diff --git a/app/controllers/admin/object_auths_controller.rb b/app/controllers/admin/object_auths_controller.rb
new file mode 100644
index 000000000..ce404e53c
--- /dev/null
+++ b/app/controllers/admin/object_auths_controller.rb
@@ -0,0 +1,75 @@
+class Admin::ObjectAuthsController < ApplicationController
+  layout "admin"
+  before_filter :authenticate_user!
+#  before_filter :is_admin? ,:only => :index
+  
+  def index
+    # if current_user.admin?
+      @object_auths = ObjectAuth.all
+    # else
+    #       @module_apps = current_user.managing_apps.collect{|t| t.managing_app}
+    #     end
+  end
+  
+  def new
+    obj = eval(params[:type]).find params[:obj_id]
+    @object_auth=obj.object_auths.build
+    respond_to do |format|
+      format.html # new.html.erb
+      format.xml  { render :xml => @post }
+    end
+  end
+  
+  def create
+    obj = eval(params[:object_auth][:type]).find params[:object_auth][:obj_id]
+    @object_auth=obj.object_auths.create :title=> params[:object_auth][:title]
+    redirect_to edit_admin_object_auth_path(@object_auth)
+  end
+
+  def create_role
+    object_auth = ObjectAuth.find(params[:id])
+    params[:new].each do |item|
+      field = item[0]
+      field_value = item[1]
+      if field_value!=''
+        case field
+        when 'role'
+          object_auth.send("add_#{field}",(Role.find field_value)) rescue nil
+        when 'sub_role'
+          object_auth.send("add_#{field}",(SubRole.find field_value)) rescue nil
+        when 'privilege_user'
+          object_auth.add_user_to_privilege_list (User.find field_value) rescue nil
+        when 'blocked_user'  
+          object_auth.add_user_to_black_list (User.find field_value) rescue nil
+        end
+      end
+    end
+    redirect_to edit_admin_object_auth_path(object_auth)
+   end
+  
+  def remove_role
+    object_auth = ObjectAuth.find(params[:id])
+         type = params[:type]
+         field_value = params[:target_id]
+         if field_value!=''
+           case type
+           when 'role'
+             object_auth.remove_role(Role.find field_value) rescue nil
+           when 'sub_role'
+             object_auth.remove_sub_role(SubRole.find field_value) rescue nil
+           when 'privilege_user'
+             object_auth.remove_user_from_privilege_list (User.find field_value) rescue nil
+           when 'blocked_user'  
+             object_auth.remove_user_from_black_list (User.find field_value) rescue nil
+           end
+         end
+       redirect_to edit_admin_object_auth_path(object_auth)
+  end
+
+  def edit
+    @object_auth = ObjectAuth.find(params[:id])
+  end
+  
+
+
+end
\ No newline at end of file
diff --git a/app/models/app_auth.rb b/app/models/app_auth.rb
index b31add3c0..5a3de60c5 100644
--- a/app/models/app_auth.rb
+++ b/app/models/app_auth.rb
@@ -1,94 +1,5 @@
-class AppAuth
-  include Mongoid::Document
-  include Mongoid::Timestamps
- # after_save :update_block_list,:update_privilage_list
-  
-  field :title
-  field :token
-  field :all ,type: Boolean,default: false
+class AppAuth < PrototypeAuth
+
   belongs_to :module_app
   
-  belongs_to :users
-  # belongs_to :users,as: :block_users, :inverse_of => :privilege_apps
-  has_and_belongs_to_many :blocked_users,  :inverse_of => nil, :class_name => "User"
-  has_and_belongs_to_many :privilege_users,  :inverse_of => nil, :class_name => "User"
-
-
-  has_and_belongs_to_many :roles
-  has_and_belongs_to_many :sub_roles
-  
-  attr_protected :roles,:sub_roles,:privilege_users,:blocked_users,:users
-
-  def add_role role
-    add_operation(:roles,role)
-  end
-  
-  def add_sub_role role
-    add_operation(:sub_roles,role)
-  end
-  
-  def remove_role role
-    remove_operation(:roles,role)
-  end
-  
-  def remove_sub_role role
-    remove_operation(:sub_roles,role)
-  end
-  
-  def add_user_to_black_list user
-    add_operation(:blocked_users,user)
-  end
-  
-  def remove_user_from_black_list user
-    remove_operation(:blocked_users,user)
-  end
-  
-  def add_user_to_privilege_list user
-    add_operation(:privilege_users,user)
-  end
-  
-  def remove_user_from_privilege_list user
-    remove_operation(:privilege_users,user)
-  end
-  
-  def remove_operation(item,obj)
-    if (self.send item).include? obj
-       (self.send item).delete obj
-      self.save!
-    else
-      false #should put error message for user not existed in list
-    end    
-  end
-  
-  def add_operation(item,obj)
-    unless (self.send item).include?(obj)
-      (self.send item) << obj
-      self.save!
-    else
-      false #should put error message for user existed in list already
-    end
-  end
-  
-  def auth_users
-    if self.all?
-      User.all.entries
-    else
-      ary=[]
-      [:roles,:sub_roles].each do |t_role|
-        ary += (self.send t_role).collect do |role|
-          role.users
-        end        
-      end
-      ary << self.privilege_users
-      ary.flatten!.uniq  
-    end
-  end
-  
-  def auth_users_after_block_list
-    auth_users - self.blocked_users
-  end
-  
- # protected
-  
-
 end
\ No newline at end of file
diff --git a/app/models/object_auth.rb b/app/models/object_auth.rb
new file mode 100644
index 000000000..dab7acc73
--- /dev/null
+++ b/app/models/object_auth.rb
@@ -0,0 +1,11 @@
+class ObjectAuth  < PrototypeAuth
+
+  belongs_to :obj_authable, polymorphic: true
+  # > - Something.find_with_auth(query)
+  # > - or Something.find(query).auth
+  def auth_obj
+    class_obj = eval(self.obj_authable_type)
+    class_obj.find self.obj_authable_id
+  end
+
+end
\ No newline at end of file
diff --git a/app/models/prototype_auth.rb b/app/models/prototype_auth.rb
new file mode 100644
index 000000000..734268c43
--- /dev/null
+++ b/app/models/prototype_auth.rb
@@ -0,0 +1,93 @@
+class PrototypeAuth
+  include Mongoid::Document
+  include Mongoid::Timestamps
+ # after_save :update_block_list,:update_privilage_list
+  
+  field :title
+  field :token
+  field :all ,type: Boolean,default: false
+  
+  belongs_to :users
+  # belongs_to :users,as: :block_users, :inverse_of => :privilege_apps
+  has_and_belongs_to_many :blocked_users,  :inverse_of => nil, :class_name => "User"
+  has_and_belongs_to_many :privilege_users,  :inverse_of => nil, :class_name => "User"
+
+
+  has_and_belongs_to_many :roles
+  has_and_belongs_to_many :sub_roles
+  
+  attr_protected :roles,:sub_roles,:privilege_users,:blocked_users,:users
+
+  def add_role role
+    add_operation(:roles,role)
+  end
+  
+  def add_sub_role role
+    add_operation(:sub_roles,role)
+  end
+  
+  def remove_role role
+    remove_operation(:roles,role)
+  end
+  
+  def remove_sub_role role
+    remove_operation(:sub_roles,role)
+  end
+  
+  def add_user_to_black_list user
+    add_operation(:blocked_users,user)
+  end
+  
+  def remove_user_from_black_list user
+    remove_operation(:blocked_users,user)
+  end
+  
+  def add_user_to_privilege_list user
+    add_operation(:privilege_users,user)
+  end
+  
+  def remove_user_from_privilege_list user
+    remove_operation(:privilege_users,user)
+  end
+  
+  def remove_operation(item,obj)
+    if (self.send item).include? obj
+       (self.send item).delete obj
+      self.save!
+    else
+      false #should put error message for user not existed in list
+    end    
+  end
+  
+  def add_operation(item,obj)
+    unless (self.send item).include?(obj)
+      (self.send item) << obj
+      self.save!
+    else
+      false #should put error message for user existed in list already
+    end
+  end
+  
+  def auth_users
+    if self.all?
+      User.all.entries
+    else
+      ary=[]
+      [:roles,:sub_roles].each do |t_role|
+        ary += (self.send t_role).collect do |role|
+          role.users
+        end        
+      end
+      ary << self.privilege_users
+      ary.flatten!.uniq  
+    end
+  end
+  
+  def auth_users_after_block_list
+    auth_users - self.blocked_users
+  end
+  
+ # protected
+  
+
+end
\ No newline at end of file
diff --git a/app/views/admin/components/_user_role_management.html.erb b/app/views/admin/components/_user_role_management.html.erb
new file mode 100644
index 000000000..593073516
--- /dev/null
+++ b/app/views/admin/components/_user_role_management.html.erb
@@ -0,0 +1,32 @@
+<div id="user_role_management">
+	<h1>User Role</h1>
+	<%= form_tag(submit_url) do %>
+		<%= collection_select(:new,:role, Role.all, :id, :key, :prompt => true) %>
+		<%= submit_tag 'Add Role' %><br/>
+		<%= collection_select(:new,:sub_role, SubRole.all, :id, :key, :prompt => true) %>
+		<%= submit_tag 'Add SubRole' %><br/>
+		<%= collection_select(:new,:privilege_user, User.all, :id, :name, :prompt => true) %>	
+		<%= submit_tag 'Add PrivilegeList' %><br/>
+		<%= collection_select(:new,:blocked_user, User.all, :id, :name, :prompt => true) %>
+		<%= submit_tag 'Add BlockedList' %><br/>
+	<% end %>
+	<ul>Roles </ul>
+	<% unless auth.nil? %>
+		<% auth.roles.each do |role| %>
+			<li> <%= role.key %> Build in:<%= role.built_in ? 'Yes' : 'No' %>
+				<%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'role',:target_id=>role.id),:method => :delete %></li>
+		<% end %>
+	<ul>Sub Roles </ul>
+		<% auth.sub_roles.each do |role| %>
+			<li> <%= role.key %> Build in:<%= role.built_in ? 'Yes' : 'No' %> </li><%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'sub_role',:target_id=>role.id),:method => :delete %>
+			<% end %>
+	<ul>PrivilegeList </ul>
+			<% auth.privilege_users.each do |user| %>
+				<li> <%= user.name %> <%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'privilege_user',:target_id=>user.id),:method => :delete %> </li>
+			<% end %>
+	<ul>BlockedList </ul>
+			<% auth.blocked_users.each do |user| %>
+				<li> <%= user.name %><%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'blocked_user',:target_id=>user.id),:method => :delete %> </li>
+			<% end %>
+<% end %>
+</div>
\ No newline at end of file
diff --git a/app/views/admin/module_apps/edit.html.erb b/app/views/admin/module_apps/edit.html.erb
index 9429e963d..23745806b 100644
--- a/app/views/admin/module_apps/edit.html.erb
+++ b/app/views/admin/module_apps/edit.html.erb
@@ -36,34 +36,5 @@
 		</dd>
 	</dl>
 </div>
-<div id="user_role_management">
-	<h1>User Role</h1>
-	<%= form_tag(admin_module_app_app_auths_path(@module_app),:method => :post) do %>
-		<%= collection_select(:new,:role, Role.all, :id, :key, :prompt => true) %>
-		<%= submit_tag 'Add Role' %><br/>
-		<%= collection_select(:new,:sub_role, SubRole.all, :id, :key, :prompt => true) %>
-		<%= submit_tag 'Add SubRole' %><br/>
-		<%= collection_select(:new,:privilege_user, User.all, :id, :name, :prompt => true) %>	
-		<%= submit_tag 'Add PrivilegeList' %><br/>
-		<%= collection_select(:new,:blocked_user, User.all, :id, :name, :prompt => true) %>
-		<%= submit_tag 'Add BlockedList' %><br/>
-	<% end %>
-	<ul>Roles </ul>
-	<% unless @module_app.app_auth.nil? %>
-		<% @module_app.app_auth.roles.each do |role| %>
-			<li> <%= role.key %> Build in:<%= role.built_in ? 'Yes' : 'No' %> <%= link_to '[X]',remove_admin_module_app_app_auth_path(@module_app,@module_app.app_auth,'role',role),:method => :delete %></li>
-		<% end %>
-	<ul>Sub Roles </ul>
-		<% @module_app.app_auth.sub_roles.each do |role| %>
-			<li> <%= role.key %> Build in:<%= role.built_in ? 'Yes' : 'No' %> </li><%= link_to '[X]',remove_admin_module_app_app_auth_path(@module_app,@module_app.app_auth,'sub_role',role),:method => :delete %>
-			<% end %>
-	<ul>PrivilegeList </ul>
-			<% @module_app.app_auth.privilege_users.each do |user| %>
-				<li> <%= user.name %> <%= link_to '[X]',remove_admin_module_app_app_auth_path(@module_app,@module_app.app_auth,'privilege_user',user),:method => :delete %> </li>
-			<% end %>
-	<ul>BlockedList </ul>
-			<% @module_app.app_auth.blocked_users.each do |user| %>
-				<li> <%= user.name %><%= link_to '[X]',remove_admin_module_app_app_auth_path(@module_app,@module_app.app_auth,'blocked_user',user),:method => :delete %> </li>
-			<% end %>
-<% end %>
-</div>
+<%= render :partial => "admin/components/user_role_management", :locals => { :object => @module_app ,:auth=> @module_app.app_auth ,:submit_url=> admin_module_app_app_auths_path(@module_app),:ploy_route_ary=>['remove',:admin,@module_app,@module_app.app_auth] } %>
+
diff --git a/app/views/admin/object_auths/_auth_unit.html.erb b/app/views/admin/object_auths/_auth_unit.html.erb
new file mode 100644
index 000000000..5a246fc3a
--- /dev/null
+++ b/app/views/admin/object_auths/_auth_unit.html.erb
@@ -0,0 +1,3 @@
+<div class="auth_unit">
+	<%= unit%>
+<div>
\ No newline at end of file
diff --git a/app/views/admin/object_auths/edit.html.erb b/app/views/admin/object_auths/edit.html.erb
new file mode 100644
index 000000000..67fb026e1
--- /dev/null
+++ b/app/views/admin/object_auths/edit.html.erb
@@ -0,0 +1,14 @@
+<% content_for :secondary do %>
+<% end %>
+
+<!-- Remove if CSS done-->
+<br />
+<br />
+<br />
+<!-- Remove if CSS done-->
+<h3><%= @object_auth.title %></h3>
+
+<%= render :partial => "admin/components/user_role_management", :locals => { 
+	:object => @object_auth.auth_obj ,:auth=>@object_auth,:submit_url=>create_role_admin_object_auth_path(@object_auth),:ploy_route_ary=>['remove',:admin,@object_auth] } %>
+
+
diff --git a/app/views/admin/object_auths/index.html.erb b/app/views/admin/object_auths/index.html.erb
new file mode 100644
index 000000000..7db021e54
--- /dev/null
+++ b/app/views/admin/object_auths/index.html.erb
@@ -0,0 +1,39 @@
+<% content_for :secondary do %>
+	<% #render 'side_bar' %>
+<% end %>
+
+<div class="main_list">
+	<%= flash_messages %>
+	<div class="button_bar up">
+		<%  #link_to t('admin.new_user'), new_admin_user_path, :class => 'new' %>
+	</div>
+	<table>
+		<thead>
+			<tr>
+				 <td><%= t('admin.object_auth.title') %></td>
+		      <td><%= t('admin.object_auth.obj_type') %></td>
+		      
+			</tr>
+		</thead>
+		<tbody>
+			<% @object_auths.each do |object_auth| %>
+			<tr>
+				<td class="name"><%= object_auth.title %></td>
+				<td class="name"><%= object_auth.obj_authable_type.to_s %></td>
+			
+				<td class="action">
+					<%= link_to t(:show), admin_object_auth_path(object_auth), :class => 'show' %>
+					<%= link_to t(:edit), edit_admin_object_auth_path(object_auth), :class => 'edit' %>
+					<%= link_to t(:delete), admin_object_auth_path(object_auth), :class => 'delete', :confirm => t('sure?'), :method => :delete %>
+				</td>
+			</tr>
+			<tr>
+				<td colspan="5"></td>
+			</tr>
+			<% end %>
+		</tbody>
+	</table>
+	<div class="button_bar">
+		<%# link_to t('admin.new_user'), new_admin_user_path, :class => 'new' %>
+	</div>	
+</div>
diff --git a/app/views/admin/object_auths/new.html.erb b/app/views/admin/object_auths/new.html.erb
new file mode 100644
index 000000000..25fd6fd5e
--- /dev/null
+++ b/app/views/admin/object_auths/new.html.erb
@@ -0,0 +1,23 @@
+<% content_for :secondary do %>
+  <ul class="list">
+  </ul>
+<% end -%>
+
+<br/>
+<br/>
+<br/>
+<br/>
+
+<%= flash_messages %>
+<h1><%= t('object_auth.new_object_auth') %></h1>
+<%= form_for @object_auth, :url => admin_object_auths_path do |f| %>
+	<%= f.label :title   %>
+	<%= f.text_field :title, :class => 'text'   %>
+	<%= f.hidden_field :obj_id, :value => params[:obj_id]   %>
+	<%= f.hidden_field :type, :value => params[:type]   %>
+
+	<%= submit_tag 'Add Auth' %><br/>
+	
+<% end %>
+
+<%= link_back %>
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index a8574ee66..9b653d7fb 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -12,6 +12,16 @@ PrototypeR4::Application.routes.draw do
   namespace :admin do
     resources :assets
     resources :app_auths 
+    resources :object_auths  do
+      collection do
+        match 'new/:type/:obj_id',:action => 'new',:via => "get",:as => :init
+      end
+      member do
+        match ':id/create_role',:action => 'create_role',:via => "post",:as => :create_role
+        match 'remove/:type/:target_id' ,:action=> 'remove_role',:via => "delete",:as =>:remove
+      end
+    end
+
     resources :ad_banners
     resources :designs do
       collection do
diff --git a/lib/orbit_core_lib.rb b/lib/orbit_core_lib.rb
new file mode 100644
index 000000000..bf1d66a39
--- /dev/null
+++ b/lib/orbit_core_lib.rb
@@ -0,0 +1,34 @@
+module  OrbitCoreLib
+  module  ObjectAuthable
+    def self.included(base)
+      base.instance_eval("has_many :object_auths,as: :obj_authable,dependent: :delete")
+      
+      base.define_singleton_method :authed_for_user do |user,title = nil|
+        sub_role_ids_ary=user.sub_roles.collect{|t| t.id}
+        if title.nil?
+          auth_object_space = ObjectAuth.where(obj_authable_type: self.to_s)
+        else
+          auth_object_space = ObjectAuth.where(obj_authable_type: self.to_s,title: title)
+        end
+        
+        query1 = auth_object_space.any_in({sub_role_ids: sub_role_ids_ary}).excludes(blocked_user_ids: user.id)
+        query2 = auth_object_space.any_of({all: true},{privilege_user_ids: user.id},{role_ids: user.role.id}).excludes(blocked_user_ids: user.id)
+        result = (query1 + query2).uniq
+        result.collect{|t| t.obj_authable}
+      end
+        
+    end
+    
+    def authed_users(title=nil)
+      users = []
+      unless title.nil?
+        users = self.object_auths.where(title: title )[0].auth_users_after_block_list rescue []
+      else
+        users = self.object_auths.collect{|t| t.auth_users_after_block_list} rescue []
+        users.flatten!.uniq!
+      end
+      users
+    end
+    
+  end
+end
diff --git a/vendor/built_in_modules/new_blog/app/models/post.rb b/vendor/built_in_modules/new_blog/app/models/post.rb
index f60c1c196..ef882a6dd 100644
--- a/vendor/built_in_modules/new_blog/app/models/post.rb
+++ b/vendor/built_in_modules/new_blog/app/models/post.rb
@@ -1,6 +1,8 @@
 class Post
   include Mongoid::Document
   include Mongoid::Timestamps
+  include OrbitCoreLib::ObjectAuthable
+  
   field :title, :type => String
   field :body, :type => String
   embeds_many :comments
diff --git a/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/index.html.erb b/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/index.html.erb
index 9473b70b4..54ed9f1ee 100644
--- a/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/index.html.erb
+++ b/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/index.html.erb
@@ -21,6 +21,7 @@
   <tr>
     <td><%= post.title %></td>
     <td><%= truncate(post.body,:length=>15) %></td>
+    <td><%= link_to t('blog.new_auth'), init_admin_object_auths_path("Post",post) %></td>
     <td><%= link_to t('blog.show'), panel_new_blog_back_end_post_path(post) %></td>
     <td><%= link_to t('blog.edit'), edit_panel_new_blog_back_end_post_path(post) %></td>
     <td><%= link_to t('blog.delete'), panel_new_blog_back_end_post_path(post), :confirm => t('blog.sure?'), :method => :delete %></td>
diff --git a/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/new.html.erb b/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/new.html.erb
index af5aa326b..21758da8d 100644
--- a/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/new.html.erb
+++ b/vendor/built_in_modules/new_blog/app/views/panel/new_blog/back_end/posts/new.html.erb
@@ -7,7 +7,7 @@
 <%= flash_messages %>
 <h1><%= t('blog.new_post') %></h1>
 <%= form_for @post, :url => panel_new_blog_back_end_posts_path do |f| %>
-	<%= render :partial => 'form', :locals => {:f => f} %>
+	<%= f.text_field :title, :class => 'text'   %>
 <% end %>
 
 <%= link_back %>