RubyGems - zeiv-declarative_authorization - Versions diffs - 1.0.0.pre - Mend

zeiv-declarative_authorization 1.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

checksums.yaml +7 -0
data/CHANGELOG +189 -0
data/MIT-LICENSE +20 -0
data/README.rdoc +632 -0
data/Rakefile +53 -0
data/app/controllers/authorization_rules_controller.rb +258 -0
data/app/controllers/authorization_usages_controller.rb +22 -0
data/app/helpers/authorization_rules_helper.rb +218 -0
data/app/views/authorization_rules/_change.erb +58 -0
data/app/views/authorization_rules/_show_graph.erb +44 -0
data/app/views/authorization_rules/_suggestions.erb +48 -0
data/app/views/authorization_rules/change.html.erb +169 -0
data/app/views/authorization_rules/graph.dot.erb +68 -0
data/app/views/authorization_rules/graph.html.erb +47 -0
data/app/views/authorization_rules/index.html.erb +17 -0
data/app/views/authorization_usages/index.html.erb +36 -0
data/authorization_rules.dist.rb +20 -0
data/config/routes.rb +20 -0
data/garlic_example.rb +20 -0
data/init.rb +5 -0
data/lib/declarative_authorization.rb +19 -0
data/lib/declarative_authorization/adapters/active_record.rb +13 -0
data/lib/declarative_authorization/adapters/active_record/base_extensions.rb +0 -0
data/lib/declarative_authorization/adapters/active_record/obligation_scope_builder.rb +0 -0
data/lib/declarative_authorization/authorization.rb +798 -0
data/lib/declarative_authorization/development_support/analyzer.rb +261 -0
data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
data/lib/declarative_authorization/development_support/development_support.rb +243 -0
data/lib/declarative_authorization/helper.rb +68 -0
data/lib/declarative_authorization/in_controller.rb +703 -0
data/lib/declarative_authorization/in_model.rb +188 -0
data/lib/declarative_authorization/maintenance.rb +210 -0
data/lib/declarative_authorization/obligation_scope.rb +361 -0
data/lib/declarative_authorization/rails_legacy.rb +22 -0
data/lib/declarative_authorization/railsengine.rb +6 -0
data/lib/declarative_authorization/reader.rb +546 -0
data/lib/generators/authorization/install/install_generator.rb +77 -0
data/lib/generators/authorization/rules/rules_generator.rb +14 -0
data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -0
data/lib/tasks/authorization_tasks.rake +89 -0
data/test/authorization_test.rb +1124 -0
data/test/controller_filter_resource_access_test.rb +575 -0
data/test/controller_test.rb +480 -0
data/test/database.yml +3 -0
data/test/dsl_reader_test.rb +178 -0
data/test/helper_test.rb +247 -0
data/test/maintenance_test.rb +46 -0
data/test/model_test.rb +2008 -0
data/test/schema.sql +56 -0
data/test/test_helper.rb +255 -0
metadata +95 -0

data/test/model_test.rb ADDED

@@ -0,0 +1,2008 @@
+require 'test_helper'
+require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization in_model})
+ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
+#ActiveRecord::Base.logger = Logger.new(STDOUT)
+options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
+ActiveRecord::Base.establish_connection(options)
+ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
+ActiveRecord::Base.connection
+File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
+  ActiveRecord::Base.connection.execute(sql) unless sql.blank?
+end
+class TestModel < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
+  has_many :test_attr_throughs, :through => :test_attrs
+  has_one :test_attr_has_one, :class_name => "TestAttr"
+  has_many :branches
+  # :conditions is deprecated in Rails 4.1
+  if Rails.version >= '4'
+    has_many :test_attrs_with_attr, lambda { where(:attr => 1) }, :class_name => "TestAttr"
+    has_many :test_attr_throughs_with_attr, lambda { where("test_attrs.attr = 1") }, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs
+    has_one :test_attr_throughs_with_attr_and_has_one, lambda { where("test_attrs.attr = 1") }, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs
+  else
+    has_many :test_attrs_with_attr, :class_name => "TestAttr", :conditions => {:attr => 1}
+    has_many :test_attr_throughs_with_attr, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs,
+      :conditions => "test_attrs.attr = 1"
+    has_one :test_attr_throughs_with_attr_and_has_one, :through => :test_attrs,
+      :class_name => "TestAttrThrough", :source => :test_attr_throughs,
+      :conditions => "test_attrs.attr = 1"
+  end
+  if Rails.version < '4'
+    attr_accessible :content, :test_attr_through_id, :country_id
+  end
+  # TODO currently not working in Rails 3
+  if Rails.version < "3"
+    has_and_belongs_to_many :test_attr_throughs_habtm, :join_table => :test_attrs,
+        :class_name => "TestAttrThrough"
+  end
+  if Rails.version < "3"
+    named_scope :with_content, :conditions => "test_models.content IS NOT NULL"
+  elsif Rails.version < "4"
+    scope :with_content, :conditions => "test_models.content IS NOT NULL"
+  else
+    scope :with_content, lambda { where("test_models.content IS NOT NULL") }
+  end
+  # Primary key test
+  # :primary_key only available from Rails 2.2
+  unless Rails.version < "2.2"
+    has_many :test_attrs_with_primary_id, :class_name => "TestAttr",
+      :primary_key => :test_attr_through_id, :foreign_key => :test_attr_through_id
+    has_many :test_attr_throughs_with_primary_id,
+      :through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
+      :source => :n_way_join_item
+  end
+  # for checking for unnecessary queries
+  mattr_accessor :query_count
+  def self.find(*args)
+    self.query_count ||= 0
+    self.query_count += 1
+    super(*args)
+  end
+end
+class NWayJoinItem < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :others, :through => :test_attrs, :source => :n_way_join_item
+end
+class TestAttr < ActiveRecord::Base
+  belongs_to :test_model
+  belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
+  belongs_to :test_a_third_model, :class_name => "TestModel", :foreign_key => :test_a_third_model_id
+  belongs_to :n_way_join_item
+  belongs_to :test_attr
+  belongs_to :branch
+  belongs_to :company
+  has_many :test_attr_throughs
+  has_many :test_model_security_model_with_finds
+  attr_reader :role_symbols
+  if Rails.version < '4'
+    attr_accessible :test_model, :test_another_model, :attr, :branch, :company, :test_attr,
+  	  :test_a_third_model, :n_way_join_item, :n_way_join_item_id, :test_attr_through_id,
+  	  :test_model_id, :test_another_model_id
+  end
+  def initialize (*args)
+    @role_symbols = []
+    super(*args)
+  end
+end
+class TestAttrThrough < ActiveRecord::Base
+  belongs_to :test_attr
+end
+class TestModelSecurityModel < ActiveRecord::Base
+  has_many :test_attrs
+  using_access_control
+  if Rails.version < '4'
+    attr_accessible :attr, :attr_2, :test_attrs
+  end
+end
+class TestModelSecurityModelWithFind < ActiveRecord::Base
+  if Rails.version < "3.2"
+    set_table_name "test_model_security_models"
+  else
+    self.table_name = "test_model_security_models"
+  end
+  has_many :test_attrs
+  belongs_to :test_attr
+  using_access_control :include_read => true,
+    :context => :test_model_security_models
+  if Rails.version < '4'
+    attr_accessible :test_attr, :attr
+  end
+end
+class Branch < ActiveRecord::Base
+  has_many :test_attrs
+  belongs_to :company
+  belongs_to :test_model
+  if Rails.version < '4'
+    attr_accessible :name, :company, :test_model
+  end
+end
+class Company < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :branches
+  belongs_to :country
+  if Rails.version < '4'
+    attr_accessible :name, :country, :country_id
+  end
+end
+class SmallCompany < Company
+  def self.decl_auth_context
+    :companies
+  end
+end
+class Country < ActiveRecord::Base
+  has_many :test_models
+  has_many :companies
+  if Rails.version < '4'
+    attr_accessible :name
+  end
+end
+class NamedScopeModelTest < Test::Unit::TestCase
+  def test_multiple_deep_ored_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:test_attrs => contains {user}}
+            if_attribute :test_another_model => {:test_attrs => contains {user}}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
+                      :test_another_model_id => test_model_2.id
+    user = MockUser.new(:test_role, :id => test_attr_1)
+    if Rails.version >= '4'
+      assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_attrs_test_models, :test_attrs_test_models_2).length
+    else
+      assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_belongs_to_and_has_many_with_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
+    assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
+    assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
+    assert_raise Authorization::NotAuthorized do
+      TestAttr.with_permissions_to( :update_test_attrs, :user => user )
+    end
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_nested_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    allowed_company = Company.create!
+    allowed_company.branches.create!.test_attrs.create!(:attr => 1)
+    allowed_company.branches.create!.test_attrs.create!(:attr => 2)
+    prohibited_company = Company.create!
+    prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_nested_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+    allowed_model = TestModel.create!
+    allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+    allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+    prohibited_model = TestModel.create!
+    prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_named_scope_on_proxy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    TestAttr.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_attr_1.id)
+    assert_equal 1, test_model_1.test_attrs.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_named_scope_on_named_scope
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_through_id => 1
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    country = Country.create!
+    model_1 = TestModel.create!(:test_attr_through_id => 1, :content => "Content")
+    country.test_models << model_1
+    TestModel.create!(:test_attr_through_id => 1)
+    TestModel.create!(:test_attr_through_id => 2, :content => "Content")
+    user = MockUser.new(:test_role)
+    # TODO implement query_count for Rails 3
+    TestModel.query_count = 0
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.query_count = 0
+    assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.query_count = 0
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).with_content.length if Rails.version < "4"
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.query_count = 0
+    assert_equal 1, country.test_models.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.query_count if Rails.version < "3"
+    TestModel.delete_all
+    Country.delete_all
+  end
+  def test_with_modified_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :id => is { user.test_company_id }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_company = SmallCompany.create!
+    user = MockUser.new(:test_role, :test_company_id => test_company.id)
+    assert_equal 1, SmallCompany.with_permissions_to(:read,
+      :user => user).length
+    SmallCompany.delete_all
+  end
+  def test_with_is_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => nil
+          end
+        end
+        role :test_role_not_nil do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => is_not { nil }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create! :content => "Content"
+    assert_equal test_model_1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role)).first
+    assert_equal test_model_2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
+    TestModel.delete_all
+  end
+  def test_with_not_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is_not { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_with_lt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_lte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    2.times { TestModel.create! }
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_gt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.create!
+    test_model_1 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_gte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    2.times { TestModel.create! }
+    test_model_1 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.create!
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_multiple_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value_2 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
+                        :test_attr_value_2 => test_model_2.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_roles
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => [1,2]
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => [2,3]
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestAttr.create! :attr => 1
+    TestAttr.create! :attr => 2
+    TestAttr.create! :attr => 3
+    user = MockUser.new(:test_role)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_multiple_and_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+          has_permission_on :test_models, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_attributes
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }, :content => "bla"
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create! :content => 'bla'
+    TestModel.create! :content => 'bla'
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is {user}
+            if_attribute :test_another_model => is {user}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
+    user = MockUser.new(:test_role, :id => 1)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_with_is_and_priv_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :read do
+          includes :list, :show
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:list,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
+    TestModel.delete_all
+  end
+  def test_with_is_and_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is { user.test_model }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_deep_attribute
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:id => is { user.test_model_id } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read, :join_by => :and do
+            if_attribute :test_model => is { user.test_model }
+            if_attribute :attr => 1
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!(:attr => 1)
+    TestModel.create!.test_attrs.create!(:attr => 1)
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    if Rails.version < '3'
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id} ).length
+    else
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).where(:id => test_model_1.id).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_does_not_contain
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => does_not_contain { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_contains_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs_with_attr => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs_with_attr.create!
+    test_model_1.test_attrs.create!(:attr => 2)
+    test_model_2.test_attrs_with_attr.create!
+    test_model_2.test_attrs.create!(:attr => 2)
+    #assert_equal 1, test_model_1.test_attrs_with_attr.length
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.last.id)
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
+  # does not work
+  if Rails.version < "3"
+    def test_with_contains_through_conditions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_attr => contains { user }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      #assert_equal 1, test_model_1.test_attrs_with_attr.length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.last.id)
+      assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
+  end
+  if Rails.version < "3"
+    def test_with_contains_habtm
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_habtm => contains { user.test_attr_through_id }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      # TODO habtm currently not working in Rails 3
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_attr_through_1 = TestAttrThrough.create!
+      test_attr_through_2 = TestAttrThrough.create!
+      TestAttr.create! :test_model_id => test_model_1.id, :test_attr_through_id => test_attr_through_1.id
+      TestAttr.create! :test_model_id => test_model_2.id, :test_attr_through_id => test_attr_through_2.id
+      user = MockUser.new(:test_role,
+                          :test_attr_through_id => test_model_1.test_attr_throughs_habtm.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      assert_equal test_model_1, TestModel.with_permissions_to(:read, :user => user)[0]
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
+  end
+  # :primary_key not available in Rails prior to 2.2
+  if Rails.version > "2.2"
+    def test_with_contains_through_primary_key
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_primary_id => contains { user }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+      test_attr_through_1 = TestAttrThrough.create!
+      test_item = NWayJoinItem.create!
+      test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
+      test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
+          :n_way_join_item_id => test_item.id)
+      user = MockUser.new(:test_role,
+                          :id => test_attr_through_1.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      TestModel.delete_all
+      TestAttrThrough.delete_all
+      TestAttr.delete_all
+    end
+  end
+  def test_with_intersects_with
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => intersects_with { user.test_attrs }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :test_attrs => [test_model_1.test_attrs.first, TestAttr.create!])
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    user = MockUser.new(:test_role,
+                        :test_attrs => [TestAttr.create!])
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_is_and_has_one
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do :test_attr_has_one
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_has_one => is { user.test_attr }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr => test_attr_1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
+  # does not work
+  if Rails.version < "3"
+    def test_with_is_and_has_one_through_conditions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :test_models, :to => :read do
+              if_attribute :test_attr_throughs_with_attr_and_has_one => is { user }
+            end
+          end
+        end
+      }
+      Authorization::Engine.instance(reader)
+      test_model_1 = TestModel.create!
+      test_model_2 = TestModel.create!
+      test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+      test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+      #assert_equal 1, test_model_1.test_attrs_with_attr.length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.first.id)
+      assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+      user = MockUser.new(:test_role,
+                          :id => test_model_1.test_attr_throughs.last.id)
+      assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+      TestModel.delete_all
+      TestAttr.delete_all
+      TestAttrThrough.delete_all
+    end
+  end
+  def test_with_is_in
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1,
+      :test_model_2 => test_model_2)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_not_is_in
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttr.delete_all
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1,
+      :test_model_2 => test_model_2)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_anded_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :base_role do
+          has_permission_on :test_attrs, :to => :read, :join_by => :and do
+            if_permitted_to :read, :test_model
+            if_attribute :attr => 1
+          end
+        end
+        role :first_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => "first test"
+          end
+        end
+        role :second_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :country_id => 2
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!(:content => "first test")
+    test_model_1.test_attrs.create!(:attr => 1)
+    test_model_for_second_role = TestModel.create!(:country_id => 2)
+    test_model_for_second_role.test_attrs.create!(:attr => 1)
+    test_model_for_second_role.test_attrs.create!(:attr => 2)
+    user = MockUser.new(:first_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    user_with_both_roles = MockUser.new(:first_role, :second_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user_with_both_roles)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_for_second_role.test_attrs.first, :user => user_with_both_roles)
+    #p Authorization::Engine.instance.obligations(:read, :user => user_with_both_roles, :context => :test_attrs)
+    if Rails.version >= '4'
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user_with_both_roles).references(:test_attrs, :test_models).length
+    else
+      assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_with_no_child_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :another_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+        role :additional_if_attribute do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+            if_attribute :test_model => {:test_attrs => contains { user }}
+          end
+        end
+        role :only_permitted_to do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
+    also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
+    assert_raise Authorization::NotAuthorized do
+      TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_with_context_from_model
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_another_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_another_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_another_attrs.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:test_role, :id => 111)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_permitted_to :read, :test_attrs
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => is { user.id }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
+    user = MockUser.new(:test_role, :id => test_attr_1.attr)
+    non_allowed_user = MockUser.new(:test_role, :id => 333)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_deep_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :branches, :to => :read do
+            if_attribute :name => "A Branch"
+          end
+          has_permission_on :companies, :to => :read do
+            if_permitted_to :read, :test_attrs => :branch
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    readable_company = Company.create!
+    readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
+    forbidden_company = Company.create!
+    forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
+    user = MockUser.new(:test_role)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_and_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 0, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_self
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_models, :to => :update do
+            if_permitted_to :read
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    test_attr_2 = TestAttr.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:update, :user => user).length
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_has_many_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_ored_rules_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_2_2' },
+                :test_model => { :test_attrs => contains {user.test_attr} }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+    test_attr_2.test_model.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
+    if Rails.version >= '4'
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_test_attrs, :test_attrs_test_models).length
+    else
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_many_ored_rules_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :branch => { :company => { :country => {
+                :test_models => contains { user.test_model }
+              }} }
+            if_attribute :company => { :country => {
+                :test_models => contains { user.test_model }
+              }}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    country = Country.create!(:name => 'country_1')
+    country.test_models.create!
+    test_attr_1 = TestAttr.create!(
+        :branch => Branch.create!(:name => 'branch_1',
+            :company => Company.create!(:name => 'company_1',
+                :country => country))
+      )
+    test_attr_2 = TestAttr.create!(
+        :company => Company.create!(:name => 'company_2',
+            :country => country)
+      )
+    user = MockUser.new(:test_role, :test_model => country.test_models.first)
+    if Rails.version >= '4'
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_countries).length
+    else
+      assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+end
+class ModelTest < Test::Unit::TestCase
+  def test_permit_with_has_one_raises_no_name_error
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do :test_attr_has_one
+        role :test_role do
+          has_permission_on :test_attrs, :to => :update do
+            if_attribute :id => is { user.test_attr.id }
+          end
+        end
+      end
+    }
+    instance = Authorization::Engine.instance(reader)
+    test_model = TestModel.create!
+    test_attr = test_model.create_test_attr_has_one
+    assert !test_attr.new_record?
+    user = MockUser.new(:test_role, :test_attr => test_attr)
+    assert_nothing_raised do
+      assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_model_security_write_allowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
+    object.reload
+    assert_equal 2, object.attr_2
+    object.destroy
+    assert_raise ActiveRecord::RecordNotFound do
+      TestModelSecurityModel.find(object.id)
+    end
+  end
+  def test_model_security_write_not_allowed_no_privilege
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+        role :test_role_restricted do
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    Authorization.current_user = MockUser.new(:test_role_restricted)
+    assert_raise Authorization::NotAuthorized do
+      object.update_attributes(:attr_2 => 2)
+    end
+  end
+  def test_model_security_write_not_allowed_wrong_attribute_value
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    assert_raise Authorization::AttributeAuthorizationError do
+      TestModelSecurityModel.create :attr => 2
+    end
+    object = TestModelSecurityModel.create
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.update_attributes(:attr => 2)
+    end
+    object.reload
+    assert_nothing_raised do
+      object.update_attributes(:attr_2 => 1)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.update_attributes(:attr => 2)
+    end
+  end
+  def test_model_security_with_and_without_find_restrictions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    object_with_find = TestModelSecurityModelWithFind.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    assert_nothing_raised do
+      object.class.find(object.id)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      object_with_find.class.find(object_with_find.id)
+    end
+  end
+  def test_model_security_with_read_restrictions_and_exists
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :test_attr => is { user.test_attr }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr = TestAttr.create
+    Authorization.current_user = MockUser.new(:test_role, :test_attr => test_attr)
+    object_with_find = TestModelSecurityModelWithFind.create :test_attr => test_attr
+    assert_nothing_raised do
+      object_with_find.class.find(object_with_find.id)
+    end
+    assert_equal 1, test_attr.test_model_security_model_with_finds.length
+    # Raises error since AR does not populate the object
+    #assert test_attr.test_model_security_model_with_finds.exists?(object_with_find)
+  end
+  def test_model_security_delete_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.destroy
+    end
+  end
+  def test_model_security_changing_critical_attribute_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    # TODO before not checked yet
+    #assert_raise Authorization::AuthorizationError do
+    #  object.update_attributes(:attr => 1)
+    #end
+  end
+  def test_model_security_no_role_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_2)
+    assert_raise Authorization::NotAuthorized do
+      TestModelSecurityModel.create
+    end
+  end
+  def test_model_security_with_assoc
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :create, :update, :delete
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr = TestAttr.create
+    test_attr.role_symbols << :test_role
+    Authorization.current_user = test_attr
+    assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
+    assert_nothing_raised do
+      object.update_attributes(:attr_2 => 2)
+    end
+    without_access_control do
+      object.reload
+    end
+    assert_equal 2, object.attr_2
+    object.destroy
+    assert_raise ActiveRecord::RecordNotFound do
+      TestModelSecurityModel.find(object.id)
+    end
+  end
+  def test_model_security_with_update_attrbributes
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models, :to => :update do
+            if_attribute :test_attrs => { :branch => is { user.branch }}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    params = {
+      :model_data => { :attr => 11 }
+    }
+    test_attr = TestAttr.create!(:branch => Branch.create!)
+    test_model = without_access_control do
+      TestModelSecurityModel.create!(:test_attrs => [test_attr])
+    end
+    with_user MockUser.new(:test_role, :branch => test_attr.branch) do
+      assert_nothing_raised do
+        test_model.update_attributes(params[:model_data])
+      end
+    end
+    without_access_control do
+      assert_equal params[:model_data][:attr], test_model.reload.attr
+    end
+    TestAttr.delete_all
+    TestModelSecurityModel.delete_all
+    Branch.delete_all
+  end
+  def test_using_access_control
+    assert !TestModel.using_access_control?
+    assert TestModelSecurityModel.using_access_control?
+  end
+  def test_authorization_permit_association_proxy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:content => "content" }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.instance(reader)
+    test_model = TestModel.create(:content => "content")
+    assert engine.permit?(:read, :object => test_model.test_attrs,
+                          :user => MockUser.new(:test_role))
+    assert !engine.permit?(:read, :object => TestAttr.new,
+                          :user => MockUser.new(:test_role))
+    TestModel.delete_all
+  end
+  def test_authorization_permit_nested_association_proxy
+   reader = Authorization::Reader::DSLReader.new
+   reader.parse %{
+     authorization do
+       role :test_role do
+         has_permission_on :branches, :to => :read do
+           if_attribute :test_model => { :test_attrs => {:attr => 1 } }
+         end
+       end
+     end
+   }
+   engine = Authorization::Engine.instance(reader)
+   test_model = TestModel.create!
+   test_model.test_attrs.create!(:attr => 0)
+   test_attr = test_model.test_attrs.create!(:attr => 1)
+   test_model.test_attrs.create!(:attr => 3)
+   test_branch = Branch.create!(:test_model => test_model)
+   test_model_2 = TestModel.create!
+   test_attr_2 = test_model_2.test_attrs.create!(:attr => 2)
+   test_branch_2 = Branch.create!(:test_model => test_model_2)
+   test_model_3 = TestModel.create!
+   test_branch_3 = Branch.create!(:test_model => test_model_3)
+   assert engine.permit?(:read, :object => test_branch,
+                         :user => MockUser.new(:test_role))
+   assert !engine.permit?(:read, :object => test_branch_2,
+                         :user => MockUser.new(:test_role))
+   assert !engine.permit?(:read, :object => test_branch_3,
+                         :user => MockUser.new(:test_role))
+   TestModel.delete_all
+   Branch.delete_all
+   TestAttr.delete_all
+  end
+  def test_multiple_roles_with_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_1 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
+                :content => 'test_1'
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
+                :content => 'test_2'
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttr.delete_all
+    TestAttrThrough.delete_all
+    test_model_1 = TestModel.create! :content => 'test_1'
+    test_model_2 = TestModel.create! :content => 'test_2'
+    test_model_1.test_attrs.create!.test_attr_throughs.create!
+    test_model_2.test_attrs.create!.test_attr_throughs.create!
+    user = MockUser.new(:test_role_1, :test_role_2,
+        :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
+        :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
+    if Rails.version >= '4'
+      assert_equal 2, TestModel.with_permissions_to(:read, :user => user).references(:test_models, :test_attr_throughs).length
+    else
+      assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+    TestAttrThrough.delete_all
+  end
+  def test_model_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :name => "company_1"
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    user = MockUser.new(:test_role)
+    allowed_read_company = Company.new(:name => 'company_1')
+    prohibited_company = Company.new(:name => 'company_2')
+    assert allowed_read_company.permitted_to?(:read, :user => user)
+    assert !allowed_read_company.permitted_to?(:update, :user => user)
+    assert !prohibited_company.permitted_to?(:read, :user => user)
+    executed_block = false
+    allowed_read_company.permitted_to?(:read, :user => user) do
+      executed_block = true
+    end
+    assert executed_block
+    executed_block = false
+    prohibited_company.permitted_to?(:read, :user => user) do
+      executed_block = true
+    end
+    assert !executed_block
+    assert_nothing_raised do
+      allowed_read_company.permitted_to!(:read, :user => user)
+    end
+    assert_raise Authorization::NotAuthorized do
+      prohibited_company.permitted_to!(:update, :user => user)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      prohibited_company.permitted_to!(:read, :user => user)
+    end
+  end
+  def test_model_permitted_to_with_modified_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    user = MockUser.new(:test_role)
+    allowed_read_company = SmallCompany.new(:name => 'small_company_1')
+    assert allowed_read_company.permitted_to?(:read, :user => user)
+    assert !allowed_read_company.permitted_to?(:update, :user => user)
+  end
+end