
@Antiarchitect
Created February 7, 2011 08:33
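# Authorization rules for three roles: :guest, :user (includes :guest) and
# :admin (includes :user). The DSL looks like the declarative_authorization
# gem's -- confirm against the Gemfile.
#
# How to read a rule:
# * has_permission_on without a block grants the privilege on every object of
#   that context; nothing in the rule restricts it to the caller's own records.
# * Several if_attribute lines in one block are alternatives (presumably the
#   gem's default OR join -- TODO confirm); the keys inside a single
#   if_attribute hash must all match.
# * The hash passed to if_attribute is an ordinary Ruby hash: repeating a key
#   keeps only the last value, so a repeated key silently drops a condition.
#
# NOTE(review): some conditions below pass a bare value (`:published => true`,
# `:access_level => Accessible::PUBLIC`) while the rest of the file wraps the
# value in `is { ... }`. Verify that the gem version in use evaluates the bare
# form the same way; the rules are left as written.
authorization do
  role :guest do
    # NOTE(review): unauthenticated visitors can read :authorization_rules. If
    # that context is a rules browser, it discloses the whole policy; consider
    # limiting it to :admin.
    has_permission_on :authorization_rules, :to => :read
    has_permission_on [:users, :favorites], :to => [:index]

    # USER
    has_permission_on :users, :to => :create
    has_permission_on :users, :to => [:show] do
      if_attribute :settings => {:show_profile => is {true}}
    end
    has_permission_on :users_posts, :to => :read do
      if_attribute :user => {:settings => {:show_blog => is {Accessible::PUBLIC}}}
    end
    has_permission_on [:questions, :posts, :galleries, :photos, :videos], :to => :read do
      if_attribute :public => is { true } # either not in a group, or the group is open
    end

    # GROUPS
    has_permission_on :groups, :to => :get_invites
    has_permission_on :groups, :to => :read do
      if_attribute :membership_type => is_not {Group::SECRET}
    end
    has_permission_on [:groups_posts, :groups_questions, :groups_galleries, :groups_videos], :to => [:read] do
      if_attribute :group => {:membership_type => is{Group::PUBLIC}}
    end

    # CITIES
    has_permission_on [:cities, :feedbacks], :to => [:read] do
      if_attribute :published => true
    end
    has_permission_on [:hotels, :restaurants, :generics], :to => [:read] do
      if_attribute :published => true, :city_published => true
    end
  end

  role :user do
    includes :guest

    ### User's objects
    has_permission_on :users, :to => :manage do
      if_attribute :id => is {user.id}
    end
    # NOTE(review): the next two rules carry no if_attribute, so as far as
    # these rules go every signed-in user may use the blacklist actions and
    # :manage (create/read/update/delete) any :users_messages or :users_posts
    # object. Ownership then rests entirely on the controllers scoping their
    # queries to the current user; consider an owner condition such as
    # `if_attribute :user => is {user}`, as the other contexts below use.
    has_permission_on :users_blacklist, :to => [:index, :add_to_blacklist, :remove_from_blacklist]
    has_permission_on :users_messages, :users_posts, :to => :manage
    has_permission_on [:galleries,
                       :photos,
                       :questions,
                       :groups,
                       :videos,
                       :favorites,
                       :subscriptions,
                       :feedbacks,
                       :hotels,
                       :restaurants,
                       :generics,
                       :complaint], :to => [:create]
    has_permission_on [:galleries, :questions, :videos,:posts, :favorites, :subscriptions], :to => :manage do
      if_attribute :user => is {user}#, :group => is { nil }
    end
    has_permission_on :groups, :to => :manage do
      if_attribute :owner => is {user}
    end
    has_permission_on :groups_moderators, :to => :manage do
      if_attribute :group => {:owner => is{user}}
    end
    has_permission_on :photos, :to => :manage do
      if_attribute :gallery => { :user => is { user }}
    end
    # Owners may manage their own city objects only while these are unpublished.
    has_permission_on [:hotels, :restaurants, :generics, :feedbacks], :to => [:manage] do
      if_attribute :user => is {user}, :published => false
    end

    ### Groups
    # Members of a secret group may read it (guests only get non-secret groups).
    has_permission_on :groups, :to => [:read] do
      if_attribute :users => contains { user }, :membership_type => is { Group::SECRET }
    end
    # Join: a non-member of a non-secret group, or anyone holding an invite.
    has_permission_on :groups, :to => [:join] do
      if_attribute :users => does_not_contain { user }, :membership_type => is_not { Group::SECRET }
      if_attribute :id => is_in { user.groups.invite.map {|g| g.id} }#, :membership_type => is { Group::SECRET }
    end
    # The owner cannot leave their own group.
    has_permission_on :groups, :to => [:leave] do
      if_attribute :users => contains { user }, :owner => is_not { user }
    end
    has_permission_on [:groups_posts, :groups_questions, :groups_galleries, :groups_videos], :to => [:create] do
      if_attribute :group => {:users => contains {user}}
    end
    has_permission_on [:groups_photos], :to => [:create] do
      if_attribute :gallery => {:group => {:users => contains {user}}}
    end
    has_permission_on [:groups_posts, :groups_questions, :groups_galleries, :groups_videos], :to => [:read] do
      if_attribute :group => {:membership_type => is_not { Group::SECRET }}
      if_attribute :group => {:users => contains { user }, :membership_type => is { Group::SECRET }}
    end
    has_permission_on [:groups_photos], :to => [:read] do
      if_attribute :gallery => {:group => {:users => contains {user}}}
    end
    # Group moderators may manage content posted in their group.
    # The original hash listed :group twice (`:group => is_not {nil}` first);
    # Ruby kept only the last value, so the nil test never ran. The dead entry
    # is removed; the evaluated condition is unchanged.
    # NOTE(review): confirm how the gem treats a nil :group here (expected: the
    # rule does not match).
    has_permission_on [:questions, :galleries, :videos, :posts], :to => [:manage] do
      if_attribute :group => {:moderator_users => contains {user}}
    end
    has_permission_on [:groups_posts, :groups_questions], :to => [:manage] do
      if_attribute :group => {:users => contains {user}}, :user => is {user}
    end

    ### Other users stuff
    has_permission_on :users_posts, :to => :read do
      if_attribute :user => {:settings => {:show_blog => is {Accessible::PUBLIC}}}
      # Fixed: the original hash listed :user twice, so Ruby discarded the
      # show_blog == FRIENDS test and any friend could read the blog whatever
      # the owner's setting. Both tests now sit under a single :user key; the
      # friend test compares ids, the same form the :join rule uses for invites.
      if_attribute :user => {
        :settings => {:show_blog => is {Accessible::FRIENDS}},
        :id => is_in { user.friends.map {|f| f.id} }
      }
    end
    has_permission_on :posts, :to => :read_logged do
      if_attribute :access_level => Accessible::PUBLIC, :group_type => is_not {Group::PUBLIC}, :group => {:users => contains { user }}
      if_attribute :access_level => Accessible::FRIENDS, :user => is_in {user.friends}
    end
    has_permission_on :answers, :to => [:create] do
      if_attribute :question => {:status => is {Question::OPEN}}
    end
    has_permission_on :answers, :to => [:update, :delete] do
      if_attribute :user => is { user }
    end
    # The question's author may delete any answer to it.
    has_permission_on :answers, :to => :delete do
      if_attribute :question => { :user => is { user }}
    end
    has_permission_on [:videos, :galleries], :to => :read do
      if_attribute :access_level => Accessible::PUBLIC
      if_attribute :access_level => Accessible::FRIENDS, :user => is_in {user.friends}
    end
    has_permission_on :photos, :to => :read do
      if_attribute :access_level => Accessible::PUBLIC
      if_attribute :access_level => Accessible::FRIENDS, :gallery => { :user => is_in { user.friends }}
    end
    has_permission_on :comments, :to => [:create, :reply] do
      if_attribute :permission_comment => is { true }
    end
    has_permission_on :comments, :to => [:update, :delete] do
      if_attribute :user => is { user }
    end
    # The owner of the commented object may delete comments on it.
    has_permission_on :comments, :to => :delete do
      if_attribute :commentable => { :user => is {user}}
    end
    has_permission_on :votes, :to => [:create] do
      if_attribute :permission_vote => is { true }
    end

    # TODO delete this
    # NOTE(review): until it is removed, every signed-in user holds
    # unconditional :read and :manage on :subjects.
    has_permission_on :subjects, :to => [:read, :manage]
  end

  role :admin do
    includes :user
    has_permission_on :users, :to => [:change_password, :update_password, :block, :unblock]
    # NOTE(review): :user_posts is spelled :users_posts in every other rule of
    # this file; confirm which context name the controllers actually check.
    has_permission_on [:users,
                       :user_posts,
                       :questions,
                       :answers,
                       :comments,
                       :complaint,
                       :admin_regions,
                       :admin_countries,
                       :admin_cities,
                       :admin_city_object_types,
                       :hotels,
                       :restaurants,
                       :generics,
                       :criteries,
                       :rating_coefficients], :to => :manage
  end
end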
# Privilege hierarchy: holding the privilege on the left also grants the
# privileges listed under :includes.
privileges do
  # Read access covers the listing and detail actions.
  privilege :read,          :includes => [:index, :show]
  # :read_logged is granted in the :user role and implies plain :read.
  privilege :read_logged,   :includes => :read

  # Each write privilege also covers the action that serves its form or
  # performs the change.
  privilege :create,        :includes => :new
  privilege :update,        :includes => :edit
  privilege :delete,        :includes => :destroy

  # :manage is the full set. Any rule that grants it without an if_attribute
  # condition gives create/read/update/delete on every object of the context.
  privilege :manage,        :includes => [:create, :read, :update, :delete, :read_logged]

  privilege :change_status, :includes => [:close, :open]
end
...
# Lists messages via current_user.read_messages_to_show, one page at a time,
# and renders them with the "index" template for HTML requests.
#
# The query starts from current_user, so the listing is limited to whatever
# that association returns for the signed-in user; the action itself performs
# no further authorization check.
def read
  paging = { :page => params[:page], :per_page => per_page }
  @messages = current_user.read_messages_to_show.paginate(paging)

  respond_to do |format|
    format.html { render :action => "index" }
  end
end
# Lists messages for the "unread" page and renders them with the "index"
# template for HTML requests.
def unread
  # read_messages_to_show is used here instead of unread_messages_to_show on
  # purpose, to show that the two do not differ.
  paging = { :page => params[:page], :per_page => per_page }
  @messages = current_user.read_messages_to_show.paginate(paging)

  respond_to do |format|
    format.html { render :action => "index" }
  end
end
...
# Messages resource handled by the users/messages controller, with extra
# collection routes (sent, read, unread) and a member route (reply).
# NOTE(review): presumably this controller is checked under the
# :users_messages authorization context -- confirm. The rules grant that
# context :manage without an ownership condition, so each action must scope
# its own queries to the current user.
map.resources :messages,
              :controller => 'users/messages',
              :collection => [:sent, :read, :unread],
              :member     => [:reply]