# Authorization gate: returns true when +privilege+ is permitted, raises
# otherwise. It never returns false, so callers rely on the exception.
#
# Two early exits skip rule evaluation entirely: the global
# Authorization.ignore_access_control switch, and any role listed in
# @omnipotent_roles. Treat both as security-critical configuration.
#
# @param privilege [Symbol, String, Array] one privilege or a (possibly nested)
#   list of privileges; every entry is converted with to_sym
# @param options [Hash] merged over these defaults:
#   :object              => nil   (object the check is about)
#   :skip_attribute_test => false (forwarded to each rule's validate?)
#   :context             => nil   (derived from :object when not given)
#   Other keys are passed through to user_roles_privleges_from_options.
# @return [true]
# @raise [NotAuthorized] when no rule matches roles, privileges and context
# @raise [AttributeAuthorizationError] when rules match but none validates
def permit!(privilege, options = {})
  # Global bypass: nothing below runs while this flag is truthy.
  # NOTE(review): confirm it can only be set from test or maintenance code.
  return true if Authorization.ignore_access_control

  defaults = {
    :object => nil,
    :skip_attribute_test => false,
    :context => nil
  }
  options = defaults.merge(options)

  # Privilege names should come from code, not request input: they are
  # turned into symbols here.
  privilege =
    if privilege.is_a?(Array)
      privilege.flatten.map { |name| name.to_sym }
    else
      privilege.to_sym
    end

  # An :object answering both proxy_reflection and new is replaced by a fresh
  # instance built through it (presumably an association proxy - confirm).
  target = options[:object]
  if target.respond_to?(:proxy_reflection) && target.respond_to?(:new)
    options[:object] = target.new
  end

  # Derive the context from the object's class unless the caller supplied one.
  # NOTE(review): the trailing `rescue NoMethodError` is a rescue *modifier*.
  # It swallows every StandardError raised in this expression, and
  # NoMethodError is the fallback value, not an exception filter. Depending on
  # how the running Ruby binds the modifier to this indexed `||=`, the context
  # is either left unset or becomes the NoMethodError class itself. Confirm
  # that matching_auth_rules yields no rules in both cases, so the check keeps
  # failing closed. The statement is kept in its original form on purpose.
  options[:context] ||= options[:object] && (
    options[:object].class.respond_to?(:decl_auth_context) ?
      options[:object].class.decl_auth_context :
      options[:object].class.name.tableize.to_sym
  ) rescue NoMethodError

  user, roles, privileges = user_roles_privleges_from_options(privilege, options)

  # Omnipotent roles pass before any rule or attribute check is consulted.
  return true if roles.is_a?(Array) && !(roles & @omnipotent_roles).empty?

  # The validator is built before the rule lookup, as in the original order.
  attr_validator = AttributeValidator.new(self, user, options[:object], privilege, options[:context])
  rules = matching_auth_rules(roles, privileges, options[:context])

  # NOTE(review): both messages below embed user.inspect. If the user object's
  # inspect output carries sensitive attributes, they end up wherever this
  # exception message is logged or rendered.
  if rules.empty?
    message = "No matching rules found for #{privilege} for #{user.inspect} " \
              "(roles #{roles.inspect}, privileges #{privileges.inspect}, " \
              "context #{options[:context].inspect})."
    raise NotAuthorized, message
  end

  # :skip_attribute_test goes straight to every rule, so it must never be
  # derived from request parameters.
  granted = rules.any? { |rule| rule.validate?(attr_validator, options[:skip_attribute_test]) }
  return true if granted

  subject = options[:object] || options[:context]
  raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{subject.inspect}."
end