app/models/permission.rb in gb_mapfish_appserver-0.8.7 vs app/models/permission.rb in gb_mapfish_appserver-0.9.0

- old
+ new

@@ -45,11 +45,11 @@ end def role_can?(role_id, action, resource) ActiveRecord::Base.silence do can = if has_resource_list? - permitted_resources(role_id, action).include?(resource) + permitted_resources(role_id, action, resources).include?(resource) else permitted?(resource, permissions(role_id, action)) end #Rails.logger.debug ">>>>>>>>>>>>>>>>>> role_can? role_id: #{role_id}, action: #{action}, resource: #{resource.name} -> #{can}" can @@ -65,17 +65,19 @@ end p end def roles_can?(roles, action, resource) + # find first permitted role if any roles.find { |role| role_can?(role.id, action, resource) } end def add_ability(ability, roles) ActiveRecord::Base.silence do actions.each do |action| if has_resource_list? + # use Rails cache ids = Rails.cache.fetch("permitted_resource_ids-#{action}-#{@resource_type_name}-roles-#{roles.collect(&:id).join(',')}") do permitted_resource_ids(roles, action) end #Rails.logger.debug ">>>>>>>>>>>> permitted_resource_ids with roles #{roles.collect(&:name).join(',')} can? #{action} #{@resource_type_name}: #{ids.inspect}" ability.can(action, @klass, :id => ids) unless ids.empty? 
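Review bot: The new `# use Rails cache` comment in `add_ability` does not say how long a cached grant stays valid, which is what a maintainer of an authorization path needs to know. The `Rails.cache.fetch` call visible here passes no `expires_in`, and the key is built only from the action, `@resource_type_name` and the role ids, so unless entries are cleared somewhere outside this hunk, a permission that is removed or changed to a deny would keep being granted from the cache. I would replace the comment with something like `# cached per action/type/role set; must be invalidated whenever a Permission row for these roles changes`, and pass an expiry if no invalidation exists. The key also depends on the order of `roles`; sorting the ids before `join(',')` would avoid separate entries for the same role set. The body of `add_ability` continues past the end of the hunk.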
@@ -88,38 +90,41 @@ end end protected + # higher sequence takes precedence def permitted?(resource, permissions) allow = false permissions.each do |permission| if permission.deny + # NOTE: permissions with higher sequence will override this, so deny permissions should have highest sequence allow = false if compare(resource, permission.resource) else allow ||= compare(resource, permission.resource) end end allow end - #All resource permissionsfor a given role_id + action - def permitted_resources(role_id, action) + #All resource permissions for a given role_id + action + def permitted_resources(role_id, action, resources_list) permissions = permissions(role_id, action) - resources.select do |r| + resources_list.select do |r| permitted?(r, permissions) end end #All permitted resources (ids) for given roles and a action def permitted_resource_ids(roles, action) ids = [] return ids if !has_resource_list? - roles.each { |role| ids += permitted_resources(role.id, action).collect(&:id) } + resources_list = resources.all # load resources here to optimize loop below + roles.each { |role| ids += permitted_resources(role.id, action, resources_list).collect(&:id) } ids.sort.uniq end - #All permissions for a given role_id + action + #All permissions for a given role_id + action, ordered by sequence def permissions(role_id, action) Permission.where(:role_id => role_id, :resource_type => @resource_type_name, :action => action).order( 'resource_type,role_id,sequence').all end
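Review bot: The NOTE added in `permitted?` documents that a matching deny is undone by any later matching allow, but nothing visible enforces that deny rows carry the highest sequence, so a single mis-ordered rule grants access silently. `permissions` orders by `'resource_type,role_id,sequence'`; rows with an equal `sequence` come back in database-defined order, which makes the result for an allow/deny pair on the same resource unpredictable. If deny-wins is acceptable for existing rule sets, `return false if compare(resource, permission.resource)` in the deny branch makes the outcome independent of ordering; otherwise add a unique tie-breaker to the `order` clause and validate sequences when permissions are saved. Separately, the comment on `resources.all` assumes `all` returns a loaded array, which depends on the Rails version in use.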