uhees-declarative_authorization 0.3.1 → 0.3.2.2.1

data/lib/declarative_authorization/in_controller.rb

@@ -117,7 +117,36 @@ module Authorization
         end
       end
     end
-    
+
+    def load_controller_object (context) # :nodoc:
+      instance_var = :"@#{context.to_s.singularize}"
+      model = context.to_s.classify.constantize
+      instance_variable_set(instance_var, model.find(params[:id]))
+    end
+
+    def load_parent_controller_object (parent_context) # :nodoc:
+      instance_var = :"@#{parent_context.to_s.singularize}"
+      model = parent_context.to_s.classify.constantize
+      instance_variable_set(instance_var, model.find(params[:"#{parent_context.to_s.singularize}_id"]))
+    end
+
+    def new_controller_object_from_params (context, parent_context) # :nodoc:
+      model_or_proxy = parent_context ?
+           instance_variable_get(:"@#{parent_context.to_s.singularize}").send(context.to_sym) :
+           context.to_s.classify.constantize
+      instance_var = :"@#{context.to_s.singularize}"
+      instance_variable_set(instance_var,
+          model_or_proxy.new(params[context.to_s.singularize]))
+    end
+
+    def new_controller_object_for_collection (context, parent_context) # :nodoc:
+      model_or_proxy = parent_context ?
+           instance_variable_get(:"@#{parent_context.to_s.singularize}").send(context.to_sym) :
+           context.to_s.classify.constantize
+      instance_var = :"@#{context.to_s.singularize}"
+      instance_variable_set(instance_var, model_or_proxy.new)
+    end
+
     module ClassMethods
       #
       # Defines a filter to be applied according to the authorization of the
@@ -270,6 +299,202 @@ module Authorization
           end
         end
       end
+
+      # To DRY up the filter_access_to statements in restful controllers,
+      # filter_resource_access combines typical filter_access_to and
+      # before_filter calls, which set up the instance variables.
+      #
+      # The simplest case are top-level resource controllers with only the
+      # seven CRUD methods, e.g.
+      #   class CompanyController < ApplicationController
+      #     filter_resource_access
+      #
+      #     def index...
+      #   end
+      # Here, all CRUD actions are protected through a filter_access_to :all
+      # statement.  :+attribute_check+ is enabled for all actions except for
+      # the collection action :+index+.  To have an object for attribute checks
+      # available, filter_resource_access will set the instance variable
+      # @+company+ in before filters.  For the member actions (:+show+, :+edit+,
+      # :+update+, :+destroy+) @company is set to Company.find(params[:id]).
+      # For +new+ actions (:+new+, :+create+), filter_resource_access creates
+      # a new object from company parameters: Company.new(params[:company].
+      #
+      # For nested resources, the parent object may be loaded automatically.
+      #   class BranchController < ApplicationController
+      #     filter_resource_access :nested_in => :companies
+      #   end
+      # Again, the CRUD actions are protected.  Now, for all CRUD actions,
+      # the parent object @company is loaded from params[:company_id].  It is
+      # also used when creating @branch for +new+ actions.  Here, attribute_check
+      # is enabled for the collection :+index+ as well, checking attributes on a
+      # @company.branches.new method.
+      #
+      # In many cases, the default seven CRUD actions are not sufficient.  As in
+      # the resource definition for routing you may thus give additional member,
+      # new and collection methods.  The options allow you to specify the
+      # required privileges for each action by providing a hash or an array of
+      # pairs.  By default, for each action the action name is taken as privilege
+      # (action search in the example below requires the privilege :index
+      # :companies).  Any controller action that is not specified and does not
+      # belong to the seven CRUD actions is handled as a member method.
+      #   class CompanyController < ApplicationController
+      #     filter_resource_access :collection => [[:search, :index], :index],
+      #         :additional_member => {:mark_as_key_company => :update}
+      #   end
+      # The +additional_+* options add to the respective CRUD actions,
+      # the other options replace the respective CRUD actions.
+      # 
+      # You can override the default object loading by implementing any of the
+      # following instance methods on the controller.  Examples are given for the
+      # BranchController (with +nested_in+ set to :+companies+):
+      # [+new_branch_from_params+]
+      #   Used for +new+ actions.
+      # [+new_branch_for_collection+]
+      #   Used for +collection+ actions if the +nested_in+ option is set.
+      # [+load_branch+]
+      #   Used for +member+ actions.
+      # [+load_company+]
+      #   Used for all +new+, +member+, and +collection+ actions if the 
+      #   +nested_in+ option is set.
+      #
+      # All options:
+      # [:+member+]
+      #   Member methods are actions like +show+, which have an params[:id] from
+      #   which to load the controller object and assign it to @controller_name,
+      #   e.g. @+branch+.
+      #
+      #   By default, member actions are [:+show+, :+edit+, :+update+,
+      #   :+destroy+].  Also, any action not belonging to the seven CRUD actions
+      #   are handled as member actions.
+      #
+      #   There are three different syntax to specify member, collection and
+      #   new actions.
+      #   * Hash:  Lets you set the required privilege for each action:
+      #     {:+show+ => :+show+, :+mark_as_important+ => :+update+}
+      #   * Array of actions or pairs: [:+show+, [:+mark_as_important+, :+update+]],
+      #     with single actions requiring the privilege of the same name as the method.
+      #   * Single method symbol: :+show+
+      # [:+additional_member+]
+      #   Allows to add additional member actions to the default resource +member+
+      #   actions.
+      # [:+collection+]
+      #   Collection actions are like :+index+, actions without any controller object
+      #   to check attributes of.  If +nested_in+ is given, a new object is
+      #   created from the parent object, e.g. @company.branches.new.  Without
+      #   +nested_in+, attribute check is deactivated for these actions.  By
+      #   default, collection is set to :+index+.
+      # [:+additional_collection+]
+      #   Allows to add additional collaction actions to the default resource +collection+
+      #   actions.
+      # [:+new+]
+      #   +new+ methods are actions such as +new+ and +create+, which don't
+      #   receive a params[:id] to load an object from, but
+      #   a params[:controller_name_singular] hash with attributes for a new
+      #   object.  The attributes will be used here to create a new object and
+      #   check the object against the authorization rules.  The object is
+      #   assigned to @controller_name_singular, e.g. @branch.
+      #
+      #   If +nested_in+ is given, the new object
+      #   is created from the parent_object.controller_name
+      #   proxy, e.g. company.branches.new(params[:branch]).  By default,
+      #   +new+ is set to [:new, :create].
+      # [:+additional_new+]
+      #   Allows to add additional new actions to the default resource +new+ actions.
+      # [:+context+]
+      #   The context is used to determine the model to load objects from for the
+      #   before_filters and the context of privileges to use in authorization
+      #   checks.
+      # [:+nested_in+]
+      #   Specifies the parent controller if the resource is nested in another
+      #   one.  This is used to automatically load the parent object, e.g.
+      #   @+company+ from params[:company_id] for a BranchController nested in
+      #   a CompanyController.
+      # [:+no_attribute_check+]
+      #   Allows to set actions for which no attribute check should be perfomed.
+      #   See filter_access_to on details.  By default, with no +nested_in+,
+      #   +no_attribute_check+ is set to all collections.  If +nested_in+ is given
+      #   +no_attribute_check+ is empty by default.
+      #
+      def filter_resource_access(options = {})
+        options = {
+          :new        => [:new, :create],
+          :additional_new => nil,
+          :member     => [:show, :edit, :update, :destroy],
+          :additional_member => nil,
+          :collection => [:index],
+          :additional_collection => nil,
+          #:new_method_for_collection => nil,  # only symbol method name
+          #:new_method => nil,                 # only symbol method name
+          #:load_method => nil,                # only symbol method name
+          :no_attribute_check => nil,
+          :context    => nil,
+          :nested_in  => nil,
+        }.merge(options)
+
+        new_actions = actions_from_option(options[:new]).merge(
+            actions_from_option(options[:additional_new]))
+        members = actions_from_option(options[:member]).merge(
+            actions_from_option(options[:additional_member]))
+        collections = actions_from_option(options[:collection]).merge(
+            actions_from_option(options[:additional_collection]))
+
+        options[:no_attribute_check] ||= collections.keys unless options[:nested_in]
+
+        unless options[:nested_in].blank?
+          load_method = :"load_#{options[:nested_in].to_s.singularize}"
+          before_filter do |controller|
+            if controller.respond_to?(load_method)
+              controller.send(load_method)
+            else
+              controller.send(:load_parent_controller_object, options[:nested_in])
+            end
+          end
+
+          new_for_collection_method = :"new_#{controller_name.singularize}_for_collection"
+          before_filter :only => collections.keys do |controller|
+            # new_for_collection
+            if controller.respond_to?(new_for_collection_method)
+              controller.send(new_for_collection_method)
+            else
+              controller.send(:new_controller_object_for_collection,
+                  options[:context] || controller_name, options[:nested_in])
+            end
+          end
+        end
+
+        new_from_params_method = :"new_#{controller_name.singularize}_from_params"
+        before_filter :only => new_actions.keys do |controller|
+          # new_from_params
+          if controller.respond_to?(new_from_params_method)
+            controller.send(new_from_params_method)
+          else
+            controller.send(:new_controller_object_from_params,
+                options[:context] || controller_name, options[:nested_in])
+          end
+        end
+        load_method = :"load_#{controller_name.singularize}"
+        before_filter :only => members.keys do |controller|
+          # load controller object
+          if controller.respond_to?(load_method)
+            controller.send(load_method)
+          else
+            controller.send(:load_controller_object, options[:context] || controller_name)
+          end
+        end
+        filter_access_to :all, :attribute_check => true, :context => options[:context]
+
+        members.merge(new_actions).merge(collections).each do |action, privilege|
+          if action != privilege or (options[:no_attribute_check] and options[:no_attribute_check].include?(action))
+            filter_options = {
+              :context          => options[:context],
+              :attribute_check  => !options[:no_attribute_check] || !options[:no_attribute_check].include?(action)
+            }
+            filter_options[:require] = privilege if action != privilege
+            filter_access_to(action, filter_options)
+          end
+        end
+      end
       
       protected
       def filter_access_permissions # :nodoc:
@@ -285,6 +510,26 @@ module Authorization
       def filter_access_permissions? # :nodoc:
         class_variable_defined?(:@@declarative_authorization_permissions)
       end
+
+      def actions_from_option (option) # :nodoc:
+        case option
+        when nil
+          {}
+        when Symbol, String
+          {option.to_sym => option.to_sym}
+        when Hash
+          option
+        when Enumerable
+          option.each_with_object({}) do |action, hash|
+            if action.is_a?(Array)
+              raise "Unexpected option format: #{option.inspect}" if action.length != 2
+              hash[action.first] = action.last
+            else
+              hash[action.to_sym] = action.to_sym
+            end
+          end
+        end
+      end
     end
   end
   
@@ -356,8 +601,15 @@ module Authorization
         instance_var = :"@#{load_object_model.name.underscore}"
         object = contr.instance_variable_get(instance_var)
         unless object
-          # catch ActiveRecord::RecordNotFound?
-          object = load_object_model.find(contr.params[:id])
+          begin
+            object = load_object_model.find(contr.params[:id])
+          rescue ActiveRecord::RecordNotFound, RuntimeError
+            contr.logger.debug("filter_access_to tried to find " +
+                "#{load_object_model.inspect} from params[:id] " +
+                "(#{contr.params[:id].inspect}), because attribute_check is enabled " +
+                "and #{instance_var.to_s} isn't set.")
+            raise
+          end
           contr.instance_variable_set(instance_var, object)
         end
         object

data/lib/declarative_authorization/in_model.rb

@@ -8,7 +8,7 @@ module Authorization
 
     # If the user meets the given privilege, permitted_to? returns true
     # and yields to the optional block.
-    def permitted_to? (privilege, options = {} )
+    def permitted_to? (privilege, options = {}, &block)
       options = {
         :user =>  Authorization.current_user,
         :object => self
@@ -38,7 +38,16 @@ module Authorization
           options = args.last.is_a?(Hash) ? args.pop : {}
           privilege = (args[0] || :read).to_sym
           privileges = [privilege]
-          context = options[:context] || :"#{parent_scope.table_name}"
+          context =
+              if options[:context]
+                options[:context]
+              elsif parent_scope.respond_to?(:proxy_reflection)
+                parent_scope.proxy_reflection.klass.name.tableize.to_sym
+              elsif parent_scope.respond_to?(:decl_auth_context)
+                parent_scope.decl_auth_context
+              else
+                parent_scope.name.tableize.to_sym
+              end
           
           user = options[:user] || Authorization.current_user
 

data/lib/declarative_authorization/maintenance.rb

@@ -2,12 +2,6 @@
 require File.dirname(__FILE__) + '/authorization.rb'
 
 module Authorization
-  
-  def self.ignore_access_control (state = nil) # :nodoc:
-    Thread.current["ignore_access_control"] = state unless state.nil?
-    Thread.current["ignore_access_control"] || false
-  end
-  
   # Provides a few maintenance methods for modifying data without enforcing
   # authorization.
   module Maintenance
@@ -21,8 +15,8 @@ module Authorization
     #  without_access_control do
     #    SomeModel.find(:first).save
     #  end
-    def without_access_control
-      self.class.without_access_control
+    def without_access_control (&block)
+      Authorization::Maintenance.without_access_control(&block)
     end
 
     # A class method variant of without_access_control.  Thus, one can call

data/lib/declarative_authorization/obligation_scope.rb

@@ -107,9 +107,16 @@ module Authorization
     end
     
     # Returns the model associated with the given path.
-    def model_for( path )
-      reflection = reflection_for( path )
-      reflection.respond_to?( :klass ) ? reflection.klass : reflection
+    def model_for (path)
+      reflection = reflection_for(path)
+      
+      if reflection.respond_to?(:proxy_reflection)
+        reflection.proxy_reflection.klass
+      elsif reflection.respond_to?(:klass)
+        reflection.klass
+      else
+        reflection
+      end
     end
     
     # Returns the reflection corresponding to the given path.
@@ -125,10 +132,14 @@ module Authorization
     # Attempts to map a reflection for the given path.  Raises if already defined.
     def map_reflection_for( path )
       raise "reflection for #{path.inspect} already exists" unless reflections[path].nil?
-      
+
       reflection = path.empty? ? @proxy_scope : begin
         parent = reflection_for( path[0..-2] )
-        parent.klass.reflect_on_association( path.last )
+        if !parent.respond_to?(:proxy_reflection) and parent.respond_to?(:klass)
+          parent.klass.reflect_on_association( path.last )
+        else
+          parent.reflect_on_association( path.last )
+        end
       rescue
         parent.reflect_on_association( path.last )
       end
@@ -232,8 +243,8 @@ module Authorization
     end
 
     def attribute_value (value)
-      value.respond_to?( :descends_from_active_record? ) && value.descends_from_active_record? && value.id ||
-        value.is_a?( Array ) && value[0].respond_to?( :descends_from_active_record? ) && value[0].descends_from_active_record? && value.map( &:id ) ||
+      value.class.respond_to?(:descends_from_active_record?) && value.class.descends_from_active_record? && value.id ||
+        value.is_a?(Array) && value[0].class.respond_to?(:descends_from_active_record?) && value[0].class.descends_from_active_record? && value.map( &:id ) ||
         value
     end
     

data/lib/declarative_authorization/reader.rb

@@ -222,7 +222,10 @@ module Authorization
       #   Join operator to logically connect the constraint statements inside
       #   of the has_permission_on block.  May be :+and+ or :+or+.  Defaults to :+or+.
       #
-      def has_permission_on (context, options = {}, &block)
+      def has_permission_on (*args, &block)
+        options = args.extract_options!
+        context = args.flatten
+        
         raise DSLError, "has_permission_on only allowed in role blocks" if @current_role.nil?
         options = {:to => [], :join_by => :or}.merge(options)
         

data/test/authorization_test.rb

@@ -40,6 +40,7 @@ class AuthorizationTest < Test::Unit::TestCase
       authorization do
         role :test_role do
           has_permission_on [:permissions, :permissions_2], :to => :test
+          has_permission_on :permissions_4, :permissions_5, :to => :test
         end
       end
     }
@@ -50,6 +51,9 @@ class AuthorizationTest < Test::Unit::TestCase
       :user => MockUser.new(:test_role))
     assert !engine.permit?(:test, :context => :permissions_3, 
       :user => MockUser.new(:test_role))
+      
+    assert  engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
+    assert  engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
   end
   
   def test_obligations_without_conditions
@@ -551,8 +555,8 @@ class AuthorizationTest < Test::Unit::TestCase
   end
 
   class PermissionMock < MockDataObject
-    def self.table_name
-      "permissions"
+    def self.name
+      "Permission"
     end
   end
   def test_attribute_with_permissions

data/test/controller_filter_resource_access_test.rb

@@ -0,0 +1,394 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+class BasicResource < MockDataObject
+  def self.name
+    "BasicResource"
+  end
+end
+class BasicResourcesController < MocksController
+  filter_resource_access
+  define_resource_actions
+end
+class BasicResourcesControllerTest < ActionController::TestCase
+  def test_basic_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+
+  def test_basic_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_basic_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+
+
+class NestedResource < MockDataObject
+  def initialize (attributes = {})
+    if attributes[:id]
+      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+    end
+    super(attributes)
+  end
+  def self.name
+    "NestedResource"
+  end
+end
+class ParentMock < MockDataObject
+  def nested_resources
+    Class.new do
+      def initialize (parent_mock)
+        @parent_mock = parent_mock
+      end
+      def new (attributes = {})
+        NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
+      end
+    end.new(self)
+  end
+
+  def == (other)
+    id == other.id
+  end
+  def self.name
+    "ParentMock"
+  end
+end
+class NestedResourcesController < MocksController
+  filter_resource_access :nested_in => :parent_mocks
+  define_resource_actions
+end
+class NestedResourcesControllerTest < ActionController::TestCase
+  def test_nested_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :index do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "2",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+
+  def test_nested_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :show do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+
+  def test_nested_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :new do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :parent_mock_id => "2",
+        :nested_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :parent_mock_id => "1",
+        :nested_resource => {:id => "1"},
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+end
+
+
+class CustomMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :member => [[:other_show, :read]],
+      :collection => {:search => :read}, :new => [:other_new]
+  define_action_methods :other_new, :search, :other_show
+end
+class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_custom_members_filter_search
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+  end
+
+  def test_custom_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_custom_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :other_new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+
+
+class AdditionalMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :additional_member => :other_show,
+      :additional_collection => [:search], :additional_new => {:other_new => :new}
+  define_resource_actions
+  define_action_methods :other_new, :search, :other_show
+end
+class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_additional_members_filter_search_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:search, :index] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:allowed_role), :index, reader)
+    assert @controller.authorized?
+  end
+
+  def test_additional_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:show, :other_show] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_additional_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
+        :clear => [:@basic_resource])
+    assert !@controller.authorized?
+
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+
+
+class CustomMethodsResourceController < MocksController
+  # not implemented yet
+end
+
+
+class ExplicitContextResourceController < MocksController
+  filter_resource_access :context => :basic_resources
+  define_resource_actions
+end
+class ExplicitContextResourceControllerTest < ActionController::TestCase
+  def test_explicit_context_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+
+  def test_explicit_context_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_explicit_context_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end