diff --git a/app/controllers/admin/object_auths_controller.rb b/app/controllers/admin/object_auths_controller.rb
index 2b54cc5e..7c6f60f0 100644
--- a/app/controllers/admin/object_auths_controller.rb
+++ b/app/controllers/admin/object_auths_controller.rb
@@ -19,53 +19,50 @@ class Admin::ObjectAuthsController < ApplicationController
     #     end
   end
 
-  def create
-    # app_auth = AppAuth.find_or_create_by(module_app_id: params[:module_app_id])
-    #    params[:new].each do |item|
-    #      field = item[0]
-    #      field_value = item[1]
-    #      if field_value!=''
-    #        case field
-    #        when 'role'
-    #          app_auth.send("add_#{field}",(Role.find field_value)) rescue nil
-    #        when 'sub_role'
-    #          app_auth.send("add_#{field}",(SubRole.find field_value)) rescue nil
-    #        when 'privilege_user'
-    #          app_auth.add_user_to_privilege_list (User.find field_value) rescue nil
-    #        when 'blocked_user'  
-    #          app_auth.add_user_to_black_list (User.find field_value) rescue nil
-    #        end
-    #      end
-    #    end
-    #    app = ModuleApp.find params[:module_app_id] rescue nil
-    #    redirect_to edit_admin_module_app_path(app)
-  end
+  def create_role
+    object_auth = ObjectAuth.find(params[:id])
+          params[:new].each do |item|
+            field = item[0]
+            field_value = item[1]
+            if field_value!=''
+              case field
+              when 'role'
+                object_auth.send("add_#{field}",(Role.find field_value)) rescue nil
+              when 'sub_role'
+                object_auth.send("add_#{field}",(SubRole.find field_value)) rescue nil
+              when 'privilege_user'
+                object_auth.add_user_to_privilege_list (User.find field_value) rescue nil
+              when 'blocked_user'  
+                object_auth.add_user_to_black_list (User.find field_value) rescue nil
+              end
+            end
+          end
+          redirect_to edit_admin_object_auth_path(object_auth)
+   end
   
-  def remove
-    # app_auth = AppAuth.find( params[:id] )
-    #      type = params[:type]
-    #      field_value = params[:target_id]
-    #      if field_value!=''
-    #        case type
-    #        when 'role'
-    #          app_auth.remove_role(Role.find field_value) rescue nil
-    #        when 'sub_role'
-    #          app_auth.remove_sub_role(SubRole.find field_value) rescue nil
-    #        when 'privilege_user'
-    #          app_auth.remove_user_from_privilege_list (User.find field_value) rescue nil
-    #        when 'blocked_user'  
-    #          app_auth.remove_user_from_black_list (User.find field_value) rescue nil
-    #        end
-    #      end
-    #    
-    #    app = ModuleApp.find params[:module_app_id] rescue nil
-    #    redirect_to edit_admin_module_app_path(app)
+  def remove_role
+    object_auth = ObjectAuth.find(params[:id])
+         type = params[:type]
+         field_value = params[:target_id]
+         if field_value!=''
+           case type
+           when 'role'
+             object_auth.remove_role(Role.find field_value) rescue nil
+           when 'sub_role'
+             object_auth.remove_sub_role(SubRole.find field_value) rescue nil
+           when 'privilege_user'
+             object_auth.remove_user_from_privilege_list (User.find field_value) rescue nil
+           when 'blocked_user'  
+             object_auth.remove_user_from_black_list (User.find field_value) rescue nil
+           end
+         end
+       redirect_to edit_admin_object_auth_path(object_auth)
   end
 
   def edit
     @object_auth = ObjectAuth.find(params[:id])
   end
   
-  
+
 
 end
\ No newline at end of file
diff --git a/app/views/admin/components/_user_role_management.html.erb b/app/views/admin/components/_user_role_management.html.erb
index 7afca0a4..59307351 100644
--- a/app/views/admin/components/_user_role_management.html.erb
+++ b/app/views/admin/components/_user_role_management.html.erb
@@ -1,8 +1,6 @@
 <div id="user_role_management">
-	<%#= debugger %>
 	<h1>User Role</h1>
-	<%= debugger %>
-	<%= form_tag(polymorphic_path([controller_path.split('/')[0],object,auth.class.name.underscore]),:method => :post) do %>
+	<%= form_tag(submit_url) do %>
 		<%= collection_select(:new,:role, Role.all, :id, :key, :prompt => true) %>
 		<%= submit_tag 'Add Role' %><br/>
 		<%= collection_select(:new,:sub_role, SubRole.all, :id, :key, :prompt => true) %>
@@ -16,19 +14,19 @@
 	<% unless auth.nil? %>
 		<% auth.roles.each do |role| %>
 			<li> <%= role.key %> Build in:<%= role.built_in ? 'Yes' : 'No' %>
-				<%= link_to '[X]',polymorphic_path(['remove',:admin,object,auth],:type=>'role',:target_id=>role.id),:method => :delete %></li>
+				<%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'role',:target_id=>role.id),:method => :delete %></li>
 		<% end %>
 	<ul>Sub Roles </ul>
 		<% auth.sub_roles.each do |role| %>
-			<li> <%= role.key %> Build in:<%= role.built_in ? 'Yes' : 'No' %> </li><%= link_to '[X]',polymorphic_path(['remove',:admin,object,auth],:type=>'sub_role',:target_id=>role.id),:method => :delete %>
+			<li> <%= role.key %> Build in:<%= role.built_in ? 'Yes' : 'No' %> </li><%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'sub_role',:target_id=>role.id),:method => :delete %>
 			<% end %>
 	<ul>PrivilegeList </ul>
 			<% auth.privilege_users.each do |user| %>
-				<li> <%= user.name %> <%= link_to '[X]',polymorphic_path(['remove',:admin,object,auth],:type=>'privilege_user',:target_id=>user.id),:method => :delete %> </li>
+				<li> <%= user.name %> <%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'privilege_user',:target_id=>user.id),:method => :delete %> </li>
 			<% end %>
 	<ul>BlockedList </ul>
 			<% auth.blocked_users.each do |user| %>
-				<li> <%= user.name %><%= link_to '[X]',polymorphic_path(['remove',:admin,object,auth],:type=>'blocked_user',:target_id=>user.id),:method => :delete %> </li>
+				<li> <%= user.name %><%= link_to '[X]',polymorphic_path(ploy_route_ary,:type=>'blocked_user',:target_id=>user.id),:method => :delete %> </li>
 			<% end %>
 <% end %>
 </div>
\ No newline at end of file
diff --git a/app/views/admin/module_apps/edit.html.erb b/app/views/admin/module_apps/edit.html.erb
index 5a2d56ec..23745806 100644
--- a/app/views/admin/module_apps/edit.html.erb
+++ b/app/views/admin/module_apps/edit.html.erb
@@ -36,5 +36,5 @@
 		</dd>
 	</dl>
 </div>
-<%= render :partial => "admin/components/user_role_management", :locals => { :object => @module_app ,:auth=> @module_app.app_auth } %>
+<%= render :partial => "admin/components/user_role_management", :locals => { :object => @module_app ,:auth=> @module_app.app_auth ,:submit_url=> admin_module_app_app_auths_path(@module_app),:ploy_route_ary=>['remove',:admin,@module_app,@module_app.app_auth] } %>
 
diff --git a/app/views/admin/object_auths/edit.html.erb b/app/views/admin/object_auths/edit.html.erb
index 62e9b465..67fb026e 100644
--- a/app/views/admin/object_auths/edit.html.erb
+++ b/app/views/admin/object_auths/edit.html.erb
@@ -8,6 +8,7 @@
 <!-- Remove if CSS done-->
 <h3><%= @object_auth.title %></h3>
 
-<%= render :partial => "admin/components/user_role_management", :locals => { :object => @object_auth.auth_obj ,:auth=> @object_auth } %>
+<%= render :partial => "admin/components/user_role_management", :locals => { 
+	:object => @object_auth.auth_obj ,:auth=>@object_auth,:submit_url=>create_role_admin_object_auth_path(@object_auth),:ploy_route_ary=>['remove',:admin,@object_auth] } %>
 
 
diff --git a/config/routes.rb b/config/routes.rb
index c9bb7f7a..cf37f82d 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -12,7 +12,12 @@ PrototypeR4::Application.routes.draw do
   namespace :admin do
     resources :assets
     resources :app_auths 
-    resources :object_auths 
+    resources :object_auths  do
+      member do
+        match ':id/create_role',:action => 'create_role',:iia => "post",:as => :create_role
+        match 'remove/:type/:target_id' ,:action=> 'remove_role',:via => "delete",:as =>:remove
+      end
+    end
 
     resources :ad_banners
     resources :designs do
diff --git a/lib/orbit_core_lib.rb b/lib/orbit_core_lib.rb
new file mode 100644
index 00000000..8056f4f9
--- /dev/null
+++ b/lib/orbit_core_lib.rb
@@ -0,0 +1,42 @@
+module  OrbitCoreLib
+  module  ObjectAuthable
+    def self.included(base)
+      base.instance_eval("has_many :object_auths,as: :obj_authable,dependent: :delete")
+      
+      base.define_singleton_method :authed_for_user do |user,title = nil|
+        sub_role_ids_ary=user.sub_roles.collect{|t| t.id}
+        if title.nil?
+          auth_object_space = ObjectAuth.where(obj_authable_type: self.to_s)
+        else
+          auth_object_space = ObjectAuth.where(obj_authable_type: self.to_s,title: title)
+        end
+        
+        query1 = auth_object_space.any_in({sub_role_ids: sub_role_ids_ary}).excludes(blocked_user_ids: user.id)
+        query2 = auth_object_space.any_of({all: true},{privilege_user_ids: user.id},{role_ids: user.role.id}).excludes(blocked_user_ids: user.id)
+        result = (query1 + query2).uniq
+        result.collect{|t| t.obj_authable}
+      end
+        
+    end
+    
+    def authed_users(title=nil)
+      users = []
+      unless title.nil?
+        users = self.object_auths.where(title: title )[0].auth_users_after_block_list rescue []
+      else
+        users = self.object_auths.collect{|t| t.auth_users_after_block_list} rescue []
+        users.flatten!.uniq!
+      end
+      users
+    end
+    
+    def tell_me_class
+      self.class.name
+    end
+    
+    def search_object_db
+      ObjectAuth.where(obj_authable_type: self.class.name)
+    end
+    
+  end
+end
diff --git a/vendor/built_in_modules/new_blog/app/models/post.rb b/vendor/built_in_modules/new_blog/app/models/post.rb
index 2926c305..ef882a6d 100644
--- a/vendor/built_in_modules/new_blog/app/models/post.rb
+++ b/vendor/built_in_modules/new_blog/app/models/post.rb
@@ -1,9 +1,10 @@
 class Post
   include Mongoid::Document
   include Mongoid::Timestamps
+  include OrbitCoreLib::ObjectAuthable
+  
   field :title, :type => String
   field :body, :type => String
   embeds_many :comments
   validates_presence_of :title, :body
-  has_one :object_auth,as: :obj_authable,dependent: :delete
 end
\ No newline at end of file