Revert to use local team but leveled permission.

gitop.core/src/main/java/com/pmease/gitop/core/entitymanager/GroupManager.java

@@ -5,11 +5,11 @@ import java.util.Collection;
 import com.google.inject.ImplementedBy;
 import com.pmease.commons.persistence.dao.GenericDao;
 import com.pmease.gitop.core.entitymanager.impl.DefaultGroupManager;
-import com.pmease.gitop.core.model.Group;
+import com.pmease.gitop.core.model.Team;
 
 @ImplementedBy(DefaultGroupManager.class)
-public interface GroupManager extends GenericDao<Group> {
+public interface GroupManager extends GenericDao<Team> {
 
-	Collection<Group> getGroups(Long userId);
+	Collection<Team> getGroups(Long userId);
 	
 }

gitop.core/src/main/java/com/pmease/gitop/core/entitymanager/impl/DefaultGroupManager.java

@@ -13,11 +13,11 @@ import com.pmease.commons.persistence.dao.DefaultGenericDao;
 import com.pmease.commons.persistence.dao.GeneralDao;
 import com.pmease.gitop.core.entitymanager.GroupManager;
 import com.pmease.gitop.core.entitymanager.UserManager;
-import com.pmease.gitop.core.model.Group;
+import com.pmease.gitop.core.model.Team;
-import com.pmease.gitop.core.model.Membership;
+import com.pmease.gitop.core.model.TeamMembership;
 
 @Singleton
-public class DefaultGroupManager extends DefaultGenericDao<Group> implements GroupManager {
+public class DefaultGroupManager extends DefaultGenericDao<Team> implements GroupManager {
 
 	private final UserManager userManager;
 	
@@ -28,9 +28,9 @@ public class DefaultGroupManager extends DefaultGenericDao<Group> implements Gro
 
 	@Transactional
 	@Override
-	public Collection<Group> getGroups(Long userId) {
+	public Collection<Team> getGroups(Long userId) {
-		Collection<Group> groups = new ArrayList<Group>();
+		Collection<Team> groups = new ArrayList<Team>();
-		for (Membership membership: userManager.load(userId).getMemberships())
+		for (TeamMembership membership: userManager.load(userId).getMemberships())
 			groups.add(membership.getGroup());
 		
 		return groups;

gitop.core/src/main/java/com/pmease/gitop/core/model/Group.java

@@ -1,48 +0,0 @@
-package com.pmease.gitop.core.model;
-
-import java.util.Collection;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.OneToMany;
-
-import org.apache.shiro.authz.Permission;
-
-import com.pmease.commons.persistence.AbstractEntity;
-
-@Entity
-@org.hibernate.annotations.Cache(
-		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
-@SuppressWarnings("serial")
-public class Group extends AbstractEntity implements Permission {
-
-	@Column(nullable=false, unique=true)
-	private String name;
-	
-	private String description;
-	
-	@OneToMany(mappedBy="group")
-	private Collection<Membership> memberships;
-
-	public String getName() {
-		return name;
-	}
-
-	public void setName(String name) {
-		this.name = name;
-	}
-
-	public String getDescription() {
-		return description;
-	}
-
-	public void setDescription(String description) {
-		this.description = description;
-	}
-
-	@Override
-	public boolean implies(Permission permission) {
-		return false;
-	}
-
-}

gitop.core/src/main/java/com/pmease/gitop/core/model/InvolvedBranch.java

@@ -21,21 +21,13 @@ import com.pmease.commons.persistence.AbstractEntity;
 @SuppressWarnings("serial")
 public class InvolvedBranch extends AbstractEntity {
 
-	@Column(nullable=false)
-	private String name;
-	
 	@ManyToOne(fetch=FetchType.EAGER)
 	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
 	@JoinColumn(nullable=false)
 	private Repository repository;
 
-	public String getName() {
+	@Column(nullable=false)
-		return name;
+	private String name;
-	}
-
-	public void setName(String name) {
-		this.name = name;
-	}
 	
 	public Repository getRepository() {
 		return repository;
@@ -45,4 +37,12 @@ public class InvolvedBranch extends AbstractEntity {
 		this.repository = repository;
 	}
 
+	public String getName() {
+		return name;
+	}
+
+	public void setName(String name) {
+		this.name = name;
+	}
+
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/Repository.java

@@ -12,29 +12,41 @@ import org.hibernate.annotations.FetchMode;
 
 import com.pmease.commons.persistence.AbstractEntity;
 import com.pmease.gitop.core.model.gatekeeper.GateKeeper;
+import com.pmease.gitop.core.model.permission.object.ProtectedObject;
+import com.pmease.gitop.core.model.permission.object.RepositoryBelonging;
+import com.pmease.gitop.core.model.permission.object.UserBelonging;
 
 @Entity
 @org.hibernate.annotations.Cache(
 		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
 @Table(uniqueConstraints={
-		@UniqueConstraint(columnNames={"user", "name"})
+		@UniqueConstraint(columnNames={"owner", "name"})
 })
 @SuppressWarnings("serial")
-public class Repository extends AbstractEntity {
+public class Repository extends AbstractEntity implements UserBelonging {
+	
+	@ManyToOne(fetch=FetchType.EAGER)
+	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
+	@JoinColumn(nullable=false)
+	private User owner;
 
 	@Column(nullable=false)
 	private String name;
 	
 	private String description;
 
-	@ManyToOne(fetch=FetchType.EAGER)
-	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
-	@JoinColumn(nullable=false)
-	private User user;
-	
 	@Column(nullable=true)
 	private GateKeeper gateKeeper;
 
+	@Override
+	public User getOwner() {
+		return owner;
+	}
+
+	public void setOwner(User owner) {
+		this.owner = owner;
+	}
+
 	public String getName() {
 		return name;
 	}
@@ -51,14 +63,6 @@ public class Repository extends AbstractEntity {
 		this.description = description;
 	}
 
-	public User getUser() {
-		return user;
-	}
-
-	public void setUser(User user) {
-		this.user = user;
-	}
-
 	public GateKeeper getGateKeeper() {
 		return gateKeeper;
 	}
@@ -67,4 +71,17 @@ public class Repository extends AbstractEntity {
 		this.gateKeeper = gateKeeper;
 	}
 
+	@Override
+	public boolean has(ProtectedObject object) {
+		if (object instanceof Repository) {
+			Repository repository = (Repository) object;
+			return repository.getId().equals(getId());
+		} else if (object instanceof RepositoryBelonging) {
+			RepositoryBelonging repositoryBelonging = (RepositoryBelonging) object;
+			return repositoryBelonging.getOwner().getId().equals(getId());
+		} else {
+			return false;
+		}
+	}
+
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/RepositoryAuthorization.java

@@ -1,5 +1,6 @@
 package com.pmease.gitop.core.model;
 
+import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.JoinColumn;
@@ -10,40 +11,52 @@ import javax.persistence.UniqueConstraint;
 import org.hibernate.annotations.FetchMode;
 
 import com.pmease.commons.persistence.AbstractEntity;
+import com.pmease.gitop.core.model.permission.RepositoryOperation;
 
 @SuppressWarnings("serial")
 @Entity
 @Table(uniqueConstraints={
-		@UniqueConstraint(columnNames={"who", "what"})
+		@UniqueConstraint(columnNames={"subject", "object"})
 })
 @org.hibernate.annotations.Cache(
 		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
-public class UserLevelPermissionByGroup extends AbstractEntity {
+public class RepositoryAuthorization extends AbstractEntity {
 
 	@ManyToOne(fetch=FetchType.EAGER)
 	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
 	@JoinColumn(nullable=false)
-	private Group who;	
+	private Team subject;	
 
 	@ManyToOne(fetch=FetchType.EAGER)
 	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
 	@JoinColumn(nullable=false)
-	private User what;
+	private Repository object;
 	
-	public Group getWho() {
+	@Column(nullable=false)
-		return who;
+	private RepositoryOperation operation;
+
+	public Team getSubject() {
+		return subject;
 	}
 
-	public void setWho(Group who) {
+	public void setSubject(Team subject) {
-		this.who = who;
+		this.subject = subject;
 	}
 	
-	public User getWhat() {
+	public Repository getObject() {
-		return what;
+		return object;
 	}
 
-	public void setWhat(User what) {
+	public void setObject(Repository object) {
-		this.what = what;
+		this.object = object;
+	}
+
+	public RepositoryOperation getOperation() {
+		return operation;
+	}
+
+	public void setOperation(RepositoryOperation operation) {
+		this.operation = operation;
 	}
 
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/RepositoryLevelPermissionByGroup.java

@@ -1,49 +0,0 @@
-package com.pmease.gitop.core.model;
-
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.Table;
-import javax.persistence.UniqueConstraint;
-
-import org.hibernate.annotations.FetchMode;
-
-import com.pmease.commons.persistence.AbstractEntity;
-
-@SuppressWarnings("serial")
-@Entity
-@Table(uniqueConstraints={
-		@UniqueConstraint(columnNames={"who", "what"})
-})
-@org.hibernate.annotations.Cache(
-		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
-public class RepositoryLevelPermissionByGroup extends AbstractEntity {
-
-	@ManyToOne(fetch=FetchType.EAGER)
-	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
-	@JoinColumn(nullable=false)
-	private Group who;	
-
-	@ManyToOne(fetch=FetchType.EAGER)
-	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
-	@JoinColumn(nullable=false)
-	private Repository what;
-	
-	public Group getWho() {
-		return who;
-	}
-
-	public void setWho(Group who) {
-		this.who = who;
-	}
-	
-	public Repository getWhat() {
-		return what;
-	}
-
-	public void setWhat(Repository what) {
-		this.what = what;
-	}
-
-}

gitop.core/src/main/java/com/pmease/gitop/core/model/RepositoryLevelPermissionByUser.java

@@ -1,49 +0,0 @@
-package com.pmease.gitop.core.model;
-
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToOne;
-import javax.persistence.Table;
-import javax.persistence.UniqueConstraint;
-
-import org.hibernate.annotations.FetchMode;
-
-import com.pmease.commons.persistence.AbstractEntity;
-
-@SuppressWarnings("serial")
-@Entity
-@Table(uniqueConstraints={
-		@UniqueConstraint(columnNames={"who", "what"})
-})
-@org.hibernate.annotations.Cache(
-		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
-public class RepositoryLevelPermissionByUser extends AbstractEntity {
-
-	@ManyToOne(fetch=FetchType.EAGER)
-	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
-	@JoinColumn(nullable=false)
-	private User who;	
-
-	@ManyToOne(fetch=FetchType.EAGER)
-	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
-	@JoinColumn(nullable=false)
-	private Repository what;
-	
-	public User getWho() {
-		return who;
-	}
-
-	public void setWho(User who) {
-		this.who = who;
-	}
-	
-	public Repository getWhat() {
-		return what;
-	}
-
-	public void setWhat(Repository what) {
-		this.what = what;
-	}
-
-}

gitop.core/src/main/java/com/pmease/gitop/core/model/Role.java

@@ -0,0 +1,81 @@
+package com.pmease.gitop.core.model;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.OneToMany;
+
+import org.apache.shiro.authz.Permission;
+
+import com.pmease.commons.persistence.AbstractEntity;
+import com.pmease.gitop.core.model.permission.ObjectPermission;
+import com.pmease.gitop.core.model.permission.object.SystemObject;
+import com.pmease.gitop.core.model.permission.operation.PrivilegedOperation;
+
+@Entity
+@org.hibernate.annotations.Cache(
+		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
+@SuppressWarnings("serial")
+public class Role extends AbstractEntity implements Permission {
+
+	@Column(nullable=false, unique=true)
+	private String name;
+	
+	private String description;
+	
+	@Column(nullable=false)
+	private List<PrivilegedOperation> operations = new ArrayList<PrivilegedOperation>();
+	
+	@OneToMany(mappedBy="role")
+	private Collection<RoleMembership> memberships;
+
+	public String getName() {
+		return name;
+	}
+
+	public void setName(String name) {
+		this.name = name;
+	}
+
+	public String getDescription() {
+		return description;
+	}
+
+	public void setDescription(String description) {
+		this.description = description;
+	}
+
+	public Collection<RoleMembership> getMemberships() {
+		return memberships;
+	}
+
+	public void setMemberships(Collection<RoleMembership> memberships) {
+		this.memberships = memberships;
+	}
+
+	public List<PrivilegedOperation> getOperations() {
+		return operations;
+	}
+
+	public void setOperations(List<PrivilegedOperation> operations) {
+		this.operations = operations;
+	}
+
+	@Override
+	public boolean implies(Permission permission) {
+		if (permission instanceof ObjectPermission) {
+			ObjectPermission objectPermission = (ObjectPermission) permission;
+			if (new SystemObject().has(objectPermission.getObject())) {
+				for (PrivilegedOperation each: getOperations()) {
+					if (each.can(objectPermission.getOperation()))
+						return true;
+				}
+			}
+		}
+		return false;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/RoleMembership.java

@@ -14,36 +14,36 @@ import com.pmease.commons.persistence.AbstractEntity;
 @SuppressWarnings("serial")
 @Entity
 @Table(uniqueConstraints={
-		@UniqueConstraint(columnNames={"who", "what"})
+		@UniqueConstraint(columnNames={"user", "role"})
 })
 @org.hibernate.annotations.Cache(
 		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
-public class UserLevelPermissionByUser extends AbstractEntity {
+public class RoleMembership extends AbstractEntity {
 
 	@ManyToOne(fetch=FetchType.EAGER)
 	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
 	@JoinColumn(nullable=false)
-	private User who;	
+	private User user;
 	
 	@ManyToOne(fetch=FetchType.EAGER)
 	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
 	@JoinColumn(nullable=false)
-	private User what;
+	private Role role;
 
-	public User getWhat() {
+	public User getUser() {
-		return what;
+		return user;
 	}
 
-	public void setWhat(User what) {
+	public void setUser(User user) {
-		this.what = what;
+		this.user = user;
 	}
 
-	public User getWho() {
+	public Role getRole() {
-		return who;
+		return role;
 	}
 
-	public void setWho(User who) {
+	public void setRole(Role role) {
-		this.who = who;
+		this.role = role;
 	}
 	
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/Team.java

@@ -0,0 +1,110 @@
+package com.pmease.gitop.core.model;
+
+import java.util.Collection;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.OneToMany;
+import javax.persistence.Table;
+import javax.persistence.UniqueConstraint;
+
+import org.apache.shiro.authz.Permission;
+
+import com.pmease.commons.persistence.AbstractEntity;
+import com.pmease.gitop.core.model.permission.ObjectPermission;
+import com.pmease.gitop.core.model.permission.operation.PrivilegedOperation;
+
+@Entity
+@org.hibernate.annotations.Cache(
+		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
+@Table(uniqueConstraints={
+		@UniqueConstraint(columnNames={"owner", "name"})
+})
+@SuppressWarnings("serial")
+public class Team extends AbstractEntity implements Permission {
+
+	private User owner;
+
+	@Column(nullable=false, unique=true)
+	private String name;
+	
+	private String description;
+	
+	private PrivilegedOperation operation;
+	
+	@OneToMany(mappedBy="team")
+	private Collection<TeamMembership> memberships;
+	
+	@OneToMany(mappedBy="subject")
+	private Collection<RepositoryAuthorization> repositoryAuthorizations;
+
+	public User getOwner() {
+		return owner;
+	}
+
+	public void setOwner(User owner) {
+		this.owner = owner;
+	}
+
+	public String getName() {
+		return name;
+	}
+
+	public void setName(String name) {
+		this.name = name;
+	}
+
+	public String getDescription() {
+		return description;
+	}
+
+	public void setDescription(String description) {
+		this.description = description;
+	}
+
+	public PrivilegedOperation getOperation() {
+		return operation;
+	}
+
+	public void setOperation(PrivilegedOperation operation) {
+		this.operation = operation;
+	}
+
+	public Collection<TeamMembership> getMemberships() {
+		return memberships;
+	}
+
+	public void setMemberships(Collection<TeamMembership> memberships) {
+		this.memberships = memberships;
+	}
+
+	public Collection<RepositoryAuthorization> getRepositoryAuthorizations() {
+		return repositoryAuthorizations;
+	}
+
+	public void setRepositoryAuthorizations(
+			Collection<RepositoryAuthorization> repositoryAuthorizations) {
+		this.repositoryAuthorizations = repositoryAuthorizations;
+	}
+
+	@Override
+	public boolean implies(Permission permission) {
+		if (permission instanceof ObjectPermission) {
+			ObjectPermission objectPermission = (ObjectPermission) permission;
+			
+			for (RepositoryAuthorization each: getRepositoryAuthorizations()) {
+				PrivilegedOperation operation = each.getOperation().operationOf(
+						objectPermission.getObject(), each.getObject());
+				
+				if (operation != null)
+					return operation.can(objectPermission.getOperation());
+			}
+
+			if (getOwner().has(objectPermission.getObject()))
+				return getOperation().can(objectPermission.getOperation());
+		} 
+		
+		return false;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/TeamMembership.java

@@ -18,7 +18,7 @@ import com.pmease.commons.persistence.AbstractEntity;
 })
 @org.hibernate.annotations.Cache(
 		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
-public class Membership extends AbstractEntity {
+public class TeamMembership extends AbstractEntity {
 
 	@ManyToOne(fetch=FetchType.EAGER)
 	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
@@ -28,7 +28,7 @@ public class Membership extends AbstractEntity {
 	@ManyToOne(fetch=FetchType.EAGER)
 	@org.hibernate.annotations.Fetch(FetchMode.SELECT)
 	@JoinColumn(nullable=false)
-	private Group group;
+	private Team group;
 
 	public User getUser() {
 		return user;
@@ -38,11 +38,11 @@ public class Membership extends AbstractEntity {
 		this.user = user;
 	}
 
-	public Group getGroup() {
+	public Team getGroup() {
 		return group;
 	}
 
-	public void setGroup(Group group) {
+	public void setGroup(Team group) {
 		this.group = group;
 	}
 	

gitop.core/src/main/java/com/pmease/gitop/core/model/User.java

@@ -5,7 +5,11 @@ import java.util.Collection;
 import javax.persistence.Entity;
 import javax.persistence.OneToMany;
 
+import org.apache.shiro.authz.Permission;
+
 import com.pmease.commons.security.AbstractUser;
+import com.pmease.gitop.core.model.permission.object.ProtectedObject;
+import com.pmease.gitop.core.model.permission.object.UserBelonging;
 
 /**
  * This class represents either a project or an user in the system. 
@@ -21,28 +25,73 @@ import com.pmease.commons.security.AbstractUser;
 @Entity
 @org.hibernate.annotations.Cache(
 		usage=org.hibernate.annotations.CacheConcurrencyStrategy.READ_WRITE)
-public class User extends AbstractUser {
+public class User extends AbstractUser implements ProtectedObject, Permission {
 
 	@OneToMany(mappedBy="user")
-	private Collection<Membership> memberships;
+	private Collection<TeamMembership> memberships;
 	
 	@OneToMany(mappedBy="user")
-	private Collection<Membership> mergeRequests;
+	private Collection<MergeRequest> mergeRequests;
 	
-	public Collection<Membership> getMemberships() {
+	@OneToMany(mappedBy="owner")
+	private Collection<Repository> repositories;
+
+	@OneToMany(mappedBy="owner")
+	private Collection<Team> teams;
+
+	public Collection<TeamMembership> getMemberships() {
 		return memberships;
 	}
 
-	public void setMemberships(Collection<Membership> memberships) {
+	public void setMemberships(Collection<TeamMembership> memberships) {
 		this.memberships = memberships;
 	}
 
-	public Collection<Membership> getMergeRequests() {
+	public Collection<Repository> getRepositories() {
+		return repositories;
+	}
+
+	public void setRepositories(Collection<Repository> repositories) {
+		this.repositories = repositories;
+	}
+
+	public Collection<Team> getTeams() {
+		return teams;
+	}
+
+	public void setTeams(Collection<Team> teams) {
+		this.teams = teams;
+	}
+
+	public Collection<MergeRequest> getMergeRequests() {
 		return mergeRequests;
 	}
 
-	public void setMergeRequests(Collection<Membership> mergeRequests) {
+	public void setMergeRequests(Collection<MergeRequest> mergeRequests) {
 		this.mergeRequests = mergeRequests;
 	}
 
+	@Override
+	public boolean has(ProtectedObject object) {
+		if (object instanceof User) {
+			User user = (User) object;
+			return user.getId().equals(getId());
+		} else if (object instanceof UserBelonging) {
+			UserBelonging userBelonging = (UserBelonging) object;
+			return userBelonging.getOwner().getId().equals(getId());
+		} else {
+			return false;
+		}
+	}
+
+	@Override
+	public boolean implies(Permission permission) {
+		for (TeamMembership each: getMemberships()) {
+			if (each.getGroup().implies(permission))
+				return true;
+		}
+		
+		return false;
+	}
+
 }

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/BranchPermission.java

@@ -0,0 +1,27 @@
+package com.pmease.gitop.core.model.permission;
+
+import com.pmease.gitop.core.model.permission.operation.PrivilegedOperation;
+
+public class BranchPermission {
+	
+	private String branchNames;
+	
+	private PrivilegedOperation branchOperation;
+
+	public String getBranchNames() {
+		return branchNames;
+	}
+
+	public void setBranchNames(String branchNames) {
+		this.branchNames = branchNames;
+	}
+
+	public PrivilegedOperation getBranchOperation() {
+		return branchOperation;
+	}
+
+	public void setBranchOperation(PrivilegedOperation branchOperation) {
+		this.branchOperation = branchOperation;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/ObjectPermission.java

@@ -0,0 +1,52 @@
+package com.pmease.gitop.core.model.permission;
+
+import org.apache.shiro.authz.Permission;
+
+import com.pmease.gitop.core.model.permission.object.ProtectedObject;
+import com.pmease.gitop.core.model.permission.operation.PrivilegedOperation;
+
+/**
+ * This class represents permissions to operate an account and its belongings.
+ *  
+ * @author robin
+ *
+ */
+public class ObjectPermission implements Permission {
+	
+	private ProtectedObject object;
+	
+	private PrivilegedOperation operation;
+
+	public ObjectPermission(ProtectedObject object, PrivilegedOperation operation) {
+		this.object = object;
+		this.operation = operation;
+	}
+	
+	public ProtectedObject getObject() {
+		return object;
+	}
+
+	public PrivilegedOperation getOperation() {
+		return operation;
+	}
+
+	public void setOperation(PrivilegedOperation operation) {
+		this.operation = operation;
+	}
+
+	public void setObject(ProtectedObject object) {
+		this.object = object;
+	}
+
+	@Override
+	public boolean implies(Permission permission) {
+		if (permission instanceof ObjectPermission) {
+			ObjectPermission objectPermission = (ObjectPermission) permission;
+			return getObject().has(objectPermission.getObject()) 
+					&& getOperation().can(objectPermission.getOperation());
+		} else {
+			return false;
+		}
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/RepositoryOperation.java

@@ -0,0 +1,45 @@
+package com.pmease.gitop.core.model.permission;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import com.pmease.gitop.core.model.Repository;
+import com.pmease.gitop.core.model.permission.object.ProtectedBranches;
+import com.pmease.gitop.core.model.permission.object.ProtectedObject;
+import com.pmease.gitop.core.model.permission.operation.PrivilegedOperation;
+
+public class RepositoryOperation {
+	
+	private PrivilegedOperation repositoryLevel;
+	
+	private List<BranchPermission> branchLevel = new ArrayList<BranchPermission>();
+
+	public PrivilegedOperation getRepositoryWide() {
+		return repositoryLevel;
+	}
+
+	public void setRepositoryLevel(PrivilegedOperation repositoryLevel) {
+		this.repositoryLevel = repositoryLevel;
+	}
+
+	public List<BranchPermission> getBranchLevel() {
+		return branchLevel;
+	}
+
+	public void setBranchLevel(List<BranchPermission> branchLevel) {
+		this.branchLevel = branchLevel;
+	}
+
+	public PrivilegedOperation operationOf(ProtectedObject object, Repository repository) {
+		for (BranchPermission each: getBranchLevel()) {
+			if (new ProtectedBranches(repository, each.getBranchNames()).has(object))
+				return each.getBranchOperation();
+		}
+		
+		if (repository.has(object))
+			return getRepositoryWide();
+		else
+			return null;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/object/ProtectedBranches.java

@@ -0,0 +1,36 @@
+package com.pmease.gitop.core.model.permission.object;
+
+import com.pmease.commons.util.pattern.WildcardUtils;
+import com.pmease.gitop.core.model.Repository;
+
+public class ProtectedBranches implements RepositoryBelonging {
+
+	private final Repository repository;
+	
+	private final String branchNames;
+	
+	public ProtectedBranches(Repository repository, String branchNames) {
+		this.repository = repository;
+		this.branchNames = branchNames;
+	}
+	
+	public String getBranchNames() {
+		return branchNames;
+	}
+	
+	@Override
+	public boolean has(ProtectedObject object) {
+		if (object instanceof ProtectedBranches) {
+			ProtectedBranches branches = (ProtectedBranches) object;
+			return WildcardUtils.matchPath(getBranchNames(), branches.getBranchNames());
+		} else {
+			return false;
+		}
+	}
+
+	@Override
+	public Repository getOwner() {
+		return repository;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/object/ProtectedObject.java

@@ -0,0 +1,5 @@
+package com.pmease.gitop.core.model.permission.object;
+
+public interface ProtectedObject {
+	boolean has(ProtectedObject object);
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/object/RepositoryBelonging.java

@@ -0,0 +1,7 @@
+package com.pmease.gitop.core.model.permission.object;
+
+import com.pmease.gitop.core.model.Repository;
+
+public interface RepositoryBelonging extends ProtectedObject {
+	Repository getOwner();
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/object/SystemObject.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.object;
+
+public class SystemObject implements ProtectedObject {
+
+	@Override
+	public boolean has(ProtectedObject object) {
+		return true;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/object/UserBelonging.java

@@ -0,0 +1,7 @@
+package com.pmease.gitop.core.model.permission.object;
+
+import com.pmease.gitop.core.model.User;
+
+public interface UserBelonging extends ProtectedObject {
+	User getOwner();
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/Administration.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public class Administration implements PrivilegedOperation {
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		return true;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/CreateAssessment.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public class CreateAssessment implements PrivilegedOperation {
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		return operation instanceof CreateAssessment;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/CreateComment.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public class CreateComment implements PrivilegedOperation {
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		return operation instanceof CreateComment;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/CreateMergeRequest.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public class CreateMergeRequest implements PrivilegedOperation {
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		return operation instanceof CreateMergeRequest;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/CreateRepository.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public class CreateRepository implements PrivilegedOperation {
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		return operation instanceof CreateRepository;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/PrivilegedOperation.java

@@ -1,4 +1,4 @@
-package com.pmease.gitop.core.model.permission;
+package com.pmease.gitop.core.model.permission.operation;
 
 public interface PrivilegedOperation {
 	boolean can(PrivilegedOperation operation);

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/Read.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public class Read implements PrivilegedOperation {
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		return operation instanceof Read;
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/SystemOperation.java

@@ -0,0 +1,60 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public enum SystemOperation implements PrivilegedOperation {
+	ADMINISTRATION {
+
+		@Override
+		public boolean can(PrivilegedOperation operation) {
+			return true;
+		}
+		
+	},
+	CREATE_ASSESSMENT {
+
+		@Override
+		public boolean can(PrivilegedOperation operation) {
+			return operation == CREATE_ASSESSMENT;
+		}
+		
+	},
+	CREATE_COMMENT {
+
+		@Override
+		public boolean can(PrivilegedOperation operation) {
+			return operation == CREATE_COMMENT;
+		}
+		
+	},
+	CREATE_MERGE_REQUEST {
+
+		@Override
+		public boolean can(PrivilegedOperation operation) {
+			return operation == CREATE_MERGE_REQUEST;
+		}
+		
+	},
+	CREATE_REPOSITORY {
+
+		@Override
+		public boolean can(PrivilegedOperation operation) {
+			return operation == CREATE_REPOSITORY;
+		}
+		
+	},
+	READ_ALL_REPOSITORIES {
+
+		@Override
+		public boolean can(PrivilegedOperation operation) {
+			return operation == READ_ALL_REPOSITORIES;
+		}
+		
+	},
+	WRITE_ALL_REPOSITORIES {
+
+		@Override
+		public boolean can(PrivilegedOperation operation) {
+			return READ_ALL_REPOSITORIES.can(operation);
+		}
+		
+	}
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/Write.java

@@ -0,0 +1,10 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+public class Write implements PrivilegedOperation{
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		return operation instanceof Write || new Read().can(operation);
+	}
+
+}

gitop.core/src/main/java/com/pmease/gitop/core/model/permission/operation/WriteToBranch.java

@@ -0,0 +1,27 @@
+package com.pmease.gitop.core.model.permission.operation;
+
+import com.pmease.commons.util.pattern.WildcardUtils;
+
+public class WriteToBranch implements PrivilegedOperation {
+
+	private String filePaths = "**";
+	
+	public String getFilePaths() {
+		return filePaths;
+	}
+
+	public void setFilePaths(String filePaths) {
+		this.filePaths = filePaths;
+	}
+
+	@Override
+	public boolean can(PrivilegedOperation operation) {
+		if (operation instanceof WriteToBranch) {
+			WriteToBranch writeToBranch = (WriteToBranch) operation;
+			return WildcardUtils.matchPath(getFilePaths(), writeToBranch.getFilePaths());
+		} else {
+			return new Read().can(operation);
+		}
+	}
+
+}