RubyGems - zuul - Versions diffs - 0.1.1 → 0.2.0 - Mend

zuul 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

data/lib/generators/zuul/orm_helpers.rb +21 -0
data/lib/generators/zuul/permission_generator.rb +57 -0
data/lib/generators/zuul/permission_role_generator.rb +40 -0
data/lib/generators/zuul/permission_subject_generator.rb +40 -0
data/lib/generators/zuul/role_generator.rb +58 -0
data/lib/generators/zuul/role_subject_generator.rb +40 -0
data/lib/generators/zuul/subject_generator.rb +39 -0
data/lib/generators/zuul/templates/permission.rb +18 -0
data/lib/generators/zuul/templates/permission_existing.rb +25 -0
data/lib/generators/zuul/templates/permission_role.rb +17 -0
data/lib/generators/zuul/templates/permission_role_existing.rb +24 -0
data/lib/generators/zuul/templates/permission_subject.rb +17 -0
data/lib/generators/zuul/templates/permission_subject_existing.rb +24 -0
data/lib/generators/zuul/templates/role.rb +20 -0
data/lib/generators/zuul/templates/role_existing.rb +27 -0
data/lib/generators/zuul/templates/role_subject.rb +17 -0
data/lib/generators/zuul/templates/role_subject_existing.rb +24 -0
data/lib/tasks/zuul.rake +56 -0
data/lib/zuul.rb +14 -5
data/lib/zuul/action_controller.rb +108 -0
data/lib/zuul/action_controller/dsl.rb +384 -0
data/lib/zuul/action_controller/evaluators.rb +60 -0
data/lib/zuul/active_record.rb +338 -0
data/lib/zuul/active_record/context.rb +38 -0
data/lib/zuul/active_record/permission.rb +31 -0
data/lib/zuul/active_record/permission_role.rb +29 -0
data/lib/zuul/active_record/permission_subject.rb +29 -0
data/lib/zuul/active_record/role.rb +117 -0
data/lib/zuul/active_record/role_subject.rb +29 -0
data/lib/zuul/active_record/scope.rb +71 -0
data/lib/zuul/active_record/subject.rb +239 -0
data/lib/zuul/configuration.rb +149 -0
data/lib/zuul/context.rb +53 -0
data/lib/zuul/exceptions.rb +3 -0
data/lib/zuul/exceptions/access_denied.rb +9 -0
data/lib/zuul/exceptions/invalid_context.rb +9 -0
data/lib/zuul/exceptions/undefined_scope.rb +9 -0
data/lib/zuul/railtie.rb +5 -0
data/lib/zuul/version.rb +3 -0
data/lib/zuul_viz.rb +195 -0
data/spec/db/schema.rb +172 -0
data/spec/spec_helper.rb +25 -0
data/spec/support/capture_stdout.rb +12 -0
data/spec/support/models.rb +167 -0
data/spec/zuul/active_record/context_spec.rb +55 -0
data/spec/zuul/active_record/permission_role_spec.rb +84 -0
data/spec/zuul/active_record/permission_spec.rb +174 -0
data/spec/zuul/active_record/permission_subject_spec.rb +84 -0
data/spec/zuul/active_record/role_spec.rb +694 -0
data/spec/zuul/active_record/role_subject_spec.rb +84 -0
data/spec/zuul/active_record/scope_spec.rb +75 -0
data/spec/zuul/active_record/subject_spec.rb +1186 -0
data/spec/zuul/active_record_spec.rb +624 -0
data/spec/zuul/configuration_spec.rb +254 -0
data/spec/zuul/context_spec.rb +128 -0
data/spec/zuul_spec.rb +15 -0
metadata +181 -70
data/.document +0 -5
data/.gitignore +0 -23
data/LICENSE +0 -20
data/README.rdoc +0 -65
data/Rakefile +0 -54
data/VERSION +0 -1
data/lib/zuul/restrict_access.rb +0 -104
data/lib/zuul/valid_roles.rb +0 -37
data/spec/rails_root/app/controllers/application_controller.rb +0 -2
data/spec/rails_root/app/models/user.rb +0 -8
data/spec/rails_root/config/boot.rb +0 -110
data/spec/rails_root/config/database.yml +0 -5
data/spec/rails_root/config/environment.rb +0 -7
data/spec/rails_root/config/environments/test.rb +0 -7
data/spec/rails_root/config/initializers/session_store.rb +0 -15
data/spec/rails_root/config/routes.rb +0 -4
data/spec/rails_root/db/test.sqlite3 +0 -0
data/spec/rails_root/log/test.log +0 -5388
data/spec/rails_root/spec/controllers/require_user_spec.rb +0 -138
data/spec/rails_root/spec/controllers/restrict_access_spec.rb +0 -64
data/spec/rails_root/spec/models/user_spec.rb +0 -37
data/spec/rails_root/spec/spec_helper.rb +0 -34
data/zuul.gemspec +0 -78

data/spec/zuul/active_record/role_subject_spec.rb ADDED Viewed

@@ -0,0 +1,84 @@
+require 'spec_helper'
+describe "Zuul::ActiveRecord::RoleSubject" do
+  before(:each) do
+    Role.acts_as_authorization_role
+  end
+  describe "accessible attributes" do
+    it "should allow mass assignment of role class foreign key" do
+      ru = RoleUser.new(:role_id => 1)
+      ru.role_id.should == 1
+    end
+    it "should allow mass assignment of subject class foreign key" do
+      ru = RoleUser.new(:user_id => 1)
+      ru.user_id.should == 1
+    end
+    it "should allow mass assignment of :context" do
+      context = Context.create(:name => "Test Context")
+      ru = RoleUser.new(:context => context)
+      ru.context_type.should == 'Context'
+      ru.context_id.should == context.id
+    end
+    it "should allow mass assignment of :context_type" do
+      ru = RoleUser.new(:context_type => 'Context')
+      ru.context_type.should == 'Context'
+    end
+    it "should allow mass assignment of :context_id" do
+      ru = RoleUser.new(:context_id => 1)
+      ru.context_id.should == 1
+    end
+  end
+  context "validations for core role fields" do
+    it "should validate presence of role class foreign key" do
+      ru = RoleUser.new()
+      ru.valid?.should be_false
+      ru.errors.keys.should include(:role_id)
+    end
+    it "should validate presence of subject class foreign key" do
+      ru = RoleUser.new()
+      ru.valid?.should be_false
+      ru.errors.keys.should include(:user_id)
+    end
+    it "should validate uniqueness of role class foreign key scoped to context_type, context_id and the subject class foreign key" do
+      RoleUser.create(:role_id => 1, :user_id => 1)
+      ru = RoleUser.create(:role_id => 1, :user_id => 1)
+      ru.valid?.should be_false
+      ru.errors.keys.should include(:role_id)
+      RoleUser.create(:role_id => 1, :user_id => 1, :context_type => 'Context').valid?.should be_true
+      ru = RoleUser.create(:role_id => 1, :user_id => 1, :context_type => 'Context')
+      ru.valid?.should be_false
+      ru.errors.keys.should include(:role_id)
+      RoleUser.create(:role_id => 1, :user_id => 1, :context_type => 'Context', :context_id => 1).valid?.should be_true
+      ru = RoleUser.create(:role_id => 1, :user_id => 1, :context_type => 'Context', :context_id => 1)
+      ru.valid?.should be_false
+      ru.errors.keys.should include(:role_id)
+    end
+    it "should validate numericality of role class foreign key with integers only" do
+      ru = RoleUser.new(:role_id => 'a', :user_id => 1)
+      ru.valid?.should be_false
+      ru.errors.keys.should include(:role_id)
+      ru.role_id = 1.3
+      ru.valid?.should be_false
+      ru.errors.keys.should include(:role_id)
+    end
+  end
+  it "should provide the model with belongs_to associations for roles and subjects" do
+    RoleUser.reflections.keys.should include(:role)
+    RoleUser.reflections.keys.should include(:user)
+    ru = RoleUser.create(:role_id => 1, :use_id => 1)
+    ru.should respond_to(:role)
+    ru.should respond_to(:user)
+  end
+end

data/spec/zuul/active_record/scope_spec.rb ADDED Viewed

@@ -0,0 +1,75 @@
+require 'spec_helper'
+describe "Zuul::ActiveRecord::Scope" do
+  it "should require an auth config to be initialized" do
+    scope = Zuul::ActiveRecord::Scope.new(Zuul::Configuration.new)
+    scope.should be_an_instance_of(Zuul::ActiveRecord::Scope)
+  end
+  context "class reflections" do
+    before(:each) do
+      @scope = Zuul::ActiveRecord::Scope.new(Zuul::Configuration.new)
+    end
+    context "class type methods" do
+      it "should define *_class_name methods for each of the class types" do
+        Zuul::Configuration::DEFAULT_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').singularize}_class_name")
+        end
+      end
+      it "should define *_class methods for each of the class types" do
+        Zuul::Configuration::DEFAULT_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').singularize}_class")
+        end
+      end
+      it "should define *_table_name methods for each of the class types" do
+        Zuul::Configuration::DEFAULT_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').singularize}_table_name")
+        end
+      end
+      it "should define *_foreign_key methods for each of the primary class types" do
+        Zuul::Configuration::PRIMARY_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').singularize}_foreign_key")
+        end
+      end
+      it "should alias pluralized versions of each method" do
+        Zuul::Configuration::DEFAULT_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').pluralize}_class_name")
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').pluralize}_class")
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').pluralize}_table_name")
+        end
+        Zuul::Configuration::PRIMARY_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{class_type.to_s.gsub(/_class$/,'').pluralize}_foreign_key")
+        end
+      end
+    end
+    context "class name methods" do
+      it "should alias class name methods to the class type equivalent" do
+        Zuul::Configuration::DEFAULT_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.singularize}_class_name")
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.singularize}_class")
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.singularize}_table_name")
+        end
+        Zuul::Configuration::PRIMARY_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.singularize}_foreign_key")
+        end
+      end
+      it "should alias plurlized versions of each method" do
+        Zuul::Configuration::DEFAULT_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.underscore.pluralize}_class_name")
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.underscore.pluralize}_class")
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.underscore.pluralize}_table_name")
+        end
+        Zuul::Configuration::PRIMARY_AUTHORIZATION_CLASSES.keys.each do |class_type|
+          @scope.should respond_to("#{@scope.config.send(class_type).to_s.underscore.pluralize}_foreign_key")
+        end
+      end
+    end
+  end
+end

data/spec/zuul/active_record/subject_spec.rb ADDED Viewed

@@ -0,0 +1,1186 @@
+require 'spec_helper'
+describe "Zuul::ActiveRecord::Subject" do
+  it "should extend the model with RoleMethods" do
+    User.acts_as_authorization_subject
+    User.ancestors.include?(Zuul::ActiveRecord::Subject::RoleMethods).should == true
+  end
+  it "should extend the model with PermissionMethods if permissions are enabled" do
+    User.acts_as_authorization_subject
+    User.ancestors.include?(Zuul::ActiveRecord::Subject::PermissionMethods).should == true
+  end
+  it "should not extend the model with PermissionMethods if permissions are disabled" do
+    User.acts_as_authorization_subject :with_permissions => false
+    User.ancestors.include?(Zuul::ActiveRecord::Subject::PermissionMethods).should be_false
+  end
+  describe "RoleMethods" do
+    before(:each) do
+      User.acts_as_authorization_subject
+      Role.acts_as_authorization_role
+    end
+    it "should provide the model with has_many associations for role_subjects and roles" do
+      user = User.create(:name => "Test User")
+      User.reflections.keys.should include(:role_users)
+      User.reflections.keys.should include(:roles)
+      user.should respond_to(:role_users)
+      user.should respond_to(:roles)
+    end
+    it "should use the reflection classes to create the has_many associations" do
+      Soldier.acts_as_authorization_subject :role_class => :rank, :with_permissions => false
+      Rank.acts_as_authorization_role :subject_class => :soldier, :with_permissions => false
+      soldier = Soldier.create(:name => "Test User")
+      Soldier.reflections.keys.should include(:rank_soldiers)
+      Soldier.reflections.keys.should include(:ranks)
+      soldier.should respond_to(:rank_soldiers)
+      soldier.should respond_to(:ranks)
+    end
+    describe "assign_role" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should require a role object or slug" do
+        expect { @user.assign_role }.to raise_exception
+      end
+      it "should accept an optional context" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        expect { @user.assign_role(:admin, nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        role_user = @user.assign_role(:admin)
+        role_user.id.should_not be_nil
+        role_user.context_type.should be_nil
+      end
+      it "should use the context when one is provided" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        context = Context.create(:name => "Test Context")
+        class_role_user = @user.assign_role(role, Context)
+        class_role_user.id.should_not be_nil
+        class_role_user.context_type.should == 'Context'
+        class_role_user.context_id.should be_nil
+        inst_role_user = @user.assign_role(role, context)
+        inst_role_user.id.should_not be_nil
+        inst_role_user.context_type.should == 'Context'
+        inst_role_user.context_id.should == context.id
+      end
+      it "should use target_role to lookup the closest contextual match when a role slug is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        nil_role_user = @user.assign_role(:admin, nil)
+        nil_role_user.id.should_not be_nil
+        nil_role_user.context_type.should be_nil
+        nil_role_user.context_id.should be_nil
+        nil_role_user.role.id.should == nil_role.id
+        class_role_user = @user.assign_role(:admin, Context)
+        class_role_user.id.should_not be_nil
+        class_role_user.context_type.should == 'Context'
+        class_role_user.context_id.should be_nil
+        class_role_user.role.id.should == class_role.id
+        inst_role_user = @user.assign_role(:admin, context)
+        inst_role_user.id.should_not be_nil
+        inst_role_user.context_type.should == 'Context'
+        inst_role_user.context_id.should == context.id
+        inst_role_user.role.id.should == inst_role.id
+      end
+      it "should use the role object when one is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        class_role_user = @user.assign_role(nil_role, Context)
+        class_role_user.id.should_not be_nil
+        class_role_user.context_type.should == 'Context'
+        class_role_user.context_id.should be_nil
+        class_role_user.role.id.should == nil_role.id
+        inst_role_user = @user.assign_role(nil_role, context)
+        inst_role_user.id.should_not be_nil
+        inst_role_user.context_type.should == 'Context'
+        inst_role_user.context_id.should == context.id
+        inst_role_user.role.id.should == nil_role.id
+      end
+      it "should fail and return false if the provided role is nil" do
+        @user.assign_role(nil).should be_false
+        @user.assign_role(nil, Context).should be_false
+      end
+      it "should fail and return false if the provided role cannot be used within the provided context" do
+        context = Context.create(:name => "Test Context")
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(class_role, nil).should be_false
+        @user.assign_role(inst_role, nil).should be_false
+        @user.assign_role(inst_role, Context).should be_false
+      end
+      it "should create the role_subjects record to link the subject to the provided role" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(role)
+        RoleUser.where(:user_id => @user.id, :role_id => role.id).count.should == 1
+      end
+      it "should fail and return false if the provided role is already assigned in the provided context" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        context = Context.create(:name => "Test Context")
+        @user.assign_role(role)
+        @user.assign_role(role).should be_false
+        @user.assign_role(role, Context)
+        @user.assign_role(role, Context).should be_false
+        @user.assign_role(role, context)
+        @user.assign_role(role, context).should be_false
+      end
+      context "when forcing context" do
+        it "should not go up the context chain to find the role when a role slug is provided" do
+          context = Context.create(:name => "Test Context")
+          nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          nil_role_user = @user.assign_role(:admin, nil, true)
+          nil_role_user.id.should_not be_nil
+          nil_role_user.context_type.should be_nil
+          nil_role_user.context_id.should be_nil
+          nil_role_user.role.id.should == nil_role.id
+          @user.assign_role(:admin, Context, true).should be_false
+          class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+          class_role_user = @user.assign_role(:admin, Context, true)
+          class_role_user.id.should_not be_nil
+          class_role_user.context_type.should == 'Context'
+          class_role_user.context_id.should be_nil
+          class_role_user.role.id.should == class_role.id
+          @user.assign_role(:admin, context, true).should be_false
+          inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+          inst_role_user = @user.assign_role(:admin, context, true)
+          inst_role_user.id.should_not be_nil
+          inst_role_user.context_type.should == 'Context'
+          inst_role_user.context_id.should == context.id
+          inst_role_user.role.id.should == inst_role.id
+        end
+      end
+    end
+    describe "unassign_role" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should require a role object or slug" do
+        expect { @user.unassign_role }.to raise_exception
+      end
+      it "should accept an optional context" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        expect { @user.unassign_role(:admin, nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(:admin, nil)
+        @user.assign_role(:admin, Context)
+        unassigned = @user.unassign_role(:admin)
+        unassigned.should be_an_instance_of(RoleUser)
+        roles = RoleUser.where(:user_id => @user.id, :role_id => role.id)
+        roles.length.should == 1
+        roles[0].context_type.should == 'Context'
+      end
+      it "should use target_role to lookup the closest contextual match when a role slug is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(nil_role, nil)
+        @user.assign_role(class_role, Context)
+        @user.assign_role(nil_role, Context)
+        @user.assign_role(inst_role, context)
+        @user.assign_role(class_role, context)
+        @user.unassign_role(:admin, context).role_id.should == inst_role.id
+        @user.unassign_role(:admin, context).should be_false
+        @user.unassign_role(:admin, Context).role_id.should == class_role.id
+        @user.unassign_role(:admin, Context).should be_false
+      end
+      it "should use the role object when one is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(nil_role, nil)
+        @user.assign_role(class_role, Context)
+        @user.assign_role(nil_role, Context)
+        @user.assign_role(inst_role, context)
+        @user.assign_role(class_role, context)
+        @user.unassign_role(class_role, context).role_id.should == class_role.id
+        @user.unassign_role(inst_role, context).role_id.should == inst_role.id
+        @user.unassign_role(nil_role, Context).role_id.should == nil_role.id
+        @user.unassign_role(class_role, Context).role_id.should == class_role.id
+      end
+      it "should fail and return false if the provided role is nil" do
+        @user.unassign_role(nil).should be_false
+        @user.unassign_role(nil, Context).should be_false
+      end
+      it "should remove the role_subjects record that links the subject to the provided role" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(role)
+        RoleUser.where(:user_id => @user.id, :role_id => role.id).count.should == 1
+        @user.unassign_role(role)
+        RoleUser.where(:user_id => @user.id, :role_id => role.id).count.should == 0
+      end
+      it "should fail and return false if the provided role is not assigned in the provided context" do
+        context = Context.create(:name => "Test Context")
+        nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(nil_role, Context)
+        @user.assign_role(class_role, context)
+        @user.unassign_role(inst_role, context).should be_false
+        @user.unassign_role(nil_role, nil).should be_false
+        @user.unassign_role(class_role, Context).should be_false
+      end
+      context "when forcing context" do
+        it "should not go up the context chain to find the role when a role slug is provided" do
+          context = Context.create(:name => "Test Context")
+          nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+          inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+          @user.assign_role(nil_role, nil)
+          @user.assign_role(class_role, Context)
+          @user.assign_role(nil_role, Context)
+          @user.assign_role(inst_role, context)
+          @user.assign_role(class_role, context)
+          @user.unassign_role(:admin, context, true).role_id.should == inst_role.id
+          inst_role.destroy
+          @user.unassign_role(:admin, context, true).should be_false
+          @user.unassign_role(:admin, Context, true).role_id.should == class_role.id
+          class_role.destroy
+          @user.unassign_role(:admin, Context, true).should be_false
+        end
+      end
+    end
+    describe "has_role?" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should require a role object or slug" do
+        expect { @user.has_role? }.to raise_exception
+      end
+      it "should accept an optional context" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        expect { @user.has_role?(:admin, nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(:admin, Context)
+        @user.has_role?(:admin).should be_false
+        @user.assign_role(:admin, nil)
+        @user.has_role?(:admin).should be_true
+      end
+      it "should use target_role to lookup the closest contextual match when a role slug is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(nil_role, Context)
+        @user.assign_role(class_role, context)
+        @user.has_role?(:admin, Context).should be_false
+        @user.has_role?(:admin, context).should be_false
+        @user.assign_role(class_role, Context)
+        @user.assign_role(inst_role, context)
+        @user.has_role?(:admin, Context).should be_true
+        @user.has_role?(:admin, context).should be_true
+      end
+      it "should use the role object when one is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(nil_role, Context)
+        @user.assign_role(class_role, context)
+        @user.has_role?(nil_role, Context).should be_true
+        @user.has_role?(class_role, context).should be_true
+        @user.has_role?(class_role, Context).should be_false
+        @user.has_role?(inst_role, context).should be_false
+        @user.assign_role(class_role, Context)
+        @user.assign_role(inst_role, context)
+        @user.has_role?(class_role, Context).should be_true
+        @user.has_role?(inst_role, context).should be_true
+      end
+      it "should return false if the provided role is nil" do
+        @user.has_role?(nil).should be_false
+        @user.has_role?(nil, Context).should be_false
+      end
+      it "should look up the context chain for the assigned role" do
+        context = Context.create(:name => "Test Context")
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(role, nil)
+        @user.has_role?(:admin, Context).should be_true
+        @user.has_role?(:admin, context).should be_true
+        @user.unassign_role(role, nil)
+        @user.assign_role(role, Context)
+        @user.has_role?(:admin, context).should be_true
+      end
+      it "should return false if the provided role is not assigned to the subject within the context chain" do
+        context = Context.create(:name => "Test Context")
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.has_role?(role, context).should be_false
+        @user.has_role?(:admin, Context).should be_false
+        @user.has_role?(role, nil).should be_false
+        @user.assign_role(:admin, context)
+        @user.has_role?(:admin, context).should_not be_false
+        @user.has_role?(role, Context).should be_false
+        @user.has_role?(:admin, nil).should be_false
+        @user.assign_role(:admin, Context)
+        @user.has_role?(:admin, context).should_not be_false
+        @user.has_role?(role, Context).should_not be_false
+        @user.has_role?(role, nil).should be_false
+      end
+      context "when forcing context" do
+        it "should not go up the context chain to find the role when a role slug is provided" do
+          context = Context.create(:name => "Test Context")
+          nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          @user.assign_role(nil_role, Context)
+          @user.has_role?(:admin, Context, false).should be_true
+          @user.has_role?(:admin, Context, true).should be_false
+          class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+          @user.assign_role(class_role, context)
+          @user.has_role?(:admin, context, false).should be_true
+          @user.has_role?(:admin, context, true).should be_false
+        end
+      end
+    end
+    describe "has_role_or_higher?" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should require a role object or slug" do
+        expect { @user.has_role_or_higher? }.to raise_exception
+      end
+      it "should accept an optional context" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        expect { @user.has_role_or_higher?(:admin, nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        mod_role = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+        @user.assign_role(:admin, Context)
+        @user.has_role_or_higher?(:admin).should be_false
+        @user.has_role_or_higher?(:moderator).should be_false
+        @user.assign_role(:admin, nil)
+        @user.has_role_or_higher?(:admin).should be_true
+        @user.has_role_or_higher?(:moderator).should be_true
+      end
+      it "should use target_role to lookup the closest contextual match when a role slug is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        nil_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+        class_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80, :context_type => 'Context')
+        inst_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(nil_admin, Context)
+        @user.assign_role(class_admin, context)
+        @user.has_role_or_higher?(:admin, Context).should be_false
+        @user.has_role_or_higher?(:moderator, Context).should be_false
+        @user.has_role_or_higher?(:admin, context).should be_false
+        @user.has_role_or_higher?(:moderator, context).should be_false
+        @user.assign_role(class_admin, Context)
+        @user.assign_role(inst_admin, context)
+        @user.has_role_or_higher?(:admin, Context).should be_true
+        @user.has_role_or_higher?(:moderator, Context).should be_true
+        @user.has_role_or_higher?(:admin, context).should be_true
+        @user.has_role_or_higher?(:moderator, context).should be_true
+      end
+      it "should use the role object when one is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        inst_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+        nil_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+        class_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80, :context_type => 'Context')
+        inst_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80, :context_type => 'Context', :context_id => context.id)
+        @user.assign_role(nil_admin, Context)
+        @user.assign_role(class_admin, context)
+        @user.has_role_or_higher?(nil_admin, Context).should be_true
+        @user.has_role_or_higher?(nil_mod, Context).should be_true
+        @user.has_role_or_higher?(class_admin, context).should be_true
+        @user.has_role_or_higher?(class_mod, context).should be_true
+        @user.has_role_or_higher?(class_admin, Context).should be_false
+        @user.has_role_or_higher?(class_mod, Context).should be_false
+        @user.has_role_or_higher?(inst_admin, context).should be_false
+        @user.has_role_or_higher?(inst_mod, context).should be_false
+        @user.assign_role(class_admin, Context)
+        @user.assign_role(inst_admin, context)
+        @user.has_role_or_higher?(class_admin, Context).should be_true
+        @user.has_role_or_higher?(class_mod, Context).should be_true
+        @user.has_role_or_higher?(inst_admin, context).should be_true
+        @user.has_role_or_higher?(inst_mod, context).should be_true
+      end
+      it "should return false if the provided role is nil" do
+        @user.has_role_or_higher?(nil).should be_false
+        @user.has_role_or_higher?(nil, Context).should be_false
+      end
+      it "should return true if the subject has the provided role via has_role?" do
+        context = Context.create(:name => "Test Context")
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        mod_role = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+        @user.assign_role(admin_role, nil)
+        @user.has_role_or_higher?(:admin, nil).should be_true
+      end
+      it "should look up the context chain for an assigned role with a level >= that of the provided role" do
+        context = Context.create(:name => "Test Context")
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        mod_role = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+        @user.assign_role(admin_role, nil)
+        @user.has_role_or_higher?(:admin, Context).should be_true
+        @user.has_role_or_higher?(:moderator, Context).should be_true
+        @user.has_role_or_higher?(:admin, context).should be_true
+        @user.has_role_or_higher?(:moderator, context).should be_true
+        @user.unassign_role(admin_role, nil)
+        @user.assign_role(admin_role, Context)
+        @user.has_role_or_higher?(:admin, context).should be_true
+        @user.has_role_or_higher?(:moderator, context).should be_true
+      end
+      it "should return false if a role with a level >= that of the provided role is not assigned to the subject within the context chain" do
+        context = Context.create(:name => "Test Context")
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        mod_role = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+        @user.has_role_or_higher?(admin_role, context).should be_false
+        @user.has_role_or_higher?(admin_role, context).should be_false
+        @user.has_role_or_higher?(:admin, Context).should be_false
+        @user.has_role_or_higher?(:moderator, Context).should be_false
+        @user.has_role_or_higher?(admin_role, nil).should be_false
+        @user.has_role_or_higher?(mod_role, nil).should be_false
+        @user.assign_role(:admin, context)
+        @user.has_role_or_higher?(:admin, context).should_not be_false
+        @user.has_role_or_higher?(:moderator, context).should_not be_false
+        @user.has_role_or_higher?(admin_role, Context).should be_false
+        @user.has_role_or_higher?(mod_role, Context).should be_false
+        @user.has_role_or_higher?(:admin, nil).should be_false
+        @user.has_role_or_higher?(:moderator, nil).should be_false
+        @user.assign_role(:admin, Context)
+        @user.has_role_or_higher?(:admin, context).should_not be_false
+        @user.has_role_or_higher?(:moderator, context).should_not be_false
+        @user.has_role_or_higher?(admin_role, Context).should_not be_false
+        @user.has_role_or_higher?(mod_role, Context).should_not be_false
+        @user.has_role_or_higher?(admin_role, nil).should be_false
+        @user.has_role_or_higher?(mod_role, nil).should be_false
+      end
+      context "when forcing context" do
+        it "should not go up the context chain to find the role when a role slug is provided" do
+          context = Context.create(:name => "Test Context")
+          nil_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          nil_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+          @user.assign_role(nil_admin, Context)
+          @user.has_role_or_higher?(:admin, Context, false).should be_true
+          @user.has_role_or_higher?(:admin, Context, true).should be_false
+          @user.has_role_or_higher?(:moderator, Context, false).should be_true
+          @user.has_role_or_higher?(:moderator, Context, true).should be_false
+          class_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+          class_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80, :context_type => 'Context')
+          @user.assign_role(class_admin, context)
+          @user.has_role_or_higher?(:admin, context, false).should be_true
+          @user.has_role_or_higher?(:admin, context, true).should be_false
+          @user.has_role_or_higher?(:moderator, context, false).should be_true
+          @user.has_role_or_higher?(:moderator, context, true).should be_false
+        end
+      end
+    end
+    describe "highest_role" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should accept an optional context" do
+        expect { @user.highest_role(nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(admin_role, nil)
+        @user.highest_role.id.should == admin_role.id
+      end
+      it "should return nil if no roles are assigned to the subject within the provided context" do
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.highest_role(nil).should be_nil
+        @user.highest_role(Context).should be_nil
+        @user.assign_role(admin_role, nil)
+        @user.highest_role(nil).id.should == admin_role.id
+        @user.highest_role(Context).id.should == admin_role.id
+      end
+      it "should return the role with the highest level that is assigned to the subject within the provided context" do
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        mod_role = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+        @user.assign_role(admin_role, nil)
+        @user.assign_role(mod_role, nil)
+        @user.assign_role(mod_role, Context)
+        @user.highest_role(nil).id.should == admin_role.id
+        @user.highest_role(Context).id.should == admin_role.id
+        @user.assign_role(admin_role, Context)
+        @user.highest_role(Context).id.should == admin_role.id
+      end
+      context "when forcing context" do
+        it "should only evaluate roles that match the context exactly" do
+          admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          mod_role = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+          @user.assign_role(admin_role, nil)
+          @user.assign_role(mod_role, nil)
+          @user.highest_role(nil).id.should == admin_role.id
+          @user.highest_role(Context).id.should == admin_role.id
+          @user.highest_role(Context, true).should be_nil
+        end
+      end
+    end
+    describe "roles_for" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should accept an optional context" do
+        expect { @user.roles_for(nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(admin_role, Context)
+        @user.roles_for.length.should == 0
+        @user.assign_role(admin_role, nil)
+        @user.roles_for.length.should == 1
+      end
+      it "should return an empty association array if no roles are assigned to the subject within the provided context" do
+        context = Context.create(:name => "Test Context")
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(role, context)
+        @user.roles_for(nil).length.should == 0
+        @user.roles_for(Context).length.should == 0
+      end
+      it "should return all roles assigned to the subject within the provided context" do
+        nil_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        class_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80, :context_type => 'Context')
+        @user.assign_role(nil_admin, Context)
+        @user.assign_role(class_admin, Context)
+        @user.assign_role(class_mod, Context)
+        @user.roles_for(Context).length.should == 3
+      end
+      context "when forcing context" do
+        it "should only return roles that match the context exactly" do
+          admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          mod_role = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80)
+          @user.assign_role(admin_role, nil)
+          @user.assign_role(mod_role, nil)
+          @user.roles_for(nil).length.should == 2
+          @user.roles_for(Context).length.should == 2
+          @user.roles_for(Context, true).length.should == 0
+        end
+      end
+    end
+    describe "roles_for?" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should accept an optional context" do
+        expect { @user.roles_for?(nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(admin_role, Context)
+        @user.roles_for?.should be_false
+        @user.assign_role(admin_role, nil)
+        @user.roles_for?.should be_true
+      end
+      it "should return false if no roles are assigned to the subject within the provided context" do
+        context = Context.create(:name => "Test Context")
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        @user.assign_role(role, context)
+        @user.roles_for?(nil).should be_false
+        @user.roles_for?(Context).should be_false
+      end
+      it "should return true if any roles are assigned to the subject within the provided context" do
+        nil_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        class_admin = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+        class_mod = Role.create(:name => 'Moderator', :slug => 'moderator', :level => 80, :context_type => 'Context')
+        @user.assign_role(nil_admin, Context)
+        @user.assign_role(class_admin, Context)
+        @user.assign_role(class_mod, Context)
+        @user.roles_for?(Context).should be_true
+      end
+      context "when forcing context" do
+        it "should only evaluate roles that match the context exactly" do
+          admin_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          @user.assign_role(admin_role, nil)
+          @user.roles_for?(nil).should be_true
+          @user.roles_for?(Context).should be_true
+          @user.roles_for?(Context, true).should be_false
+        end
+      end
+    end
+  end
+  describe "PermissionMethods" do
+    before(:each) do
+      User.acts_as_authorization_subject
+      Role.acts_as_authorization_role
+      Permission.acts_as_authorization_permission
+    end
+    it "should provide the model with has_many associations for permission_subjects and permissions" do
+      user = User.create(:name => "Test User")
+      User.reflections.keys.should include(:permission_users)
+      User.reflections.keys.should include(:permissions)
+      user.should respond_to(:permission_users)
+      user.should respond_to(:permissions)
+    end
+    it "should use the reflection classes to create the has_many associations" do
+      Soldier.acts_as_authorization_subject :permission_class => :skill, :role_class => :rank
+      Skill.acts_as_authorization_permission :subject_class => :soldier, :role_class => :rank
+      soldier = Soldier.create(:name => "Test User")
+      Soldier.reflections.keys.should include(:skill_soldiers)
+      Soldier.reflections.keys.should include(:skills)
+      soldier.should respond_to(:skill_soldiers)
+      soldier.should respond_to(:skills)
+    end
+    describe "assign_permission" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should require a permission object or slug" do
+        expect { @user.assign_permission }.to raise_exception
+      end
+      it "should accept an optional context" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        expect { @user.assign_permission(:edit, nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        permission_user = @user.assign_permission(:edit)
+        permission_user.id.should_not be_nil
+        permission_user.context_type.should be_nil
+      end
+      it "should use the context when one is provided" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        context = Context.create(:name => "Test Context")
+        class_permission_user = @user.assign_permission(permission, Context)
+        class_permission_user.id.should_not be_nil
+        class_permission_user.context_type.should == 'Context'
+        class_permission_user.context_id.should be_nil
+        inst_permission_user = @user.assign_permission(permission, context)
+        inst_permission_user.id.should_not be_nil
+        inst_permission_user.context_type.should == 'Context'
+        inst_permission_user.context_id.should == context.id
+      end
+      it "should use target_permission to lookup the closest contextual match when a permission slug is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        nil_permission_user = @user.assign_permission(:edit, nil)
+        nil_permission_user.id.should_not be_nil
+        nil_permission_user.context_type.should be_nil
+        nil_permission_user.context_id.should be_nil
+        nil_permission_user.permission.id.should == nil_permission.id
+        class_permission_user = @user.assign_permission(:edit, Context)
+        class_permission_user.id.should_not be_nil
+        class_permission_user.context_type.should == 'Context'
+        class_permission_user.context_id.should be_nil
+        class_permission_user.permission.id.should == class_permission.id
+        inst_permission_user = @user.assign_permission(:edit, context)
+        inst_permission_user.id.should_not be_nil
+        inst_permission_user.context_type.should == 'Context'
+        inst_permission_user.context_id.should == context.id
+        inst_permission_user.permission.id.should == inst_permission.id
+      end
+      it "should use the permission object when one is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        class_permission_user = @user.assign_permission(nil_permission, Context)
+        class_permission_user.id.should_not be_nil
+        class_permission_user.context_type.should == 'Context'
+        class_permission_user.context_id.should be_nil
+        class_permission_user.permission.id.should == nil_permission.id
+        inst_permission_user = @user.assign_permission(nil_permission, context)
+        inst_permission_user.id.should_not be_nil
+        inst_permission_user.context_type.should == 'Context'
+        inst_permission_user.context_id.should == context.id
+        inst_permission_user.permission.id.should == nil_permission.id
+      end
+      it "should fail and return false if the provided permission is nil" do
+        @user.assign_permission(nil).should be_false
+        @user.assign_permission(nil, Context).should be_false
+      end
+      it "should fail and return false if the provided permission cannot be used within the provided context" do
+        context = Context.create(:name => "Test Context")
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        @user.assign_permission(class_permission, nil).should be_false
+        @user.assign_permission(inst_permission, nil).should be_false
+        @user.assign_permission(inst_permission, Context).should be_false
+      end
+      it "should create the permission_subjects record to link the subject to the provided permission" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(permission)
+        PermissionUser.where(:user_id => @user.id, :permission_id => permission.id).count.should == 1
+      end
+      it "should fail and return false if the provided permission is already assigned in the provided context" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        context = Context.create(:name => "Test Context")
+        @user.assign_permission(permission)
+        @user.assign_permission(permission).should be_false
+        @user.assign_permission(permission, Context)
+        @user.assign_permission(permission, Context).should be_false
+        @user.assign_permission(permission, context)
+        @user.assign_permission(permission, context).should be_false
+      end
+      context "when forcing context" do
+        it "should not go up the context chain to find the permission when a permission slug is provided" do
+          context = Context.create(:name => "Test Context")
+          nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+          nil_permission_user = @user.assign_permission(:edit, nil)
+          nil_permission_user.id.should_not be_nil
+          nil_permission_user.context_type.should be_nil
+          nil_permission_user.context_id.should be_nil
+          nil_permission_user.permission.id.should == nil_permission.id
+          @user.assign_permission(:edit, Context, true).should be_false
+          class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+          class_permission_user = @user.assign_permission(:edit, Context, true)
+          class_permission_user.id.should_not be_nil
+          class_permission_user.context_type.should == 'Context'
+          class_permission_user.context_id.should be_nil
+          class_permission_user.permission.id.should == class_permission.id
+          @user.assign_permission(:edit, context, true).should be_false
+          inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+          inst_permission_user = @user.assign_permission(:edit, context, true)
+          inst_permission_user.id.should_not be_nil
+          inst_permission_user.context_type.should == 'Context'
+          inst_permission_user.context_id.should == context.id
+          inst_permission_user.permission.id.should == inst_permission.id
+        end
+      end
+    end
+    describe "unassign_permission" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should require a permission object or slug" do
+        expect { @user.unassign_permission }.to raise_exception
+      end
+      it "should accept an optional context" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        expect { @user.unassign_permission(:edit, nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(:edit, nil)
+        @user.assign_permission(:edit, Context)
+        unassigned = @user.unassign_permission(:edit)
+        unassigned.should be_an_instance_of(PermissionUser)
+        permissions = PermissionUser.where(:user_id => @user.id, :permission_id => permission.id)
+        permissions.length.should == 1
+        permissions[0].context_type.should == 'Context'
+      end
+      it "should use target_permission to lookup the closest contextual match when a permission slug is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        @user.assign_permission(nil_permission, nil)
+        @user.assign_permission(class_permission, Context)
+        @user.assign_permission(nil_permission, Context)
+        @user.assign_permission(inst_permission, context)
+        @user.assign_permission(class_permission, context)
+        @user.unassign_permission(:edit, context).permission_id.should == inst_permission.id
+        @user.unassign_permission(:edit, context).should be_false
+        @user.unassign_permission(:edit, Context).permission_id.should == class_permission.id
+        @user.unassign_permission(:edit, Context).should be_false
+      end
+      it "should use the permission object when one is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        @user.assign_permission(nil_permission, nil)
+        @user.assign_permission(class_permission, Context)
+        @user.assign_permission(nil_permission, Context)
+        @user.assign_permission(inst_permission, context)
+        @user.assign_permission(class_permission, context)
+        @user.unassign_permission(class_permission, context).permission_id.should == class_permission.id
+        @user.unassign_permission(inst_permission, context).permission_id.should == inst_permission.id
+        @user.unassign_permission(nil_permission, Context).permission_id.should == nil_permission.id
+        @user.unassign_permission(class_permission, Context).permission_id.should == class_permission.id
+      end
+      it "should fail and return false if the provided permission is nil" do
+        @user.unassign_permission(nil).should be_false
+        @user.unassign_permission(nil, Context).should be_false
+      end
+      it "should remove the permission_subjects record that links the subject to the provided permission" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(permission)
+        PermissionUser.where(:user_id => @user.id, :permission_id => permission.id).count.should == 1
+        @user.unassign_permission(permission)
+        PermissionUser.where(:user_id => @user.id, :permission_id => permission.id).count.should == 0
+      end
+      it "should fail and return false if the provided permission is not assigned in the provided context" do
+        context = Context.create(:name => "Test Context")
+        nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        @user.assign_permission(nil_permission, Context)
+        @user.assign_permission(class_permission, context)
+        @user.unassign_permission(inst_permission, context).should be_false
+        @user.unassign_permission(nil_permission, nil).should be_false
+        @user.unassign_permission(class_permission, Context).should be_false
+      end
+      context "when forcing context" do
+        it "should not go up the context chain to find the permission when a permission slug is provided" do
+          context = Context.create(:name => "Test Context")
+          nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+          class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+          inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+          @user.assign_permission(nil_permission, nil)
+          @user.assign_permission(class_permission, Context)
+          @user.assign_permission(nil_permission, Context)
+          @user.assign_permission(inst_permission, context)
+          @user.assign_permission(class_permission, context)
+          @user.unassign_permission(:edit, context, true).permission_id.should == inst_permission.id
+          inst_permission.destroy
+          @user.unassign_permission(:edit, context, true).should be_false
+          @user.unassign_permission(:edit, Context, true).permission_id.should == class_permission.id
+          class_permission.destroy
+          @user.unassign_permission(:edit, Context, true).should be_false
+        end
+      end
+    end
+    describe "has_permission?" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should require a permission object or slug" do
+        expect { @user.has_permission? }.to raise_exception
+      end
+      it "should accept an optional context" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        expect { @user.has_permission?(:edit, nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(:edit, Context)
+        @user.has_permission?(:edit).should be_false
+        @user.assign_permission(:edit, nil)
+        @user.has_permission?(:edit).should be_true
+      end
+      it "should use target_permission to lookup the closest contextual match when a permission slug is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        @user.assign_permission(nil_permission, Context)
+        @user.assign_permission(class_permission, context)
+        @user.has_permission?(:edit, Context).should be_false
+        @user.has_permission?(:edit, context).should be_false
+        @user.assign_permission(class_permission, Context)
+        @user.assign_permission(inst_permission, context)
+        @user.has_permission?(:edit, Context).should be_true
+        @user.has_permission?(:edit, context).should be_true
+      end
+      it "should use the permission object when one is provided" do
+        context = Context.create(:name => "Test Context")
+        nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        inst_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context', :context_id => context.id)
+        @user.assign_permission(nil_permission, Context)
+        @user.assign_permission(class_permission, context)
+        @user.has_permission?(nil_permission, Context).should be_true
+        @user.has_permission?(class_permission, context).should be_true
+        @user.has_permission?(class_permission, Context).should be_false
+        @user.has_permission?(inst_permission, context).should be_false
+        @user.assign_permission(class_permission, Context)
+        @user.assign_permission(inst_permission, context)
+        @user.has_permission?(class_permission, Context).should be_true
+        @user.has_permission?(inst_permission, context).should be_true
+      end
+      it "should return false if the provided permission is nil" do
+        @user.has_permission?(nil).should be_false
+        @user.has_permission?(nil, Context).should be_false
+      end
+      it "should look up the context chain for the assigned permission" do
+        context = Context.create(:name => "Test Context")
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(permission, nil)
+        @user.has_permission?(:edit, Context).should be_true
+        @user.has_permission?(:edit, context).should be_true
+        @user.unassign_permission(permission, nil)
+        @user.assign_permission(permission, Context)
+        @user.has_permission?(:edit, context).should be_true
+      end
+      it "should return false if the provided permission is not assigned to the subject within the context chain" do
+        context = Context.create(:name => "Test Context")
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.has_permission?(permission, context).should be_false
+        @user.has_permission?(:edit, Context).should be_false
+        @user.has_permission?(permission, nil).should be_false
+        @user.assign_permission(:edit, context)
+        @user.has_permission?(:edit, context).should_not be_false
+        @user.has_permission?(permission, Context).should be_false
+        @user.has_permission?(:edit, nil).should be_false
+        @user.assign_permission(:edit, Context)
+        @user.has_permission?(:edit, context).should_not be_false
+        @user.has_permission?(permission, Context).should_not be_false
+        @user.has_permission?(permission, nil).should be_false
+      end
+      context "when forcing context" do
+        it "should not go up the context chain to find the permission when a permission slug is provided" do
+          context = Context.create(:name => "Test Context")
+          nil_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+          @user.assign_permission(nil_permission, Context)
+          @user.has_permission?(:edit, Context, false).should be_true
+          @user.has_permission?(:edit, Context, true).should be_false
+          class_permission = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+          @user.assign_permission(class_permission, context)
+          @user.has_permission?(:edit, context, false).should be_true
+          @user.has_permission?(:edit, context, true).should be_false
+        end
+      end
+    end
+    describe "permissions_for" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should accept an optional context" do
+        expect { @user.permissions_for(nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        edit_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(edit_permission, Context)
+        @user.permissions_for.length.should == 0
+        @user.assign_permission(edit_permission, nil)
+        @user.permissions_for.length.should == 1
+      end
+      it "should return an empty association array if no permissions are assigned to the subject within the provided context" do
+        context = Context.create(:name => "Test Context")
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(permission, context)
+        @user.permissions_for(nil).length.should == 0
+        @user.permissions_for(Context).length.should == 0
+      end
+      it "should return all permissions assigned to the subject within the provided context" do
+        nil_edit = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_edit = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        class_view = Permission.create(:name => 'View', :slug => 'view', :context_type => 'Context')
+        @user.assign_permission(nil_edit, Context)
+        @user.assign_permission(class_edit, Context)
+        @user.assign_permission(class_view, Context)
+        @user.permissions_for(Context).length.should == 3
+      end
+      context "when forcing context" do
+        it "should only return permissions that match the context exactly" do
+          edit_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+          view_permission = Permission.create(:name => 'View', :slug => 'view')
+          @user.assign_permission(edit_permission, nil)
+          @user.assign_permission(view_permission, nil)
+          @user.permissions_for(nil).length.should == 2
+          @user.permissions_for(Context).length.should == 2
+          @user.permissions_for(Context, true).length.should == 0
+        end
+      end
+    end
+    describe "permissions_for?" do
+      before(:each) do
+        @user = User.create(:name => "Test User")
+      end
+      it "should accept an optional context" do
+        expect { @user.permissions_for?(nil) }.to_not raise_exception
+      end
+      it "should use nil context when none is provided" do
+        edit_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(edit_permission, Context)
+        @user.permissions_for?.should be_false
+        @user.assign_permission(edit_permission, nil)
+        @user.permissions_for?.should be_true
+      end
+      it "should return false if no permissions are assigned to the subject within the provided context" do
+        context = Context.create(:name => "Test Context")
+        permission = Permission.create(:name => 'Edit', :slug => 'edit')
+        @user.assign_permission(permission, context)
+        @user.permissions_for?(nil).should be_false
+        @user.permissions_for?(Context).should be_false
+      end
+      it "should return true if any permissions are assigned to the subject within the provided context" do
+        nil_edit = Permission.create(:name => 'Edit', :slug => 'edit')
+        class_edit = Permission.create(:name => 'Edit', :slug => 'edit', :context_type => 'Context')
+        class_view = Permission.create(:name => 'View', :slug => 'view', :context_type => 'Context')
+        @user.assign_permission(nil_edit, Context)
+        @user.assign_permission(class_edit, Context)
+        @user.assign_permission(class_view, Context)
+        @user.permissions_for?(Context).should be_true
+      end
+      context "when forcing context" do
+        it "should only evaluate permissions that match the context exactly" do
+          edit_permission = Permission.create(:name => 'Edit', :slug => 'edit')
+          @user.assign_permission(edit_permission, nil)
+          @user.permissions_for?(nil).should be_true
+          @user.permissions_for?(Context).should be_true
+          @user.permissions_for?(Context, true).should be_false
+        end
+      end
+    end
+  end
+end