# Applies a single change tuple to +engine+, mutating it in place.
#
# +change+ is an Array whose first element names the operation and
# whose remaining elements are its arguments:
#   [:add_role,         role_sym]
#   [:add_privilege,    privilege, context, role]
#   [:remove_privilege, privilege, context, role]
#
# +privilege+ and +role+ are looked up via Privilege.for_sym /
# Role.for_sym after calling #to_sym on them, so this method assumes the
# tuple originates from trusted tooling rather than from end-user input.
#
# Returns true when the engine was modified, false when the change is a
# no-op (role already present; privilege already reachable through the
# role or privilege hierarchy; nothing to remove), and nil when the
# operation is not one of the three listed above.
def self.apply_change(engine, change)
  kind = change[0]

  case kind
  when :add_role
    role_symbol = change[1]
    return false if engine.roles.include?(role_symbol)

    engine.roles << role_symbol
    true

  when :add_privilege
    privilege, context, role = change[1, 3]
    role = Role.for_sym(role.to_sym, engine)
    privilege = Privilege.for_sym(privilege.to_sym, engine)

    # The privilege counts as already granted if any rule on the role or
    # one of its ancestors covers the privilege or one of its ancestors
    # in this context.
    candidate_privileges = [privilege] + privilege.ancestors
    candidate_roles = [role] + role.ancestors
    already_granted = candidate_privileges.any? do |priv|
      candidate_roles.any? do |candidate_role|
        !candidate_role.rules_for_permission(priv, context).empty?
      end
    end
    return false if already_granted

    engine.auth_rules << AuthorizationRule.new(role.to_sym, [privilege.to_sym], [context])
    true

  when :remove_privilege
    privilege, context, role = change[1, 3]
    role = Role.for_sym(role.to_sym, engine)
    privilege = Privilege.for_sym(privilege.to_sym, engine)

    matching_rules = role.rules_for_permission(privilege, context)
    return false if matching_rules.empty?

    matching_rules.each do |matched|
      auth_rule = matched.rule
      auth_rule.privileges.delete(privilege.to_sym)
      # Drop the whole rule once it no longer grants anything.
      engine.auth_rules.delete(auth_rule) if auth_rule.privileges.empty?
    end
    true
  end
end