Diff
Modified: branches/authorization_new/app/controllers/experiments_controller.rb (2079 => 2080)
--- branches/authorization_new/app/controllers/experiments_controller.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/controllers/experiments_controller.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -102,8 +102,7 @@
def find_experiment_auth
experiment = Experiment.find(:first, :conditions => ["id = ?", params[:id]])
- # experiments don't use policy-based authorization, hence original authorization mechanism can be left unchanged
- if experiment and experiment.authorized?(action_name, current_user)
+ if experiment and Authorization.is_authorized?(action_name, nil, experiment, current_user)
@experiment = experiment
else
error("Experiment not found or action not authorized", "is invalid (not authorized)")
Modified: branches/authorization_new/app/controllers/jobs_controller.rb (2079 => 2080)
--- branches/authorization_new/app/controllers/jobs_controller.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/controllers/jobs_controller.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -23,16 +23,14 @@
end
def show
- # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
- unless @job.runnable.authorized?(action_name, current_user)
+ unless Authorization.is_authorized?(action_name, nil, @job, current_user)
flash[:error] = "<p>You will not be able to submit this Job, but you can still see the details of it."
flash[:error] = "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
end
# TODO: check that runnable version still exists
- # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
- unless @job.runner.authorized?(action_name, current_user)
+ unless Authorization.is_authorized?(action_name, nil, @job, current_user)
flash[:error] = "You will not be able to submit this Job, but you can still see the details of it." unless flash[:error]
flash[:error] += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
end
@@ -100,8 +98,7 @@
end
end
- # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
- if !runnable or !runnable.authorized?('download', user)
+ if not runnable or not Authorization.is_authorized?('download', nil, runnable, user)
success = false
@job.errors.add(:runnable_id, "not valid or not authorized")
else
@@ -115,8 +112,7 @@
# Check runner is a valid and authorized one
# (for now we can assume it's a TavernaEnactor)
runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:job][:runner_id]])
- # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
- if !runner or !runner.authorized?('execute', user)
+ if not runner or not Authorization.is_authorized?('execute', nil, runner, user)
success = false
@job.errors.add(:runner_id, "not valid or not authorized")
end
@@ -217,14 +213,12 @@
errors_text = ''
# Authorize the runnable and runner
- # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
- unless @job.runnable.authorized?(action_name, current_user)
+ unless Authorization.is_authorized?(action_name, nil, @job, current_user)
success = false;
errors_text += "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
end
- # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
- unless @job.runner.authorized?(action_name, current_user)
+ unless Authorization.is_authorized?(action_name, nil, @job, current_user)
success = false;
errors_text += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
end
@@ -317,8 +311,7 @@
job.experiment = Experiment.new(:title => Experiment.default_title(user), :contributor => user)
elsif params[:change_experiment] == 'existing'
experiment = Experiment.find(params[:change_experiment_id])
- # experiments don't use policy-based authorization, hence original authorization method can be left unchanged
- if experiment and experiment.authorized?('edit', user)
+ if experiment and Authorization.is_authorized?('edit', nil, experiment, user)
job.experiment = experiment
else
flash[:error] = "Job could not be created because could not assign the parent Experiment."
@@ -344,8 +337,7 @@
def find_experiment_auth
experiment = Experiment.find(:first, :conditions => ["id = ?", params[:experiment_id]])
- # experiments don't use policy-based authorization, hence original authorization method can be left unchanged
- if experiment and experiment.authorized?(action_name, current_user)
+ if experiment and Authorization.is_authorized?(action_name, nil, experiment, current_user)
@experiment = experiment
else
# New and Create actions are allowed to run outside of the context of an Experiment
@@ -362,8 +354,7 @@
def find_job_auth
job = Job.find(:first, :conditions => ["id = ?", params[:id]])
- # jobs don't use policy-based authorization, hence original authorization method can be left unchanged
- if job and job.experiment.id == @experiment.id and job.authorized?(action_name, current_user)
+ if job and job.experiment.id == @experiment.id and Authorization.is_authorized?(action_name, nil, job, current_user)
@job = job
else
error("Job not found or action not authorized", "is invalid (not authorized)")
Modified: branches/authorization_new/app/controllers/runners_controller.rb (2079 => 2080)
--- branches/authorization_new/app/controllers/runners_controller.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/controllers/runners_controller.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -112,8 +112,7 @@
def find_runner_auth
runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:id]])
- # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
- if runner and runner.authorized?(action_name, current_user)
+ if runner and Authorization.is_authorized?(action_name, nil, runner, current_user)
@runner = runner
else
error("Runner not found or action not authorized", "is invalid (not authorized)")
Modified: branches/authorization_new/app/models/contribution.rb (2079 => 2080)
--- branches/authorization_new/app/models/contribution.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/models/contribution.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -82,11 +82,6 @@
policy.admin?(c_utor)
end
- # is c_utor authorized to perform action_name (using the policy)
- def authorized?(action_name, c_utor=nil)
- policy.nil? ? Policy._default(self.contributor, self).authorized?(action_name, self, c_utor) : policy.authorized?(action_name, self, c_utor)
- end
-
# is c_utor the owner of this contribution
def owner?(c_utor)
#contributor_id.to_i == c_utor.id.to_i and contributor_type.to_s == c_utor.class.to_s
Modified: branches/authorization_new/app/models/experiment.rb (2079 => 2080)
--- branches/authorization_new/app/models/experiment.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/models/experiment.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -42,22 +42,4 @@
experiments = Experiment.find_by_contributor('User', user.id)
return experiments + Experiment.find_by_groups(user)
end
-
- # Note: at the moment (Feb 2008), Experiments (and associated Jobs) are private to the owner, if a User owns it,
- # OR accessible by all members of a Group, if a Group owns it.
- def authorized?(action_name, c_utor=nil)
- return false if c_utor.nil?
-
- # Cannot ask authorization for a 'Network' contributor
- return false if c_utor.class.to_s == 'Network'
-
- case self.contributor_type.to_s
- when "User"
- return self.contributor_id.to_i == c_utor.id.to_i
- when "Network"
- return self.contributor.member?(c_utor.id)
- else
- return false
- end
- end
end
Modified: branches/authorization_new/app/models/job.rb (2079 => 2080)
--- branches/authorization_new/app/models/job.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/models/job.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -34,11 +34,6 @@
return s
end
- def authorized?(action_name, c_utor=nil)
- # Use authorization logic from parent Experiment
- return self.experiment.authorized?(action_name, c_utor)
- end
-
def last_status
if self[:last_status].nil?
return "not yet submitted"
Modified: branches/authorization_new/app/models/network.rb (2079 => 2080)
--- branches/authorization_new/app/models/network.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/models/network.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -68,10 +68,6 @@
owner.name
end
- def authorized?(action_name, contributor=nil)
- return true
- end
-
# has_many :relationships_completed, #accepted (by others)
# :class_name => "Relationship",
# :foreign_key => :network_id,
Modified: branches/authorization_new/app/models/policy.rb (2079 => 2080)
--- branches/authorization_new/app/models/policy.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/models/policy.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -18,99 +18,6 @@
validates_presence_of :contributor, :name
- def authorized?(action_name, c_ution=nil, c_utor=nil)
-
- if c_ution
- # return false unless correct policy for contribution
- return false unless c_ution.policy.id.to_i == id.to_i
- end
-
- # ======= Authorization logic continues... ======
-
- # Authenticated system sets current_user to 0 if not logged in
- c_utor = nil if c_utor == 0
-
- # false unless action can be categorized
- return false unless category = categorize(action_name)
-
- # Bit of hack for update permissions - 'view' and 'download' is authorized if 'edit' is authorized
- return true if ['download', 'view'].include?(category) and authorized?('edit', c_ution, c_utor)
-
-
- authorized_by_user_permissions = false
- authorized_by_policy = false
- authorized_by_group_permissions = false
-
- unless c_utor.nil?
- # being owner of the contribution / admin of the policy is the most important -
- # if this is the case, no further checks are required: access is authorized
- if c_ution
- # true if owner of contribution or administrator of contribution.policy
- return true if (c_ution.owner?(c_utor) or c_ution.admin?(c_utor))
- else
- # true if administrator of self
- return true if admin?(c_utor)
- end
-
-
- # c_utor is not the owner of the item, to which policy is attached;
- # next thing - obtain all the permissions that are relevant to
- # c_utor: either through individual or through group permissions
- user_permissions, group_permissions = all_permissions_for_contributor(c_utor)
-
- # DEBUG
- #logger.error "==================================================="
- #logger.error "user_permissions -> " + user_permissions.length.to_s
- #logger.error user_permissions.to_sentence
- #logger.error "group_permissions -> " + group_permissions.length.to_s
- #logger.error group_permissions.to_sentence
- #logger.error "==================================================="
- # END OF DEBUG
-
-
- # individual ('user') permissions override any other settings
- # (if several are found, which shouldn't be the case, all are collapsed into
- # one with the highest access rights)
- unless user_permissions.empty?
- user_permissions.each do |p|
- authorized_by_user_permissions = true if p.attributes["#{category}"]
- end
- return authorized_by_user_permissions
- end
-
-
- # no user permissions found, need to check what is allowed by policy
- # (check 'protected' settings first)
- if c_ution
- # true if contribution.contributor and contributor are related and policy[category_protected]
- authorized_by_policy = true if (c_ution.contributor.protected? c_utor and protected?(category))
- else
- # true if policy.contributor and contributor are related and policy[category_protected]
- authorized_by_policy = true if (self.contributor.protected? c_utor and protected?(category))
- end
- return authorized_by_policy if authorized_by_policy
-
-
- # not authorized by protected settings; check public policy settings
- authorized_by_policy = public?(category)
- return authorized_by_policy if authorized_by_policy
-
-
- # not authorized by policy at all, check the group permissions
- # (for the groups, where c_utor is a member or admin of)
- unless group_permissions.empty?
- group_permissions.each do |p|
- authorized_by_group_permissions = true if p.attributes["#{category}"]
- end
- return authorized_by_group_permissions if authorized_by_group_permissions
- end
- end
-
- # no other cases matched OR c_utor is unknown - apply public policy settings
- # true if policy[category_public]
- return public?(category)
- end
-
def admin?(c_utor)
return false unless c_utor
@@ -118,7 +25,6 @@
end
# THIS IS THE DEFAULT POLICY (see /app/views/policies/_list_form.rhtml)
- # IT IS CALLED IN contribution.rb::authorized? ; application.rb::update_policy()
def self._default(c_utor, c_ution=nil)
rtn = Policy.new(:name => "A default policy", # "anyone can view and download and no one else can edit"
:contributor => c_utor,
Modified: branches/authorization_new/app/models/taverna_enactor.rb (2079 => 2080)
--- branches/authorization_new/app/models/taverna_enactor.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/models/taverna_enactor.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -45,29 +45,6 @@
return runners + TavernaEnactor.find_by_groups(user)
end
- # Note: at the moment (Feb 2008), updates and deletes are only allowed by the creator of the TavernaEnactor
- # OR the administrator of the Group that owns the TavernaEnactor.
- # For all other actions, only creator OR members of the Group that owns the TavernaEnactor are authorized.
- def authorized?(action_name, c_utor=nil)
- return false if c_utor.nil?
-
- # Cannot ask authorization for a 'Network' contributor
- return false if c_utor.class.to_s == 'Network'
-
- case self.contributor_type.to_s
- when "User"
- return self.contributor_id.to_i == c_utor.id.to_i
- when "Network"
- if ['edit','update','delete'].include?(action_name.downcase)
- return self.contributor.owner?(c_utor.id)
- else
- return self.contributor.member?(c_utor.id)
- end
- else
- return false
- end
- end
-
def service_valid?
service_client.service_valid?
end
Modified: branches/authorization_new/app/views/experiments/_table.rhtml (2079 => 2080)
--- branches/authorization_new/app/views/experiments/_table.rhtml 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/views/experiments/_table.rhtml 2009-02-03 11:11:53 UTC (rev 2080)
@@ -33,8 +33,7 @@
</td>
<td class="actions" style="width: 80px;">
<%= icon "show", experiment_path(experiment), nil, nil, "View" %>
- <% # experiments use non policy-based authorization mechanism, so it's better to leave the experiment-specific authorization mechanism -%>
- <% if experiment.authorized?("edit", logged_in? ? current_user : nil) %>
+ <% if Authorization.is_authorized?('edit', nil, experiment, current_user) %>
<%= icon('edit', edit_experiment_path(experiment), nil, nil, 'Edit') %>
<% end %>
<%= icon "job", new_job_path(experiment), nil, nil, "New Job" %>
Modified: branches/authorization_new/app/views/experiments/show.rhtml (2079 => 2080)
--- branches/authorization_new/app/views/experiments/show.rhtml 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/views/experiments/show.rhtml 2009-02-03 11:11:53 UTC (rev 2080)
@@ -1,7 +1,6 @@
<% t "#{h @experiment.title}" -%>
-<% # experiments don't use policy-based authorization mechanism, so it's better to keep the experiment-specific authorization -%>
-<% if @experiment.authorized?('edit', current_user) -%>
+<% if Authorization.is_authorized?('edit', nil, @experiment, current_user) -%>
<ul class="sectionIcons">
<li><%= icon('edit', edit_experiment_path(@experiment), nil, nil, 'Edit Experiment') %></li>
</ul>
@@ -67,4 +66,4 @@
<p class="none_text">No jobs have been created as part of this Experiment.</p>
<% end -%>
</div>
-</div>
\ No newline at end of file
+</div>
Modified: branches/authorization_new/app/views/jobs/_table.rhtml (2079 => 2080)
--- branches/authorization_new/app/views/jobs/_table.rhtml 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/views/jobs/_table.rhtml 2009-02-03 11:11:53 UTC (rev 2080)
@@ -45,8 +45,7 @@
<td class="actions" style="width: 80px;">
<%= icon "show", job_url(job.experiment, job), nil, nil, "View" %>
<% if false -%>
- <% # jobs don't use policy-based authorization mechanism, so it's better to keep job-specific authorization -%>
- <% if job.authorized?("edit", logged_in? ? current_user : nil) -%>
+ <% if Authorization.is_authorized?('edit', nil, job, current_user) -%>
<%= icon('edit', edit_job_path(job.experiment, job), nil, nil, 'Edit') %>
<% end -%>
<% end -%>
Modified: branches/authorization_new/app/views/runners/_table.rhtml (2079 => 2080)
--- branches/authorization_new/app/views/runners/_table.rhtml 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/views/runners/_table.rhtml 2009-02-03 11:11:53 UTC (rev 2080)
@@ -35,8 +35,7 @@
</td>
<td class="actions" style="width: 80px;">
<%= icon "show", runner_path(runner), nil, nil, "View" %>
- <% # runners don't use policy-based authorization, so it's better to keep the runner-specific authorization -%>
- <% if runner.authorized?("edit", logged_in? ? current_user : nil) %>
+ <% if Authorization.is_authorized?('edit', nil, runner, current_user) %>
<%= icon('edit', edit_runner_path(runner), nil, nil, 'Edit') %>
<% end %>
</td>
Modified: branches/authorization_new/app/views/runners/show.rhtml (2079 => 2080)
--- branches/authorization_new/app/views/runners/show.rhtml 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/app/views/runners/show.rhtml 2009-02-03 11:11:53 UTC (rev 2080)
@@ -1,7 +1,6 @@
<% t "address@hidden - #{h @runner.title}" -%>
-<% # runners don't use policy-based authorization, so it's better to keep the runner-specific authorization -%>
-<% if @runner.authorized?('edit', current_user) -%>
+<% if Authorization.is_authorized?('edit', nil, @runner, current_user) -%>
<ul class="sectionIcons">
<li><%= icon('edit', edit_runner_path(@runner), nil, nil, 'Edit Runner') %></li>
</ul>
Modified: branches/authorization_new/lib/acts_as_contributable.rb (2079 => 2080)
--- branches/authorization_new/lib/acts_as_contributable.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/lib/acts_as_contributable.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -62,10 +62,7 @@
end
module InstanceMethods
- def authorized?(action_name, contributor=nil)
- Authorized.is_authorized?(action_name, nil, contribution, contributor)
- end
-
+
# the owner of the contribution record for this contributable
def owner?(c_utor)
contribution.owner?(c_utor)
Modified: branches/authorization_new/lib/acts_as_contributor.rb (2079 => 2080)
--- branches/authorization_new/lib/acts_as_contributor.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/lib/acts_as_contributor.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -70,16 +70,6 @@
false
end
- # first method in the authorization chain
- # Mib::Acts::Contributor.authorized? --> Mib::Acts::Contributable.authorized? --> Contribution.authorized? --> Policy.authorized? --> Permission[s].authorized? --> true / false
- def authorized?(action_name, contributable)
- if contributable.kind_of? Mib::Acts::Contributable
- return contributable.authorized?(action_name, self)
- else
- return false
- end
- end
-
def contribution_tags
tags = contribution_tags!
Modified: branches/authorization_new/lib/authorization.rb (2079 => 2080)
--- branches/authorization_new/lib/authorization.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/lib/authorization.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -5,6 +5,47 @@
module Authorization
+ # Authorization logic collected from enactment code
+
+ # Note: at the moment (Feb 2008), Experiments (and associated Jobs) are
+ # private to the owner, if a User owns it, OR accessible by all members of a
+ # Group, if a Group owns it.
+
+ def Authorization.experiment_authorized?(experiment, action_name, user)
+ return false if user.nil?
+
+ case experiment.contributor_type.to_s
+ when "User"
+ return experiment.contributor_id.to_i == user.id.to_i
+ when "Network"
+ return experiment.contributor.member?(user.id)
+ else
+ return false
+ end
+ end
+
+ def Authorization.job_authorized?(job, action_name, user)
+ # Use authorization logic from parent Experiment
+ return Authorization.experiment_authorized?(job.experiment, action_name, user)
+ end
+
+ def Authorization.runner_authorized?(runner, action_name, user)
+ return false if user.nil?
+
+ case runner.contributor_type.to_s
+ when "User"
+ return runner.contributor_id.to_i == user.id.to_i
+ when "Network"
+ if ['edit','update','delete'].include?(action_name.downcase)
+ return runner.contributor.owner?(user.id)
+ else
+ return runner.contributor.member?(user.id)
+ end
+ else
+ return false
+ end
+ end
+
# 1) action_name - name of the action that is about to happen with the "thing"
# 2) thing_type - class name of the thing that needs to be authorized;
# use NIL as a value of this parameter if an instance of the object to be authorized is supplied as "thing";
@@ -200,18 +241,26 @@
is_authorized = true
end
- when "Experiment", "Job", "TavernaEnactor", "Runner"
- # user instance is absolutely required for this - so find it, if not yet available
- unless user_instance
- user_instance = get_user(user_id)
- end
+ when "Experiment"
+
+ user_instance = get_user(user_id) unless user_instance
+
+ # "action_name" used to work with original action name, rather than classification made inside the module
+ is_authorized = Authorization.experiment_authorized?(thing_instance, action_name, user)
+
+ when "TavernaEnactor", "Runner"
+
+ user_instance = get_user(user_id) unless user_instance
+
+ # "action_name" used to work with original action name, rather than classification made inside the module
+ is_authorized = Authorization.runner_authorized?(thing_instance, action_name, user)
+
+ when "Job"
+
+ user_instance = get_user(user_id) unless user_instance
- # "thing_instance" was already found previously;
- # neither of these "thing" types uses policy-based authorization, hence use
- # the existing <thing>.authorized?() method
- #
# "action_name" used to work with original action name, rather than classification made inside the module
- is_authorized = thing_instance.authorized?(action_name, user)
+ is_authorized = Authorization.job_authorized?(thing_instance, action_name, user)
else
# don't recognise the kind of "thing" that is being authorized, so
Modified: branches/authorization_new/lib/rest.rb (2079 => 2080)
--- branches/authorization_new/lib/rest.rb 2009-02-02 17:28:18 UTC (rev 2079)
+++ branches/authorization_new/lib/rest.rb 2009-02-03 11:11:53 UTC (rev 2080)
@@ -540,9 +540,9 @@
# runner = TavernaEnactor.find_by_id(runner_bits[1].to_i)
# runnable = Workflow.find_by_id(runnable_bits[1].to_i)
#
-# return rest_error_response(400, 'Bad Request') if experiment.nil? or not experiment.authorized?("edit", user)
-# return rest_error_response(400, 'Bad Request') if runner.nil? or not runner.authorized?("download", user)
-# return rest_error_response(400, 'Bad Request') if runnable.nil? or not runnable.authorized?("view", user)
+# return rest_error_response(400, 'Bad Request') if experiment.nil? or not Authorization.is_authorized?('edit', nil, experiment, user)
+# return rest_error_response(400, 'Bad Request') if runner.nil? or not Authorization.is_authorized?('download', nil, runner, user)
+# return rest_error_response(400, 'Bad Request') if runnable.nil? or not Authorization.is_authorized?('view', nil, runnable, user)
#
# puts "#{params[:job]}"
#
@@ -587,7 +587,7 @@
root['type' ] = query['type'] if query['type']
# filter out ones they are not allowed to get
- results = results.select do |r| r.respond_to?('contribution') == false or r.authorized?('index', user) end
+ results = results.select do |r| r.respond_to?('contribution') == false or Authorization.is_authorized?('index', nil, r, user) end
results.each do |result|
root << rest_reference(result, query)
@@ -711,9 +711,10 @@
#
# return rest_error_response(404, 'Resource Not Found') if resource.nil?
#
-# # this will have to be replaced with Authorization.is_authorized?() if it comes into use at some point
+# FIXME: The following respond_to? would not work anymore
+#
# if resource.respond_to?('authorized?')
-# return rest_error_response(403, 'Not Authorized') if not resource.authorized?('edit', user)
+# return rest_error_response(403, 'Not Authorized') if not Authorization.is_authorized?('edit', nil, resource, user)
# end
#
# end