cancan 1.4.1 → 1.5.0.beta1

data/lib/cancan/exceptions.rb

@@ -2,6 +2,9 @@ module CanCan
   # A general CanCan exception
   class Error < StandardError; end
 
+  # Raised when behavior is not implemented, usually used in an abstract class.
+  class NotImplemented < Error; end
+
   # Raised when removed code is called, an alternative solution is provided in message.
   class ImplementationRemoved < Error; end
 

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -0,0 +1,40 @@
+module CanCan
+  module ModelAdapters
+    class AbstractAdapter
+      def self.inherited(subclass)
+        @subclasses ||= []
+        @subclasses << subclass
+      end
+
+      def self.adapter_class(model_class)
+        @subclasses.detect { |subclass| subclass.for_class?(model_class) } || DefaultAdapter
+      end
+
+      # Used to determine if the given adapter should be used for the passed in class.
+      def self.for_class?(member_class)
+        false # override in subclass
+      end
+
+      # Used to determine if this model adapter will override the matching behavior for a hash of conditions.
+      # If this returns true then matches_conditions_hash? will be called. See Rule#matches_conditions_hash
+      def self.override_conditions_hash_matching?(subject, conditions)
+        false
+      end
+
+      # Override if override_conditions_hash_matching? returns true
+      def self.matches_conditions_hash?(subject, conditions)
+        raise NotImplemented, "This model adapter does not support matching on a conditions hash."
+      end
+
+      def initialize(model_class, rules)
+        @model_class = model_class
+        @rules = rules
+      end
+
+      def database_records
+        # This should be overridden in a subclass to return records which match @rules
+        raise NotImplemented, "This model adapter does not support fetching records from the database."
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -0,0 +1,119 @@
+module CanCan
+  module ModelAdapters
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= ActiveRecord::Base
+      end
+
+      # Returns conditions intended to be used inside a database query. Normally you will not call this
+      # method directly, but instead go through ModelAdditions#accessible_by.
+      #
+      # If there is only one "can" definition, a hash of conditions will be returned matching the one defined.
+      #
+      #   can :manage, User, :id => 1
+      #   query(:manage, User).conditions # => { :id => 1 }
+      #
+      # If there are multiple "can" definitions, a SQL string will be returned to handle complex cases.
+      #
+      #   can :manage, User, :id => 1
+      #   can :manage, User, :manager_id => 1
+      #   cannot :manage, User, :self_managed => true
+      #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
+      #
+      def conditions
+        if @rules.size == 1 && @rules.first.base_behavior
+          # Return the conditions directly if there's just one definition
+          tableized_conditions(@rules.first.conditions).dup
+        else
+          @rules.reverse.inject(false_sql) do |sql, rule|
+            merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior)
+          end
+        end
+      end
+
+      def tableized_conditions(conditions)
+        return conditions unless conditions.kind_of? Hash
+        conditions.inject({}) do |result_hash, (name, value)|
+          if value.kind_of? Hash
+            name = @model_class.reflect_on_association(name).table_name
+            value = tableized_conditions(value)
+          end
+          result_hash[name] = value
+          result_hash
+        end
+      end
+
+      # Returns the associations used in conditions for the :joins option of a search.
+      # See ModelAdditions#accessible_by
+      def joins
+        joins_hash = {}
+        @rules.each do |rule|
+          merge_joins(joins_hash, rule.associations_hash)
+        end
+        clean_joins(joins_hash) unless joins_hash.empty?
+      end
+
+      def database_records
+        if @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
+          @model_class.where(conditions).joins(joins)
+        else
+          @model_class.scoped(:conditions => conditions, :joins => joins)
+        end
+      end
+
+      private
+
+      def merge_conditions(sql, conditions_hash, behavior)
+        if conditions_hash.blank?
+          behavior ? true_sql : false_sql
+        else
+          conditions = sanitize_sql(conditions_hash)
+          case sql
+          when true_sql
+            behavior ? true_sql : "not (#{conditions})"
+          when false_sql
+            behavior ? conditions : false_sql
+          else
+            behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
+          end
+        end
+      end
+
+      def false_sql
+        sanitize_sql(['?=?', true, false])
+      end
+
+      def true_sql
+        sanitize_sql(['?=?', true, true])
+      end
+
+      def sanitize_sql(conditions)
+        @model_class.send(:sanitize_sql, conditions)
+      end
+
+      # Takes two hashes and does a deep merge.
+      def merge_joins(base, add)
+        add.each do |name, nested|
+          if base[name].is_a?(Hash) && !nested.empty?
+            merge_joins(base[name], nested)
+          else
+            base[name] = nested
+          end
+        end
+      end
+
+      # Removes empty hashes and moves everything into arrays.
+      def clean_joins(joins_hash)
+        joins = []
+        joins_hash.each do |name, nested|
+          joins << (nested.empty? ? name : {name => clean_joins(nested)})
+        end
+        joins
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.class_eval do
+  include CanCan::ModelAdditions
+end

data/lib/cancan/model_adapters/data_mapper_adapter.rb

@@ -0,0 +1,33 @@
+module CanCan
+  module ModelAdapters
+    class DataMapperAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= DataMapper::Resource
+      end
+
+      def self.override_conditions_hash_matching?(subject, conditions)
+        conditions.any? { |k,v| !k.kind_of?(Symbol) }
+      end
+
+      def self.matches_conditions_hash?(subject, conditions)
+        subject.class.all(:conditions => conditions).include?(subject) # TODO don't use a database query here for performance and other instances
+      end
+
+      def database_records
+        scope = @model_class.all(:conditions => ["0=1"])
+        conditions.each do |condition|
+          scope += @model_class.all(:conditions => condition)
+        end
+        scope
+      end
+
+      def conditions
+        @rules.map(&:conditions)
+      end
+    end
+  end
+end
+
+DataMapper::Model.class_eval do
+  include CanCan::ModelAdditions::ClassMethods
+end

data/lib/cancan/model_adapters/default_adapter.rb

@@ -0,0 +1,7 @@
+module CanCan
+  module ModelAdapters
+    class DefaultAdapter < AbstractAdapter
+      # This adapter is used when no matching adapter is found
+    end
+  end
+end

data/lib/cancan/model_adapters/mongoid_adapter.rb

@@ -0,0 +1,41 @@
+module CanCan
+  module ModelAdapters
+    class MongoidAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= Mongoid::Document
+      end
+
+      def self.override_conditions_hash_matching?(subject, conditions)
+        conditions.any? { |k,v| !k.kind_of?(Symbol) }
+      end
+
+      def self.matches_conditions_hash?(subject, conditions)
+        # To avoid hitting the db, retrieve the raw Mongo selector from
+        # the Mongoid Criteria and use Mongoid::Matchers#matches?
+        subject.matches?( subject.class.where(conditions).selector )
+      end
+
+      def database_records
+        @model_class.where(conditions)
+      end
+
+      def conditions
+        if @rules.size == 0
+          false_query
+        else
+          @rules.first.conditions
+        end
+      end
+
+      def false_query
+        # this query is sure to return no results
+        {:_id => {'$exists' => false, '$type' => 7}}  # type 7 is an ObjectID (default for _id)
+      end
+    end
+  end
+end
+
+# simplest way to add `accessible_by` to all Mongoid Documents
+module Mongoid::Document::ClassMethods
+  include CanCan::ModelAdditions::ClassMethods
+end

data/lib/cancan/{active_record_additions.rb → model_additions.rb}

@@ -1,6 +1,7 @@
 module CanCan
-  # This module is automatically included into all Active Record models.
-  module ActiveRecordAdditions
+
+  # This module adds the accessible_by class method to a model. It is included in the model adapters.
+  module ModelAdditions
     module ClassMethods
       # Returns a scope which fetches only the records that the passed ability
       # can perform a given action on. The action defaults to :read. This
@@ -17,15 +18,9 @@ module CanCan
       #
       #   @articles = Article.accessible_by(current_ability, :update)
       #
-      # Here only the articles which the user can update are returned. This
-      # internally uses Ability#conditions method, see that for more information.
+      # Here only the articles which the user can update are returned.
       def accessible_by(ability, action = :read)
-        query = ability.query(action, self)
-        if respond_to?(:where) && respond_to?(:joins)
-          where(query.conditions).joins(query.joins)
-        else
-          scoped(:conditions => query.conditions, :joins => query.joins)
-        end
+        ability.model_adapter(self, action).database_records
       end
     end
 
@@ -34,9 +29,3 @@ module CanCan
     end
   end
 end
-
-if defined? ActiveRecord
-  ActiveRecord::Base.class_eval do
-    include CanCan::ActiveRecordAdditions
-  end
-end

data/lib/cancan/{can_definition.rb → rule.rb}

@@ -2,8 +2,8 @@ module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
-  class CanDefinition # :nodoc:
-    attr_reader :base_behavior, :actions
+  class Rule # :nodoc:
+    attr_reader :base_behavior, :actions, :conditions
     attr_writer :expanded_actions
 
     # The first argument when initializing is the base_behavior which is a true/false
@@ -41,18 +41,6 @@ module CanCan
       end
     end
 
-    def tableized_conditions(conditions = @conditions)
-      return conditions unless conditions.kind_of? Hash
-      conditions.inject({}) do |result_hash, (name, value)|
-        if value.kind_of? Hash
-          name = name.to_s.tableize.to_sym
-          value = tableized_conditions(value)
-        end
-        result_hash[name] = value
-        result_hash
-      end
-    end
-
     def only_block?
       conditions_empty? && !@block.nil?
     end
@@ -100,19 +88,31 @@ module CanCan
       @subjects.any? { |sub| sub.kind_of?(Module) && (subject.kind_of?(sub) || subject.class.to_s == sub.to_s || subject.kind_of?(Module) && subject.ancestors.include?(sub)) }
     end
 
+    # Checks if the given subject matches the given conditions hash.
+    # This behavior can be overriden by a model adapter by defining two class methods:
+    # override_matching_for_conditions?(subject, conditions) and
+    # matches_conditions_hash?(subject, conditions)
     def matches_conditions_hash?(subject, conditions = @conditions)
-      conditions.all? do |name, value|
-        attribute = subject.send(name)
-        if value.kind_of?(Hash)
-          if attribute.kind_of? Array
-            attribute.any? { |element| matches_conditions_hash? element, value }
-          else
-            matches_conditions_hash? attribute, value
-          end
-        elsif value.kind_of?(Array) || value.kind_of?(Range)
-          value.include? attribute
+      if conditions.empty?
+        true
+      else
+        if model_adapter(subject).override_conditions_hash_matching? subject, conditions
+          model_adapter(subject).matches_conditions_hash? subject, conditions
         else
-          attribute == value
+          conditions.all? do |name, value|
+            attribute = subject.send(name)
+            if value.kind_of?(Hash)
+              if attribute.kind_of? Array
+                attribute.any? { |element| matches_conditions_hash? element, value }
+              else
+                matches_conditions_hash? attribute, value
+              end
+            elsif value.kind_of?(Array) || value.kind_of?(Range)
+              value.include? attribute
+            else
+              attribute == value
+            end
+          end
         end
       end
     end
@@ -129,5 +129,9 @@ module CanCan
         @block.call(action, subject.class, subject, *extra_args)
       end
     end
+
+    def model_adapter(subject)
+      ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    end
   end
 end

data/lib/generators/cancan/ability/USAGE

@@ -0,0 +1,4 @@
+Description:
+  The cancan:ability generator creates an Ability class in the models
+  directory. You can move this file anywhere you want as long as it
+  is in the load path.

data/lib/generators/cancan/ability/ability_generator.rb

@@ -0,0 +1,11 @@
+module Cancan
+  module Generators
+    class AbilityGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def generate_ability
+        copy_file "ability.rb", "app/models/ability.rb"
+      end
+    end
+  end
+end

data/lib/generators/cancan/ability/templates/ability.rb

@@ -0,0 +1,28 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    # Define abilities for the passed in user here. For example:
+    #
+    #   user ||= User.new # guest user (not logged in)
+    #   if user.admin?
+    #     can :manage, :all
+    #   else
+    #     can :read, :all
+    #   end
+    #
+    # The first argument to `can` is the action you are giving the user permission to do.
+    # If you pass :manage it will apply to every action. Other common actions here are
+    # :read, :create, :update and :destroy.
+    #
+    # The second argument is the resource the user can perform the action on. If you pass
+    # :all it will apply to every resource. Otherwise pass a Ruby class of the resource.
+    #
+    # The third argument is an optional hash of conditions to further filter the objects.
+    # For example, here the user can only update published articles.
+    #
+    #   can :update, Article, :published => true
+    #
+    # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
+  end
+end

data/spec/README.rdoc

@@ -0,0 +1,28 @@
+= CanCan Specs
+
+== Running the specs
+
+To run the specs first run the +bundle+ command to install the necessary gems and the +rake+ command to run the specs.
+
+  bundle
+  rake
+
+The specs currently require Ruby 1.8.7. Ruby 1.9.2 support will be coming soon.
+
+
+== Model Adapters
+
+CanCan offers separate specs for different model adapters (such as Mongoid and Data Mapper). By default it will use Active Record but you can change this by setting the +MODEL_ADAPTER+ environment variable before running. You can run the +bundle+ command with this as well to ensure you have the installed gems.
+
+  MODEL_ADAPTER=data_mapper bundle
+  MODEL_ADAPTER=data_mapper rake
+
+The different model adapters you can specify are:
+
+* active_record (default)
+* data_mapper
+* mongoid
+
+You can also run the +spec_all+ rake task to run specs for each adapter.
+
+  rake spec_all