RubyGems - zuul - Versions diffs - 0.1.1 → 0.2.0 - Mend

zuul 0.1.1 → 0.2.0

Files changed (80) hide show

data/lib/generators/zuul/orm_helpers.rb +21 -0
data/lib/generators/zuul/permission_generator.rb +57 -0
data/lib/generators/zuul/permission_role_generator.rb +40 -0
data/lib/generators/zuul/permission_subject_generator.rb +40 -0
data/lib/generators/zuul/role_generator.rb +58 -0
data/lib/generators/zuul/role_subject_generator.rb +40 -0
data/lib/generators/zuul/subject_generator.rb +39 -0
data/lib/generators/zuul/templates/permission.rb +18 -0
data/lib/generators/zuul/templates/permission_existing.rb +25 -0
data/lib/generators/zuul/templates/permission_role.rb +17 -0
data/lib/generators/zuul/templates/permission_role_existing.rb +24 -0
data/lib/generators/zuul/templates/permission_subject.rb +17 -0
data/lib/generators/zuul/templates/permission_subject_existing.rb +24 -0
data/lib/generators/zuul/templates/role.rb +20 -0
data/lib/generators/zuul/templates/role_existing.rb +27 -0
data/lib/generators/zuul/templates/role_subject.rb +17 -0
data/lib/generators/zuul/templates/role_subject_existing.rb +24 -0
data/lib/tasks/zuul.rake +56 -0
data/lib/zuul.rb +14 -5
data/lib/zuul/action_controller.rb +108 -0
data/lib/zuul/action_controller/dsl.rb +384 -0
data/lib/zuul/action_controller/evaluators.rb +60 -0
data/lib/zuul/active_record.rb +338 -0
data/lib/zuul/active_record/context.rb +38 -0
data/lib/zuul/active_record/permission.rb +31 -0
data/lib/zuul/active_record/permission_role.rb +29 -0
data/lib/zuul/active_record/permission_subject.rb +29 -0
data/lib/zuul/active_record/role.rb +117 -0
data/lib/zuul/active_record/role_subject.rb +29 -0
data/lib/zuul/active_record/scope.rb +71 -0
data/lib/zuul/active_record/subject.rb +239 -0
data/lib/zuul/configuration.rb +149 -0
data/lib/zuul/context.rb +53 -0
data/lib/zuul/exceptions.rb +3 -0
data/lib/zuul/exceptions/access_denied.rb +9 -0
data/lib/zuul/exceptions/invalid_context.rb +9 -0
data/lib/zuul/exceptions/undefined_scope.rb +9 -0
data/lib/zuul/railtie.rb +5 -0
data/lib/zuul/version.rb +3 -0
data/lib/zuul_viz.rb +195 -0
data/spec/db/schema.rb +172 -0
data/spec/spec_helper.rb +25 -0
data/spec/support/capture_stdout.rb +12 -0
data/spec/support/models.rb +167 -0
data/spec/zuul/active_record/context_spec.rb +55 -0
data/spec/zuul/active_record/permission_role_spec.rb +84 -0
data/spec/zuul/active_record/permission_spec.rb +174 -0
data/spec/zuul/active_record/permission_subject_spec.rb +84 -0
data/spec/zuul/active_record/role_spec.rb +694 -0
data/spec/zuul/active_record/role_subject_spec.rb +84 -0
data/spec/zuul/active_record/scope_spec.rb +75 -0
data/spec/zuul/active_record/subject_spec.rb +1186 -0
data/spec/zuul/active_record_spec.rb +624 -0
data/spec/zuul/configuration_spec.rb +254 -0
data/spec/zuul/context_spec.rb +128 -0
data/spec/zuul_spec.rb +15 -0
metadata +181 -70
data/.document +0 -5
data/.gitignore +0 -23
data/LICENSE +0 -20
data/README.rdoc +0 -65
data/Rakefile +0 -54
data/VERSION +0 -1
data/lib/zuul/restrict_access.rb +0 -104
data/lib/zuul/valid_roles.rb +0 -37
data/spec/rails_root/app/controllers/application_controller.rb +0 -2
data/spec/rails_root/app/models/user.rb +0 -8
data/spec/rails_root/config/boot.rb +0 -110
data/spec/rails_root/config/database.yml +0 -5
data/spec/rails_root/config/environment.rb +0 -7
data/spec/rails_root/config/environments/test.rb +0 -7
data/spec/rails_root/config/initializers/session_store.rb +0 -15
data/spec/rails_root/config/routes.rb +0 -4
data/spec/rails_root/db/test.sqlite3 +0 -0
data/spec/rails_root/log/test.log +0 -5388
data/spec/rails_root/spec/controllers/require_user_spec.rb +0 -138
data/spec/rails_root/spec/controllers/restrict_access_spec.rb +0 -64
data/spec/rails_root/spec/models/user_spec.rb +0 -37
data/spec/rails_root/spec/spec_helper.rb +0 -34
data/zuul.gemspec +0 -78

data/lib/zuul/active_record/permission_role.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Zuul
+  module ActiveRecord
+    module PermissionRole
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym
+          base.send :validates_uniqueness_of, base.auth_scope.permission_foreign_key.to_sym, :scope => [base.auth_scope.role_foreign_key.to_sym, :context_id, :context_type], :case_sensitive => false
+          base.send :validates_numericality_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :belongs_to, base.auth_scope.permission_class_name.underscore.to_sym
+          base.send :belongs_to, base.auth_scope.role_class_name.underscore.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/permission_subject.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Zuul
+  module ActiveRecord
+    module PermissionSubject
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          base.send :validates_uniqueness_of, base.auth_scope.permission_foreign_key.to_sym, :scope => [base.auth_scope.subject_foreign_key.to_sym, :context_id, :context_type], :case_sensitive => false
+          base.send :validates_numericality_of, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :belongs_to, base.auth_scope.permission_class_name.underscore.to_sym
+          base.send :belongs_to, base.auth_scope.subject_class_name.underscore.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/role.rb ADDED Viewed

@@ -0,0 +1,117 @@
+module Zuul
+  module ActiveRecord
+    module Role
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+        base.send :include, PermissionMethods if base.auth_scope.config.with_permissions
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context_id, :context_type, :level, :slug
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, :level, :slug
+          base.send :validates_uniqueness_of, :slug, :scope => [:context_id, :context_type], :case_sensitive => false
+          base.send :validates_format_of, :slug, :with => /\A[a-z0-9_]+\Z/
+          base.send :validates_uniqueness_of, :level, :scope => [:context_id, :context_type]
+          base.send :validates_numericality_of, :level, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :has_many, base.auth_scope.role_subjects_table_name.to_sym
+          base.send :has_many, base.auth_scope.subjects_table_name.to_sym, :through => base.auth_scope.role_subjects_table_name.to_sym
+          if base.auth_scope.config.with_permissions
+            base.send :has_many, base.auth_scope.permission_roles_table_name.to_sym
+            base.send :has_many, base.auth_scope.permissions_table_name.to_sym, :through => base.auth_scope.permission_roles_table_name.to_sym
+          end
+        end
+      end
+      module PermissionMethods
+        # Assigns a permission to a role within the provided context.
+        #
+        # If a Permission object is provided it's used directly, otherwise if a
+        # permission slug is provided, the permission is looked up in the context
+        # chain by target_permission.
+        def assign_permission(permission, context=nil, force_context=nil)
+          auth_scope do
+            context = Zuul::Context.parse(context)
+            target = target_permission(permission, context, force_context)
+            return false unless verify_target_context(target, context, force_context) && verify_target_context(self, context, false) && permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
+            return permission_role_class.create(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+          end
+        end
+        # Removes a permission from a role within the provided context.
+        #
+        # If a Permission object is provided it's used directly, otherwise if a
+        # permission slug is provided, the permission is looked up in the context
+        # chain by target_permission.
+        def unassign_permission(permission, context=nil, force_context=nil)
+          auth_scope do
+            context = Zuul::Context.parse(context)
+            target = target_permission(permission, context, force_context)
+            return false if target.nil?
+            assigned_permission = permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+            return false if assigned_permission.nil?
+            return assigned_permission.destroy
+          end
+        end
+        alias_method :remove_permission, :unassign_permission
+        # Checks whether a role has a permission within the provided context.
+        #
+        # If a Permission object is provided it's used directly, otherwise if a
+        # permission slug is provided, the permission is looked up in the context
+        # chain by target_permission.
+        #
+        # The assigned context behaves the same way, in that if the permission is not found
+        # to belong to the role with the specified context, we look up the context chain.
+        #
+        # TODO add options to force context, not go up the chain
+        def has_permission?(permission, context=nil, force_context=nil)
+          auth_scope do
+            force_context ||= config.force_context
+            context = Zuul::Context.parse(context)
+            target = target_permission(permission, context, force_context)
+            return false if target.nil?
+            return true unless (context.id.nil? && !force_context) || permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+            unless force_context
+              return true unless context.class_name.nil? || permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+              return !permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+            end
+          end
+        end
+        alias_method :permission?, :has_permission?
+        alias_method :can?, :has_permission?
+        alias_method :allowed_to?, :has_permission?
+        # Returns all permissions possessed by the role within the provided context.
+        def permissions_for(context=nil, force_context=nil)
+          auth_scope do
+            force_context ||= config.force_context
+            context = Zuul::Context.parse(context)
+            if force_context
+              return permission_class.joins(permission_roles_table_name.to_sym).where(permission_roles_table_name.to_sym => {role_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id})
+            else
+              return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("#{permission_roles_table_name}.#{role_foreign_key} = ? AND (#{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_roles_table_name}.context_type IS NULL) AND (#{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_roles_table_name}.context_id IS NULL)", id, context.class_name, context.id)
+            end
+          end
+        end
+        # Check whether the role possesses any permissions within the specified context.
+        def permissions_for?(context=nil, force_context=nil)
+          permissions_for(context, force_context).count > 0
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/role_subject.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Zuul
+  module ActiveRecord
+    module RoleSubject
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+      end
+      module ClassMethods
+        def self.extended(base)
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          add_validations base
+          add_associations base
+        end
+        def self.add_validations(base)
+          base.send :validates_presence_of, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym
+          base.send :validates_uniqueness_of, base.auth_scope.role_foreign_key.to_sym, :scope => [base.auth_scope.subject_foreign_key.to_sym, :context_id, :context_type], :case_sensitive => false
+          base.send :validates_numericality_of, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym, :only_integer => true
+        end
+        def self.add_associations(base)
+          base.send :belongs_to, base.auth_scope.role_class_name.underscore.to_sym
+          base.send :belongs_to, base.auth_scope.subject_class_name.underscore.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/scope.rb ADDED Viewed

@@ -0,0 +1,71 @@
+module Zuul
+  module ActiveRecord
+    class Scope
+      attr_reader :config, :name
+      protected
+      def initialize(config)
+        @config = config
+        @name = @config.scope
+        define_reflection_methods
+        super()
+      end
+      # Define dynamic reflection methods that reference the config to be used for subjects, roles, permissions and their associations.
+      def define_reflection_methods
+        # *_class_name, *_class, *_table_name methods for all classes
+        @config.classes.to_h.each do |class_type,class_name|
+          class_type_name = class_type.to_s.gsub(/_class$/,'').singularize
+          class_eval do
+            # def CLASS_TYPE_class_name
+            define_method "#{class_type_name}_class_name" do
+              if @config.send(class_type).is_a?(Class)
+                @config.send(class_type).name
+              else
+                @config.send(class_type).to_s.camelize
+              end
+            end
+            alias_method "#{class_type_name.pluralize}_class_name", "#{class_type_name}_class_name"
+            # def CLASS_TYPE_class
+            define_method "#{class_type_name}_class" do
+              "::#{send("#{class_type_name}_class_name")}".constantize
+            end
+            alias_method "#{class_type_name.pluralize}_class", "#{class_type_name}_class"
+            # def CLASS_TYPE_table_name
+            define_method "#{class_type_name}_table_name" do
+              send("#{class_type_name}_class").table_name
+            end
+            alias_method "#{class_type_name.pluralize}_table_name", "#{class_type_name}_table_name"
+            unless class_type.to_s.underscore == "#{class_name.to_s.underscore}_class"
+              ["_class_name", "_class", "_table_name"].each do |suffix|
+                alias_method "#{class_name.to_s.underscore.singularize}#{suffix}", "#{class_type_name}#{suffix}"
+                alias_method "#{class_name.to_s.underscore.pluralize}#{suffix}", "#{class_name.to_s.underscore.singularize}#{suffix}"
+              end
+            end
+          end
+        end
+        # *_foreign_key method for primary classes
+        @config.primary_classes.to_h.each do |class_type,class_name|
+          class_type_name = class_type.to_s.gsub(/_class$/,'').singularize
+          class_eval do
+            # def CLASS_TYPE_foreign_key
+            define_method "#{class_type_name}_foreign_key" do
+              "#{send("#{class_type_name}_table_name").singularize}_#{send("#{class_type_name}_class").primary_key}"
+            end
+            alias_method "#{class_type.to_s.gsub(/_class$/,"").pluralize}_foreign_key", "#{class_type.to_s.gsub(/_class$/,"").singularize}_foreign_key"
+            unless class_type.to_s.underscore == "#{class_name.to_s.underscore}_class"
+              alias_method "#{class_name.to_s.underscore.singularize}_foreign_key", "#{class_type.to_s.gsub(/_class$/,"").singularize}_foreign_key" # CLASS_NAME_foreign_key
+              alias_method "#{class_name.to_s.underscore.pluralize}_foreign_key", "#{class_name.to_s.underscore.singularize}_foreign_key"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record/subject.rb ADDED Viewed

@@ -0,0 +1,239 @@
+module Zuul
+  module ActiveRecord
+    module Subject
+      def self.included(base)
+        base.send :include, RoleMethods
+        base.send(:include, PermissionMethods) if base.auth_scope.config.with_permissions
+      end
+      module RoleMethods
+        def self.included(base)
+          base.send :extend, ClassMethods
+          base.send :include, InstanceMethods
+        end
+        module ClassMethods
+          def self.extended(base)
+            base.send :has_many, base.auth_scope.role_subjects_table_name.to_sym
+            base.send :has_many, base.auth_scope.roles_table_name.to_sym, :through => base.auth_scope.role_subjects_table_name.to_sym
+          end
+        end
+        module InstanceMethods
+          # Assigns a role to a subject within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          def assign_role(role, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false unless verify_target_context(target, context, force_context) && role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
+              return role_subject_class.create(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            end
+          end
+          # Removes a role from a subject within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          def unassign_role(role, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false if target.nil?
+              assigned_role = role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+              return false if assigned_role.nil?
+              return assigned_role.destroy
+            end
+          end
+          alias_method :remove_role, :unassign_role
+          # Checks whether a subject has a role within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          #
+          # The assigned context behaves the same way, in that if the role is not found
+          # to belong to the subject with the specified context, we look up the context chain.
+          def has_role?(role, context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false if target.nil?
+              return true unless (context.id.nil? && !force_context) || role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+              return false if force_context
+              return true unless context.class_name.nil? || role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+              return !role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+            end
+          end
+          alias_method :role?, :has_role?
+          # Checks whether a subject has the specified role or a role with a level greather than
+          # that of the specified role, within the provided context.
+          #
+          # If a Role object is provided it's used directly, otherwise if a role slug
+          # is provided, the role is looked up in the context chain by target_role.
+          #
+          # The assigned context behaves the same way, in that if a matching role is not found
+          # to belong to the subject with the specified context, we look up the context chain.
+          def has_role_or_higher?(role, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_role(role, context, force_context)
+              return false if target.nil?
+              return true if has_role?(target, context, force_context)
+              return true unless context.id.nil? || role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
+              return true unless context.class_name.nil? || role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => nil).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
+              return !role_subject_class.joins(role_class_name.underscore.to_sym).where(subject_foreign_key.to_sym => id, :context_type => nil, :context_id => nil).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
+            end
+          end
+          alias_method :role_or_higher?, :has_role_or_higher?
+          alias_method :at_least_role?, :has_role_or_higher?
+          # Returns the highest level role a subject possesses within the provided context.
+          #
+          # This includes any roles found by looking up the context chain.
+          def highest_role(context=nil, force_context=nil)
+            return nil unless roles_for?(context, force_context)
+            roles_for(context, force_context).order(:level).reverse_order.limit(1).first
+          end
+          # Returns all roles possessed by the subject within the provided context.
+          #
+          # This includes all roles found by looking up the context chain.
+          def roles_for(context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              if force_context
+                return role_class.joins(role_subjects_table_name.to_sym).where("#{role_subjects_table_name}.#{subject_foreign_key} = ? AND #{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?", id, context.class_name, context.id)
+              else
+                return role_class.joins(role_subjects_table_name.to_sym).where("#{role_subjects_table_name}.#{subject_foreign_key} = ? AND ((#{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{role_subjects_table_name}.context_type IS NULL) AND (#{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{role_subjects_table_name}.context_id IS NULL))", id, context.class_name, context.id)
+              end
+            end
+          end
+          # Check whether the subject possesses any roles within the specified context.
+          #
+          # This includes any roles found by looking up the context chain.
+          def roles_for?(context=nil, force_context=nil)
+            roles_for(context, force_context).count > 0
+          end
+        end
+      end
+      module PermissionMethods
+        def self.included(base)
+          base.send :extend, ClassMethods
+          base.send :include, InstanceMethods
+        end
+        module ClassMethods
+          def self.extended(base)
+            base.send :has_many, base.auth_scope.permission_subjects_table_name.to_sym
+            base.send :has_many, base.auth_scope.permissions_table_name.to_sym, :through => base.auth_scope.permission_subjects_table_name.to_sym
+          end
+        end
+        module InstanceMethods
+          # Assigns a permission to a subject within the provided context.
+          #
+          # If a Permission object is provided it's used directly, otherwise if a
+          # permission slug is provided, the permission is looked up in the context
+          # chain by target_permission.
+          def assign_permission(permission, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_permission(permission, context, force_context)
+              return false unless verify_target_context(target, context, force_context) && permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
+              return permission_subject_class.create(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            end
+          end
+          # Removes a permission from a subject within the provided context.
+          #
+          # If a Permission object is provided it's used directly, otherwise if a
+          # permission slug is provided, the permission is looked up in the context
+          # chain by target_permission.
+          def unassign_permission(permission, context=nil, force_context=nil)
+            auth_scope do
+              context = Zuul::Context.parse(context)
+              target = target_permission(permission, context, force_context)
+              return false if target.nil?
+              assigned_permission = permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+              return false if assigned_permission.nil?
+              return assigned_permission.destroy
+            end
+          end
+          alias_method :remove_permission, :unassign_permission
+          # Checks whether a subject has a permission within the provided context.
+          #
+          # If a Permission object is provided it's used directly, otherwise if a
+          # permission slug is provided, the permission is looked up in the context
+          # chain by target_permission.
+          #
+          # The assigned context behaves the same way, in that if the permission is not found
+          # to belong to the subject with the specified context, we look up the context chain.
+          #
+          # Permissions belonging to roles possessed by the subject are also included.
+          def has_permission?(permission, context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              target = target_permission(permission, context, force_context)
+              return false if target.nil?
+              return true unless (context.id.nil? && !force_context) || permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+              unless force_context
+                return true unless context.class_name.nil? || permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+                return true unless permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+              end
+              return true unless (context.id.nil? && !force_context) || permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
+              return false if force_context
+              return true unless context.class_name.nil? || permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
+              return !permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+            end
+          end
+          alias_method :permission?, :has_permission?
+          alias_method :can?, :has_permission?
+          alias_method :allowed_to?, :has_permission?
+          # Returns all permissions possessed by the subject within the provided context.
+          #
+          # This includes permissions assigned directly to the subject or any roles possessed by
+          # the subject, as well as all permissions found by looking up the context chain.
+          def permissions_for(context=nil, force_context=nil)
+            auth_scope do
+              force_context ||= config.force_context
+              context = Zuul::Context.parse(context)
+              if force_context
+                return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id LEFT JOIN #{permission_subjects_table_name} ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("(#{permission_subjects_table_name}.#{subject_foreign_key} = ? AND #{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?) OR (#{permission_roles_table_name}.#{role_foreign_key} IN (?) AND #{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ?)", id, context.class_name, context.id, roles_for(context).map(&:id), context.class_name, context.id)
+              else
+                return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id LEFT JOIN #{permission_subjects_table_name} ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("(#{permission_subjects_table_name}.#{subject_foreign_key} = ? AND (#{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_subjects_table_name}.context_type IS NULL) AND (#{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_subjects_table_name}.context_id IS NULL)) OR (#{permission_roles_table_name}.#{role_foreign_key} IN (?) AND (#{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_roles_table_name}.context_type IS NULL) AND (#{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_roles_table_name}.context_id IS NULL))", id, context.class_name, context.id, roles_for(context).map(&:id), context.class_name, context.id)
+              end
+            end
+          end
+          # Check whether the subject possesses any permissions within the specified context.
+          #
+          # This includes permissions assigned directly to the subject or any roles possessed by
+          # the subject, as well as all permissions found by looking up the context chain.
+          def permissions_for?(context=nil, force_context=nil)
+            permissions_for(context, force_context).count > 0
+          end
+        end
+      end
+    end
+  end
+end