GitHub User: iast
Very nice! Especially liked that it was all done with testing.
Not sure that I like putting permissions definitions into separate files though. I would expect to see those directly in controllers and models defined with class method calls. The same way as attr_accessible is used - right from the model - for example. But maybe I just don't see all the benefits of using separate files yet, need to play with the code first I guess. Or maybe it's just a matter of taste :)
Anyway, great learning material!
There's a need to create a plugin to call .remove() on Update button. So maybe there's not much difference what method to use here anyway.