RubyGems - zeiv-declarative_authorization - Versions diffs - 1.0.0.pre - Mend

zeiv-declarative_authorization 1.0.0.pre

Files changed (52) hide show

checksums.yaml +7 -0
data/CHANGELOG +189 -0
data/MIT-LICENSE +20 -0
data/README.rdoc +632 -0
data/Rakefile +53 -0
data/app/controllers/authorization_rules_controller.rb +258 -0
data/app/controllers/authorization_usages_controller.rb +22 -0
data/app/helpers/authorization_rules_helper.rb +218 -0
data/app/views/authorization_rules/_change.erb +58 -0
data/app/views/authorization_rules/_show_graph.erb +44 -0
data/app/views/authorization_rules/_suggestions.erb +48 -0
data/app/views/authorization_rules/change.html.erb +169 -0
data/app/views/authorization_rules/graph.dot.erb +68 -0
data/app/views/authorization_rules/graph.html.erb +47 -0
data/app/views/authorization_rules/index.html.erb +17 -0
data/app/views/authorization_usages/index.html.erb +36 -0
data/authorization_rules.dist.rb +20 -0
data/config/routes.rb +20 -0
data/garlic_example.rb +20 -0
data/init.rb +5 -0
data/lib/declarative_authorization.rb +19 -0
data/lib/declarative_authorization/adapters/active_record.rb +13 -0
data/lib/declarative_authorization/adapters/active_record/base_extensions.rb +0 -0
data/lib/declarative_authorization/adapters/active_record/obligation_scope_builder.rb +0 -0
data/lib/declarative_authorization/authorization.rb +798 -0
data/lib/declarative_authorization/development_support/analyzer.rb +261 -0
data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
data/lib/declarative_authorization/development_support/development_support.rb +243 -0
data/lib/declarative_authorization/helper.rb +68 -0
data/lib/declarative_authorization/in_controller.rb +703 -0
data/lib/declarative_authorization/in_model.rb +188 -0
data/lib/declarative_authorization/maintenance.rb +210 -0
data/lib/declarative_authorization/obligation_scope.rb +361 -0
data/lib/declarative_authorization/rails_legacy.rb +22 -0
data/lib/declarative_authorization/railsengine.rb +6 -0
data/lib/declarative_authorization/reader.rb +546 -0
data/lib/generators/authorization/install/install_generator.rb +77 -0
data/lib/generators/authorization/rules/rules_generator.rb +14 -0
data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -0
data/lib/tasks/authorization_tasks.rake +89 -0
data/test/authorization_test.rb +1124 -0
data/test/controller_filter_resource_access_test.rb +575 -0
data/test/controller_test.rb +480 -0
data/test/database.yml +3 -0
data/test/dsl_reader_test.rb +178 -0
data/test/helper_test.rb +247 -0
data/test/maintenance_test.rb +46 -0
data/test/model_test.rb +2008 -0
data/test/schema.sql +56 -0
data/test/test_helper.rb +255 -0
metadata +95 -0

@@ -0,0 +1,2008 @@
+require 'test_helper'
+require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization in_model})
+ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
+#ActiveRecord::Base.logger = Logger.new(STDOUT)
+options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
+ActiveRecord::Base.establish_connection(options)
+ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
+ActiveRecord::Base.connection
+File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
+  ActiveRecord::Base.connection.execute(sql) unless sql.blank?
+end
+class TestModel < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
+  has_many :test_attr_throughs, :through => :test_attrs
+  has_one :test_attr_has_one, :class_name => "TestAttr"
+  has_many :branches
+  # :conditions is deprecated in Rails 4.1
+  if Rails.version >= '4'
+    has_many :test_attrs_with_attr, lambda { where(:attr => 1) }, :class_name => "TestAttr"
+    has_many :test_attr_throughs_with_attr, lambda { where("test_attrs.attr = 1") }, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs
+    has_one :test_attr_throughs_with_attr_and_has_one, lambda { where("test_attrs.attr = 1") }, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs
+  else
+    has_many :test_attrs_with_attr, :class_name => "TestAttr", :conditions => {:attr => 1}
+    has_many :test_attr_throughs_with_attr, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs,
+      :conditions => "test_attrs.attr = 1"
+    has_one :test_attr_throughs_with_attr_and_has_one, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs,
+      :conditions => "test_attrs.attr = 1"
+  end
+  if Rails.version < '4'
+    attr_accessible :content, :test_attr_through_id, :country_id
+  end
+  # TODO currently not working in Rails 3
+  if Rails.version < "3"
+    has_and_belongs_to_many :test_attr_throughs_habtm, :join_table => :test_attrs,
+        :class_name => "TestAttrThrough"
+  end
+  if Rails.version < "3"
+    named_scope :with_content, :conditions => "test_models.content IS NOT NULL"
+  elsif Rails.version < "4"
+    scope :with_content, :conditions => "test_models.content IS NOT NULL"
+  else
+    scope :with_content, lambda { where("test_models.content IS NOT NULL") }
+  end
+  # Primary key test
+  # :primary_key only available from Rails 2.2
+  unless Rails.version < "2.2"
+    has_many :test_attrs_with_primary_id, :class_name => "TestAttr",
+      :primary_key => :test_attr_through_id, :foreign_key => :test_attr_through_id
+    has_many :test_attr_throughs_with_primary_id,
+      :through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
+      :source => :n_way_join_item
+  end
+  # for checking for unnecessary queries
+  mattr_accessor :query_count
+  def self.find(*args)
+    self.query_count ||= 0
+    self.query_count += 1
+    super(*args)
+  end
+end
+class NWayJoinItem < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :others, :through => :test_attrs, :source => :n_way_join_item
+end
+class TestAttr < ActiveRecord::Base
+  belongs_to :test_model
+  belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
+  belongs_to :test_a_third_model, :class_name => "TestModel", :foreign_key => :test_a_third_model_id
+  belongs_to :n_way_join_item
+  belongs_to :test_attr
+  belongs_to :branch
+  belongs_to :company
+  has_many :test_attr_throughs
+  has_many :test_model_security_model_with_finds
+  attr_reader :role_symbols
+  if Rails.version < '4'
+    attr_accessible :test_model, :test_another_model, :attr, :branch, :company, :test_attr,
+  	  :test_a_third_model, :n_way_join_item, :n_way_join_item_id, :test_attr_through_id,
+  	  :test_model_id, :test_another_model_id
+  end
+  def initialize (*args)
+    @role_symbols = []
+    super(*args)
+  end
+end
+class TestAttrThrough < ActiveRecord::Base
+  belongs_to :test_attr
+end
+class TestModelSecurityModel < ActiveRecord::Base
+  has_many :test_attrs
+  using_access_control
+  if Rails.version < '4'
+    attr_accessible :attr, :attr_2, :test_attrs
+  end
+end
+class TestModelSecurityModelWithFind < ActiveRecord::Base
+  if Rails.version < "3.2"
+    set_table_name "test_model_security_models"
+  else
+    self.table_name = "test_model_security_models"
+  end
+  has_many :test_attrs
+  belongs_to :test_attr
+  using_access_control :include_read => true,
+    :context => :test_model_security_models
+  if Rails.version < '4'
+    attr_accessible :test_attr, :attr
+  end
+end
+class Branch < ActiveRecord::Base
+  has_many :test_attrs
+  belongs_to :company
+  belongs_to :test_model
+  if Rails.version < '4'
+    attr_accessible :name, :company, :test_model
+  end
+end
+class Company < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :branches
+  belongs_to :country
+  if Rails.version < '4'
+    attr_accessible :name, :country, :country_id
+  end
+end
+class SmallCompany < Company
+  def self.decl_auth_context
+    :companies
+  end
+end
+class Country < ActiveRecord::Base
+  has_many :test_models
+  has_many :companies
+  if Rails.version < '4'
+    attr_accessible :name
+  end
+end
+class NamedScopeModelTest < Test::Unit::TestCase
+  def test_multiple_deep_ored_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:test_attrs => contains {user}}
+            if_attribute :test_another_model => {:test_attrs => contains {user}}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
+                      :test_another_model_id => test_model_2.id
+    user = MockUser.new(:test_role, :id => test_attr_1)
+    if Rails.version >= '4'
+      assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_attrs_test_models, :test_attrs_test_models_2).length
+    else
+      assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_belongs_to_and_has_many_with_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
+    assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
+    assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
+    assert_raise Authorization::NotAuthorized do
+      TestAttr.with_permissions_to( :update_test_attrs, :user => user )
+    end
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_nested_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    allowed_company = Company.create!
+    allowed_company.branches.create!.test_attrs.create!(:attr => 1)
+    allowed_company.branches.create!.test_attrs.create!(:attr => 2)
+    prohibited_company = Company.create!
+    prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_nested_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+    allowed_model = TestModel.create!
+    allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+    allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+    prohibited_model = TestModel.create!
+    prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_named_scope_on_proxy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    TestAttr.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_attr_1.id)
+    assert_equal 1, test_model_1.test_attrs.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_named_scope_on_named_scope
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_through_id => 1
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    country = Country.create!
+    model_1 = TestModel.create!(:test_attr_through_id => 1, :content => "Content")
+    country.test_models << model_1
+    TestModel.create!(:test_attr_through_id => 1)
+    TestModel.create!(:test_attr_through_id => 2, :content => "Content")
+    user = MockUser.new(:test_role)
+    # TODO implement query_count for Rails 3
+    TestModel.query_count = 0
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.query_count = 0
+    assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.query_count = 0
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).with_content.length if Rails.version < "4"
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.query_count = 0
+    assert_equal 1, country.test_models.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.delete_all
+    Country.delete_all
+  end
+  def test_with_modified_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :id => is { user.test_company_id }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_company = SmallCompany.create!
+    user = MockUser.new(:test_role, :test_company_id => test_company.id)
+    assert_equal 1, SmallCompany.with_permissions_to(:read,
+      :user => user).length
+    SmallCompany.delete_all
+  end
+  def test_with_is_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => nil
+          end
+        end
+        role :test_role_not_nil do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => is_not { nil }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create! :content => "Content"
+    assert_equal test_model_1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role)).first
+    assert_equal test_model_2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
+    TestModel.delete_all
+  end
+  def test_with_not_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is_not { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_with_lt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_lte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    2.times { TestModel.create! }
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_gt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.create!
+    test_model_1 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_gte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    2.times { TestModel.create! }
+    test_model_1 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.create!
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_multiple_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value_2 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
+                        :test_attr_value_2 => test_model_2.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_roles
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => [1,2]
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => [2,3]
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestAttr.create! :attr => 1
+    TestAttr.create! :attr => 2
+    TestAttr.create! :attr => 3
+    user = MockUser.new(:test_role)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_multiple_and_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+          has_permission_on :test_models, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_attributes
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }, :content => "bla"
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create! :content => 'bla'
+    TestModel.create! :content => 'bla'
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is {user}
+            if_attribute :test_another_model => is {user}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
+    user = MockUser.new(:test_role, :id => 1)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_with_is_and_priv_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :read do
+          includes :list, :show
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:list,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
+    TestModel.delete_all
+  end
+  def test_with_is_and_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is { user.test_model }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_deep_attribute
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:id => is { user.test_model_id } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read, :join_by => :and do
+            if_attribute :test_model => is { user.test_model }
+            if_attribute :attr => 1
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!(:attr => 1)
+    TestModel.create!.test_attrs.create!(:attr => 1)
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    if Rails.version < '3'
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id} ).length
+    else
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).where(:id => test_model_1.id).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_does_not_contain
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => does_not_contain { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_contains_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs_with_attr => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs_with_attr.create!
+    test_model_1.test_attrs.create!(:attr => 2)
+    test_model_2.test_attrs_with_attr.create!
+    test_model_2.test_attrs.create!(:attr => 2)
+    #assert_equal 1, test_model_1.test_attrs_with_attr.length
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.last.id)
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
+  # does not work
+  if Rails.version < "3"
+    def test_with_contains_through_conditions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_attr => contains { user }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      #assert_equal 1, test_model_1.test_attrs_with_attr.length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.last.id)
+      assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
+  end
+  if Rails.version < "3"
+    def test_with_contains_habtm
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_habtm => contains { user.test_attr_through_id }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      # TODO habtm currently not working in Rails 3
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_attr_through_1 = TestAttrThrough.create!
+      test_attr_through_2 = TestAttrThrough.create!
+      TestAttr.create! :test_model_id => test_model_1.id, :test_attr_through_id => test_attr_through_1.id
+      TestAttr.create! :test_model_id => test_model_2.id, :test_attr_through_id => test_attr_through_2.id
+      user = MockUser.new(:test_role,
+                          :test_attr_through_id => test_model_1.test_attr_throughs_habtm.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      assert_equal test_model_1, TestModel.with_permissions_to(:read, :user => user)[0]
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
+  end
+  # :primary_key not available in Rails prior to 2.2
+  if Rails.version > "2.2"
+    def test_with_contains_through_primary_key
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_primary_id => contains { user }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+      test_attr_through_1 = TestAttrThrough.create!
+      test_item = NWayJoinItem.create!
+      test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
+      test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
+          :n_way_join_item_id => test_item.id)
+      user = MockUser.new(:test_role,
+                          :id => test_attr_through_1.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
+  end
+  def test_with_intersects_with
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => intersects_with { user.test_attrs }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :test_attrs => [test_model_1.test_attrs.first, TestAttr.create!])
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    user = MockUser.new(:test_role,
+                        :test_attrs => [TestAttr.create!])
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_is_and_has_one
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do :test_attr_has_one
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_has_one => is { user.test_attr }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr => test_attr_1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
+  # does not work
+  if Rails.version < "3"
+    def test_with_is_and_has_one_through_conditions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_attr_and_has_one => is { user }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      #assert_equal 1, test_model_1.test_attrs_with_attr.length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.last.id)
+      assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+      TestModel.delete_all
+      TestAttr.delete_all
+      TestAttrThrough.delete_all
+    end
+  end
+  def test_with_is_in
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1,
+      :test_model_2 => test_model_2)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_not_is_in
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttr.delete_all
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1,
+      :test_model_2 => test_model_2)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_anded_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :base_role do
+          has_permission_on :test_attrs, :to => :read, :join_by => :and do
+            if_permitted_to :read, :test_model
+            if_attribute :attr => 1
+          end
+        end
+        role :first_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => "first test"
+          end
+        end
+        role :second_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :country_id => 2
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!(:content => "first test")
+    test_model_1.test_attrs.create!(:attr => 1)
+    test_model_for_second_role = TestModel.create!(:country_id => 2)
+    test_model_for_second_role.test_attrs.create!(:attr => 1)
+    test_model_for_second_role.test_attrs.create!(:attr => 2)
+    user = MockUser.new(:first_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    user_with_both_roles = MockUser.new(:first_role, :second_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user_with_both_roles)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_for_second_role.test_attrs.first, :user => user_with_both_roles)
+    #p Authorization::Engine.instance.obligations(:read, :user => user_with_both_roles, :context => :test_attrs)
+    if Rails.version >= '4'
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user_with_both_roles).references(:test_attrs, :test_models).length
+    else
+      assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_with_no_child_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :another_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+        role :additional_if_attribute do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+            if_attribute :test_model => {:test_attrs => contains { user }}
+          end
+        end
+        role :only_permitted_to do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
+    also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
+    assert_raise Authorization::NotAuthorized do
+      TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_with_context_from_model
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_another_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_another_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_another_attrs.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:test_role, :id => 111)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_permitted_to :read, :test_attrs
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => is { user.id }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
+    user = MockUser.new(:test_role, :id => test_attr_1.attr)
+    non_allowed_user = MockUser.new(:test_role, :id => 333)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_deep_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :branches, :to => :read do
+            if_attribute :name => "A Branch"
+          end
+          has_permission_on :companies, :to => :read do
+            if_permitted_to :read, :test_attrs => :branch
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    readable_company = Company.create!
+    readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
+    forbidden_company = Company.create!
+    forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
+    user = MockUser.new(:test_role)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_and_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 0, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_self
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_models, :to => :update do
+            if_permitted_to :read
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    test_attr_2 = TestAttr.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:update, :user => user).length
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_has_many_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_ored_rules_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_2_2' },
+                :test_model => { :test_attrs => contains {user.test_attr} }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+    test_attr_2.test_model.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
+    if Rails.version >= '4'
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_test_attrs, :test_attrs_test_models).length
+    else
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_many_ored_rules_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :branch => { :company => { :country => {
+                :test_models => contains { user.test_model }
+              }} }
+            if_attribute :company => { :country => {
+                :test_models => contains { user.test_model }
+              }}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    country = Country.create!(:name => 'country_1')
+    country.test_models.create!
+    test_attr_1 = TestAttr.create!(
+        :branch => Branch.create!(:name => 'branch_1',
+            :company => Company.create!(:name => 'company_1',
+                :country => country))
+      )
+    test_attr_2 = TestAttr.create!(
+        :company => Company.create!(:name => 'company_2',
+            :country => country)
+      )
+    user = MockUser.new(:test_role, :test_model => country.test_models.first)
+    if Rails.version >= '4'
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_countries).length
+    else
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+end
+class ModelTest < Test::Unit::TestCase
+  def test_permit_with_has_one_raises_no_name_error
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do :test_attr_has_one
+        role :test_role do
+          has_permission_on :test_attrs, :to => :update do
+            if_attribute :id => is { user.test_attr.id }
+          end
+        end
+      end
+    }
+    instance = Authorization::Engine.instance(reader)
+    test_model = TestModel.create!
+    test_attr = test_model.create_test_attr_has_one
+    assert !test_attr.new_record?
+    user = MockUser.new(:test_role, :test_attr => test_attr)
+    assert_nothing_raised do
+      assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_model_security_write_allowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
+    object.reload
+    assert_equal 2, object.attr_2
+    object.destroy
+    assert_raise ActiveRecord::RecordNotFound do
+      TestModelSecurityModel.find(object.id)
+    end
+  end
+  def test_model_security_write_not_allowed_no_privilege
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+        role :test_role_restricted do
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    Authorization.current_user = MockUser.new(:test_role_restricted)
+    assert_raise Authorization::NotAuthorized do
+      object.update_attributes(:attr_2 => 2)
+    end
+  end
+  def test_model_security_write_not_allowed_wrong_attribute_value
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    assert_raise Authorization::AttributeAuthorizationError do
+      TestModelSecurityModel.create :attr => 2
+    end
+    object = TestModelSecurityModel.create
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.update_attributes(:attr => 2)
+    end
+    object.reload
+    assert_nothing_raised do
+      object.update_attributes(:attr_2 => 1)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.update_attributes(:attr => 2)
+    end
+  end
+  def test_model_security_with_and_without_find_restrictions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    object_with_find = TestModelSecurityModelWithFind.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    assert_nothing_raised do
+      object.class.find(object.id)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      object_with_find.class.find(object_with_find.id)
+    end
+  end
+  def test_model_security_with_read_restrictions_and_exists
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :test_attr => is { user.test_attr }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr = TestAttr.create
+    Authorization.current_user = MockUser.new(:test_role, :test_attr => test_attr)
+    object_with_find = TestModelSecurityModelWithFind.create :test_attr => test_attr
+    assert_nothing_raised do
+      object_with_find.class.find(object_with_find.id)
+    end
+    assert_equal 1, test_attr.test_model_security_model_with_finds.length
+    # Raises error since AR does not populate the object
+    #assert test_attr.test_model_security_model_with_finds.exists?(object_with_find)
+  end
+  def test_model_security_delete_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.destroy
+    end
+  end
+  def test_model_security_changing_critical_attribute_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    # TODO before not checked yet
+    #assert_raise Authorization::AuthorizationError do
+    #  object.update_attributes(:attr => 1)
+    #end
+  end
+  def test_model_security_no_role_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_2)
+    assert_raise Authorization::NotAuthorized do
+      TestModelSecurityModel.create
+    end
+  end
+  def test_model_security_with_assoc
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :create, :update, :delete
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr = TestAttr.create
+    test_attr.role_symbols << :test_role
+    Authorization.current_user = test_attr
+    assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
+    assert_nothing_raised do
+      object.update_attributes(:attr_2 => 2)
+    end
+    without_access_control do
+      object.reload
+    end
+    assert_equal 2, object.attr_2
+    object.destroy
+    assert_raise ActiveRecord::RecordNotFound do
+      TestModelSecurityModel.find(object.id)
+    end
+  end
+  def test_model_security_with_update_attrbributes
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models, :to => :update do
+            if_attribute :test_attrs => { :branch => is { user.branch }}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    params = {
+      :model_data => { :attr => 11 }
+    }
+    test_attr = TestAttr.create!(:branch => Branch.create!)
+    test_model = without_access_control do
+      TestModelSecurityModel.create!(:test_attrs => [test_attr])
+    end
+    with_user MockUser.new(:test_role, :branch => test_attr.branch) do
+      assert_nothing_raised do
+        test_model.update_attributes(params[:model_data])
+      end
+    end
+    without_access_control do
+      assert_equal params[:model_data][:attr], test_model.reload.attr
+    end
+    TestAttr.delete_all
+    TestModelSecurityModel.delete_all
+    Branch.delete_all
+  end
+  def test_using_access_control
+    assert !TestModel.using_access_control?
+    assert TestModelSecurityModel.using_access_control?
+  end
+  def test_authorization_permit_association_proxy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:content => "content" }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.instance(reader)
+    test_model = TestModel.create(:content => "content")
+    assert engine.permit?(:read, :object => test_model.test_attrs,
+                          :user => MockUser.new(:test_role))
+    assert !engine.permit?(:read, :object => TestAttr.new,
+                          :user => MockUser.new(:test_role))
+    TestModel.delete_all
+  end
+  def test_authorization_permit_nested_association_proxy
+   reader = Authorization::Reader::DSLReader.new
+   reader.parse %{
+     authorization do
+       role :test_role do
+         has_permission_on :branches, :to => :read do
+           if_attribute :test_model => { :test_attrs => {:attr => 1 } }
+         end
+       end
+     end
+   }
+   engine = Authorization::Engine.instance(reader)
+   test_model = TestModel.create!
+   test_model.test_attrs.create!(:attr => 0)
+   test_attr = test_model.test_attrs.create!(:attr => 1)
+   test_model.test_attrs.create!(:attr => 3)
+   test_branch = Branch.create!(:test_model => test_model)
+   test_model_2 = TestModel.create!
+   test_attr_2 = test_model_2.test_attrs.create!(:attr => 2)
+   test_branch_2 = Branch.create!(:test_model => test_model_2)
+   test_model_3 = TestModel.create!
+   test_branch_3 = Branch.create!(:test_model => test_model_3)
+   assert engine.permit?(:read, :object => test_branch,
+                         :user => MockUser.new(:test_role))
+   assert !engine.permit?(:read, :object => test_branch_2,
+                         :user => MockUser.new(:test_role))
+   assert !engine.permit?(:read, :object => test_branch_3,
+                         :user => MockUser.new(:test_role))
+   TestModel.delete_all
+   Branch.delete_all
+   TestAttr.delete_all
+  end
+  def test_multiple_roles_with_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_1 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
+                :content => 'test_1'
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
+                :content => 'test_2'
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttr.delete_all
+    TestAttrThrough.delete_all
+    test_model_1 = TestModel.create! :content => 'test_1'
+    test_model_2 = TestModel.create! :content => 'test_2'
+    test_model_1.test_attrs.create!.test_attr_throughs.create!
+    test_model_2.test_attrs.create!.test_attr_throughs.create!
+    user = MockUser.new(:test_role_1, :test_role_2,
+        :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
+        :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
+    if Rails.version >= '4'
+      assert_equal 2, TestModel.with_permissions_to(:read, :user => user).references(:test_models, :test_attr_throughs).length
+    else
+      assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+    TestAttrThrough.delete_all
+  end
+  def test_model_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :name => "company_1"
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    user = MockUser.new(:test_role)
+    allowed_read_company = Company.new(:name => 'company_1')
+    prohibited_company = Company.new(:name => 'company_2')
+    assert allowed_read_company.permitted_to?(:read, :user => user)
+    assert !allowed_read_company.permitted_to?(:update, :user => user)
+    assert !prohibited_company.permitted_to?(:read, :user => user)
+    executed_block = false
+    allowed_read_company.permitted_to?(:read, :user => user) do
+      executed_block = true
+    end
+    assert executed_block
+    executed_block = false
+    prohibited_company.permitted_to?(:read, :user => user) do
+      executed_block = true
+    end
+    assert !executed_block
+    assert_nothing_raised do
+      allowed_read_company.permitted_to!(:read, :user => user)
+    end
+    assert_raise Authorization::NotAuthorized do
+      prohibited_company.permitted_to!(:update, :user => user)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      prohibited_company.permitted_to!(:read, :user => user)
+    end
+  end
+  def test_model_permitted_to_with_modified_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    user = MockUser.new(:test_role)
+    allowed_read_company = SmallCompany.new(:name => 'small_company_1')
+    assert allowed_read_company.permitted_to?(:read, :user => user)
+    assert !allowed_read_company.permitted_to?(:update, :user => user)
+  end
+end