RubyGems - zuul - Versions diffs - 0.1.1 → 0.2.0 - Mend

zuul 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

data/lib/generators/zuul/orm_helpers.rb +21 -0
data/lib/generators/zuul/permission_generator.rb +57 -0
data/lib/generators/zuul/permission_role_generator.rb +40 -0
data/lib/generators/zuul/permission_subject_generator.rb +40 -0
data/lib/generators/zuul/role_generator.rb +58 -0
data/lib/generators/zuul/role_subject_generator.rb +40 -0
data/lib/generators/zuul/subject_generator.rb +39 -0
data/lib/generators/zuul/templates/permission.rb +18 -0
data/lib/generators/zuul/templates/permission_existing.rb +25 -0
data/lib/generators/zuul/templates/permission_role.rb +17 -0
data/lib/generators/zuul/templates/permission_role_existing.rb +24 -0
data/lib/generators/zuul/templates/permission_subject.rb +17 -0
data/lib/generators/zuul/templates/permission_subject_existing.rb +24 -0
data/lib/generators/zuul/templates/role.rb +20 -0
data/lib/generators/zuul/templates/role_existing.rb +27 -0
data/lib/generators/zuul/templates/role_subject.rb +17 -0
data/lib/generators/zuul/templates/role_subject_existing.rb +24 -0
data/lib/tasks/zuul.rake +56 -0
data/lib/zuul.rb +14 -5
data/lib/zuul/action_controller.rb +108 -0
data/lib/zuul/action_controller/dsl.rb +384 -0
data/lib/zuul/action_controller/evaluators.rb +60 -0
data/lib/zuul/active_record.rb +338 -0
data/lib/zuul/active_record/context.rb +38 -0
data/lib/zuul/active_record/permission.rb +31 -0
data/lib/zuul/active_record/permission_role.rb +29 -0
data/lib/zuul/active_record/permission_subject.rb +29 -0
data/lib/zuul/active_record/role.rb +117 -0
data/lib/zuul/active_record/role_subject.rb +29 -0
data/lib/zuul/active_record/scope.rb +71 -0
data/lib/zuul/active_record/subject.rb +239 -0
data/lib/zuul/configuration.rb +149 -0
data/lib/zuul/context.rb +53 -0
data/lib/zuul/exceptions.rb +3 -0
data/lib/zuul/exceptions/access_denied.rb +9 -0
data/lib/zuul/exceptions/invalid_context.rb +9 -0
data/lib/zuul/exceptions/undefined_scope.rb +9 -0
data/lib/zuul/railtie.rb +5 -0
data/lib/zuul/version.rb +3 -0
data/lib/zuul_viz.rb +195 -0
data/spec/db/schema.rb +172 -0
data/spec/spec_helper.rb +25 -0
data/spec/support/capture_stdout.rb +12 -0
data/spec/support/models.rb +167 -0
data/spec/zuul/active_record/context_spec.rb +55 -0
data/spec/zuul/active_record/permission_role_spec.rb +84 -0
data/spec/zuul/active_record/permission_spec.rb +174 -0
data/spec/zuul/active_record/permission_subject_spec.rb +84 -0
data/spec/zuul/active_record/role_spec.rb +694 -0
data/spec/zuul/active_record/role_subject_spec.rb +84 -0
data/spec/zuul/active_record/scope_spec.rb +75 -0
data/spec/zuul/active_record/subject_spec.rb +1186 -0
data/spec/zuul/active_record_spec.rb +624 -0
data/spec/zuul/configuration_spec.rb +254 -0
data/spec/zuul/context_spec.rb +128 -0
data/spec/zuul_spec.rb +15 -0
metadata +181 -70
data/.document +0 -5
data/.gitignore +0 -23
data/LICENSE +0 -20
data/README.rdoc +0 -65
data/Rakefile +0 -54
data/VERSION +0 -1
data/lib/zuul/restrict_access.rb +0 -104
data/lib/zuul/valid_roles.rb +0 -37
data/spec/rails_root/app/controllers/application_controller.rb +0 -2
data/spec/rails_root/app/models/user.rb +0 -8
data/spec/rails_root/config/boot.rb +0 -110
data/spec/rails_root/config/database.yml +0 -5
data/spec/rails_root/config/environment.rb +0 -7
data/spec/rails_root/config/environments/test.rb +0 -7
data/spec/rails_root/config/initializers/session_store.rb +0 -15
data/spec/rails_root/config/routes.rb +0 -4
data/spec/rails_root/db/test.sqlite3 +0 -0
data/spec/rails_root/log/test.log +0 -5388
data/spec/rails_root/spec/controllers/require_user_spec.rb +0 -138
data/spec/rails_root/spec/controllers/restrict_access_spec.rb +0 -64
data/spec/rails_root/spec/models/user_spec.rb +0 -37
data/spec/rails_root/spec/spec_helper.rb +0 -34
data/zuul.gemspec +0 -78

data/lib/zuul/active_record/permission_role.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Zuul
+  module ActiveRecord
+    module PermissionRole
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym
+          base.send :validates_uniqueness_of, base.auth_scope.permission_foreign_key.to_sym, :scope => [base.auth_scope.role_foreign_key.to_sym, :context_id, :context_type], :case_sensitive => false
+          base.send :validates_numericality_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :belongs_to, base.auth_scope.permission_class_name.underscore.to_sym
+          base.send :belongs_to, base.auth_scope.role_class_name.underscore.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/permission_subject.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Zuul
+  module ActiveRecord
+    module PermissionSubject
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          base.send :validates_uniqueness_of, base.auth_scope.permission_foreign_key.to_sym, :scope => [base.auth_scope.subject_foreign_key.to_sym, :context_id, :context_type], :case_sensitive => false
+          base.send :validates_numericality_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :belongs_to, base.auth_scope.permission_class_name.underscore.to_sym
+          base.send :belongs_to, base.auth_scope.subject_class_name.underscore.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/role.rb ADDED Viewed

@@ -0,0 +1,117 @@
+module Zuul
+  module ActiveRecord
+    module Role
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+        base.send :include, PermissionMethods if base.auth_scope.config.with_permissions
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context_id, :context_type, :level, :slug
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, :level, :slug
+          base.send :validates_uniqueness_of, :slug, :scope => [:context_id, :context_type], :case_sensitive => false
+          base.send :validates_format_of, :slug, :with => /\A[a-z0-9_]+\Z/
+          base.send :validates_uniqueness_of, :level, :scope => [:context_id, :context_type]
+          base.send :validates_numericality_of, :level, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :has_many, base.auth_scope.role_subjects_table_name.to_sym
+          base.send :has_many, base.auth_scope.subjects_table_name.to_sym, :through => base.auth_scope.role_subjects_table_name.to_sym
+          if base.auth_scope.config.with_permissions
+            base.send :has_many, base.auth_scope.permission_roles_table_name.to_sym
+            base.send :has_many, base.auth_scope.permissions_table_name.to_sym, :through => base.auth_scope.permission_roles_table_name.to_sym
+          end
+        end
+      end
+      module PermissionMethods
+        # Assigns a permission to a role within the provided context.
+        #
+        # If a Permission object is provided it's used directly, otherwise if a
+        # permission slug is provided, the permission is looked up in the context
+        # chain by target_permission.
+        def assign_permission(permission, context=nil, force_context=nil)
+          auth_scope do
+            context = Zuul::Context.parse(context)
+            target = target_permission(permission, context, force_context)
+            return false unless verify_target_context(target, context, force_context) && verify_target_context(self, context, false) && permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
+            return permission_role_class.create(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+          end
+        end
+        # Removes a permission from a role within the provided context.
+        #
+        # If a Permission object is provided it's used directly, otherwise if a
+        # permission slug is provided, the permission is looked up in the context
+        # chain by target_permission.
+        def unassign_permission(permission, context=nil, force_context=nil)
+          auth_scope do
+            context = Zuul::Context.parse(context)
+            target = target_permission(permission, context, force_context)
+            return false if target.nil?
+            assigned_permission = permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+            return false if assigned_permission.nil?
+            return assigned_permission.destroy
+          end
+        end
+        alias_method :remove_permission, :unassign_permission
+        # Checks whether a role has a permission within the provided context.
+        #
+        # If a Permission object is provided it's used directly, otherwise if a
+        # permission slug is provided, the permission is looked up in the context
+        # chain by target_permission.
+        #
+        # The assigned context behaves the same way, in that if the permission is not found
+        # to belong to the role with the specified context, we look up the context chain.
+        #
+        # TODO add options to force context, not go up the chain
+        def has_permission?(permission, context=nil, force_context=nil)
+          auth_scope do
+            force_context ||= config.force_context
+            context = Zuul::Context.parse(context)
+            target = target_permission(permission, context, force_context)
+            return false if target.nil?
+            return true unless (context.id.nil? && !force_context) || permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+            unless force_context
+              return true unless context.class_name.nil? || permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+              return !permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+            end
+          end
+        end
+        alias_method :permission?, :has_permission?
+        alias_method :can?, :has_permission?
+        alias_method :allowed_to?, :has_permission?
+        # Returns all permissions possessed by the role within the provided context.
+        def permissions_for(context=nil, force_context=nil)
+          auth_scope do
+            force_context ||= config.force_context
+            context = Zuul::Context.parse(context)
+            if force_context
+              return permission_class.joins(permission_roles_table_name.to_sym).where(permission_roles_table_name.to_sym => {role_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id})
+            else
+              return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("#{permission_roles_table_name}.#{role_foreign_key} = ? AND (#{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_roles_table_name}.context_type IS NULL) AND (#{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_roles_table_name}.context_id IS NULL)", id, context.class_name, context.id)
+            end
+          end
+        end
+        # Check whether the role possesses any permissions within the specified context.
+        def permissions_for?(context=nil, force_context=nil)
+          permissions_for(context, force_context).count > 0
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/role_subject.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Zuul
+  module ActiveRecord
+    module RoleSubject
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          base.send :validates_uniqueness_of, base.auth_scope.role_foreign_key.to_sym, :scope => [base.auth_scope.subject_foreign_key.to_sym, :context_id, :context_type], :case_sensitive => false
+          base.send :validates_numericality_of, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :belongs_to, base.auth_scope.role_class_name.underscore.to_sym
+          base.send :belongs_to, base.auth_scope.subject_class_name.underscore.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/scope.rb ADDED Viewed

@@ -0,0 +1,71 @@
+module Zuul
+  module ActiveRecord
+    class Scope
+      attr_reader :config, :name
+      protected
+      def initialize(config)
+        @config = config
+        @name = @config.scope
+        define_reflection_methods
+        super()
+      end
+      # Define dynamic reflection methods that reference the config to be used for subjects, roles, permissions and their associations.
+      def define_reflection_methods
+        # *_class_name, *_class, *_table_name methods for all classes
+        @config.classes.to_h.each do |class_type,class_name|
+          class_type_name = class_type.to_s.gsub(/_class$/,'').singularize
+          class_eval do
+            # def CLASS_TYPE_class_name
+            define_method "#{class_type_name}_class_name" do
+              if @config.send(class_type).is_a?(Class)
+                @config.send(class_type).name
+              else
+                @config.send(class_type).to_s.camelize
+              end
+            end
+            alias_method "#{class_type_name.pluralize}_class_name", "#{class_type_name}_class_name"
+            # def CLASS_TYPE_class
+            define_method "#{class_type_name}_class" do
+              "::#{send("#{class_type_name}_class_name")}".constantize
+            end
+            alias_method "#{class_type_name.pluralize}_class", "#{class_type_name}_class"
+            # def CLASS_TYPE_table_name
+            define_method "#{class_type_name}_table_name" do
+              send("#{class_type_name}_class").table_name
+            end
+            alias_method "#{class_type_name.pluralize}_table_name", "#{class_type_name}_table_name"
+            unless class_type.to_s.underscore == "#{class_name.to_s.underscore}_class"
+              ["_class_name", "_class", "_table_name"].each do |suffix|
+                alias_method "#{class_name.to_s.underscore.singularize}#{suffix}", "#{class_type_name}#{suffix}"
+                alias_method "#{class_name.to_s.underscore.pluralize}#{suffix}", "#{class_name.to_s.underscore.singularize}#{suffix}"
+              end
+            end
+          end
+        end
+        # *_foreign_key method for primary classes
+        @config.primary_classes.to_h.each do |class_type,class_name|
+          class_type_name = class_type.to_s.gsub(/_class$/,'').singularize
+          class_eval do
+            # def CLASS_TYPE_foreign_key
+            define_method "#{class_type_name}_foreign_key" do
+              "#{send("#{class_type_name}_table_name").singularize}_#{send("#{class_type_name}_class").primary_key}"
+            end
+            alias_method "#{class_type.to_s.gsub(/_class$/,"").pluralize}_foreign_key", "#{class_type.to_s.gsub(/_class$/,"").singularize}_foreign_key"
+            unless class_type.to_s.underscore == "#{class_name.to_s.underscore}_class"
+              alias_method "#{class_name.to_s.underscore.singularize}_foreign_key", "#{class_type.to_s.gsub(/_class$/,"").singularize}_foreign_key" # CLASS_NAME_foreign_key
+              alias_method "#{class_name.to_s.underscore.pluralize}_foreign_key", "#{class_name.to_s.underscore.singularize}_foreign_key"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/subject.rb ADDED Viewed

@@ -0,0 +1,239 @@
+module Zuul
+  module ActiveRecord
+    module Subject
+      def self.included(base)
+        base.send :include, RoleMethods
+        base.send(:include, PermissionMethods) if base.auth_scope.config.with_permissions
+      end
+      module RoleMethods
+        def self.included(base)
+          base.send :extend, ClassMethods
+          base.send :include, InstanceMethods
+        end
+        module ClassMethods
+          def self.extended(base)
+            base.send :has_many, base.auth_scope.role_subjects_table_name.to_sym
+            base.send :has_many, base.auth_scope.roles_table_name.to_sym, :through => base.auth_scope.role_subjects_table_name.to_sym
+          end
+        end
+        module InstanceMethods
+          # Assigns a role to a subject within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          def assign_role(role, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false unless verify_target_context(target, context, force_context) && role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
+              return role_subject_class.create(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            end
+          end
+          # Removes a role from a subject within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          def unassign_role(role, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false if target.nil?
+              assigned_role = role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+              return false if assigned_role.nil?
+              return assigned_role.destroy
+            end
+          end
+          alias_method :remove_role, :unassign_role
+          # Checks whether a subject has a role within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          #
+          # The assigned context behaves the same way, in that if the role is not found
+          # to belong to the subject with the specified context, we look up the context chain.
+          def has_role?(role, context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false if target.nil?
+              return true unless (context.id.nil? && !force_context) || role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+              return false if force_context
+              return true unless context.class_name.nil? || role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+              return !role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+            end
+          end
+          alias_method :role?, :has_role?
+          # Checks whether a subject has the specified role or a role with a level greather than
+          # that of the specified role, within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          #
+          # The assigned context behaves the same way, in that if a matching role is not found
+          # to belong to the subject with the specified context, we look up the context chain.
+          def has_role_or_higher?(role, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false if target.nil?
+              return true if has_role?(target, context, force_context)
+              return true unless context.id.nil? || role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
+              return true unless context.class_name.nil? || role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => nil).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
+              return !role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, :context_type => nil, :context_id => nil).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
+            end
+          end
+          alias_method :role_or_higher?, :has_role_or_higher?
+          alias_method :at_least_role?, :has_role_or_higher?
+          # Returns the highest level role a subject possesses within the provided context.
+          #
+          # This includes any roles found by looking up the context chain.
+          def highest_role(context=nil, force_context=nil)
+            return nil unless roles_for?(context, force_context)
+            roles_for(context, force_context).order(:level).reverse_order.limit(1).first
+          end
+          # Returns all roles possessed by the subject within the provided context.
+          #
+          # This includes all roles found by looking up the context chain.
+          def roles_for(context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              if force_context
+                return role_class.joins(role_subjects_table_name.to_sym).where("#{role_subjects_table_name}.#{subject_foreign_key} = ? AND #{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?", id, context.class_name, context.id)
+              else
+                return role_class.joins(role_subjects_table_name.to_sym).where("#{role_subjects_table_name}.#{subject_foreign_key} = ? AND ((#{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{role_subjects_table_name}.context_type IS NULL) AND (#{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{role_subjects_table_name}.context_id IS NULL))", id, context.class_name, context.id)
+              end
+            end
+          end
+          # Check whether the subject possesses any roles within the specified context.
+          #
+          # This includes any roles found by looking up the context chain.
+          def roles_for?(context=nil, force_context=nil)
+            roles_for(context, force_context).count > 0
+          end
+        end
+      end
+      module PermissionMethods
+        def self.included(base)
+          base.send :extend, ClassMethods
+          base.send :include, InstanceMethods
+        end
+        module ClassMethods
+          def self.extended(base)
+            base.send :has_many, base.auth_scope.permission_subjects_table_name.to_sym
+            base.send :has_many, base.auth_scope.permissions_table_name.to_sym, :through => base.auth_scope.permission_subjects_table_name.to_sym
+          end
+        end
+        module InstanceMethods
+          # Assigns a permission to a subject within the provided context.
+          #
+          # If a Permission object is provided it's used directly, otherwise if a
+          # permission slug is provided, the permission is looked up in the context
+          # chain by target_permission.
+          def assign_permission(permission, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_permission(permission, context, force_context)
+              return false unless verify_target_context(target, context, force_context) && permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
+              return permission_subject_class.create(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            end
+          end
+          # Removes a permission from a subject within the provided context.
+          #
+          # If a Permission object is provided it's used directly, otherwise if a
+          # permission slug is provided, the permission is looked up in the context
+          # chain by target_permission.
+          def unassign_permission(permission, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_permission(permission, context, force_context)
+              return false if target.nil?
+              assigned_permission = permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+              return false if assigned_permission.nil?
+              return assigned_permission.destroy
+            end
+          end
+          alias_method :remove_permission, :unassign_permission
+          # Checks whether a subject has a permission within the provided context.
+          #
+          # If a Permission object is provided it's used directly, otherwise if a
+          # permission slug is provided, the permission is looked up in the context
+          # chain by target_permission.
+          #
+          # The assigned context behaves the same way, in that if the permission is not found
+          # to belong to the subject with the specified context, we look up the context chain.
+          #
+          # Permissions belonging to roles possessed by the subject are also included.
+          def has_permission?(permission, context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              target = target_permission(permission, context, force_context)
+              return false if target.nil?
+              return true unless (context.id.nil? && !force_context) || permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+              unless force_context
+                return true unless context.class_name.nil? || permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+                return true unless permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+              end
+              return true unless (context.id.nil? && !force_context) || permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+              return false if force_context
+              return true unless context.class_name.nil? || permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+              return !permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+            end
+          end
+          alias_method :permission?, :has_permission?
+          alias_method :can?, :has_permission?
+          alias_method :allowed_to?, :has_permission?
+          # Returns all permissions possessed by the subject within the provided context.
+          #
+          # This includes permissions assigned directly to the subject or any roles possessed by
+          # the subject, as well as all permissions found by looking up the context chain.
+          def permissions_for(context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              if force_context
+                return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id LEFT JOIN #{permission_subjects_table_name} ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("(#{permission_subjects_table_name}.#{subject_foreign_key} = ? AND #{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?) OR (#{permission_roles_table_name}.#{role_foreign_key} IN (?) AND #{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ?)", id, context.class_name, context.id, roles_for(context).map(&:id), context.class_name, context.id)
+              else
+                return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id LEFT JOIN #{permission_subjects_table_name} ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("(#{permission_subjects_table_name}.#{subject_foreign_key} = ? AND (#{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_subjects_table_name}.context_type IS NULL) AND (#{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_subjects_table_name}.context_id IS NULL)) OR (#{permission_roles_table_name}.#{role_foreign_key} IN (?) AND (#{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_roles_table_name}.context_type IS NULL) AND (#{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_roles_table_name}.context_id IS NULL))", id, context.class_name, context.id, roles_for(context).map(&:id), context.class_name, context.id)
+              end
+            end
+          end
+          # Check whether the subject possesses any permissions within the specified context.
+          #
+          # This includes permissions assigned directly to the subject or any roles possessed by
+          # the subject, as well as all permissions found by looking up the context chain.
+          def permissions_for?(context=nil, force_context=nil)
+            permissions_for(context, force_context).count > 0
+          end
+        end
+      end
+    end
+  end
+end