Implement :protect_global_roles global option

be9 · Aug 19, 2009 · 0219bcf · 0219bcf
1 parent 3a35db2
commit 0219bcf
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 3 deletions.
diff --git a/lib/acl9/config.rb b/lib/acl9/config.rb
@@ -3,6 +3,7 @@ module Acl9
     :default_role_class_name => 'Role',
     :default_subject_class_name => 'User',
     :default_subject_method => :current_user,
+    :protect_global_roles => false,
   }
 
   mattr_reader :config

diff --git a/lib/acl9/model_extensions/subject.rb b/lib/acl9/model_extensions/subject.rb
@@ -4,13 +4,38 @@ module Subject
       ##
       # Role check.
       #
-      # @return [Boolean] Returns true if +self+ has a role +role_name+ on +object+.
+      # There is a global option, +Acl9.config[:protect_global_roles]+, which governs
+      # this method behavior.
       #
+      # If protect_global_roles is +false+, an object role is automatically counted
+      # as global role. E.g.
+      #
+      #   Acl9.config[:protect_global_roles] = false
+      #   user.has_role!(:manager, @foo)
+      #   user.has_role?(:manager, @foo)  # => true
+      #   user.has_role?(:manager)        # => true
+      #
+      # In this case manager is anyone who "manages" at least one object.
+      #
+      # However, if protect_global_roles option set to +true+, you'll need to 
+      # explicitly grant global role with same name.
+      #
+      #   Acl9.config[:protect_global_roles] = true
+      #   user.has_role!(:manager, @foo)
+      #   user.has_role?(:manager)        # => false
+      #   user.has_role!(:manager)
+      #   user.has_role?(:manager)        # => true
+      #
+      # protect_global_roles option is +false+ by default as for now, but this 
+      # may change in future!
+      #
+      # @return [Boolean] Whether +self+ has a role +role_name+ on +object+.
       # @param [Symbol,String] role_name Role name
       # @param [Object] object Object to query a role on
+      #
       # @see Acl9::ModelExtensions::Object#accepts_role?
       def has_role?(role_name, object = nil)
-        !! if object.nil?
+        !! if object.nil? && !::Acl9.config[:protect_global_roles]
           self.role_objects.find_by_name(role_name.to_s) ||
           self.role_objects.member?(get_role(role_name, nil))
         else

diff --git a/test/roles_test.rb b/test/roles_test.rb
@@ -65,7 +65,7 @@ class RolesTest < Test::Unit::TestCase
     @foo.accepts_roles_by?(@user).should be_true
   end
 
-  it "shoud count object role also as global role" do
+  it "should count object role also as global role" do
     @user.has_role!('manager', @foo)
 
     @user.has_role?('manager').should be_true
@@ -76,6 +76,23 @@ class RolesTest < Test::Unit::TestCase
     @user.has_role?('manager', Foo).should be_false
   end
 
+  context "protect_global_roles=true" do
+    before do
+      @saved_option = Acl9.config[:protect_global_roles]
+      Acl9.config[:protect_global_roles] = true
+    end
+
+    it "should not count object role also as global role" do
+      @user.has_role!('manager', @foo)
+
+      @user.has_role?('manager').should be_false
+    end
+
+    after do
+      Acl9.config[:protect_global_roles] = @saved_option
+    end
+  end
+
   it "#has_role! with class" do
     @user.has_role!('user', Bar)