zuul 0.2.7 → 0.2.8

data/lib/zuul/active_record/context_accessors.rb

@@ -0,0 +1,23 @@
+module Zuul
+  module ActiveRecord
+    # These are included in roles & permissions objects and assigned roles & permissions objects
+    # to provide easy access to the context for that object.
+    module ContextAccessors
+      def self.included(base)
+        base.send :attr_accessible, :context if ::Zuul.should_whitelist?
+      end
+
+      # Return a Zuul::Context object representing the context for the role
+      def context
+        Zuul::Context.new context_type, context_id
+      end
+
+      # Parse a context into an Zuul::Context and set the type and id
+      def context=(context)
+        context = Zuul::Context.parse(context)
+        self.context_type = context.klass
+        self.context_id = context.id
+      end
+    end
+  end
+end

data/lib/zuul/active_record/permission.rb

@@ -3,14 +3,13 @@ module Zuul
     module Permission
       def self.included(base)
         base.send :extend, ClassMethods
-        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+        base.send :include, ContextAccessors
         base.send :include, InstanceMethods
       end
 
       module ClassMethods
         def self.extended(base)
-          base.send :attr_accessible, :context, :context_id, :context_type, :slug if ::Zuul
-.should_whitelist?
+          base.send :attr_accessible, :context, :context_id, :context_type, :slug if ::Zuul.should_whitelist?
           add_validations base
           add_associations base
         end

data/lib/zuul/active_record/permission_role.rb

@@ -3,13 +3,12 @@ module Zuul
     module PermissionRole
       def self.included(base)
         base.send :extend, ClassMethods
-        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+        base.send :include, ContextAccessors
       end
 
       module ClassMethods
         def self.extended(base)
-          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym if ::Zuul
-.should_whitelist?
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.role_foreign_key.to_sym if ::Zuul.should_whitelist?
           add_validations base
           add_associations base
         end

data/lib/zuul/active_record/permission_subject.rb

@@ -3,13 +3,12 @@ module Zuul
     module PermissionSubject
       def self.included(base)
         base.send :extend, ClassMethods
-        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+        base.send :include, ContextAccessors
       end
 
       module ClassMethods
         def self.extended(base)
-          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym if ::Zuul
-.should_whitelist?
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.permission_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym if ::Zuul.should_whitelist?
           add_validations base
           add_associations base
         end

data/lib/zuul/active_record/role.rb

@@ -3,15 +3,14 @@ module Zuul
     module Role
       def self.included(base)
         base.send :extend, ClassMethods
-        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+        base.send :include, ContextAccessors
         base.send :include, InstanceMethods
         base.send :include, PermissionMethods if base.auth_scope.config.with_permissions
       end
 
       module ClassMethods
         def self.extended(base)
-          base.send :attr_accessible, :context_id, :context_type, :level, :slug if ::Zuul
-.should_whitelist?
+          base.send :attr_accessible, :context_id, :context_type, :level, :slug if ::Zuul.should_whitelist?
           add_validations base
           add_associations base
         end
@@ -53,9 +52,9 @@ module Zuul
           auth_scope do
             context = Zuul::Context.parse(context)
             target = target_permission(permission, context, force_context)
-            return false unless verify_target_context(target, context, force_context) && verify_target_context(self, context, false) && permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
+            return false unless verify_target_context(target, context, force_context) && verify_target_context(self, context, false)
 
-            return permission_role_class.create(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            return permission_role_class.find_or_create_by(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
           end
         end
 
@@ -70,7 +69,7 @@ module Zuul
             target = target_permission(permission, context, force_context)
             return false if target.nil?
 
-            assigned_permission = permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+            assigned_permission = permission_role_for(target, context)
             return false if assigned_permission.nil?
             return assigned_permission.destroy
           end
@@ -85,20 +84,18 @@ module Zuul
         #
         # The assigned context behaves the same way, in that if the permission is not found
         # to belong to the role with the specified context, we look up the context chain.
-        #
-        # TODO add options to force context, not go up the chain
         def has_permission?(permission, context=nil, force_context=nil)
           auth_scope do
             force_context ||= config.force_context
             context = Zuul::Context.parse(context)
             target = target_permission(permission, context, force_context)
             return false if target.nil?
+            return permission_role_for?(target, context) if force_context
 
-            return true unless (context.id.nil? && !force_context) || permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
-            unless force_context
-              return true unless context.class_name.nil? || permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
-              return !permission_role_class.where(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
-            end
+            return true if permission_role_for?(target, context)
+            return true if context.instance? && permission_role_for?(target, Zuul::Context.new(context.klass))
+            return true if !context.global? && permission_role_for?(target, Zuul::Context.new)
+            return false
           end
         end
         alias_method :permission?, :has_permission?
@@ -111,9 +108,9 @@ module Zuul
             force_context ||= config.force_context
             context = Zuul::Context.parse(context)
             if force_context
-              return permission_class.joins(permission_role_plural_key).where(permission_role_plural_key => {role_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id})
+              return role_permissions_for(context)
             else
-              return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("#{permission_roles_table_name}.#{role_foreign_key} = ? AND (#{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_roles_table_name}.context_type IS NULL) AND (#{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_roles_table_name}.context_id IS NULL)", id, context.class_name, context.id)
+              return role_permissions_within(context)
             end
           end
         end
@@ -122,6 +119,54 @@ module Zuul
         def permissions_for?(context=nil, force_context=nil)
           permissions_for(context, force_context).count > 0
         end
+
+        # Looks up a single permission_role based on the passed target and context
+        def permission_role_for(target, context)
+          auth_scope do
+            return permission_role_class.find_by(role_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+          end
+        end
+
+        def permission_role_for?(target, context)
+          !permission_role_for(target, context).nil?
+        end
+
+        # Looks up all permissions for this role for the passed context
+        def role_permissions_for(context)
+          auth_scope do
+            return permission_class.joins(permission_role_plural_key).where(permission_role_plural_key => {role_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id})
+          end
+        end
+
+        def role_permissions_for?(context)
+          !role_permissions_for(context).empty?
+        end
+
+        # Looks up all permissions for this role within the passed context (within the context chain)
+        def role_permissions_within(context)
+          auth_scope do
+            return permission_class.joins("
+                LEFT JOIN #{permission_roles_table_name}
+                  ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id"
+              ).where("
+                #{permission_roles_table_name}.#{role_foreign_key} = ?
+                AND (
+                  #{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ?
+                  OR #{permission_roles_table_name}.context_type IS NULL
+                )
+                AND (
+                  #{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ?
+                  OR #{permission_roles_table_name}.context_id IS NULL
+                )",
+                id,
+                context.class_name,
+                context.id)
+          end
+        end
+
+        def role_permissions_within?(context)
+          !role_permissions_within(context).empty?
+        end
       end
     end
   end

data/lib/zuul/active_record/role_subject.rb

@@ -3,13 +3,12 @@ module Zuul
     module RoleSubject
       def self.included(base)
         base.send :extend, ClassMethods
-        base.send :include, ContextMethods # defined in lib/zuul/active_record.rb
+        base.send :include, ContextAccessors
       end
 
       module ClassMethods
         def self.extended(base)
-          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym if ::Zuul
-.should_whitelist?
+          base.send :attr_accessible, :context, :context_id, :context_type, base.auth_scope.role_foreign_key.to_sym, base.auth_scope.subject_foreign_key.to_sym if ::Zuul.should_whitelist?
           add_validations base
           add_associations base
         end

data/lib/zuul/active_record/scope.rb

@@ -9,10 +9,49 @@ module Zuul
         @config = config
         @name = @config.scope
         define_reflection_methods
-        super()
       end
 
       # Define dynamic reflection methods that reference the config to be used for subjects, roles, permissions and their associations.
+      #
+      # With a standard configuration, this defines the following methods:
+      #
+      # def subject_class                 : Subject
+      # def role_class                    : Role
+      # def permission_class              : Permission
+      # def role_subject_class            : RoleSubject
+      # def permission_role_class         : PermissionRole
+      #
+      # def subject_class_name            : 'Subject'
+      # def role_class_name               : 'Role'
+      # def permission_class_name         : 'Permission'
+      # def role_subject_class_name       : 'RoleSubject'
+      # def permission_role_class_name    : 'PermissionRole'
+      #
+      # def subject_table_name            : 'subjects'
+      # def role_table_name               : 'roles'
+      # def permission_table_name         : 'permissions'
+      # def role_subject_table_name       : 'role_subjects'
+      # def permission_role_table_name    : 'permission_roles'
+      #
+      # def subject_singular_key          : 'subject'
+      # def role_singular_key             : 'role'
+      # def permission_singular_key       : 'permission'
+      # def role_subject_singular_key     : 'role_subject'
+      # def permission_role_singular_key  : 'permission_role'
+      #
+      # def subject_plural_key            : 'subjects'
+      # def role_plural_key               : 'roles'
+      # def permission_plural_key         : 'permissions'
+      # def role_subject_plural_key       : 'role_subjects'
+      # def permission_role_plural_key    : 'permission_roles'
+      #
+      # def subject_foreign_key           : 'subject_id'
+      # def role_foreign_key              : 'role_id'
+      # def permission_foreign_key        : 'permission_id'
+      #
+      # All methods are also aliased to pluralized versions, so you can use `subject_class` or `subjects_class`, and
+      # when custom class names are used the methods are prefixed with those classes and aliased, so `user_class_name`
+      # is aliased to `subject_class_name`
       def define_reflection_methods
 
         # *_class_name, *_class, *_table_name methods for all classes
@@ -54,6 +93,7 @@ module Zuul
             end
             alias_method "#{class_type_name.pluralize}_plural_key", "#{class_type_name}_plural_key"
             
+            # These define aliases for custom class names, like user_class and user_table_name aliased to subject_class and subject_table_name
             unless class_type.to_s.underscore == "#{class_name.to_s.underscore}_class"
               %w(_class_name _class _table_name _singular_key _plural_key).each do |suffix|
                 alias_method "#{class_name.to_s.underscore.singularize}#{suffix}", "#{class_type_name}#{suffix}"

data/lib/zuul/active_record/subject.rb

@@ -28,9 +28,8 @@ module Zuul
             auth_scope do
               context = Zuul::Context.parse(context)
               target = target_role(role, context, force_context)
-              return false unless verify_target_context(target, context, force_context) && role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
-
-              return role_subject_class.create(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+              return false unless verify_target_context(target, context, force_context)
+              return role_subject_class.find_or_create_by(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
             end
           end
 
@@ -43,8 +42,8 @@ module Zuul
               context = Zuul::Context.parse(context)
               target = target_role(role, context, force_context)
               return false if target.nil?
-            
-              assigned_role = role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+
+              assigned_role = role_subject_for(target, context)
               return false if assigned_role.nil?
               return assigned_role.destroy
             end
@@ -64,11 +63,12 @@ module Zuul
               context = Zuul::Context.parse(context)
               target = target_role(role, context, force_context)
               return false if target.nil?
+              return role_subject_for?(target, context) if force_context
 
-              return true unless (context.id.nil? && !force_context) || role_subject_class.joins(role_table_name.singularize.to_sym).where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
-              return false if force_context
-              return true unless context.class_name.nil? || role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
-              return !role_subject_class.where(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+              return true if role_subject_for?(target, context)
+              return true if context.instance? && role_subject_for?(target, Zuul::Context.new(context.klass))
+              return true if !context.global? && role_subject_for?(target, Zuul::Context.new)
+              return false
             end
           end
           alias_method :role?, :has_role?
@@ -86,12 +86,13 @@ module Zuul
               context = Zuul::Context.parse(context)
               target = target_role(role, context, force_context)
               return false if target.nil?
-              
               return true if has_role?(target, context, force_context)
-              
-              return true unless context.id.nil? || role_subject_class.joins(role_table_name.singularize.to_sym).where(subject_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
-              return true unless context.class_name.nil? || role_subject_class.joins(role_table_name.singularize.to_sym).where(subject_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => nil).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
-              return !role_subject_class.joins(role_table_name.singularize.to_sym).where(subject_foreign_key.to_sym => id, :context_type => nil, :context_id => nil).where("#{roles_table_name}.level >= ? AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ? AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?", target.level, target.context_type, target.context_id).first.nil?
+              return role_subject_or_higher_for?(target, context) if force_context
+
+              return true if role_subject_or_higher_for?(target, context)
+              return true if context.instance? && role_subject_or_higher_for?(target, Zuul::Context.new(context.klass))
+              return true if !context.global? && role_subject_or_higher_for?(target, Zuul::Context.new)
+              return false
             end
           end
           alias_method :role_or_higher?, :has_role_or_higher?
@@ -113,19 +114,89 @@ module Zuul
               force_context ||= config.force_context
               context = Zuul::Context.parse(context)
               if force_context
-                return role_class.joins(role_subject_plural_key).where("#{role_subjects_table_name}.#{subject_foreign_key} = ? AND #{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?", id, context.class_name, context.id)
+                return subject_roles_for(context)
               else
-                return role_class.joins(role_subject_plural_key).where("#{role_subjects_table_name}.#{subject_foreign_key} = ? AND ((#{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{role_subjects_table_name}.context_type IS NULL) AND (#{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{role_subjects_table_name}.context_id IS NULL))", id, context.class_name, context.id)
+                return subject_roles_within(context)
               end
             end
           end
-          
+
           # Check whether the subject possesses any roles within the specified context.
           #
           # This includes any roles found by looking up the context chain.
           def roles_for?(context=nil, force_context=nil)
             roles_for(context, force_context).count > 0
           end
+
+          # Looks up a single role subject based on the passed target and context
+          def role_subject_for(target, context)
+            auth_scope do
+              return role_subject_class.joins(role_table_name.singularize.to_sym).find_by(subject_foreign_key.to_sym => id, role_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            end
+          end
+
+          def role_subject_for?(target, context)
+            !role_subject_for(target, context).nil?
+          end
+
+          # Looks up a single role subject with a level greather than or equal to the target level based on the passed target and context
+          def role_subject_or_higher_for(target, context)
+            auth_scope do
+              return role_subject_class.joins(role_table_name.singularize.to_sym).where(subject_foreign_key.to_sym => id, :context_type => context.class_name, :context_id => context.id).where("
+                #{roles_table_name}.level >= ?
+                AND #{roles_table_name}.context_type #{sql_is_or_equal(target.context_type)} ?
+                AND #{roles_table_name}.context_id #{sql_is_or_equal(target.context_id)} ?",
+                target.level,
+                target.context_type,
+                target.context_id).limit(1).first
+            end
+          end
+
+          def role_subject_or_higher_for?(target, context)
+            !role_subject_or_higher_for(target, context).nil?
+          end
+
+          # Looks up all roles for the subject for the passed context
+          def subject_roles_for(context)
+            auth_scope do
+              return role_class.joins(role_subject_plural_key).where("
+                #{role_subjects_table_name}.#{subject_foreign_key} = ?
+                AND #{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ?
+                AND #{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?",
+                id,
+                context.class_name,
+                context.id)
+            end
+          end
+
+          def subject_roles_for?(context)
+            !subject_roles_for(context).empty?
+          end
+
+          # Looks up all roles for the subject within the passed context (within the context chain)
+          def subject_roles_within(context)
+            auth_scope do
+              return role_class.joins(role_subject_plural_key).where("
+                #{role_subjects_table_name}.#{subject_foreign_key} = ?
+                AND (
+                  (
+                    #{role_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ?
+                    OR #{role_subjects_table_name}.context_type IS NULL
+                  )
+                  AND (
+                    #{role_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?
+                    OR #{role_subjects_table_name}.context_id IS NULL
+                  )
+                )",
+                id,
+                context.class_name,
+                context.id)
+            end
+          end
+
+          def subject_roles_within?(context)
+            !subject_roles_within(context).empty?
+          end
         end
       end
 
@@ -146,30 +217,29 @@ module Zuul
           # Assigns a permission to a subject within the provided context.
           #
           # If a Permission object is provided it's used directly, otherwise if a
-          # permission slug is provided, the permission is looked up in the context 
+          # permission slug is provided, the permission is looked up in the context
           # chain by target_permission.
           def assign_permission(permission, context=nil, force_context=nil)
             auth_scope do
               context = Zuul::Context.parse(context)
               target = target_permission(permission, context, force_context)
-              return false unless verify_target_context(target, context, force_context) && permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first.nil?
-
-              return permission_subject_class.create(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+              return false unless verify_target_context(target, context, force_context)
+              return permission_subject_class.find_or_create_by(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
             end
           end
 
           # Removes a permission from a subject within the provided context.
           #
           # If a Permission object is provided it's used directly, otherwise if a
-          # permission slug is provided, the permission is looked up in the context 
+          # permission slug is provided, the permission is looked up in the context
           # chain by target_permission.
           def unassign_permission(permission, context=nil, force_context=nil)
             auth_scope do
               context = Zuul::Context.parse(context)
               target = target_permission(permission, context, force_context)
               return false if target.nil?
-              
-              assigned_permission = permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).limit(1).first
+
+              assigned_permission = permission_subject_for(target, context)
               return false if assigned_permission.nil?
               return assigned_permission.destroy
             end
@@ -179,7 +249,7 @@ module Zuul
           # Checks whether a subject has a permission within the provided context.
           #
           # If a Permission object is provided it's used directly, otherwise if a
-          # permission slug is provided, the permission is looked up in the context 
+          # permission slug is provided, the permission is looked up in the context
           # chain by target_permission.
           #
           # The assigned context behaves the same way, in that if the permission is not found
@@ -192,17 +262,12 @@ module Zuul
               context = Zuul::Context.parse(context)
               target = target_permission(permission, context, force_context)
               return false if target.nil?
+              return permission_role_or_subject_for?(target, context) if force_context
 
-              return true unless (context.id.nil? && !force_context) || permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
-              unless force_context
-                return true unless context.class_name.nil? || permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
-                return true unless permission_subject_class.where(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
-              end
-
-              return true unless (context.id.nil? && !force_context) || permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id).first.nil?
-              return false if force_context
-              return true unless context.class_name.nil? || permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => nil).first.nil?
-              return !permission_role_class.where(role_foreign_key.to_sym => roles_for(context).map(&:id), permission_foreign_key.to_sym => target.id, :context_type => nil, :context_id => nil).first.nil?
+              return true if permission_role_or_subject_for?(target, context)
+              return true if context.instance? && permission_role_or_subject_for?(target, Zuul::Context.new(context.klass))
+              return true if !context.global? && permission_role_or_subject_for?(target, Zuul::Context.new)
+              return false
             end
           end
           alias_method :permission?, :has_permission?
@@ -217,21 +282,130 @@ module Zuul
             auth_scope do
               force_context ||= config.force_context
               context = Zuul::Context.parse(context)
+              roles = roles_for(context)
               if force_context
-                return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id LEFT JOIN #{permission_subjects_table_name} ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("(#{permission_subjects_table_name}.#{subject_foreign_key} = ? AND #{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?) OR (#{permission_roles_table_name}.#{role_foreign_key} IN (?) AND #{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? AND #{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ?)", id, context.class_name, context.id, roles_for(context).map(&:id), context.class_name, context.id)
+                return role_and_subject_permissions_for(context, roles)
               else
-                return permission_class.joins("LEFT JOIN #{permission_roles_table_name} ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id LEFT JOIN #{permission_subjects_table_name} ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id").where("(#{permission_subjects_table_name}.#{subject_foreign_key} = ? AND (#{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_subjects_table_name}.context_type IS NULL) AND (#{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_subjects_table_name}.context_id IS NULL)) OR (#{permission_roles_table_name}.#{role_foreign_key} IN (?) AND (#{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ? OR #{permission_roles_table_name}.context_type IS NULL) AND (#{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ? OR #{permission_roles_table_name}.context_id IS NULL))", id, context.class_name, context.id, roles_for(context).map(&:id), context.class_name, context.id)
+                return role_and_subject_permissions_within(context, roles)
               end
             end
           end
-          
+
           # Check whether the subject possesses any permissions within the specified context.
           #
           # This includes permissions assigned directly to the subject or any roles possessed by
           # the subject, as well as all permissions found by looking up the context chain.
           def permissions_for?(context=nil, force_context=nil)
-            permissions_for(context, force_context).count > 0
+            !permissions_for(context, force_context).empty?
+          end
+
+          # Looks up a permission subject based on the passed target and context
+          def permission_subject_for(target, context)
+            auth_scope do
+              return permission_subject_class.find_by(subject_foreign_key.to_sym => id, permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            end
+          end
+
+          def permission_subject_for?(target, context)
+            !permission_subject_for(target, context).nil?
+          end
+
+          # Looks up a permission role based on the passed target and context
+          def permission_role_for(target, context, proles=nil)
+            auth_scope do
+              proles ||= roles_for(context)
+              return permission_role_class.find_by(role_foreign_key.to_sym => proles.map(&:id), permission_foreign_key.to_sym => target.id, :context_type => context.class_name, :context_id => context.id)
+            end
+          end
+
+          def permission_role_for?(target, context, proles=nil)
+            !permission_role_for(target, context, proles).nil?
+          end
+
+          # Looks up a permission subject or role based on the passed target and context
+          def permission_role_or_subject_for(target, context, proles=nil)
+            permission_subject_for(target, context) || permission_role_for(target, context, proles)
           end
+
+          def permission_role_or_subject_for?(target, context, proles=nil)
+            !permission_role_or_subject_for(target, context, proles).nil?
+          end
+
+          def role_and_subject_permissions_for(context, proles=nil)
+            auth_scope do
+              return permission_class.joins("
+                  LEFT JOIN #{permission_roles_table_name}
+                    ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id
+                  LEFT JOIN #{permission_subjects_table_name}
+                    ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id"
+                ).where("
+                  (
+                    #{permission_subjects_table_name}.#{subject_foreign_key} = ?
+                    AND #{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ?
+                    AND #{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?
+                  )
+                  OR
+                  (
+                    #{permission_roles_table_name}.#{role_foreign_key} IN (?)
+                    AND #{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ?
+                    AND #{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ?
+                  )",
+                  id,
+                  context.class_name,
+                  context.id,
+                  (proles || roles_for(context)).map(&:id),
+                  context.class_name,
+                  context.id)
+            end
+          end
+
+          def role_and_subject_permissions_for?(context, proles=nil)
+            !role_and_subject_permissions_for(context, proles).empty?
+          end
+
+          def role_and_subject_permissions_within(context, proles=nil)
+            auth_scope do
+              return permission_class.joins("
+                  LEFT JOIN #{permission_roles_table_name}
+                  ON #{permission_roles_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id
+                  LEFT JOIN #{permission_subjects_table_name}
+                  ON #{permission_subjects_table_name}.#{permission_foreign_key} = #{permissions_table_name}.id"
+                ).where("
+                  (
+                    #{permission_subjects_table_name}.#{subject_foreign_key} = ?
+                    AND (
+                      #{permission_subjects_table_name}.context_type #{sql_is_or_equal(context.class_name)} ?
+                      OR #{permission_subjects_table_name}.context_type IS NULL
+                    )
+                    AND (
+                      #{permission_subjects_table_name}.context_id #{sql_is_or_equal(context.id)} ?
+                      OR #{permission_subjects_table_name}.context_id IS NULL
+                    )
+                  )
+                  OR (
+                    #{permission_roles_table_name}.#{role_foreign_key} IN (?)
+                    AND (
+                      #{permission_roles_table_name}.context_type #{sql_is_or_equal(context.class_name)} ?
+                      OR #{permission_roles_table_name}.context_type IS NULL
+                    )
+                    AND (
+                      #{permission_roles_table_name}.context_id #{sql_is_or_equal(context.id)} ?
+                      OR #{permission_roles_table_name}.context_id IS NULL
+                    )
+                  )",
+                  id,
+                  context.class_name,
+                  context.id,
+                  (proles || roles_for(context)).map(&:id),
+                  context.class_name,
+                  context.id)
+            end
+          end
+
+          def role_and_subject_permissions_within?(context, proles=nil)
+            !role_and_subject_permissions_within(context, proles).empty?
+          end
+
         end
       end
     end