cancancan 1.10.0 → 3.5.0

data/lib/cancan/conditions_matcher.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ConditionsMatcher
+    # Matches the block or conditions hash
+    def matches_conditions?(action, subject, attribute = nil, *extra_args)
+      return call_block_with_all(action, subject, extra_args) if @match_all
+      return matches_block_conditions(subject, attribute, *extra_args) if @block
+      return matches_non_block_conditions(subject) unless conditions_empty?
+
+      true
+    end
+
+    private
+
+    def subject_class?(subject)
+      klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
+      [Class, Module].include? klass
+    end
+
+    def matches_block_conditions(subject, attribute, *extra_args)
+      return @base_behavior if subject_class?(subject)
+
+      if attribute
+        @block.call(subject, attribute, *extra_args)
+      else
+        @block.call(subject, *extra_args)
+      end
+    end
+
+    def matches_non_block_conditions(subject)
+      return nested_subject_matches_conditions?(subject) if subject.class == Hash
+      return matches_conditions_hash?(subject) unless subject_class?(subject)
+
+      # Don't stop at "cannot" definitions when there are conditions.
+      @base_behavior
+    end
+
+    def nested_subject_matches_conditions?(subject_hash)
+      parent, child = subject_hash.first
+
+      adapter = model_adapter(parent)
+
+      parent_condition_name = adapter.parent_condition_name(parent, child)
+
+      matches_base_parent_conditions = matches_conditions_hash?(parent,
+                                                                @conditions[parent_condition_name] || {})
+
+      matches_base_parent_conditions &&
+        (!adapter.override_nested_subject_conditions_matching?(parent, child, @conditions) ||
+          adapter.nested_subject_matches_conditions?(parent, child, @conditions))
+    end
+
+    # Checks if the given subject matches the given conditions hash.
+    # This behavior can be overridden by a model adapter by defining two class methods:
+    # override_matching_for_conditions?(subject, conditions) and
+    # matches_conditions_hash?(subject, conditions)
+    def matches_conditions_hash?(subject, conditions = @conditions)
+      return true if conditions.is_a?(Hash) && conditions.empty?
+
+      adapter = model_adapter(subject)
+
+      if adapter.override_conditions_hash_matching?(subject, conditions)
+        return adapter.matches_conditions_hash?(subject, conditions)
+      end
+
+      matches_all_conditions?(adapter, subject, conditions)
+    end
+
+    def matches_all_conditions?(adapter, subject, conditions)
+      if conditions.is_a?(Hash)
+        matches_hash_conditions?(adapter, subject, conditions)
+      elsif conditions.respond_to?(:include?)
+        conditions.include?(subject)
+      else
+        subject == conditions
+      end
+    end
+
+    def matches_hash_conditions?(adapter, subject, conditions)
+      conditions.all? do |name, value|
+        if adapter.override_condition_matching?(subject, name, value)
+          adapter.matches_condition?(subject, name, value)
+        else
+          condition_match?(subject.send(name), value)
+        end
+      end
+    end
+
+    def condition_match?(attribute, value)
+      case value
+      when Hash
+        hash_condition_match?(attribute, value)
+      when Range
+        value.cover?(attribute)
+      when Enumerable
+        value.include?(attribute)
+      else
+        attribute == value
+      end
+    end
+
+    def hash_condition_match?(attribute, value)
+      if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
+        array_like_matches_condition_hash?(attribute, value)
+      else
+        attribute && matches_conditions_hash?(attribute, value)
+      end
+    end
+
+    def array_like_matches_condition_hash?(attribute, value)
+      if attribute.any?
+        attribute.any? { |element| matches_conditions_hash?(element, value) }
+      else
+        # you can use `nil`s in your ability definition to tell cancancan to find
+        # objects that *don't* have any children in a has_many relationship.
+        #
+        # for example, given ability:
+        # => can :read, Article, comments: { id: nil }
+        # cancancan will return articles where `article.comments == []`
+        #
+        # this is implemented here. `attribute` is `article.comments`, and it's an empty array.
+        # the expression below returns true if this was expected.
+        !value.values.empty? && value.values.all?(&:nil?)
+      end
+    end
+
+    def call_block_with_all(action, subject, *extra_args)
+      if subject.class == Class
+        @block.call(action, subject, nil, *extra_args)
+      else
+        @block.call(action, subject.class, subject, *extra_args)
+      end
+    end
+
+    def model_adapter(subject)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    end
+
+    def conditions_empty?
+      # @conditions might be an ActiveRecord::Associations::CollectionProxy
+      # which it's `==` implementation will fetch all records for comparison
+
+      (@conditions.is_a?(Hash) && @conditions == {}) || @conditions.nil?
+    end
+  end
+end

data/lib/cancan/config.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module CanCan
+  def self.valid_accessible_by_strategies
+    strategies = [:left_join]
+
+    unless does_not_support_subquery_strategy?
+      strategies.push(:joined_alias_exists_subquery, :joined_alias_each_rule_as_exists_subquery, :subquery)
+    end
+
+    strategies
+  end
+
+  # You can disable the rules compressor if it's causing unexpected issues.
+  def self.rules_compressor_enabled
+    return @rules_compressor_enabled if defined?(@rules_compressor_enabled)
+
+    @rules_compressor_enabled = true
+  end
+
+  def self.rules_compressor_enabled=(value)
+    @rules_compressor_enabled = value
+  end
+
+  def self.with_rules_compressor_enabled(value)
+    return yield if value == rules_compressor_enabled
+
+    begin
+      rules_compressor_enabled_was = rules_compressor_enabled
+      @rules_compressor_enabled = value
+      yield
+    ensure
+      @rules_compressor_enabled = rules_compressor_enabled_was
+    end
+  end
+
+  # Determines how CanCan should build queries when calling accessible_by,
+  # if the query will contain a join. The default strategy is `:subquery`.
+  #
+  #   # config/initializers/cancan.rb
+  #   CanCan.accessible_by_strategy = :subquery
+  #
+  # Valid strategies are:
+  # - :subquery - Creates a nested query with all joins, wrapped by a
+  #               WHERE IN query.
+  # - :left_join - Calls the joins directly using `left_joins`, and
+  #                ensures records are unique using `distinct`. Note that
+  #                `distinct` is not reliable in some cases. See
+  #                https://github.com/CanCanCommunity/cancancan/pull/605
+  def self.accessible_by_strategy
+    return @accessible_by_strategy if @accessible_by_strategy
+
+    @accessible_by_strategy = default_accessible_by_strategy
+  end
+
+  def self.default_accessible_by_strategy
+    if does_not_support_subquery_strategy?
+      # see https://github.com/CanCanCommunity/cancancan/pull/655 for where this was added
+      # the `subquery` strategy (from https://github.com/CanCanCommunity/cancancan/pull/619
+      # only works in Rails 5 and higher
+      :left_join
+    else
+      :subquery
+    end
+  end
+
+  def self.accessible_by_strategy=(value)
+    validate_accessible_by_strategy!(value)
+
+    if value == :subquery && does_not_support_subquery_strategy?
+      raise ArgumentError, 'accessible_by_strategy = :subquery requires ActiveRecord 5 or newer'
+    end
+
+    @accessible_by_strategy = value
+  end
+
+  def self.with_accessible_by_strategy(value)
+    return yield if value == accessible_by_strategy
+
+    validate_accessible_by_strategy!(value)
+
+    begin
+      strategy_was = accessible_by_strategy
+      @accessible_by_strategy = value
+      yield
+    ensure
+      @accessible_by_strategy = strategy_was
+    end
+  end
+
+  def self.validate_accessible_by_strategy!(value)
+    return if valid_accessible_by_strategies.include?(value)
+
+    raise ArgumentError, "accessible_by_strategy must be one of #{valid_accessible_by_strategies.join(', ')}"
+  end
+
+  def self.does_not_support_subquery_strategy?
+    !defined?(CanCan::ModelAdapters::ActiveRecordAdapter) ||
+      CanCan::ModelAdapters::ActiveRecordAdapter.version_lower?('5.0.0')
+  end
+end

data/lib/cancan/controller_additions.rb

@@ -1,5 +1,6 @@
-module CanCan
+# frozen_string_literal: true
 
+module CanCan
   # This module is automatically included into all controllers.
   # It also makes the "can?" and "cannot?" methods available to all views.
   module ControllerAdditions
@@ -12,7 +13,7 @@ module CanCan
       #   end
       #
       def load_and_authorize_resource(*args)
-        cancan_resource_class.add_before_filter(self, :load_and_authorize_resource, *args)
+        cancan_resource_class.add_before_action(self, :load_and_authorize_resource, *args)
       end
 
       # Sets up a before filter which loads the model resource into an instance variable.
@@ -32,16 +33,16 @@ module CanCan
       #   end
       #
       # A resource is not loaded if the instance variable is already set. This makes it easy to override
-      # the behavior through a before_filter on certain actions.
+      # the behavior through a before_action on certain actions.
       #
       #   class BooksController < ApplicationController
-      #     before_filter :find_book_by_permalink, :only => :show
+      #     before_action :find_book_by_permalink, :only => :show
       #     load_resource
       #
       #     private
       #
       #     def find_book_by_permalink
-      #       @book = Book.find_by_permalink!(params[:id)
+      #       @book = Book.find_by_permalink!(params[:id])
       #     end
       #   end
       #
@@ -72,8 +73,8 @@ module CanCan
       #   Load this resource through another one. This should match the name of the parent instance variable or method.
       #
       # [:+through_association+]
-      #   The name of the association to fetch the child records through the parent resource. This is normally not needed
-      #   because it defaults to the pluralized resource name.
+      #   The name of the association to fetch the child records through the parent resource.
+      #   This is normally not needed because it defaults to the pluralized resource name.
       #
       # [:+shallow+]
       #   Pass +true+ to allow this resource to be loaded directly when parent is +nil+. Defaults to +false+.
@@ -82,8 +83,8 @@ module CanCan
       #   Pass +true+ if this is a singleton resource through a +has_one+ association.
       #
       # [:+parent+]
-      #   True or false depending on if the resource is considered a parent resource. This defaults to +true+ if a resource
-      #   name is given which does not match the controller.
+      #   True or false depending on if the resource is considered a parent resource.
+      #   This defaults to +true+ if a resource name is given which does not match the controller.
       #
       # [:+class+]
       #   The class to use for the model (string or constant).
@@ -115,10 +116,10 @@ module CanCan
       #     load_resource :new => :build
       #
       # [:+prepend+]
-      #   Passing +true+ will use prepend_before_filter instead of a normal before_filter.
+      #   Passing +true+ will use prepend_before_action instead of a normal before_action.
       #
       def load_resource(*args)
-        cancan_resource_class.add_before_filter(self, :load_resource, *args)
+        cancan_resource_class.add_before_action(self, :load_resource, *args)
       end
 
       # Sets up a before filter which authorizes the resource using the instance variable.
@@ -160,8 +161,8 @@ module CanCan
       #   Pass +true+ if this is a singleton resource through a +has_one+ association.
       #
       # [:+parent+]
-      #   True or false depending on if the resource is considered a parent resource. This defaults to +true+ if a resource
-      #   name is given which does not match the controller.
+      #   True or false depending on if the resource is considered a parent resource.
+      #   This defaults to +true+ if a resource name is given which does not match the controller.
       #
       # [:+class+]
       #   The class to use for the model (string or constant). This passed in when the instance variable is not set.
@@ -174,10 +175,10 @@ module CanCan
       #   Authorize conditions on this parent resource when instance isn't available.
       #
       # [:+prepend+]
-      #   Passing +true+ will use prepend_before_filter instead of a normal before_filter.
+      #   Passing +true+ will use prepend_before_action instead of a normal before_action.
       #
       def authorize_resource(*args)
-        cancan_resource_class.add_before_filter(self, :authorize_resource, *args)
+        cancan_resource_class.add_before_action(self, :authorize_resource, *args)
       end
 
       # Skip both the loading and authorization behavior of CanCan for this given controller. This is primarily
@@ -226,8 +227,9 @@ module CanCan
         cancan_skipper[:authorize][name] = options
       end
 
-      # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
-      # If neither of these authorization methods are called, a CanCan::AuthorizationNotPerformed exception will be raised.
+      # Add this to a controller to ensure it performs authorization through +authorize+! or +authorize_resource+ call.
+      # If neither of these authorization methods are called,
+      # a CanCan::AuthorizationNotPerformed exception will be raised.
       # This is normally added to the ApplicationController to ensure all controller actions do authorization.
       #
       #   class ApplicationController < ActionController::Base
@@ -244,22 +246,29 @@ module CanCan
       #   Does not apply to given actions.
       #
       # [:+if+]
-      #   Supply the name of a controller method to be called. The authorization check only takes place if this returns true.
+      #   Supply the name of a controller method to be called.
+      #   The authorization check only takes place if this returns true.
       #
       #     check_authorization :if => :admin_controller?
       #
       # [:+unless+]
-      #   Supply the name of a controller method to be called. The authorization check only takes place if this returns false.
+      #   Supply the name of a controller method to be called.
+      #   The authorization check only takes place if this returns false.
       #
       #     check_authorization :unless => :devise_controller?
       #
       def check_authorization(options = {})
-        self.after_filter(options.slice(:only, :except)) do |controller|
+        block = proc do |controller|
           next if controller.instance_variable_defined?(:@_authorized)
           next if options[:if] && !controller.send(options[:if])
           next if options[:unless] && controller.send(options[:unless])
-          raise AuthorizationNotPerformed, "This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check."
+
+          raise AuthorizationNotPerformed,
+                'This action failed the check_authorization because it does not authorize_resource. ' \
+                'Add skip_authorization_check to bypass this check.'
         end
+
+        send(:after_action, options.slice(:only, :except), &block)
       end
 
       # Call this in the class of a controller to skip the check_authorization behavior on the actions.
@@ -268,33 +277,25 @@ module CanCan
       #     skip_authorization_check :only => :index
       #   end
       #
-      # Any arguments are passed to the +before_filter+ it triggers.
+      # Any arguments are passed to the +before_action+ it triggers.
       def skip_authorization_check(*args)
-        self.before_filter(*args) do |controller|
-          controller.instance_variable_set(:@_authorized, true)
-        end
-      end
-
-      def skip_authorization(*args)
-        raise ImplementationRemoved, "The CanCan skip_authorization method has been renamed to skip_authorization_check. Please update your code."
+        block = proc { |controller| controller.instance_variable_set(:@_authorized, true) }
+        send(:before_action, *args, &block)
       end
 
       def cancan_resource_class
-        if ancestors.map(&:to_s).include? "InheritedResources::Actions"
-          InheritedResource
-        else
-          ControllerResource
-        end
+        ControllerResource
       end
 
       def cancan_skipper
-        @_cancan_skipper ||= {:authorize => {}, :load => {}}
+        self._cancan_skipper ||= { authorize: {}, load: {} }
       end
     end
 
     def self.included(base)
       base.extend ClassMethods
       base.helper_method :can?, :cannot?, :current_ability if base.respond_to? :helper_method
+      base.class_attribute :_cancan_skipper
     end
 
     # Raises a CanCan::AccessDenied exception if the current_ability cannot
@@ -338,10 +339,6 @@ module CanCan
       current_ability.authorize!(*args)
     end
 
-    def unauthorized!(message = nil)
-      raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
-    end
-
     # Creates and returns the current user's ability and caches it. If you
     # want to override how the Ability is defined then this is the place.
     # Just define the method in the controller to change behavior.
@@ -390,8 +387,8 @@ module CanCan
   end
 end
 
-if defined? ActionController::Base
-  ActionController::Base.class_eval do
+if defined? ActiveSupport
+  ActiveSupport.on_load(:action_controller) do
     include CanCan::ControllerAdditions
   end
 end