@jhoffner
Created May 27, 2014 23:17
Batcan VS CanCan
# Batcan Style
class Project
  # permission is enforced for all create/update/save calls. It is defined within the context of its own class and is only
  # called when this particular permission is checked.
  permission :save do |project, user|
    next true if user.admin?
    next true if project.owner == user
    next true if project.collaborators.include?(user)
    # at this point, if we haven't returned true then we don't have permission. We are allowed to return a user-readable
    # string here (not sure if CanCan has this capability, I don't see it in the docs)
    "Only admins, project owners and project collaborators can save this project"
  end

  # only enforced on create/update/save if due_date is modified
  # NOTE: I don't believe CanCan has this capability, but I may be wrong
  permission :save, :due_date do |project, user|
    next true if user.admin? or project.owner == user
    "Only admins and project owners can set the due date for this project"
  end
end
# CanCan Style
class Project
end

# permissions for all objects are defined within one large initialize script within the ability class.
# Imagine if there were 50 permissions defined within the system. Note that the collaborators check here would make a database
# call. What if we don't need to check this permission? We end up making the call for no reason.
class Ability
  include CanCan::Ability

  def initialize(user)
    alias_action :create, :update, :to => :save
    # the action and the subject class are separate arguments to `can`
    can :save, Project do |project|
      user.admin? || project.owner == user || project.collaborators.include?(user)
    end
  end
end
### Usage:
project = Project.find('some-project')

## BatCan:
# can be called from anywhere in the code. Models, Specs, Rake Tasks... anywhere.
user.can? :save, project

## CanCan:
# can only be called from a controller.
can? :save, project
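The gist describes two behaviours that matter for authorization correctness: attribute-scoped rules that only run when that attribute is being changed (so the expensive collaborators lookup is skipped when it is not needed), and rules that return a user-readable reason instead of a bare false. The following is an added, self-contained reimplementation of those semantics so they can be run and tested offline; it is not the Batcan or CanCan gem and not jhoffner's code. The `Permissions` module, `check`, `save_as`, the `changed:` keyword and the sample users are all assumptions of this example, not Batcan's real API.

```ruby
# Added example: minimal reimplementation of the "Batcan style" semantics shown in the gist.
# Permissions, check, save_as and the changed: keyword are assumptions of this example, not Batcan's API.
module Permissions
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # permission :save do |record, user| ... end            -> enforced on every save
    # permission :save, :due_date do |record, user| ... end -> enforced only when due_date changes
    def permission(action, attribute = nil, &block)
      permissions[[action, attribute]] = block
    end

    def permissions
      @permissions ||= {}
    end
  end

  # Returns true when every applicable rule passes, otherwise the first user-readable
  # denial string. Attribute-scoped rules are consulted only when that attribute is in
  # `changed`, so their checks (e.g. a collaborators query) are skipped when irrelevant.
  # An action with no rule at all is denied, so the check fails closed.
  def check(action, user, changed: [])
    rules = self.class.permissions.select do |(act, attr), _|
      act == action && (attr.nil? || changed.include?(attr))
    end
    return "No permission rule defined for #{action}" if rules.empty?
    rules.each_value do |rule|
      result = rule.call(self, user)
      return result unless result == true
    end
    true
  end
end

# Constructed stand-ins for the ActiveRecord models in the gist.
User = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

class Project
  include Permissions
  attr_accessor :owner, :collaborators, :due_date

  def initialize(owner:, collaborators: [], due_date: nil)
    @owner, @collaborators, @due_date = owner, collaborators, due_date
  end

  # Same rule bodies as the gist's Batcan example.
  permission :save do |project, user|
    next true if user.admin?
    next true if project.owner == user
    next true if project.collaborators.include?(user)
    "Only admins, project owners and project collaborators can save this project"
  end

  permission :save, :due_date do |project, user|
    next true if user.admin? || project.owner == user
    "Only admins and project owners can set the due date for this project"
  end

  # Enforces the permission on every save and refuses to write when it is denied.
  def save_as(user, attrs = {})
    outcome = check(:save, user, changed: attrs.keys)
    raise SecurityError, outcome unless outcome == true
    attrs.each { |k, v| public_send("#{k}=", v) }
    true
  end
end

# Constructed demo data.
ADMIN    = User.new("alice", true)
OWNER    = User.new("bob", false)
COLLAB   = User.new("carol", false)
OUTSIDER = User.new("dave", false)
PROJECT  = Project.new(owner: OWNER, collaborators: [COLLAB])

if __FILE__ == $PROGRAM_NAME
  puts PROJECT.check(:save, COLLAB)                        # true
  puts PROJECT.check(:save, COLLAB, changed: [:due_date])  # due_date denial string
  puts PROJECT.check(:save, OUTSIDER)                      # save denial string
end
```

The design point worth noting is the fail-closed default in `check`: an action nobody wrote a rule for is denied rather than silently allowed, and callers that want a reason for the denial get the string instead of having to reconstruct it.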
@danibrear

I think there might be some confusion on the CanCan usage because it can actually be used in Views and Helpers as well: https://github.com/ryanb/cancan/wiki/Link-Helpers.
Also on a different model than the current_user, as in your line 48 usage: https://github.com/ryanb/cancan/wiki/Ability-for-Other-Users
