesting access
+        #return true or false
+      end
+    end
+
+    acl.authorization :verb do |user, object|
+      # return true/false
+      # can now say current_user.may_verb_schpoo?(my_schpoo) just like Aegis
+      # note that if you don't pass in a schpoo, you can check for class-level access. Thats up to you.
+    end
+
+  end
+end
+
+
+# if someone calls a method on a model that they aren't allowed to access, it throws an AccessViolationException
+
+
+
+# overly verbose, but nice.  no exception, just true, false.
+user.may_call(:method).on(object)
+user.may_call_method_on_schpoo?(my_schpoo)  #less practical
+user.may_send(object, :method) # probably easiest to implement
+user.may_auth_verb_schpoo(my_schpoo)
+
+
+class Schpoo
+
+  stonewall do |acl|
+    #guarded methods are now deniedd unless specifically allowed.
+    acl.guard :method_name
+    acl.guard :group_name, [:method_names, :method2, :method3, :etc]
+
+    #multiple_role_policy :any | :all 
+
+    acl.varies_on(:aasm_state) do |variant|
+      variant.value("created") do |acl|
+        acl.access_for :assistant_manager do |role|
+          role.allow :all #magic that undoes all guards
+          role.allow :method_name
+          role.check :group_name, do |o, u|  #pass in the object being guarded & the person requesting access
+            #return true or false
+          end
+        end
+      end
+
+	    variant.value("approved") do |acl|
+      end
+    end
+  end
+end
+
+
+
+
+#This shows a variant that gets data out of the db.
+
+class Schpoo
+
+  stonewall do |acl|
+
+    # This is the same dsl, but since it is just ruby code, you can mix it
+    # with ruby code that gets the data from a database.
+    # This code below is notional, but we coudl set it up as part of the
+    # whole framework if we want to get that complicated.
+    
+    #acl.load_protected_groups_for(self.to_sym)
+    protected_groups = ProtectedGroups.find_by_class_name(self.to_sym)
+    protected_groups.each do |group|
+      acl.guard group.name.to_sym, group.methods
+    end
+
+    #acl.load_grants_policy_for(self.to_sym)
+    acl.varies_on(:aasm_state) do |variant|
+      states.each do |state|
+      	variant.value(state) do |acl|
+          roles.each do |role|
+	        acl.access_for role do |r|
+	          allowed_methods = Grant.find_by_class_name_and_role(self.to_sym, role)
+	          r.allow allowed_methods.collect{ |m| m.name.to_sym }
+	        end
+	      end
+      end
+    end
+  end
+end
+
+# from the db perspective, to keep things simple, we only support methods in
+# groups.  You can use a default group named "all" if you don't want to take
+# avantage of groups.
+#protected_groups_table                  # grouped_methods_table
+#id    name    stonewall_id                # protected_group_id    method
+
+
+#stonewalls_table
+# class_name  variant_attribute
+#(the Stonewall object will also list all roles, methods, and method groups)
+
+#grants_table
+#stonewall_id    variant    role    method    method_group
+
+
+class Schpoo
+  require stonewall
+  
+  stonewall.load_from_db
+  
+  stonewall do |acl|
+    acl.authorization :view do |user, object|
+      return ["administrator", "Developer", "Manager"].include?(user.role)
+    end
+  end
+end
+
+<% if current_user.may_view_schpoo? %>
+  <%# render link to view here %>
+<% end %>
+
+and use in your own before_filters to guard things like the show method.
+
+Schpoo.reload_stonewall_policy
+
+
+
+
+
+
+
+
+
+
+
+
+
+class Schpoo
+
+  stonewall do |acl|
+    # tells the framework that if roles specify nothing for a guarded method,
+    # default answer is allow  (this is the default setting)
+    check_default :allow
+
+    # tells the framework that if roles specify nothing for a guarded method,
+    # default answer is denied
+    check_default :deny
+
+
+    # tells the framework users have multiple roles to check, and
+    # if default mode is allow:
+    #   any deny is a denial
+    # if default mode is deny:
+    #   any allow is an allowal
+    multiple_role_policy :any  
+
+    # tells the framework users have multiple roles to check, and
+    # if default mode is allow:
+    #   all must deny for denial
+    # if default mode is deny:
+    #   all must allow for allowal
+    multiple_role_policy :all    #this is the default setting
+
+
+    # declare what you want to guard everything else is unchecked
+    acl.guard_method :save
+    acl.guard_method :name
+    acl.guard_method :name=
+    acl.guard_method :description
+    acl.guard_method :description=
+
+    #you can group them for easy reference below
+    acl.method_group :modifiers, [:save, :name=, :description=]
+    acl.method_group :accessors, [:name, :description]
+
+    acl.access_for :assistant_manager do |role_definition|
+      role_definition.deny :name=  #use deny when :check_default is :allow
+      role_definition.allow :name= #use allow when :check_default is deny
+      role_Definition.check :name=, { |object, user|
+        # used when you want to make up your mind at runtime.
+        return false
+      }
+    end
+
+    acl.access_for :peon do |role_definition}
+      role_definition.field_variant(:aasm_state) do |state|
+        state.variant(:in_process) do |variant_definition|
+          variant_definition.deny :name=
+          variant_definition.allow :name=
+          variant_definition.check :name=, { |object, user, variant, value| 
+            return false
+          } 
+
+        state.variant(:catch_all) ...
+    end
+  end
+
+end
+
+
+
+
+we could even have code blocks for getting the role when given a user, etc.
+
+
+
+
+
+
+
+
+
+
+- access control is business logic and should be defined in the domain
+- this is the kind of problem that can be specified with a terse internal dsl
+- access is granular on methods on the instance or class level (on domain objects)
+- the framework should stay out of the way unless I want it
+- when I mark a method as guarded, it should be denied unless the access control specifically allows it.
+- I will have a current_user attribute in my session
+- my current_user will have either:
+      a role method that returns:
+        a string of the role name
+          or
+        an object that has a .name method that returns the role name
+    or
+      a roles method that returns a collection of objects that match the above description
+- those role names will be used as part of the access control dsl
+- if any of a users roles grants them access, they have access
+- access control is governed by intersection of the users role and the method they are accessing
+- optionally, access control is also governed by some state of the accessed object
+- exceptions are reserved for exceptional circumstance
+- models should throw exceptions if an access violation is attempted
+- models should have a "can?" or 'may I?" methods that return true or false, so a prudent developer can avoid access exceptions
+- controllers and views should have a terse method of checking access so that they can have logic flows to avoid exposing illegal operations.
+- if the UI is designed well, an end user should not be able to generate access violation exceptions on the models
+- the framework should give a minimal api to allow good ui design.
+
+    <% if current_user.is_allowed?(:access_to => "save", :on => this_complaint) %>
+
+    <% if current_user.may_print?(this_complaint) %>
+
+    <% if current_user.may_<authorization>?(this_complaint) %>
+
+
+    my_model.allows?(:method_symbol) #uses current user
+    my.model.allows_for_user?(:method_symbol, user)
+
+
+
+
+
+    # acl thoughts -
+    # I might want to pull acl out into its own gem.
+    # If I do, then the acl.for_state will get complicated.
+    # I might make it something that can be modeled like this:
+    #
+    # acl.for_field(:aasm_state).has_value("in_process") do
+    # end
+    #
+    # which would make this a *lot* more reusable in different
+    # contexts.
+  
+    # -
+    # I think there is scizophrenia caused by the framework not
+    # committing to "deny unless access allowed" vs. "allow unless
+    # access denied".  I think the principal of least surprise would
+    # dictate we allow unless specifically denied, and I'm almost
+    # ready to commit to that.
+  
+    # -
+    # There are also issues when a use has one role vs. many roles.
+    # When there is one role, things are easy.
+    # When they have multiple roles, do we deny if _any_ of them are
+    # denied, or allow unless _all_ are denied?  I think POLS would
+    # say allow unless all denied... but then, which return block do
+    # we return?  Perhaps something simple like "the first one defined". 
+    #
+    # -
+    # as its own gem though, stonepath acl would need a name... hmm...
+    # what do you call something near a stonepath that restricts access
+    # in certain directions?  a stonewall!
+    #
+    # -
+    # defining things nested like state/role makes certain sense (as would
+    # role/state), but it makes answering some questions hard... for instance:
+    # "What are all the permissions that managers have? and "what are all the
+    # access_restrictions on the "in_process" state?  You have to look across
+    # several tasks.  PErhaps a rake task could help generate a report with
+    # this info for auditing purposes. 
+    stonepath_acl do |acl|
+
+       acl.guard_method :save
+       acl.guard_method :name=
+       acl.guard_method :name
+       acl.guard_method :regarding=
+       acl.guard_method :regarding
+       acl.guard_method :description
+       acl.guard_method :description=
+       acl.method_group :modifiers, [:save, :name=, :regarding=, :description=]
+       acl.method_group :accessors, [:name, :regarding, :description]
+
+       acl.for_state :in_process do |state|
+         state.access_for_role :manager do |role|
+           role.allow_method :name  #allow works if we are in deny first mode.
+         end
+
+         state.access_for_role :peon do |role|
+           role.deny_method :name=
+           role.deny_method :regarding=
+           role.deny_method(:description){  #value of block is returned.  might this need to be a proc?
+             "#{user.name}, You do not have access to look at the description, you peon!"
+           }
+         end
+
+         state.access_for_role :assistant_manager do |role|
+           role.check_method_access :method_symbol do
+             # you can implement conditional logic here.
+             # maybe you want to defer the true/false
+             # access decision and check some attribute of
+             # the user.
+             return false #your conditional answer.
+           end
+         end
+       end
+
+       acl.for_state :completed do |state|
+         state.access_for_role :manager do |role|
+           role.deny_method_group :modifiers
+         end
+
+         state.access_for_role :peon do |role|
+           role.deny_method_group :modifiers
+           role.deny_method_group :accessors
+         end
+
+       end
+     end
+
+
+
+
+
+in memory, the acl can be unrolled to a data structure like:
+[method][role][pivot]
+[method][role][pivot] = true | false
+
+
+
+class Person < ActiveRecord::Base
+  include StoneWall
+  
+  stonewall do |acl|
+      acl.guard :age
+      acl.guard :favorite_color
+      acl.method_group :privacy_factors, [:age, :favorite_color]
+      acl.varies_on :aasm_state
+    
+      acl.action :edit
+      acl.action :print
+      acl.action :subscribe_to
+      
+      role :manager do |manager|
+        manager.methods :privacy_factors
+        manager.actions [:edit, :print, :subscribe_to]
+      end
+    
+      role :clerk do |clerk|
+        clerk.variant :data_entry do |data_entry|
+          data_entry.methods :age
+          data_entry.actions :edit
+        end
+      end
+    end
+    
+    stonewall.permissions do |permissions|
+      permissions.add :edit |user, post| do
+        post.owner == user || user.is_an_admin?
+      end
+    end
+      
+end
+
+
+class Person < ActiveRecord::Base
+  include StoneWall
+  
+  stonewall do
+    varies_on :aasm_state    
+    guard :age
+    guard :favorite_color
+    method_group :privacy_factors, [:age, :favorite_color]
+      
+    role :manager do
+      allowed_methods :privacy_factors
+    end
+
+    role :clerk do
+      variant :data_entry do
+        allowed_method :age
+      end
+    end
+
+    action :edit do |person, user|
+      person.owner == user || user.is_administrator?
+    end
+
+    action :print do |person, user|
+      person.complete? && user.is_ogc_attorney?
+    end 
+  end
+end
+
+
+user.may_edit_person? person
+
+
+
+

data/lib/stonewall/access_controller.rb

@@ -0,0 +1,58 @@
+module StoneWall
+
+  # a word of caution, use this framework to guard 'normal user space' methods
+  # only - don't try to guard meta stuff like 'send'.  If you have ever seen
+  # 'Being John Malkovich', you can understand why.
+  class AccessController
+    attr_reader :guarded_class
+    attr_reader :variant_field
+    attr_accessor :actions
+    attr_accessor :guarded_methods
+    attr_accessor :method_groups
+
+    # the matrix is the money-shot of the access controller.  You can set it
+    # through add_grant, and query it through 'granted', but you can also
+    # access the data structure directly if you want to avoid the dsl.
+    # It is in the format [role][varient][member]
+    attr_accessor :matrix
+
+    def initialize(guarded_class)
+      @guarded_class = guarded_class
+      @guarded_methods = Array.new
+      @actions = Hash.new
+      @matrix = Hash.new
+      @method_groups = Hash.new
+    end
+
+    def set_variant_field(field)
+      if @variant_field.nil?
+        @variant_field = field
+      else
+        raise "no redefinition of variant field"
+      end
+    end
+
+    def add_grant(r, v, m)
+      @matrix[r] ||= Hash.new
+      @matrix[r][v] ||= Array.new
+      @matrix[r][v] << m
+    end
+
+    def granted?(r, v, m)
+      matrix[r] && matrix[r][v] && matrix[r][v].include?(m)
+    end
+
+    # --------------
+    # This is 1/3rd of the magic in this gem.  Every method you guard is
+    # checked by this method. It looks at the matrix of permissions you built
+    # in the dsl and allows or denies based on the guarded object, the user,
+    # and the method being accessed.   #should we fail secure?
+    def allowed?(guarded_object, user, method)
+      return true if (guarded_object.nil? || user.nil? || method.nil?)
+      v = variant_field ? guarded_object.send(variant_field).to_sym : :all
+      user.stonepath_role_info.detect do |r|
+        granted?(r, v, method)
+      end || false
+    end
+  end
+end

data/lib/stonewall/helpers.rb

@@ -0,0 +1,24 @@
+module StoneWall
+  module Helpers
+
+    def self.symbolize_role(role)
+      [String, Symbol].include?(role.class) ? role.to_sym : role.name.to_sym
+    end
+
+    # --------------
+    # This is 1/3rd of the magic in this gem.  We earlier built a
+    # 'schpoo_with_stonepath' method on your class, and now we use
+    # alias_method_chain to wrap your original 'schpoo' method.
+    # You will have no hope of understanding this if you don't understand
+    # alias_method_chain, so go memorize that documentation.
+    # We have to do this after ActoveRecord synthesizes the attribute methods
+    # with a call to 'define_attribute_methods'; you'll see some magic in the
+    # base.instance_eval in the other file to make that magic happen.
+    def self.fix_aliases_for(guarded_class)
+      guarded_class.stonewall.guarded_methods.each do |m|
+        guarded_class.send(:alias_method_chain, m, :stonewall) 
+      end
+    end
+
+  end
+end

data/lib/stonewall/parser.rb

@@ -0,0 +1,60 @@
+module StoneWall
+  class Parser
+    def initialize(parent, role = :all, variant = :all)
+      @parent, @role, @variant = parent, role, variant
+      @method_groups = Hash.new
+    end
+
+    def allowed_method(method)
+      @parent.stonewall.add_grant(@role, @variant, method)
+    end
+
+    def allowed_methods(method_names)
+      @parent.stonewall.method_groups[method_names].each do |m|
+        allowed_method m
+      end
+    end
+
+    def method_group(name, methods)
+      @parent.stonewall.method_groups[name] = methods
+    end
+
+    def varies_on(field)
+      @parent.stonewall.set_variant_field(field)
+    end
+
+    def action(action_name, &guard)
+      @parent.stonewall.actions[action_name] = guard 
+    end
+
+    def role(role_name)
+      yield Parser.new(@parent, role_name)
+    end
+
+    def variant(variant_name)
+      yield Parser.new(@parent, @role, variant_name)
+    end
+
+    def guard(method)
+      @parent.stonewall.guarded_methods << method
+      aliased_target, punctuation = method.to_s.sub(/([?!=])$/, ''), $1
+      checked_method = "#{aliased_target}_with_stonewall#{punctuation}"
+      unchecked_method = "#{aliased_target}_without_stonewall#{punctuation}"    
+      # --------------
+      # This method is defined on the guarded class, so it is callable on
+      # objects of that class.  This is 1/3rd of the magic of this gem-
+      # if you declare 'schpoo' a guarded method, we generate this
+      # 'schpoo_with_stonewall' method. Elsewhere, we use alias_method_chain
+      # to wrap your original 'schpoo' method.
+      @parent.send(:define_method, checked_method) do |*args|
+        if stonewall.allowed?(self, User.current, method)
+          self.send(unchecked_method, *args)
+        else
+          raise "Access Violation"
+        end
+      end
+      # -------------- end of bizzaro meta-juju
+    end
+
+  end
+end

data/lib/stonewall/stonewall.rb

@@ -0,0 +1,37 @@
+module StoneWall
+  def self.included(base)
+    base.instance_eval do
+      def stonewall()
+        require File.expand_path(File.dirname(__FILE__)) +
+                  "/access_controller.rb"
+        require File.expand_path(File.dirname(__FILE__)) +
+                  "/parser.rb"
+        require File.expand_path(File.dirname(__FILE__)) +
+                  "/helpers.rb"
+        require File.expand_path(File.dirname(__FILE__)) +
+                  "/user_extensions.rb"
+        cattr_accessor :stonewall
+        self.stonewall = StoneWall::AccessController.new(self)
+        yield StoneWall::Parser.new(self)
+      end
+
+      # --------------
+      # This is 1/3rd of the magic in this gem.  After ActiceRecord defines
+      # the classes attribute methods, we come along and alias all of the
+      # guarded methods defined in the dsl in the class.
+      def self.define_attribute_methods_with_stonewall
+        define_attribute_methods_without_stonewall
+        StoneWall::Helpers.fix_aliases_for(self)
+      end
+
+      class << self
+        alias_method_chain :define_attribute_methods, :stonewall
+      end
+    end
+
+    # mimicking the send method, we want to ask permission first with send?
+    def send?(method, user = User.current)
+      self.class.stonewall.allowed?(self, user, method)
+    end
+  end
+end

data/lib/stonewall/user_extensions.rb

@@ -0,0 +1,48 @@
+module StoneWall
+  module UserExtensions
+    require File.expand_path(File.dirname(__FILE__)) + "/helpers.rb"
+
+    # This is the ugliest method in the whole gem.
+    # You have a lot of freedom in how you implement your role system, and
+    # I have to adapt to that.  You can have:
+    #  - role as a string on your class
+    #  - role as a singular has_one or belongs_to relationship
+    #  - your user can has_many :roles, and they can be any object you want.
+    # The only thing we require is that, if your role is a separate object,
+    # it responds to a 'name' method with a string or a symbol that matches
+    # the symbol you use when defining the permissions in your dsl.
+    def stonepath_role_info
+      return @role_symbols if @role_symbols
+      @role_symbols = Array.new
+      if self.respond_to?(:role)
+        @role_symbols << StoneWall::Helpers.symbolize_role(role)
+      end
+
+      if self.respond_to?(:roles)
+        roles.each do |role|
+          @role_symbols << StoneWall::Helpers.symbolize_role(role)
+        end
+      end
+      @role_symbols
+    end
+
+    # I like Aegis so much, I stole their idea for this part of the gem. I
+    # hope you don't mind guys, but I really need an ACL that triggers off
+    # of object state!
+    def may_send?(object, method)
+      object.class.stonewall.allowed?(object, self, method)
+    end
+
+    def method_missing_with_stonewall(symb, *args)
+      method_name = symb.to_s
+      if method_name =~ /^may_(.+?)[\!\?]$/
+        args.first.class.stonewall.actions[$1.to_sym].call(args.first, self)
+      else
+        method_missing_without_stonewall(symb, *args)
+      end
+    end
+
+    alias_method_chain :method_missing, :stonewall
+
+  end
+end

data/lib/stonewall.rb

@@ -0,0 +1,6 @@
+$:.unshift(File.dirname(__FILE__)) unless
+  $:.include?(File.dirname(__FILE__)) ||
+  $:.include?(File.expand_path(File.dirname(__FILE__)))
+
+require File.expand_path(File.dirname(__FILE__)) + "/stonewall/stonewall.rb"
+require File.expand_path(File.dirname(__FILE__)) + "/stonewall/user_extensions.rb"

data/test/helper.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'stonewall'
+
+class Test::Unit::TestCase
+end

data/test/test_stonewall.rb

@@ -0,0 +1,7 @@
+require 'helper'
+
+class TestStonewall < Test::Unit::TestCase
+  should "probably rename this file and start testing for real" do
+    flunk "hey buddy, you should probably rename this file and start testing for real"
+  end
+end

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification 
+name: stonewall
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- bokmann
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-03-20 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: activerecord
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 2.0.0
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: sentient_user
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.1.0
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: thoughtbot-shoulda
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+description: The acl from StoneWall, now as a shiny new gem!
+email: dbock@codesherpas.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- design_notes.txt
+- lib/stonewall.rb
+- lib/stonewall/access_controller.rb
+- lib/stonewall/helpers.rb
+- lib/stonewall/parser.rb
+- lib/stonewall/stonewall.rb
+- lib/stonewall/user_extensions.rb
+- test/helper.rb
+- test/test_stonewall.rb
+has_rdoc: true
+homepage: http://github.com/bokmann/stonewall
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: extracting the acl constructs from stonepath
+test_files: 
+- test/helper.rb
+- test/test_stonewall.rb