cancancan 1.11.0 → 2.3.0

data/lib/cancan/controller_resource_loader.rb

@@ -0,0 +1,116 @@
+require_relative 'controller_resource_finder.rb'
+require_relative 'controller_resource_name_finder.rb'
+require_relative 'controller_resource_builder.rb'
+require_relative 'controller_resource_sanitizer.rb'
+module CanCan
+  module ControllerResourceLoader
+    include CanCan::ControllerResourceNameFinder
+    include CanCan::ControllerResourceFinder
+    include CanCan::ControllerResourceBuilder
+    include CanCan::ControllerResourceSanitizer
+
+    def load_resource
+      return if skip?(:load)
+      if load_instance?
+        self.resource_instance ||= load_resource_instance
+      elsif load_collection?
+        self.collection_instance ||= load_collection
+      end
+    end
+
+    protected
+
+    def new_actions
+      %i[new create] + Array(@options[:new])
+    end
+
+    def resource_params_by_key(key)
+      return unless @options[key] && @params.key?(extract_key(@options[key]))
+      @params[extract_key(@options[key])]
+    end
+
+    def resource_params_by_namespaced_name
+      resource_params_by_key(:instance_name) || resource_params_by_key(:class) || (
+      params = @params[extract_key(namespaced_name)]
+      params.respond_to?(:to_h) ? params : nil)
+    end
+
+    def resource_params
+      if parameters_require_sanitizing? && params_method.present?
+        sanitize_parameters
+      else
+        resource_params_by_namespaced_name
+      end
+    end
+
+    def fetch_parent(name)
+      if @controller.instance_variable_defined? "@#{name}"
+        @controller.instance_variable_get("@#{name}")
+      elsif @controller.respond_to?(name, true)
+        @controller.send(name)
+      end
+    end
+
+    # The object to load this resource through.
+    def parent_resource
+      parent_name && fetch_parent(parent_name)
+    end
+
+    def parent_name
+      @options[:through] && [@options[:through]].flatten.detect { |i| fetch_parent(i) }
+    end
+
+    def resource_base_through_parent_resource
+      if @options[:singleton]
+        resource_class
+      else
+        parent_resource.send(@options[:through_association] || name.to_s.pluralize)
+      end
+    end
+
+    def resource_base_through
+      if parent_resource
+        resource_base_through_parent_resource
+      elsif @options[:shallow]
+        resource_class
+      else
+        # maybe this should be a record not found error instead?
+        raise AccessDenied.new(nil, authorization_action, resource_class)
+      end
+    end
+
+    # The object that methods (such as "find", "new" or "build") are called on.
+    # If the :through option is passed it will go through an association on that instance.
+    # If the :shallow option is passed it will use the resource_class if there's no parent
+    # If the :singleton option is passed it won't use the association because it needs to be handled later.
+    def resource_base
+      @options[:through] ? resource_base_through : resource_class
+    end
+
+    def parent_authorization_action
+      @options[:parent_action] || :show
+    end
+
+    def authorization_action
+      parent? ? parent_authorization_action : @params[:action].to_sym
+    end
+
+    def load_collection
+      resource_base.accessible_by(current_ability, authorization_action)
+    end
+
+    def load_resource_instance
+      if !parent? && new_actions.include?(@params[:action].to_sym)
+        build_resource
+      elsif id_param || @options[:singleton]
+        find_resource
+      end
+    end
+
+    private
+
+    def extract_key(value)
+      value.to_s.underscore.tr('/', '_')
+    end
+  end
+end

data/lib/cancan/controller_resource_name_finder.rb

@@ -0,0 +1,21 @@
+module CanCan
+  module ControllerResourceNameFinder
+    protected
+
+    def name_from_controller
+      @params[:controller].split('/').last.singularize
+    end
+
+    def namespaced_name
+      [namespace, name].join('/').singularize.camelize.safe_constantize || name
+    end
+
+    def name
+      @name || name_from_controller
+    end
+
+    def namespace
+      @params[:controller].split('/')[0..-2]
+    end
+  end
+end

data/lib/cancan/controller_resource_sanitizer.rb

@@ -0,0 +1,30 @@
+module CanCan
+  module ControllerResourceSanitizer
+    protected
+
+    def sanitize_parameters
+      case params_method
+      when Symbol
+        @controller.send(params_method)
+      when String
+        @controller.instance_eval(params_method)
+      when Proc
+        params_method.call(@controller)
+      end
+    end
+
+    def params_methods
+      methods = ["#{@params[:action]}_params".to_sym, "#{name}_params".to_sym, :resource_params]
+      methods.unshift(@options[:param_method]) if @options[:param_method].present?
+      methods
+    end
+
+    def params_method
+      params_methods.each do |method|
+        return method if (method.is_a?(Symbol) && @controller.respond_to?(method, true)) ||
+                         method.is_a?(String) || method.is_a?(Proc)
+      end
+      nil
+    end
+  end
+end

data/lib/cancan/exceptions.rb

@@ -11,6 +11,9 @@ module CanCan
   # Raised when using check_authorization without calling authorized!
   class AuthorizationNotPerformed < Error; end
 
+  # Raised when using a wrong association name
+  class WrongAssociationName < Error; end
+
   # This error is raised when a user isn't allowed to access a given controller action.
   # This usually happens within a call to ControllerAdditions#authorize! but can be
   # raised manually.
@@ -33,14 +36,15 @@ module CanCan
   # See ControllerAdditions#authorized! for more information on rescuing from this exception
   # and customizing the message using I18n.
   class AccessDenied < Error
-    attr_reader :action, :subject
+    attr_reader :action, :subject, :conditions
     attr_writer :default_message
 
-    def initialize(message = nil, action = nil, subject = nil)
+    def initialize(message = nil, action = nil, subject = nil, conditions = nil)
       @message = message
       @action = action
       @subject = subject
-      @default_message = I18n.t(:"unauthorized.default", :default => "You are not authorized to access this page.")
+      @conditions = conditions
+      @default_message = I18n.t(:"unauthorized.default", default: 'You are not authorized to access this page.')
     end
 
     def to_s

data/lib/cancan/matchers.rb

@@ -9,13 +9,22 @@ end
 
 Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
   match do |ability|
-    ability.can?(*args)
+    actions = args.first
+    if actions.is_a? Array
+      break false if actions.empty?
+      actions.all? { |action| ability.can?(action, *args[1..-1]) }
+    else
+      ability.can?(*args)
+    end
   end
 
   # Check that RSpec is < 2.99
   if !respond_to?(:failure_message) && respond_to?(:failure_message_for_should)
-    alias :failure_message :failure_message_for_should
-    alias :failure_message_when_negated :failure_message_for_should_not
+    alias_method :failure_message, :failure_message_for_should
+  end
+
+  if !respond_to?(:failure_message_when_negated) && respond_to?(:failure_message_for_should_not)
+    alias_method :failure_message_when_negated, :failure_message_for_should_not
   end
 
   failure_message do

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -11,7 +11,7 @@ module CanCan
       end
 
       # Used to determine if the given adapter should be used for the passed in class.
-      def self.for_class?(member_class)
+      def self.for_class?(_member_class)
         false # override in subclass
       end
 
@@ -22,24 +22,24 @@ module CanCan
 
       # Used to determine if this model adapter will override the matching behavior for a hash of conditions.
       # If this returns true then matches_conditions_hash? will be called. See Rule#matches_conditions_hash
-      def self.override_conditions_hash_matching?(subject, conditions)
+      def self.override_conditions_hash_matching?(_subject, _conditions)
         false
       end
 
       # Override if override_conditions_hash_matching? returns true
-      def self.matches_conditions_hash?(subject, conditions)
-        raise NotImplemented, "This model adapter does not support matching on a conditions hash."
+      def self.matches_conditions_hash?(_subject, _conditions)
+        raise NotImplemented, 'This model adapter does not support matching on a conditions hash.'
       end
 
       # Used to determine if this model adapter will override the matching behavior for a specific condition.
       # If this returns true then matches_condition? will be called. See Rule#matches_conditions_hash
-      def self.override_condition_matching?(subject, name, value)
+      def self.override_condition_matching?(_subject, _name, _value)
         false
       end
 
       # Override if override_condition_matching? returns true
-      def self.matches_condition?(subject, name, value)
-        raise NotImplemented, "This model adapter does not support matching on a specific condition."
+      def self.matches_condition?(_subject, _name, _value)
+        raise NotImplemented, 'This model adapter does not support matching on a specific condition.'
       end
 
       def initialize(model_class, rules)
@@ -49,7 +49,7 @@ module CanCan
 
       def database_records
         # This should be overridden in a subclass to return records which match @rules
-        raise NotImplemented, "This model adapter does not support fetching records from the database."
+        raise NotImplemented, 'This model adapter does not support fetching records from the database.'
       end
     end
   end

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -3,7 +3,26 @@ module CanCan
     class ActiveRecord4Adapter < AbstractAdapter
       include ActiveRecordAdapter
       def self.for_class?(model_class)
-        model_class <= ActiveRecord::Base
+        ActiveRecord::VERSION::MAJOR == 4 && model_class <= ActiveRecord::Base
+      end
+
+      # TODO: this should be private
+      def self.override_condition_matching?(subject, name, _value)
+        subject.class.defined_enums.include?(name.to_s)
+      end
+
+      # TODO: this should be private
+      def self.matches_condition?(subject, name, value)
+        # Get the mapping from enum strings to values.
+        enum = subject.class.send(name.to_s.pluralize)
+        # Get the value of the attribute as an integer.
+        attribute = enum[subject.send(name)]
+        # Check to see if the value matches the condition.
+        if value.is_a?(Enumerable)
+          value.include? attribute
+        else
+          attribute == value
+        end
       end
 
       private
@@ -20,19 +39,23 @@ module CanCan
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
-        if ActiveRecord::VERSION::MINOR >= 2 && Hash === conditions
-          table = Arel::Table.new(@model_class.send(:table_name))
-
-          conditions = ActiveRecord::PredicateBuilder.resolve_column_aliases @model_class, conditions
-          conditions = @model_class.send(:expand_hash_conditions_for_aggregates, conditions)
-
-          ActiveRecord::PredicateBuilder.build_from_hash(@model_class, conditions, table).map { |b|
-            @model_class.send(:connection).visitor.compile b
-          }.join(' AND ')
+        if ActiveRecord::VERSION::MINOR >= 2 && conditions.is_a?(Hash)
+          sanitize_sql_activerecord4(conditions)
         else
           @model_class.send(:sanitize_sql, conditions)
         end
       end
+
+      def sanitize_sql_activerecord4(conditions)
+        table = Arel::Table.new(@model_class.send(:table_name))
+
+        conditions = ActiveRecord::PredicateBuilder.resolve_column_aliases @model_class, conditions
+        conditions = @model_class.send(:expand_hash_conditions_for_aggregates, conditions)
+
+        ActiveRecord::PredicateBuilder.build_from_hash(@model_class, conditions, table).map do |b|
+          @model_class.send(:connection).visitor.compile b
+        end.join(' AND ')
+      end
     end
   end
 end

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -0,0 +1,70 @@
+module CanCan
+  module ModelAdapters
+    class ActiveRecord5Adapter < ActiveRecord4Adapter
+      AbstractAdapter.inherited(self)
+
+      def self.for_class?(model_class)
+        ActiveRecord::VERSION::MAJOR == 5 && model_class <= ActiveRecord::Base
+      end
+
+      # rails 5 is capable of using strings in enum
+      # but often people use symbols in rules
+      def self.matches_condition?(subject, name, value)
+        return super if Array.wrap(value).all? { |x| x.is_a? Integer }
+
+        attribute = subject.send(name)
+        if value.is_a?(Enumerable)
+          value.map(&:to_s).include? attribute
+        else
+          attribute == value.to_s
+        end
+      end
+
+      private
+
+      # As of rails 4, `includes()` no longer causes active record to
+      # look inside the where clause to decide to outer join tables
+      # you're using in the where. Instead, `references()` is required
+      # in addition to `includes()` to force the outer join.
+      def build_relation(*where_conditions)
+        relation = @model_class.where(*where_conditions)
+        relation = relation.includes(joins).references(joins) if joins.present?
+        relation
+      end
+
+      # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
+      def sanitize_sql(conditions)
+        if conditions.is_a?(Hash)
+          sanitize_sql_activerecord5(conditions)
+        else
+          @model_class.send(:sanitize_sql, conditions)
+        end
+      end
+
+      def sanitize_sql_activerecord5(conditions)
+        table = @model_class.send(:arel_table)
+        table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
+        predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
+
+        conditions = predicate_builder.resolve_column_aliases(conditions)
+
+        conditions.stringify_keys!
+
+        predicate_builder.build_from_hash(conditions).map do |b|
+          visit_nodes(b)
+        end.join(' AND ')
+      end
+
+      def visit_nodes(b)
+        # Rails 5.2 adds a BindParam node that prevents the visitor method from properly compiling the SQL query
+        if ActiveRecord::VERSION::MINOR >= 2
+          connection = @model_class.send(:connection)
+          collector = Arel::Collectors::SubstituteBinds.new(connection, Arel::Collectors::SQLString.new)
+          connection.visitor.accept(b, collector).value
+        else
+          @model_class.send(:connection).visitor.compile(b)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,6 +1,11 @@
+require_relative 'can_can/model_adapters/active_record_adapter/joins.rb'
+require_relative 'conditions_extractor.rb'
+require 'cancan/rules_compressor'
 module CanCan
   module ModelAdapters
     module ActiveRecordAdapter
+      include CanCan::ModelAdapters::ActiveRecordAdapter::Joins
+
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
       #
@@ -17,94 +22,69 @@ module CanCan
       #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
       #
       def conditions
-        if @rules.size == 1 && @rules.first.base_behavior
+        compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        conditions_extractor = ConditionsExtractor.new(@model_class)
+        if compressed_rules.size == 1 && compressed_rules.first.base_behavior
           # Return the conditions directly if there's just one definition
-          tableized_conditions(@rules.first.conditions).dup
+          conditions_extractor.tableize_conditions(compressed_rules.first.conditions).dup
         else
-          @rules.reverse.inject(false_sql) do |sql, rule|
-            merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior)
-          end
+          extract_multiple_conditions(conditions_extractor, compressed_rules)
         end
       end
 
-      def tableized_conditions(conditions, model_class = @model_class)
-        return conditions unless conditions.kind_of? Hash
-        conditions.inject({}) do |result_hash, (name, value)|
-          if value.kind_of? Hash
-            value = value.dup
-            association_class = model_class.reflect_on_association(name).klass.name.constantize
-            nested = value.inject({}) do |nested,(k,v)|
-              if v.kind_of? Hash
-                value.delete(k)
-                nested[k] = v
-              else
-                result_hash[model_class.reflect_on_association(name).table_name.to_sym] = value
-              end
-              nested
-            end
-            result_hash.merge!(tableized_conditions(nested,association_class))
-          else
-            result_hash[name] = value
-          end
-          result_hash
+      def extract_multiple_conditions(conditions_extractor, rules)
+        rules.reverse.inject(false_sql) do |sql, rule|
+          merge_conditions(sql, conditions_extractor.tableize_conditions(rule.conditions).dup, rule.base_behavior)
         end
       end
 
-      # Returns the associations used in conditions for the :joins option of a search.
-      # See ModelAdditions#accessible_by
-      def joins
-        joins_hash = {}
-        @rules.each do |rule|
-          merge_joins(joins_hash, rule.associations_hash)
-        end
-        clean_joins(joins_hash) unless joins_hash.empty?
-      end
-
       def database_records
         if override_scope
           @model_class.where(nil).merge(override_scope)
         elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
-          if mergeable_conditions?
-            build_relation(conditions)
-          else
-            build_relation(*(@rules.map(&:conditions)))
-          end
+          mergeable_conditions? ? build_relation(conditions) : build_relation(*@rules.map(&:conditions))
         else
-          @model_class.all(:conditions => conditions, :joins => joins)
+          @model_class.all(conditions: conditions, joins: joins)
         end
       end
 
       private
 
       def mergeable_conditions?
-        @rules.find {|rule| rule.unmergeable? }.blank?
+        @rules.find(&:unmergeable?).blank?
       end
 
       def override_scope
         conditions = @rules.map(&:conditions).compact
-        if defined?(ActiveRecord::Relation) && conditions.any? { |c| c.kind_of?(ActiveRecord::Relation) }
-          if conditions.size == 1
-            conditions.first
-          else
-            rule = @rules.detect { |rule| rule.conditions.kind_of?(ActiveRecord::Relation) }
-            raise Error, "Unable to merge an Active Record scope with other conditions. Instead use a hash or SQL for #{rule.actions.first} #{rule.subjects.first} ability."
-          end
-        end
+        return unless conditions.any? { |c| c.is_a?(ActiveRecord::Relation) }
+        return conditions.first if conditions.size == 1
+        raise_override_scope_error
+      end
+
+      def raise_override_scope_error
+        rule_found = @rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
+        raise Error,
+              'Unable to merge an Active Record scope with other conditions. '\
+              "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."
       end
 
       def merge_conditions(sql, conditions_hash, behavior)
         if conditions_hash.blank?
           behavior ? true_sql : false_sql
         else
-          conditions = sanitize_sql(conditions_hash)
-          case sql
-          when true_sql
-            behavior ? true_sql : "not (#{conditions})"
-          when false_sql
-            behavior ? conditions : false_sql
-          else
-            behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
-          end
+          merge_non_empty_conditions(behavior, conditions_hash, sql)
+        end
+      end
+
+      def merge_non_empty_conditions(behavior, conditions_hash, sql)
+        conditions = sanitize_sql(conditions_hash)
+        case sql
+        when true_sql
+          behavior ? true_sql : "not (#{conditions})"
+        when false_sql
+          behavior ? conditions : false_sql
+        else
+          behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
         end
       end
 
@@ -119,30 +99,10 @@ module CanCan
       def sanitize_sql(conditions)
         @model_class.send(:sanitize_sql, conditions)
       end
-
-      # Takes two hashes and does a deep merge.
-      def merge_joins(base, add)
-        add.each do |name, nested|
-          if base[name].is_a?(Hash)
-            merge_joins(base[name], nested) unless nested.empty?
-          else
-            base[name] = nested
-          end
-        end
-      end
-
-      # Removes empty hashes and moves everything into arrays.
-      def clean_joins(joins_hash)
-        joins = []
-        joins_hash.each do |name, nested|
-          joins << (nested.empty? ? name : {name => clean_joins(nested)})
-        end
-        joins
-      end
     end
   end
 end
 
-ActiveRecord::Base.class_eval do
-  include CanCan::ModelAdditions
+ActiveSupport.on_load(:active_record) do
+  send :include, CanCan::ModelAdditions
 end

data/lib/cancan/model_adapters/can_can/model_adapters/active_record_adapter/joins.rb

@@ -0,0 +1,39 @@
+module CanCan
+  module ModelAdapters
+    module ActiveRecordAdapter
+      module Joins
+        # Returns the associations used in conditions for the :joins option of a search.
+        # See ModelAdditions#accessible_by
+        def joins
+          joins_hash = {}
+          @rules.reverse.each do |rule|
+            merge_joins(joins_hash, rule.associations_hash)
+          end
+          clean_joins(joins_hash) unless joins_hash.empty?
+        end
+
+        private
+
+        # Removes empty hashes and moves everything into arrays.
+        def clean_joins(joins_hash)
+          joins = []
+          joins_hash.each do |name, nested|
+            joins << (nested.empty? ? name : { name => clean_joins(nested) })
+          end
+          joins
+        end
+
+        # Takes two hashes and does a deep merge.
+        def merge_joins(base, add)
+          add.each do |name, nested|
+            if base[name].is_a?(Hash)
+              merge_joins(base[name], nested) unless nested.empty?
+            else
+              base[name] = nested
+            end
+          end
+        end
+      end
+    end
+  end
+end