From 33b3e5a6008d306ad0d04e0b0b151b195b5f5985 Mon Sep 17 00:00:00 2001
From: John Bintz
Date: Fri, 22 Jun 2012 15:40:15 -0400
Subject: [PATCH] stupid simple support for a granular permissions system based on a content types table. h@xx
---
 .../locomotive/content_entries_controller.rb | 7 +++++++
 app/models/locomotive/ability.rb | 14 +++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/app/controllers/locomotive/content_entries_controller.rb b/app/controllers/locomotive/content_entries_controller.rb
index 50a26b02..044485ce 100644
--- a/app/controllers/locomotive/content_entries_controller.rb
+++ b/app/controllers/locomotive/content_entries_controller.rb
@@ -22,26 +22,31 @@ module Locomotive
 def show
 @content_entry = @content_type.entries.find(params[:id])
+ authorize! params[:action].to_sym, @content_entry
 respond_with @content_entry
 end
 def new
 @content_entry = @content_type.entries.build
+ authorize! params[:action].to_sym, @content_entry
 respond_with @content_entry
 end
 def create
 @content_entry = @content_type.entries.create(params[:content_entry])
+ authorize! params[:action].to_sym, @content_entry
 respond_with @content_entry, :location => edit_content_entry_url(@content_type.slug, @content_entry._id)
 end
 def edit
 @content_entry = @content_type.entries.find(params[:id])
+ authorize! params[:action].to_sym, @content_entry
 respond_with @content_entry
 end
 def update
 @content_entry = @content_type.entries.find(params[:id])
+ authorize! params[:action].to_sym, @content_entry
 @content_entry.update_attributes(params[:content_entry])
 respond_with @content_entry, :location => edit_content_entry_url(@content_type.slug, @content_entry._id)
 end
@@ -51,8 +56,10 @@ module Locomotive
 respond_with @content_type
 end
+
 def destroy
 @content_entry = @content_type.entries.find(params[:id])
+ authorize! params[:action].to_sym, @content_entry
 @content_entry.destroy
 respond_with @content_entry, :location => content_entries_url(@content_type.slug)
 end
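Review bot: In `create` the `authorize!` call runs after `@content_type.entries.create(params[:content_entry])`, so the entry is already persisted when the check raises and a denied account still writes data. Build first and save only after the check: `@content_entry = @content_type.entries.build(params[:content_entry])`, `authorize! :create, @content_entry`, `@content_entry.save`. The other actions, and `destroy` in the second hunk, do check before acting, but they all derive the ability from `params[:action].to_sym`; `action_name.to_sym` or a literal symbol reads the routed action directly rather than through the params hash. Whether `index` (outside these hunks) is covered by any check is not visible here.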
diff --git a/app/models/locomotive/ability.rb b/app/models/locomotive/ability.rb
index f5f841f4..2e78629b 100644
--- a/app/models/locomotive/ability.rb
+++ b/app/models/locomotive/ability.rb
@@ -32,7 +32,19 @@ module Locomotive
 can :touch, [Page, ThemeAsset]
 can :sort, Page
- can :manage, [ContentEntry, ContentAsset]
+ can :manage, [ContentEntry, ContentAsset] do |entry|
+ result = true
+
+ if perm_defs = ContentType.where(:slug => 'permissions').first
+ perms = perm_defs.entries.where(:user_email => @account.email).collect(&:types).collect { |types| types.split(',') }.flatten
+
+ if !perms.empty?
+ result = perms.any? { |perm| perm == entry.content_type.slug }
+ end
+ end
+
+ result
+ end
 can :touch, Site do |site|
 site == @site
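Review bot: The new `can :manage` block fails open: `result` starts as `true` and is only narrowed when the account already has rows in the `permissions` type, so an account with no rows (or whose last row is deleted) keeps full access to every content type. If that default is intended, say so in a comment such as `# accounts without a permissions row are unrestricted`; otherwise drop the `if !perms.empty?` guard and use `result = perms.include?(entry.content_type.slug)` once the table exists. The rows are themselves content entries covered by this same rule, so an account allowed on the `permissions` slug can rewrite its own row, and the `ContentType.where(:slug => 'permissions')` lookup is not limited to `@site`, so with several sites it may read another site's table. The block also runs for ContentAsset, where `entry.content_type.slug` may not apply (the model and the enclosing method are outside this hunk), so a separate `can :manage, ContentAsset` line looks safer.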