zuul 0.1.1 → 0.2.0

data/spec/zuul/active_record_spec.rb

@@ -0,0 +1,624 @@
+require 'spec_helper'
+
+describe "Zuul::ActiveRecord" do
+
+  def prep_dummy
+    Dummy.send :include, Zuul::ActiveRecord
+    Dummy.send :instance_variable_set, :@auth_config, Zuul::Configuration.new
+    Dummy.send :instance_variable_set, :@auth_scopes, {:default => Zuul::ActiveRecord::Scope.new(Zuul::Configuration.new)}
+    Dummy.send :include, Zuul::ActiveRecord::AuthorizationMethods
+  end
+
+  it "should extend ActiveRecord::Base with Zuul::ActiveRecord" do
+    ActiveRecord::Base.ancestors.include?(Zuul::ActiveRecord).should be_true
+  end
+
+  it "should provide the acts_as_authorization_* and acts_as_authorization_*? methods" do
+    [:subject, :role, :permission, :context].each do |type|
+      ActiveRecord::Base.respond_to?("acts_as_authorization_#{type.to_s}").should be_true
+      ActiveRecord::Base.respond_to?("acts_as_authorization_#{type.to_s}?").should be_true
+      Dummy.new.respond_to?("acts_as_authorization_#{type.to_s}").should be_false
+      Dummy.new.respond_to?("acts_as_authorization_#{type.to_s}?").should be_true 
+    end
+  end
+
+  describe "acts_as_authorization_*" do
+    it "should extend the model with Zuul::ActiveRecord::AuthorizationMethods" do
+      User.acts_as_authorization_subject
+      Role.acts_as_authorization_role
+      Permission.acts_as_authorization_permission
+      Context.acts_as_authorization_context
+      [User, Role, Permission, Context].each do |model|
+        model.ancestors.include?(Zuul::ActiveRecord::AuthorizationMethods).should be_true
+      end
+    end
+
+    # TODO maybe move these into 4 different specs for each method?
+    it "should allow passing class arguments to be used with reflections" do
+      Soldier.acts_as_authorization_subject :role_class => Rank, :permission_class => Skill
+      Soldier.auth_scope.role_class.should == Rank
+      Soldier.auth_scope.permission_class.should == Skill
+
+      Rank.acts_as_authorization_role :subject_class => Soldier, :permission_class => Skill
+      Rank.auth_scope.subject_class.should == Soldier
+      Rank.auth_scope.permission_class.should == Skill
+
+      Skill.acts_as_authorization_permission :subject_class => Soldier, :role_class => Rank
+      Skill.auth_scope.subject_class.should == Soldier
+      Skill.auth_scope.role_class.should == Rank
+
+      Weapon.acts_as_authorization_context :permission_class => Skill
+      Weapon.auth_scope.permission_class.should == Skill
+    end
+
+    it "should allow class arguments to be provided as classes, strings or symbols" do
+      Soldier.acts_as_authorization_subject :role_class => Rank, :permission_class => "Skill"
+      Soldier.auth_scope.role_class.should == Rank
+      Soldier.auth_scope.permission_class.should == Skill
+      Rank.acts_as_authorization_role :subject_class => :soldier, :permission_class => "skill"
+      Rank.auth_scope.subject_class.should == Soldier
+      Rank.auth_scope.permission_class.should == Skill
+      Skill.acts_as_authorization_permission :subject_class => Soldier, :role_class => :Rank
+      Skill.auth_scope.subject_class.should == Soldier
+      Skill.auth_scope.role_class.should == Rank
+      Weapon.acts_as_authorization_context :permission_class => Skill
+      Weapon.auth_scope.permission_class.should == Skill
+    end
+
+    it "should allow using namespaced classes" do
+      ZuulModels::User.acts_as_authorization_subject :role_class => ZuulModels::Role, :permission_class => "ZuulModels::Permission"
+      ZuulModels::User.auth_scope.role_class.should == ZuulModels::Role
+      ZuulModels::User.auth_scope.permission_class.should == ZuulModels::Permission
+      ZuulModels::User.auth_scope.role_subject_class.should == ZuulModels::RoleUser
+      ZuulModels::User.auth_scope.permission_subject_class.should == ZuulModels::PermissionUser
+      ZuulModels::User.auth_scope.permission_role_class.should == ZuulModels::PermissionRole
+
+      ZuulModels::Role.acts_as_authorization_role :subject_class => ZuulModels::User, :permission_class => ZuulModels::Permission
+      ZuulModels::Role.auth_scope.subject_class.should == ZuulModels::User
+      ZuulModels::Role.auth_scope.permission_class.should == ZuulModels::Permission
+      ZuulModels::Role.auth_scope.role_subject_class.should == ZuulModels::RoleUser
+      ZuulModels::Role.auth_scope.permission_subject_class.should == ZuulModels::PermissionUser
+      ZuulModels::Role.auth_scope.permission_role_class.should == ZuulModels::PermissionRole
+      
+      ZuulModels::Permission.acts_as_authorization_permission :subject_class => "ZuulModels::User", :role_class => ZuulModels::Role
+      ZuulModels::Permission.auth_scope.subject_class.should == ZuulModels::User
+      ZuulModels::Permission.auth_scope.role_class.should == ZuulModels::Role
+      ZuulModels::Permission.auth_scope.role_subject_class.should == ZuulModels::RoleUser
+      ZuulModels::Permission.auth_scope.permission_subject_class.should == ZuulModels::PermissionUser
+      ZuulModels::Permission.auth_scope.permission_role_class.should == ZuulModels::PermissionRole
+    end
+
+  end
+  
+  describe "acts_as_authorization_*?" do
+    it "should return false by default" do
+      [User, Role, Permission, Context].each do |model|
+        [:subject, :role, :permission, :context].each do |type|
+          model.send("acts_as_authorization_#{type.to_s}?").should be_false
+          model.new.send("acts_as_authorization_#{type.to_s}?").should be_false
+        end
+      end
+    end
+
+    it "should return true if the model acts_as_authorization_*" do
+      User.acts_as_authorization_subject
+      User.acts_as_authorization_subject?.should be_true
+      User.new.acts_as_authorization_subject?.should be_true
+
+      Role.acts_as_authorization_role
+      Role.acts_as_authorization_role?.should be_true
+      Role.new.acts_as_authorization_role?.should be_true
+      
+      Permission.acts_as_authorization_permission
+      Permission.acts_as_authorization_permission?.should be_true
+      Permission.new.acts_as_authorization_permission?.should be_true
+      
+      Context.acts_as_authorization_context
+      Context.acts_as_authorization_context?.should be_true
+      Context.new.acts_as_authorization_context?.should be_true
+    end
+    
+    it "should return the same value from instances and their classes" do
+      User.acts_as_authorization_subject
+      Role.acts_as_authorization_role
+      Permission.acts_as_authorization_permission
+      Context.acts_as_authorization_context
+      [User, Role, Permission, Context].each do |model|
+        [:subject, :role, :permission, :context].each do |type|
+          model.new.send("acts_as_authorization_#{type.to_s}?").should == model.send("acts_as_authorization_#{type.to_s}?")
+        end
+      end
+    end
+  end
+
+  describe "acts_as_authorization_subject" do
+    it "should extend the model with Zuul::ActiveRecord::Subject" do
+      User.acts_as_authorization_subject
+      User.ancestors.include?(Zuul::ActiveRecord::Subject).should be_true
+    end
+
+    it "should extend the model with Zuul::ActiveRecord::Subject:RoleMethods" do
+      User.acts_as_authorization_subject
+      User.ancestors.include?(Zuul::ActiveRecord::Subject::RoleMethods).should be_true
+    end
+    
+    it "should extend the model with Zuul::ActiveRecord::Subject:PermissionMethods if permissions enabled" do
+      User.acts_as_authorization_subject
+      User.ancestors.include?(Zuul::ActiveRecord::Subject::PermissionMethods).should be_true
+    end
+    
+    it "should not extend the model with Zuul::ActiveRecord::Subject:PermissionMethods if permissions disabled" do
+      User.acts_as_authorization_subject :with_permissions => false
+      User.ancestors.include?(Zuul::ActiveRecord::Subject::PermissionMethods).should be_false
+    end
+  end
+
+  describe "acts_as_authorization_role" do
+    it "should extend the model with Zuul::ActiveRecord::Role" do
+      Role.acts_as_authorization_role
+      Role.ancestors.include?(Zuul::ActiveRecord::Role).should be_true
+    end
+    
+    it "should extend the model with Zuul::ActiveRecord::ContextMethods" do
+      Role.acts_as_authorization_role
+      Role.ancestors.include?(Zuul::ActiveRecord::ContextMethods).should be_true
+    end
+    
+    it "should extend the model with Zuul::ActiveRecord::Role::PermissionMethods if permissions enabled" do
+      Role.acts_as_authorization_role
+      Role.ancestors.include?(Zuul::ActiveRecord::Role::PermissionMethods).should be_true
+    end
+    
+    it "should not extend the model with Zuul::ActiveRecord::Role::PermissionMethods if permissions disabled" do
+      Role.acts_as_authorization_role :with_permissions => false
+      Role.ancestors.include?(Zuul::ActiveRecord::Role::PermissionMethods).should be_false
+    end
+  end
+
+  describe "acts_as_authorization_permission" do
+    it "should extend the model with Zuul::ActiveRecord::Permission" do
+      Permission.acts_as_authorization_permission
+      Permission.ancestors.include?(Zuul::ActiveRecord::Permission).should be_true
+    end
+    
+    it "should extend the model with Zuul::ActiveRecord::ContextMethods" do
+      Permission.acts_as_authorization_permission
+      Permission.ancestors.include?(Zuul::ActiveRecord::ContextMethods).should be_true
+    end
+  end
+
+  describe "acts_as_authorization_context" do
+    it "should extend the model with Zuul::ActiveRecord::Context" do
+      Context.acts_as_authorization_context
+      Context.ancestors.include?(Zuul::ActiveRecord::Context).should be_true
+    end
+  end
+
+  describe "AuthorizationMethods" do
+    describe "auth_scope" do
+      before(:each) do
+        Role.acts_as_authorization_role
+        Permission.acts_as_authorization_permission
+        User.acts_as_authorization_subject
+        Level.acts_as_authorization_role :permission_class => :ability
+        Ability.acts_as_authorization_permission :role_class => :level
+        User.acts_as_authorization_subject :scope => :character, :role_class => :level, :permission_class => :ability
+      end
+
+      context "class method" do
+        it "should return the requested scope" do
+          User.auth_scope.name.should == :default
+          User.auth_scope(:character).name.should == :character
+        end
+
+        it "should raise an exception if the scope doesn't exist" do
+          expect { User.auth_scope(:noscope) }.to raise_exception(Zuul::Exceptions::UndefinedScope)
+        end
+
+        context "when calling a method" do
+          it "should allow calling a method within the requested scope" do
+            User.instance_eval do
+              def scope_test_method
+                role_class_name
+              end
+            end
+            User.auth_scope(:character, :scope_test_method).should == User.auth_scope(:character).role_class_name
+          end
+
+          it "should allow calling a method with arguments within the requested scope" do
+            suffix = rand(100)*rand(100)
+            User.instance_eval do
+              def scope_test_method(suf)
+                "#{role_class_name}_#{suf}"
+              end
+            end
+            User.auth_scope(:character, :scope_test_method, suffix).should == "#{User.auth_scope(:character).role_class_name}_#{suffix}"
+          end
+        end
+        
+        context "when passing a block" do
+          it "should allow executing a block within the requested scope" do
+            User.auth_scope(:character) do
+              role_class_name
+            end.should == User.auth_scope(:character).role_class_name
+          end
+
+          it "should allow executing a block with arguments within the requested scope" do
+            suffix = rand(100)*rand(100)
+            User.auth_scope(:character, suffix) do |suf|
+              "#{role_class_name}_#{suf}"
+            end.should == "#{User.auth_scope(:character).role_class_name}_#{suffix}"
+          end
+        end
+      end
+
+      context "instance method" do
+        before(:each) do
+          @user = User.create(:name => "Tester")
+        end
+
+        it "should return the requested scope" do
+          @user.auth_scope.name.should == :default
+          @user.auth_scope(:character).name.should == :character
+        end
+
+        it "should raise an exception if the scope doesn't exist" do
+          expect { @user.auth_scope(:noscope) }.to raise_exception(Zuul::Exceptions::UndefinedScope)
+        end
+
+        context "when calling a method" do
+          it "should allow calling a method within the requested scope" do
+            @user.instance_eval do
+              def scope_test_method
+                role_class_name
+              end
+            end
+            @user.auth_scope(:character, :scope_test_method).should == @user.auth_scope(:character).role_class_name
+          end
+
+          it "should allow calling a method with arguments within the requested scope" do
+            suffix = rand(100)*rand(100)
+            @user.instance_eval do
+              def scope_test_method(suf)
+                "#{role_class_name}_#{suf}"
+              end
+            end
+            @user.auth_scope(:character, :scope_test_method, suffix).should == "#{@user.auth_scope(:character).role_class_name}_#{suffix}"
+          end
+        end
+        
+        context "when passing a block" do
+          it "should allow executing a block within the requested scope" do
+            @user.auth_scope(:character) do
+              role_class_name
+            end.should == @user.auth_scope(:character).role_class_name
+          end
+
+          it "should allow executing a block with arguments within the requested scope" do
+            suffix = rand(100)*rand(100)
+            @user.auth_scope(:character, suffix) do |suf|
+              "#{role_class_name}_#{suf}"
+            end.should == "#{@user.auth_scope(:character).role_class_name}_#{suffix}"
+          end
+        end
+      end
+    end
+
+    describe "target_role" do
+      before(:each) do
+        prep_dummy
+      end
+
+      it "should require a role object or slug and a context" do
+        expect { Dummy.new.target_role }.to raise_exception
+        expect { Dummy.new.target_role(:role) }.to raise_exception
+        expect { Dummy.new.target_role(:role, nil) }.to_not raise_exception
+      end
+
+      it "should accept a role object" do
+        expect { Dummy.new.target_role(Role.new, nil) }.to_not raise_exception
+      end
+
+      it "should accept a string or symbol" do
+        expect { Dummy.new.target_role(:role, nil) }.to_not raise_exception
+        expect { Dummy.new.target_role('role', nil) }.to_not raise_exception
+      end
+
+      it "should allow forcing context" do
+        expect { Dummy.new.target_role(:role, nil, true) }.to_not raise_exception
+        expect { Dummy.new.target_role('role', nil, false) }.to_not raise_exception
+      end
+      
+      context "when looking up a role" do
+        it "should just return the role object if one is passed" do
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          Dummy.new.target_role(role, nil).should === role
+        end
+
+        it "should use the defined role_class for the lookup" do
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          Dummy.new.target_role(:admin, nil).should be_an_instance_of(Role)
+          # TODO add another example that uses different role class
+        end
+
+        it "should use the provided slug for the lookup" do
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          Dummy.new.target_role(:admin, nil).slug.should == 'admin'
+          Dummy.new.target_role('admin', nil).slug.should == 'admin'
+        end
+
+        it "should normalize symbols and strings to lowercase and underscored" do
+          role = Role.create(:name => 'My Cool Role', :slug => 'my_cool_role', :level => 40)
+          Dummy.new.target_role('MyCoolRole', nil).should == role
+          Dummy.new.target_role(:MyCoolRole, nil).should == role
+        end
+        
+        context "within a context" do
+          it "should go up the context chain to find roles" do
+            context = Context.create(:name => "Test Context")
+            nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+            Dummy.new.target_role(:admin, nil).should == nil_role
+            Dummy.new.target_role(:admin, Context).should == nil_role
+            Dummy.new.target_role(:admin, context).should == nil_role
+          end
+
+          it "should use the closest contextual match" do
+            context = Context.create(:name => "Test Context")
+            
+            nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+            Dummy.new.target_role(:admin, nil).should == nil_role
+            Dummy.new.target_role(:admin, Context).should == nil_role
+            Dummy.new.target_role(:admin, context).should == nil_role
+            
+            class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+            Dummy.new.target_role(:admin, nil).should == nil_role
+            Dummy.new.target_role(:admin, Context).should == class_role
+            Dummy.new.target_role(:admin, context).should == class_role
+            
+            inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+            Dummy.new.target_role(:admin, nil).should == nil_role
+            Dummy.new.target_role(:admin, Context).should == class_role
+            Dummy.new.target_role(:admin, context).should == inst_role
+          end
+
+          context "when forcing the context" do
+            it "should not go up the context chain" do
+              context = Context.create(:name => "Test Context")
+              
+              nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+              Dummy.new.target_role(:admin, nil, true).should == nil_role
+              Dummy.new.target_role(:admin, Context, true).should be_nil
+              Dummy.new.target_role(:admin, context, true).should be_nil
+              
+              class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+              Dummy.new.target_role(:admin, nil, true).should == nil_role
+              Dummy.new.target_role(:admin, Context, true).should == class_role
+              Dummy.new.target_role(:admin, context, true).should be_nil
+              
+              inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+              Dummy.new.target_role(:admin, nil, true).should == nil_role
+              Dummy.new.target_role(:admin, Context, true).should == class_role
+              Dummy.new.target_role(:admin, context, true).should == inst_role
+            end
+          end
+        end
+      end
+    end
+
+    describe "target_permission" do
+      before(:each) do
+        prep_dummy
+      end
+
+      it "should require a permission object or slug and a context" do
+        expect { Dummy.new.target_permission }.to raise_exception
+        expect { Dummy.new.target_permission(:permission) }.to raise_exception
+        expect { Dummy.new.target_permission(:permission, nil) }.to_not raise_exception
+      end
+
+      it "should accept a permission object" do
+        expect { Dummy.new.target_permission(Permission.new, nil) }.to_not raise_exception
+      end
+
+      it "should accept a string or symbol" do
+        expect { Dummy.new.target_permission(:permission, nil) }.to_not raise_exception
+        expect { Dummy.new.target_permission('permission', nil) }.to_not raise_exception
+      end
+
+      it "should allow forcing context" do
+        expect { Dummy.new.target_permission(:permission, nil, true) }.to_not raise_exception
+        expect { Dummy.new.target_permission('permission', nil, false) }.to_not raise_exception
+      end
+      
+      context "when looking up a permission" do
+        it "should just return the permission object if one is passed" do
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+          Dummy.new.target_permission(permission, nil).should === permission
+        end
+
+        it "should use the defined permission_class for the lookup" do
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+          Dummy.new.target_permission(:do_something, nil).should be_an_instance_of(Permission)
+          # TODO add another example that uses different permission class
+        end
+
+        it "should use the provided slug for the lookup" do
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+          Dummy.new.target_permission(:do_something, nil).slug.should == 'do_something'
+          Dummy.new.target_permission('do_something', nil).slug.should == 'do_something'
+        end
+
+        it "should normalize symbols and strings to lowercase and underscored" do
+          permission = Permission.create(:name => 'My Cool Permission', :slug => 'my_cool_permission')
+          Dummy.new.target_permission('MyCoolPermission', nil).should == permission
+          Dummy.new.target_permission(:MyCoolPermission, nil).should == permission
+        end
+        
+        context "within a context" do
+          it "should go up the context chain to find permissions" do
+            context = Context.create(:name => "Test Context")
+            nil_permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+            Dummy.new.target_permission(:do_something, nil).should == nil_permission
+            Dummy.new.target_permission(:do_something, Context).should == nil_permission
+            Dummy.new.target_permission(:do_something, context).should == nil_permission
+          end
+
+          it "should use the closest contextual match" do
+            context = Context.create(:name => "Test Context")
+            
+            nil_permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+            Dummy.new.target_permission(:do_something, nil).should == nil_permission
+            Dummy.new.target_permission(:do_something, Context).should == nil_permission
+            Dummy.new.target_permission(:do_something, context).should == nil_permission
+            
+            class_permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context')
+            Dummy.new.target_permission(:do_something, nil).should == nil_permission
+            Dummy.new.target_permission(:do_something, Context).should == class_permission
+            Dummy.new.target_permission(:do_something, context).should == class_permission
+            
+            inst_permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context', :context_id => context.id)
+            Dummy.new.target_permission(:do_something, nil).should == nil_permission
+            Dummy.new.target_permission(:do_something, Context).should == class_permission
+            Dummy.new.target_permission(:do_something, context).should == inst_permission
+          end
+          
+          context "when forcing the context" do
+            it "should not go up the context chain" do
+              context = Context.create(:name => "Test Context")
+              
+              nil_permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+              Dummy.new.target_permission(:do_something, nil, true).should == nil_permission
+              Dummy.new.target_permission(:do_something, Context, true).should be_nil
+              Dummy.new.target_permission(:do_something, context, true).should be_nil
+              
+              class_permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context')
+              Dummy.new.target_permission(:do_something, nil, true).should == nil_permission
+              Dummy.new.target_permission(:do_something, Context, true).should == class_permission
+              Dummy.new.target_permission(:do_something, context, true).should be_nil
+              
+              inst_permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context', :context_id => context.id)
+              Dummy.new.target_permission(:do_something, nil, true).should == nil_permission
+              Dummy.new.target_permission(:do_something, Context, true).should == class_permission
+              Dummy.new.target_permission(:do_something, context, true).should == inst_permission
+            end
+          end
+        end
+      end
+    end
+
+    describe "verify_target_context" do
+      before(:each) do
+        Role.acts_as_authorization_role # this is to enable Role#context, can remove/rework this once those context methods are broken out
+        Permission.acts_as_authorization_permission # this is to enable Permission#context, can remove/rework this once those context methods are broken out
+        prep_dummy
+      end
+      
+      it "should require a target role or permission and a context" do
+        expect { Dummy.new.verify_target_context }.to raise_exception
+        expect { Dummy.new.verify_target_context(nil) }.to raise_exception
+      end
+
+      it "should accept a role or a permission as the target" do
+        role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+        permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+        Dummy.new.verify_target_context(role, nil).should be_true
+        Dummy.new.verify_target_context(permission, nil).should be_true
+      end
+
+      it "should return false if a nil target is provided" do
+        Dummy.new.verify_target_context(nil, nil).should be_false
+      end
+
+      it "should allow forcing context" do
+        expect { Dummy.new.verify_target_context(nil, nil, true) }.to_not raise_exception
+      end
+
+      context "when not forcing context" do
+        it "should allow nil context targets to be used within any other context" do
+          context = Context.create(:name => "Test Context")
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+          Dummy.new.verify_target_context(role, nil).should be_true
+          Dummy.new.verify_target_context(role, Context).should be_true
+          Dummy.new.verify_target_context(role, context).should be_true
+          Dummy.new.verify_target_context(permission, nil).should be_true
+          Dummy.new.verify_target_context(permission, Context).should be_true
+          Dummy.new.verify_target_context(permission, context).should be_true
+        end
+
+        it "should allow class context targets to be used within the context of their class or any instances of their class" do
+          context = Context.create(:name => "Test Context")
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context')
+          Dummy.new.verify_target_context(role, Context).should be_true
+          Dummy.new.verify_target_context(role, context).should be_true
+          Dummy.new.verify_target_context(permission, Context).should be_true
+          Dummy.new.verify_target_context(permission, context).should be_true
+        end
+
+        it "should allow instance targets to be used within their own instance context" do
+          context = Context.create(:name => "Test Context")
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context', :context_id => context.id)
+          Dummy.new.verify_target_context(role, context).should be_true
+          Dummy.new.verify_target_context(permission, context).should be_true
+        end
+        
+        it "should not allow class context targets to be used within any other class or nil contexts" do
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context')
+          Dummy.new.verify_target_context(role, nil).should be_false
+          Dummy.new.verify_target_context(role, Weapon).should be_false
+          Dummy.new.verify_target_context(permission, nil).should be_false
+          Dummy.new.verify_target_context(permission, Weapon).should be_false
+        end
+        
+        it "should not allow instance context targets to be used within any other class or instance contexts or a nil context" do
+          context = Context.create(:name => "Test Context")
+          other_context = Context.create(:name => "Another Test Context")
+          role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+          permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context', :context_id => context.id)
+          Dummy.new.verify_target_context(role, nil).should be_false
+          Dummy.new.verify_target_context(role, Context).should be_false
+          Dummy.new.verify_target_context(role, Weapon).should be_false
+          Dummy.new.verify_target_context(role, other_context).should be_false
+          Dummy.new.verify_target_context(permission, nil).should be_false
+          Dummy.new.verify_target_context(permission, Context).should be_false
+          Dummy.new.verify_target_context(permission, Weapon).should be_false
+          Dummy.new.verify_target_context(permission, other_context).should be_false
+        end
+      end
+
+      context "when forcing context" do
+        it "should only allow the target to be used within the provided context" do
+          context = Context.create(:name => "Test Context")
+          nil_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100)
+          class_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context')
+          inst_role = Role.create(:name => 'Admin', :slug => 'admin', :level => 100, :context_type => 'Context', :context_id => context.id)
+          Dummy.new.verify_target_context(nil_role, nil, true).should be_true
+          Dummy.new.verify_target_context(nil_role, Context, true).should be_false
+          Dummy.new.verify_target_context(nil_role, context, true).should be_false
+          Dummy.new.verify_target_context(class_role, nil, true).should be_false
+          Dummy.new.verify_target_context(class_role, Context, true).should be_true
+          Dummy.new.verify_target_context(class_role, context, true).should be_false
+          Dummy.new.verify_target_context(inst_role, nil, true).should be_false
+          Dummy.new.verify_target_context(inst_role, Context, true).should be_false
+          Dummy.new.verify_target_context(inst_role, context, true).should be_true
+          nil_permission = Permission.create(:name => 'Do Something', :slug => 'do_something')
+          class_permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context')
+          inst_permission = Permission.create(:name => 'Do Something', :slug => 'do_something', :context_type => 'Context', :context_id => context.id)
+          Dummy.new.verify_target_context(nil_permission, nil, true).should be_true
+          Dummy.new.verify_target_context(nil_permission, Context, true).should be_false
+          Dummy.new.verify_target_context(nil_permission, context, true).should be_false
+          Dummy.new.verify_target_context(class_permission, nil, true).should be_false
+          Dummy.new.verify_target_context(class_permission, Context, true).should be_true
+          Dummy.new.verify_target_context(class_permission, context, true).should be_false
+          Dummy.new.verify_target_context(inst_permission, nil, true).should be_false
+          Dummy.new.verify_target_context(inst_permission, Context, true).should be_false
+          Dummy.new.verify_target_context(inst_permission, context, true).should be_true
+        end
+      end
+    end
+  end
+
+end