New authorization

app/controllers/admin/authorizations_controller.rb

@@ -1,13 +1,13 @@
 class Admin::AuthorizationsController < OrbitBackendController
 
-  before_filter :admin_or_manager
+  prepend_before_filter :admin_or_manager
    
   def index
-    @module_apps ||= ModuleApp.where(is_authorizable: true).order_by([:title, :asc])
+    @module_apps ||= ModuleApp.any_of({is_authorizable: true}, {is_approvable: true}).order_by([:title, :asc])
     if @module_apps && @module_apps.include?(@module_app)
       if @type
         case @type
-        when 'category', 'approval'
+        when 'category_authorization', 'category_approval'
           if @module_app.has_category
             @objects = @module_app.categories
           else
@@ -18,12 +18,12 @@ class Admin::AuthorizationsController < OrbitBackendController
         end
         unless @objects.blank?
           @object ||= @objects.first
-          @users = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}").auth_users
+          @users = @object.get_authorization_by_title("#{@type}_#{@module_app.key}").authorized_users rescue nil
         else
           @error = t(:no_data)
         end
       else
-        @users = @module_app.managing_users
+        @users = @module_app.managers
       end
     elsif @module_apps
       @module_app = @module_apps.first
@@ -33,35 +33,42 @@ class Admin::AuthorizationsController < OrbitBackendController
     end
   end
 
-  def add(users)
+  def add_roles
-    unless users.blank?
+    roles = Role.find(params[:role_ids]) rescue []
-      if @type
+    users = []
-        if @object
+    roles.each do |role|
-          object_auth = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}")
+      users += role.users.all.entries
-          add_users_to_object_auth(object_auth, users)
-        else
-          @error = t(:no_data)
     end
-      else
+    unless roles.blank?
-        add_managers(users) unless users.blank?
+      authorization = get_or_create_authorization
+      add_roles_to_auth(authorization, roles) unless @error
     end
+    @users = authorization.authorized_users
+    render 'admin/authorizations/reload_users'
   end
-    @users = users 
+
-    render 'admin/authorizations/insert_users'
+  def add_sub_roles
+    sub_roles = SubRole.find(params[:sub_role_ids]) rescue []
+    users = []
+    sub_roles.each do |sub_role|
+      users += sub_role.users.all.entries
+    end
+    unless sub_roles.blank?
+      authorization = get_or_create_authorization
+      add_sub_roles_to_auth(authorization, sub_roles) unless @error
+    end
+    @users = authorization.authorized_users
+    render 'admin/authorizations/reload_users'
   end
 
   def add_users
     users = User.find(params[:user_ids]) rescue []
-    add(users)
+    unless users.blank?
+      authorization = get_or_create_authorization
+      add_users_to_auth(authorization, users) unless @error
     end
-
+    @users = authorization.authorized_users
-  def add_roles
+    render 'admin/authorizations/reload_users'
-    roles = Role.find(params[:role_ids]) rescue []
-    users = roles.inject([]) do |users, role|
-      users += role.users.all.entries
-      users
-    end
-    add(users)
   end
 
   def modal_select
@@ -70,63 +77,111 @@ class Admin::AuthorizationsController < OrbitBackendController
     if @type
       @object_id = @object.id if @object
       @sorted_users = roles.inject({}) do |users, role|
-        users[role] = role.users.where(admin: false).not_guest_user - existing_users - @module_app.managing_users
+        users[role] = role.users.where(admin: false) - existing_users - @module_app.managers
         users
       end
     else
       @sorted_users = roles.inject({}) do |users, role|
-        users[role] = role.users.where(admin: false).not_guest_user - existing_users
+        users[role] = role.users.where(admin: false) - existing_users
         users
       end
     end
   end
 
+  def remove_roles
+    roles = Role.find(params[:role_ids]) rescue []
+    unless roles.blank?
+      authorization = get_or_create_authorization
+      remove_roles_form_auth(authorization, roles)
+    end
+    @users = authorization.authorized_users
+    render 'admin/authorizations/reload_users'
+  end
+
+  def remove_sub_roles
+    sub_roles = SubRole.find(params[:sub_role_ids]) rescue []
+    unless sub_roles.blank?
+      authorization = get_or_create_authorization
+      remove_sub_roles_from_auth(authorization, sub_roles)
+    end
+    @users = authorization.authorized_users
+    render 'admin/authorizations/reload_users'
+  end
+
   def remove_users
     @users = User.find(params[:ids]) rescue []
     unless @users.blank?
-      if @type
+      authorization = get_or_create_authorization
-        if @object
+      remove_users_from_auth(authorization, @users)
-          object_auth = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}")
-          remove_users_form_object_auth(object_auth, @users)
-        else
-          @error = t(:no_data)
     end
-      else
+    @users = authorization.authorized_users
-        remove_managers(@users)
+    render 'admin/authorizations/reload_users'
-      end
-    end
-    render 'admin/authorizations/remove_users'
   end
   
   protected
 
-  def add_managers(users)
+  def add_managers_to_auth(users)
-    users.each do |user|
+    @module_app.add_managers(users)
-      @module_app.assign_manager(user, current_user)
+  end
+
+  def add_roles_to_auth(authorization, roles)
+    authorization.add_roles(roles)
+  end
+
+  def add_sub_roles_to_auth(authorization, sub_roles)
+    authorization.add_sub_roles(sub_roles)
+  end
+
+  def add_users_to_auth(authorization, users)
+    authorization.add_users(users)
+  end
+
+  def get_or_create_authorization
+    case @type
+    when 'category_approval'
+      if @object
+        @object.auth_approval || @object.create_auth_approval(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}")
+      else
+        @error = t(:no_data)
+      end
+    when 'category_authorization'
+      if @object
+        @object.auth_sub_manager || @object.create_auth_sub_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}")
+      else
+        @error = t(:no_data)
+      end
+    when nil
+      @module_app.auth_manager || @module_app.create_auth_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}")
+    else
+      auth = @object.get_authorization_by_title("#{@type}_#{@module_app.key}")
+      unless auth
+        auth = @object.create_auth_approval(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") if @type.include?('approval')
+        auth = @object.create_auth_sub_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") if @type.include?('authorization')
+      end
+      auth
     end
   end
 
-  def add_users_to_object_auth(object_auth, users)
+  def remove_managers_from_auth(users)
-    users.each do |user|
+    @module_app.remove_manager(users)
-      object_auth.add_user_to_privilege_list(user)
-    end
   end
 
-  def remove_managers(users)
+  def remove_roles_form_auth(authorization, roles)
-    users.each do |user|
+    authorization.remove_roles(roles)
-      @module_app.remove_manager(user)
-    end
   end
 
-  def remove_users_form_object_auth(object_auth, users)
+  def remove_sub_roles_from_auth(authorization, sub_roles)
-    users.each do |user|
+    authorization.remove_sub_roles(sub_roles)
-      object_auth.remove_user_from_privilege_list(user)
   end
+
+  def remove_users_from_auth(authorization, users)
+    authorization.remove_users(users)
   end
 
   private
 
   def admin_or_manager
+    @override_can_use = true
     setup_vars   
     authenticate_user!
     user_is_manager?
@@ -136,7 +191,7 @@ class Admin::AuthorizationsController < OrbitBackendController
     @module_app = ModuleApp.first(conditions: {:key => params[:module]} ) if params[:module]
     @type = params[:type].underscore if params[:type]
     if @type
-      @klass = @type.classify.constantize rescue nil
+      @klass = @type.gsub('_authorization', '').gsub('_approval', '').classify.constantize rescue nil
       @object = @klass.find(params[:id]) rescue nil
     end
   end

app/controllers/admin/dashboards_controller.rb

@@ -4,6 +4,8 @@ class Admin::DashboardsController < OrbitBackendController
   #before_filter :authenticate_user!, :except => [:index]
 #  before_filter :is_admin?
 
+  prepend_before_filter :set_public
+
   layout "basic_back_end"
   
   def index

app/controllers/admin/users_new_interface_controller.rb

@@ -2,18 +2,9 @@ class Admin::UsersNewInterfaceController <  OrbitMemberController
 
   helper MemberHelper
   
-  # before_filter :authenticate_user!
-  # before_filter :set_attribute, :only => [:index, :show, :new, :edit]
-  
-  before_filter :force_order_for_visitor,:only=>[:index,:show]
-  before_filter :force_order_for_user,:except => [:index,:show]
   before_filter :set_attribute,:except => [:index,:show]
+  prepend_filter :set_public, :only => [:index, :show]
 
-  def setup_vars
-    # @app_title ||= controller_path.split('/')[1].singularize
-    # @module_app ||= ModuleApp.first(conditions: {:key => @app_title} )
-    # raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil?
-  end
 
   def index
     get_tags

app/controllers/orbit_backend_controller.rb

@@ -1,7 +1,6 @@
 class OrbitBackendController < ApplicationController
   include OrbitCategory::Categorizing
-  include OrbitCoreLib::AppBackendUtility
+  include OrbitCoreLib::Authorization
-  include OrbitCoreLib::PermissionUtility
   include OrbitTag::Tagging
   include AdminHelper
   include ApplicationHelper
@@ -10,12 +9,6 @@ class OrbitBackendController < ApplicationController
   
   layout "back_end"
 
-  def setup_vars
-    @app_title ||= controller_path.split('/')[1].singularize
-    @module_app ||= ModuleApp.first(conditions: {:key => @app_title} )
-    raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil?
-  end
-
   def get_statuses
     status = []
     status << 'is_top'
@@ -28,27 +21,4 @@ class OrbitBackendController < ApplicationController
     end
     status
   end
-
-  private
-
-  def force_order_for_visitor
-    check_backend_openness
-    setup_vars
-    set_current_user
-  end
-
-
-  def force_order_for_user
-    setup_vars
-    set_current_user
-    authenticate_user!
-    check_user_can_use
-  end
-
-  def check_user_can_use
-    unless check_permission
-      #redirect_to polymorphic_path(['panel',@app_title,'back_end','public'])
-      redirect_to root_url
-    end
-  end
 end

app/controllers/orbit_member_controller.rb

@@ -1,7 +1,6 @@
 class OrbitMemberController < ApplicationController
   include OrbitCategory::Categorizing
-  include OrbitCoreLib::AppBackendUtility
+  include OrbitCoreLib::Authorization
-  include OrbitCoreLib::PermissionUtility
   include OrbitTag::Tagging
   include AdminHelper
   include ApplicationHelper
@@ -10,12 +9,6 @@ class OrbitMemberController < ApplicationController
   
   layout "member"
 
-  def setup_vars
-    @app_title ||= controller_path.split('/')[1].singularize
-    @module_app ||= ModuleApp.first(conditions: {:key => @app_title} )
-    raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil?
-  end
-
   def get_statuses
     status = []
     status << 'is_top'
@@ -28,27 +21,4 @@ class OrbitMemberController < ApplicationController
     end
     status
   end
-
-  private
-
-  def force_order_for_visitor
-    check_backend_openness
-    setup_vars
-    set_current_user
-  end
-
-
-  def force_order_for_user
-    setup_vars
-    set_current_user
-    authenticate_user!
-    check_user_can_use
-  end
-
-  def check_user_can_use
-    unless check_permission
-      #redirect_to polymorphic_path(['panel',@app_title,'back_end','public'])
-      redirect_to root_url
-    end
-  end
 end

app/helpers/orbit_backend_helper.rb

@@ -321,9 +321,9 @@ module OrbitBackendHelper
   def is_authorized(object)
     autorized = @module_app.authorizable_models.inject(false) do |autorized, klass|
       if object.is_a?(klass.constantize)
-        autorized ||= object.cur_user_is_sub_manager_of("#{klass.underscore}_#{@module_app.key}")
+        autorized ||= object.user_can_sub_manage?(current_user)
       else
-        autorized ||= object.category.cur_user_is_sub_manager_of("category_#{@module_app.key}")
+        autorized ||= object.category.user_can_sub_manage?(current_user)
       end
       autorized
     end

app/models/auth/auth_approval.rb

@@ -0,0 +1,6 @@
+class AuthApproval < Authorization
+	field :title
+	
+	belongs_to :approval_authorizable, polymorphic: true
+	has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'approving_apps'
+end

app/models/auth/auth_manager.rb

@@ -0,0 +1,4 @@
+class AuthManager < Authorization
+	# belongs_to :manager_authorizable, polymorphic: true
+	has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'managing_apps'
+end

app/models/auth/auth_sub_manager.rb

@@ -0,0 +1,6 @@
+class AuthSubManager < Authorization
+	field :title
+
+	belongs_to :sub_manager_authorizable, polymorphic: true
+	has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'sub_managing_apps'
+end

app/models/auth/authorization.rb

@@ -0,0 +1,108 @@
+class Authorization
+  include Mongoid::Document
+  include Mongoid::Timestamps
+
+  field :title
+
+  belongs_to :module_app
+
+  has_and_belongs_to_many :roles
+  has_and_belongs_to_many :sub_roles
+
+  delegate :update_auth_approval_users, :update_auth_manager_users, :update_auth_sub_manager_users, to: :module_app, prefix: true, allow_nil: true
+
+  after_save :update_module_app
+
+
+  def add_roles(roles)
+  	users = []
+  	roles = Array(roles)
+    add_operation(:roles, roles)
+    sub_roles = [] 
+    roles.each{|role| role.sub_roles.each{|sub_role| sub_roles << sub_role.id}}
+    add_operation(:sub_roles, sub_roles)
+    roles.each{|role| role.users.where(admin: false).each{|user| users << user}}
+		add_users(users, false)
+  end
+  
+  def add_sub_roles(sub_roles)
+  	users = []
+  	sub_roles = Array(sub_roles)
+    add_operation(:sub_roles, sub_roles)
+    sub_roles.each do |sub_role| 
+			self.roles << sub_role.role unless self.roles.include?(sub_role.role)
+    	sub_role.users.where(admin: false).each{|user| users << user}
+    end
+		add_users(users, false)
+  end
+  
+  def add_users(users, with_parents = true)
+  	users = Array(users)
+    add_operation(:authorized_users, users)
+    users.each do |user|
+    	user.roles.each do |role|
+	    	self.roles << role unless self.roles.include?(role)
+    	end
+    	user.sub_roles.each do |sub_role|
+	    	self.sub_roles << sub_role unless self.sub_roles.include?(sub_role)
+    	end
+    end if with_parents
+   	self.save
+  end
+
+  def remove_roles(roles)
+  	users = []
+  	sub_roles = []
+  	roles = Array(roles)
+  	remove_operation(:roles, roles)
+ 		roles.each do |role|
+ 			role.sub_roles.each{|sub_role| sub_roles << sub_role}
+ 			role.users.where(admin: false).each{|user| users << user}
+ 		end
+		remove_operation(:sub_role_ids, sub_roles)
+		remove_operation(:authorized_user_ids, users)
+		add_roles(self.roles)
+  end
+
+  def remove_sub_roles(sub_roles)
+  	users = []
+  	sub_roles = Array(sub_roles)
+  	remove_operation(:sub_roles, sub_roles)
+  	sub_roles.each do |sub_role|
+  		users << sub_role.users.where(admin: false)
+  	end
+		remove_operation(:authorized_user_ids, users)
+		add_roles(self.roles)
+  end
+
+  def remove_users(users)
+  	users = Array(users)
+  	remove_operation(:authorized_user_ids, users)
+   	self.save
+  end
+
+  protected
+
+  def add_operation(db_field, objs)
+   	objs.each do |obj|
+	   	self.send(db_field) << obj unless self.send(db_field).include?(obj)
+   	end
+  end  
+
+  def remove_operation(db_field, obj)
+    self.write_attribute(db_field, self.send(db_field) - obj.map{|y| y.id})
+  end
+
+  private
+
+  def update_module_app
+  	case self._type
+  	when "AuthApproval"
+  		self.module_app_update_auth_approval_users
+  	when "AuthManager"
+  		self.module_app_update_auth_manager_users
+  	when "AuthSubManager"
+  		self.module_app_update_auth_sub_manager_users
+  	end
+  end
+end

app/models/category.rb

@@ -1,7 +1,7 @@
 class Category
   include Mongoid::Document
   include Mongoid::Timestamps
-  include OrbitCoreLib::ObjectAuthable
+  include OrbitModel::Authorizable
 
   field :disable, type: Boolean, default: false
   field :title, localize: true

app/models/module_app.rb

@@ -1,16 +1,26 @@
 class ModuleApp
   include Mongoid::Document
   include Mongoid::Timestamps
-  include OrbitCoreLib::ObjectTokenUtility
+  # include OrbitCoreLib::ObjectTokenUtility
-  include OrbitApp::ModuleAppMembershipTools
+  # include OrbitApp::ModuleAppMembershipTools
 
+  field :auth_approval_users, type: Array, default: nil
+  field :auth_manager_users, type: Array, default: nil
+  field :auth_sub_manager_users, type: Array, default: nil
   field :key
   field :title
   field :sidebar_order,type: Integer,default: 0
 
+  has_one :auth_manager, dependent: :destroy
+  has_many :auth_approvals, dependent: :destroy
+  has_many :auth_sub_managers, dependent: :destroy
   has_many :categories, dependent: :destroy
   has_many :module_tags, dependent: :destroy
 
+  has_many :approvals #to remove
+
+  delegate :authorized_users, to: :auth_manager, prefix: true, allow_nil: true
+
   def refetch_setting!(reg)
     # %w{module_label category base_url version organization author intro update_info create_date}.each  do |field|
     #   self[field.to_sym] =  reg.send field 
@@ -24,6 +34,7 @@ class ModuleApp
     self[:has_category] = reg.get_has_category
     self[:is_approvable] = reg.get_is_approvable
     self[:is_authorizable] = reg.get_is_authorizable
+    self[:approvable_models] = reg.get_approvable_models
     self[:authorizable_models] = reg.get_authorizable_models
   end
 
@@ -168,4 +179,71 @@ class ModuleApp
     self.module_tags.map{|t| t.tag }
   end
 
+
+  # authorization
+  def update_auth_approval_users
+    user_ids = self.auth_approvals.inject([]) do |users, auth|
+      users += auth.authorized_users.map{|user| user.id}
+    end
+    update_attribute(:auth_approval_users, user_ids.uniq)
+  end
+
+  def update_auth_manager_users
+    update_attribute(:auth_manager_users, self.auth_manager_authorized_users.map{|user| user.id})
+  end
+
+  def update_auth_sub_manager_users
+    user_ids = self.auth_sub_managers.inject([]) do |users, auth|
+      users += auth.authorized_users.map{|user| user.id}
+    end
+    update_attribute(:auth_sub_manager_users, user_ids.uniq)
+  end
+
+  def managers
+    auth_manager_authorized_users || []
+  end
+
+  def user_can_manage?(user)
+    managers.include?(user)
+  end
+
+  def add_managers(users)
+    users = Array(users)
+    if auth_manager = self.auth_manager
+      auth_manager.update_attribute(:authorized_users, (auth_manager.authorized_users + users).uniq)
+    else
+      self.create_auth_manager(authorized_users: users)
+    end
+  end
+
+  def remove_managers(users)
+    users = Array(users)
+    users = users.delete_if{|user| user == current_user || is_admin?}
+    self.auth_manager.update_attribute(:authorized_users, auth_manager.authorized_users - users)
+  end
+
+  def is_manager?(user)
+    if user && !auth_manager_users.blank?
+      auth_manager_users.include?(user.id)
+    else
+      false
+    end
+  end
+  
+  def is_sub_manager?(user)
+    if user && !auth_sub_manager_users.blank?
+      auth_sub_manager_users.include?(user.id)
+    else
+      false
+    end
+  end
+  
+  def can_approve?(user)
+    if user && !auth_approval_users.blank?
+      auth_approval_users.include?(user.id)
+    else
+      false
+    end
+  end
+
 end

app/models/user/user.rb

@@ -19,12 +19,16 @@ class User
   field :cache_dept,type: Hash
   field :status_record,type: Hash
 
+  has_and_belongs_to_many :approving_apps, class_name: 'AuthApproval', inverse_of: 'authorized_users'
+  has_and_belongs_to_many :managing_apps, class_name: 'AuthManager', inverse_of: 'authorized_users'
+  has_and_belongs_to_many :sub_managing_apps, class_name: 'AuthSubManager', inverse_of: 'authorized_users'
+
   has_many :attribute_values, :autosave => true, :dependent => :destroy
   has_many :app_auths,as: :privilege_apps,:inverse_of => :privilege_lists
   has_many :blocked_apps,  :inverse_of => :blocked_users, :class_name => "AppAuth", :dependent => :destroy
   has_many :privilege_apps,  :inverse_of => :privilege_users, :class_name => "AppAuth", :dependent => :destroy
 
-  has_many :managing_apps,:class_name => "AppManager", :dependent => :destroy
+  # has_many :managing_apps,:class_name => "AppManager", :dependent => :destroy
   has_one :desktop, :autosave => true, :dependent => :destroy
   has_one :facebook, :autosave => true, :dependent => :destroy
   has_many :other_accounts, :autosave => true, :dependent => :destroy
@@ -273,8 +277,8 @@ class User
   end
 
   def managed_module_apps
-    self.managing_apps.inject([]) do |managed_apps, app_manager|
+    self.managing_apps.inject([]) do |managed_apps, auth_manager|
-      managed_apps << app_manager.managing_app unless app_manager.managing_app.blank?
+      managed_apps << auth_manager.module_app
       managed_apps
     end
   end

app/views/admin/authorizations/_user.html.erb

@@ -1,10 +1,10 @@
-<li class="filter-item selected_user <%= 'check-item' unless user == current_user || is_admin? %>" id="<%= user.id %>">
+<li class="filter-item selected_user <%= 'check-item' unless user == current_user || user.admin %>" id="<%= user.id %>">
   <label>
     <%= image_tag (user.avatar? ? user.avatar.thumb : 'menber-pic.png'), :class => "user-pic" %>
     <span class="user-name"><%= user.name %></span>
     <span><%= get_user_module_role(user) %></span>
   </label>
-  <% unless user == current_user || is_admin? %>
+  <% unless user == current_user || user.admin %>
   	<input type="checkbox">
   <% end %>
 </li>

app/views/admin/authorizations/index.html.erb

@@ -13,11 +13,13 @@
     </div>
   </div>
   <div class="mini-layout-body span10">
-    <%= link_to t(:module_authorization), admin_authorizations_path(@module_app.key) %>
+    <%= link_to t(:module_authorization), admin_authorizations_path(@module_app.key) if @module_app.is_authorizable %>
     <% @module_app.authorizable_models.each do |authorizable_model| %>
-      <%= link_to (authorizable_model.eql?('Category') ? t(:category_auth) : "#{authorizable_model.underscore.humanize.capitalize} #{t(:authorization_)}"), admin_authorizations_path(@module_app.key, type: authorizable_model.underscore) %>
+      <%= link_to (authorizable_model.eql?('Category') ? t(:category_auth) : "#{authorizable_model.underscore.humanize.capitalize} #{t(:authorization_)}"), admin_authorizations_path(@module_app.key, type: "#{authorizable_model.underscore}_authorization") %>
+    <% end %>
+    <% @module_app.approvable_models.each do |approvable_model| %>
+      <%= link_to (approvable_model.eql?('Category') ? t(:approval_) : "#{approvable_model.underscore.humanize.capitalize} #{t(:approval_)}"), admin_authorizations_path(@module_app.key, type: "#{approvable_model.underscore}_approval") %>
     <% end %>
-    <%= link_to t(:approval_), admin_authorizations_path(@module_app.key, type: 'approval') if @module_app.is_approvable %>
     <% if @error %>
       <%= @error %>
     <% else %>

app/views/admin/authorizations/insert_users.js.erb

@@ -1,2 +0,0 @@
-$("#card-list").append("<%= j render partial: 'user', collection: @users %>");
-$("#member-filter").modal('hide');

app/views/admin/authorizations/reload_users.js.erb

@@ -0,0 +1,2 @@
+$("#card-list").html("<%= j render partial: 'user', collection: @users %>");
+$("#member-filter").modal('hide');

config/application.rb

@@ -27,6 +27,7 @@ module Orbit
 
     # Custom directories with classes and modules you want to be autoloadable.
     # config.autoload_paths += %W(#{config.root}/extras)
+    config.autoload_paths += %W(#{config.root}/app/models/auth)
     config.autoload_paths += %W(#{config.root}/app/models/ckeditor)
     config.autoload_paths += %W(#{config.root}/app/models/design)
     config.autoload_paths += %W(#{config.root}/app/models/desktop)

lib/orbit_app/module/registration.rb

@@ -28,7 +28,7 @@ module OrbitApp
         end
 
         class DataSheet
-          attr_reader :name,:key,:base_path,:module_label,:data_count, :has_category, :has_tag, :authorizable_models, :is_approvable, :is_authorizable
+          attr_reader :name,:key,:base_path,:module_label,:data_count, :has_category, :has_tag, :approvable_models, :authorizable_models, :is_approvable, :is_authorizable
 
           def initialize(name, &block)
             @name = name
@@ -39,6 +39,7 @@ module OrbitApp
             @data_count = 1..15 # as default
             @has_category = nil
             @has_tag = nil
+            @approvable_models = []
             @authorizable_models = []
             @is_approvable = nil
             @is_authorizable = nil
@@ -145,8 +146,13 @@ module OrbitApp
               define_method(field){|var| instance_variable_set( "@" + field, var)}
           end
 
-          def approvable(link=true)
+          def approvable(link=true, &block)
             @is_approvable = {:with_link => link}
+            if block
+              block.call
+            else
+              approvable_on
+            end
           end
 
           def authorizable(link=true, &block)
@@ -158,6 +164,10 @@ module OrbitApp
             end
           end
 
+          def approvable_on(klass = 'Category')
+            @approvable_models << klass
+          end
+
           def authorizable_on(klass = 'Category')
             @authorizable_models << klass
           end
@@ -170,6 +180,10 @@ module OrbitApp
             @has_tag = true
           end
 
+          def get_approvable_models
+            @approvable_models
+          end
+
           def get_authorizable_models
             @authorizable_models
           end

lib/orbit_category/categorizing.rb

@@ -9,11 +9,11 @@ module OrbitCategory
       end
     end
 
-    def get_categories_for_form(func_authed_for_sub_manager = "category_#{@module_app.key}")
+    def get_categories_for_form
       categories = if is_manager? || is_admin?
         @module_app.categories.enabled
       elsif is_sub_manager?
-        @module_app.categories.enabled.authed_for_user(current_user, func_authed_for_sub_manager)
+        @module_app.categories.enabled.entries.delete_if{|category| !category.user_can_sub_manage?(current_user)}
       end
       if categories.empty?
         flash[:alert] = t(:no_category)

lib/orbit_core_lib.rb

@@ -140,30 +140,39 @@ module  OrbitCoreLib
     end
   end
 
-  module AppBackendUtility
+  module Authorization
+    def self.included(base)
+      base.class_eval do
+        before_filter :can_use
+      end
+    end
+
     def setup_vars
       @app_title ||= controller_path.split('/')[1].singularize
       @module_app ||= ModuleApp.first(conditions: {:key => @app_title} )
+      # raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil?
     end
 
     private
 
-    def force_order_for_visitor
+    def can_use
-      setup_vars
+      unless @override_can_use
-      set_current_user
+        check_backend_openness if @public
-    end
-
-
-    def force_order_for_user
         setup_vars
         set_current_user
+        unless @public
           authenticate_user!
           check_user_can_use
         end
+      end
+    end
+
+    def set_public
+      @public = true
+    end
 
     def check_user_can_use
-      unless check_permission
+      unless current_or_guest_user.admin? || @module_app.is_manager?(current_or_guest_user) || @module_app.is_sub_manager?(current_or_guest_user) || @module_app.can_approve?(current_or_guest_user)
-        #redirect_to polymorphic_path(['panel',@app_title,'back_end','public'])
         redirect_to root_url
       end
     end

lib/orbit_model/authorizable.rb

@@ -0,0 +1,55 @@
+module OrbitModel
+
+  module Authorizable
+
+    def self.included(base)
+      base.class_eval do
+        has_one :auth_approval, as: :approval_authorizable, dependent: :destroy
+        has_one :auth_sub_manager, as: :sub_manager_authorizable, dependent: :destroy
+        delegate :authorized_users, to: :auth_approval, prefix: true, allow_nil: true
+        delegate :authorized_users, to: :auth_sub_manager, prefix: true, allow_nil: true
+        send :include, InstanceMethods
+      end
+    end
+
+    module InstanceMethods
+
+    	# Normal case
+    	# Use of categories to define approval and sub-manager
+	    def approval_users
+	    	auth_approval_authorized_users
+	    end
+
+	    def sub_managers
+	    	auth_sub_manager_authorized_users
+	    end
+
+    	def user_can_approve?(user)
+    		approval_users.include?(user) if approval_users
+    	end
+
+    	def user_can_sub_manage?(user)
+    		sub_managers.include?(user) if sub_managers
+    	end
+
+    	# Specific case
+    	# Approval or sub-manager is defined on something else than categories
+	    def authorized_users_by_title(title)
+	    	approval_users if auth_approval && auth_approval.title.eql?(title)
+	    	sub_managers if auth_sub_manager && auth_sub_manager.title.eql?(title)
+	    end
+
+	    def get_authorization_by_title(title)
+	    	auth_approval if auth_approval && auth_approval.title.eql?(title)
+	    	auth_sub_manager if auth_sub_manager && auth_sub_manager.title.eql?(title)
+	    end
+
+    	def user_is_authorized_by_title?(user, title)
+    		authorized_users_by_title(title).include?(user)
+    	end
+
+    end
+    
+  end
+
+end

vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb

@@ -3,11 +3,7 @@ class Panel::Announcement::BackEnd::BulletinsController < OrbitBackendController
 
   before_filter :clean_values, :only => [:create, :update]
 
-  #  before_filter :for_admin_only,:only => [:]
+  prepend_before_filter :set_public, :only => [:index, :show, :get_sorted_and_filtered_bulletins]
-  #  before_filter :for_app_manager,:only => [:index,:show,] 
-  before_filter :force_order_for_visitor,:only=>[:index,:show,:get_sorted_and_filtered_bulletins]
-  before_filter :force_order_for_user,:except => [:index,:show,:get_sorted_and_filtered_bulletins]
-  before_filter :for_app_sub_manager,:except => [:index,:show,:get_sorted_and_filtered_bulletins]
 
   before_filter :only => [ :new, :create, :edit, :update ] do |controller|
     @categories = get_categories_for_form

vendor/built_in_modules/page_content/app/controllers/panel/page_content/back_end/page_contexts_controller.rb

@@ -1,9 +1,6 @@
 class Panel::PageContent::BackEnd::PageContextsController < OrbitBackendController
-  before_filter :force_order_for_visitor,:only=>[:index]
-  before_filter :force_order_for_user,:except => [:index]
 
-  before_filter :for_app_manager,:except => [:index]
+  prepend_before_filter :set_public, :only => [:index]
-  before_filter :for_app_sub_manager,:except => [:index]
    
   #before_filter :is_admin?
 

vendor/built_in_modules/page_content/app/models/page_context.rb

@@ -5,7 +5,7 @@ class PageContext
   include Mongoid::Timestamps
   include Mongoid::MultiParameterAttributes
   include Impressionist::Impressionable
-  include OrbitCoreLib::ObjectAuthable
+  include OrbitModel::Authorizable
 
   is_impressionable :counter_cache => { :column_name => :view_count }