cancancan 1.13.1 → 3.1.0

data/lib/cancan/ability/actions.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Ability
+    module Actions
+      # Alias one or more actions into another one.
+      #
+      #   alias_action :update, :destroy, :to => :modify
+      #   can :modify, Comment
+      #
+      # Then :modify permission will apply to both :update and :destroy requests.
+      #
+      #   can? :update, Comment # => true
+      #   can? :destroy, Comment # => true
+      #
+      # This only works in one direction. Passing the aliased action into the "can?" call
+      # will not work because aliases are meant to generate more generic actions.
+      #
+      #   alias_action :update, :destroy, :to => :modify
+      #   can :update, Comment
+      #   can? :modify, Comment # => false
+      #
+      # Unless that exact alias is used.
+      #
+      #   can :modify, Comment
+      #   can? :modify, Comment # => true
+      #
+      # The following aliases are added by default for conveniently mapping common controller actions.
+      #
+      #   alias_action :index, :show, :to => :read
+      #   alias_action :new, :to => :create
+      #   alias_action :edit, :to => :update
+      #
+      # This way one can use params[:action] in the controller to determine the permission.
+      def alias_action(*args)
+        target = args.pop[:to]
+        validate_target(target)
+        aliased_actions[target] ||= []
+        aliased_actions[target] += args
+      end
+
+      # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
+      def aliased_actions
+        @aliased_actions ||= default_alias_actions
+      end
+
+      # Removes previously aliased actions including the defaults.
+      def clear_aliased_actions
+        @aliased_actions = {}
+      end
+
+      private
+
+      def default_alias_actions
+        {
+          read: %i[index show],
+          create: [:new],
+          update: [:edit]
+        }
+      end
+
+      # Given an action, it will try to find all of the actions which are aliased to it.
+      # This does the opposite kind of lookup as expand_actions.
+      def aliases_for_action(action)
+        results = [action]
+        aliased_actions.each do |aliased_action, actions|
+          results += aliases_for_action(aliased_action) if actions.include? action
+        end
+        results
+      end
+
+      def expanded_actions
+        @expanded_actions ||= {}
+      end
+
+      # Accepts an array of actions and returns an array of actions which match.
+      # This should be called before "matches?" and other checking methods since they
+      # rely on the actions to be expanded.
+      def expand_actions(actions)
+        expanded_actions[actions] ||= begin
+          expanded = []
+          actions.each do |action|
+            expanded << action
+            if (aliases = aliased_actions[action])
+              expanded += expand_actions(aliases)
+            end
+          end
+          expanded
+        end
+      end
+    end
+  end
+end

data/lib/cancan/ability/rules.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Ability
+    module Rules
+      protected
+
+      # Must be protected as an ability can merge with other abilities.
+      # This means that an ability must expose their rules with another ability.
+      def rules
+        @rules ||= []
+      end
+
+      private
+
+      def add_rule(rule)
+        rules << rule
+        add_rule_to_index(rule, rules.size - 1)
+      end
+
+      def add_rule_to_index(rule, position)
+        @rules_index ||= Hash.new { |h, k| h[k] = [] }
+
+        subjects = rule.subjects.compact
+        subjects << :all if subjects.empty?
+
+        subjects.each do |subject|
+          @rules_index[subject] << position
+        end
+      end
+
+      # Returns an array of Rule instances which match the action and subject
+      # This does not take into consideration any hash conditions or block statements
+      def relevant_rules(action, subject)
+        return [] unless @rules
+
+        relevant = possible_relevant_rules(subject).select do |rule|
+          rule.expanded_actions = expand_actions(rule.actions)
+          rule.relevant? action, subject
+        end
+        relevant.reverse!.uniq!
+        optimize_order! relevant
+        relevant
+      end
+
+      def possible_relevant_rules(subject)
+        if subject.is_a?(Hash)
+          rules
+        else
+          positions = @rules_index.values_at(subject, *alternative_subjects(subject))
+          positions.flatten!.sort!
+          positions.map { |i| @rules[i] }
+        end
+      end
+
+      def relevant_rules_for_match(action, subject)
+        relevant_rules(action, subject).each do |rule|
+          next unless rule.only_raw_sql?
+
+          raise Error,
+                "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
+                " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+      end
+
+      def relevant_rules_for_query(action, subject)
+        rules = relevant_rules(action, subject).reject do |rule|
+          # reject 'cannot' rules with attributes when doing queries
+          rule.base_behavior == false && rule.attributes.present?
+        end
+        if rules.any?(&:only_block?)
+          raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
+            "The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+        rules
+      end
+
+      # Optimizes the order of the rules, so that rules with the :all subject are evaluated first.
+      def optimize_order!(rules)
+        first_can_in_group = -1
+        rules.each_with_index do |rule, i|
+          (first_can_in_group = -1) && next unless rule.base_behavior
+          (first_can_in_group = i) && next if first_can_in_group == -1
+          next unless rule.subjects == [:all]
+
+          rules[i] = rules[first_can_in_group]
+          rules[first_can_in_group] = rule
+          first_can_in_group += 1
+        end
+      end
+    end
+  end
+end

data/lib/cancan/ability/strong_parameter_support.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Ability
+    module StrongParameterSupport
+      # Returns an array of attributes suitable for use with strong parameters
+      #
+      # Note: reversing the relevant rules is important. Normal order means that 'cannot'
+      # rules will come before 'can' rules. However, you can't remove attributes before
+      # they are added. The 'reverse' is so that attributes will be added before the
+      # 'cannot' rules remove them.
+      def permitted_attributes(action, subject)
+        relevant_rules(action, subject)
+          .reverse
+          .select { |rule| rule.matches_conditions? action, subject }
+          .each_with_object(Set.new) do |rule, set|
+          attributes = get_attributes(rule, subject)
+          # add attributes for 'can', remove them for 'cannot'
+          rule.base_behavior ? set.merge(attributes) : set.subtract(attributes)
+        end.to_a
+      end
+
+      private
+
+      def subject_class?(subject)
+        klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
+        [Class, Module].include? klass
+      end
+
+      def get_attributes(rule, subject)
+        klass = subject_class?(subject) ? subject : subject.class
+        # empty attributes is an 'all'
+        if rule.attributes.empty? && klass < ActiveRecord::Base
+          klass.column_names.map(&:to_sym) - Array(klass.primary_key)
+        else
+          rule.attributes
+        end
+      end
+    end
+  end
+end

data/lib/cancan/conditions_matcher.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ConditionsMatcher
+    # Matches the block or conditions hash
+    def matches_conditions?(action, subject, attribute = nil, *extra_args)
+      return call_block_with_all(action, subject, extra_args) if @match_all
+      return matches_block_conditions(subject, attribute, *extra_args) if @block
+      return matches_non_block_conditions(subject) unless conditions_empty?
+
+      true
+    end
+
+    private
+
+    def subject_class?(subject)
+      klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
+      [Class, Module].include? klass
+    end
+
+    def matches_block_conditions(subject, *extra_args)
+      return @base_behavior if subject_class?(subject)
+
+      @block.call(subject, *extra_args.compact)
+    end
+
+    def matches_non_block_conditions(subject)
+      return nested_subject_matches_conditions?(subject) if subject.class == Hash
+      return matches_conditions_hash?(subject) unless subject_class?(subject)
+
+      # Don't stop at "cannot" definitions when there are conditions.
+      @base_behavior
+    end
+
+    def nested_subject_matches_conditions?(subject_hash)
+      parent, _child = subject_hash.first
+      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
+    end
+
+    # Checks if the given subject matches the given conditions hash.
+    # This behavior can be overriden by a model adapter by defining two class methods:
+    # override_matching_for_conditions?(subject, conditions) and
+    # matches_conditions_hash?(subject, conditions)
+    def matches_conditions_hash?(subject, conditions = @conditions)
+      return true if conditions.empty?
+
+      adapter = model_adapter(subject)
+
+      if adapter.override_conditions_hash_matching?(subject, conditions)
+        return adapter.matches_conditions_hash?(subject, conditions)
+      end
+
+      matches_all_conditions?(adapter, conditions, subject)
+    end
+
+    def matches_all_conditions?(adapter, conditions, subject)
+      conditions.all? do |name, value|
+        if adapter.override_condition_matching?(subject, name, value)
+          adapter.matches_condition?(subject, name, value)
+        else
+          condition_match?(subject.send(name), value)
+        end
+      end
+    end
+
+    def condition_match?(attribute, value)
+      case value
+      when Hash
+        hash_condition_match?(attribute, value)
+      when Range
+        value.cover?(attribute)
+      when Enumerable
+        value.include?(attribute)
+      else
+        attribute == value
+      end
+    end
+
+    def hash_condition_match?(attribute, value)
+      if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
+        attribute.any? { |element| matches_conditions_hash?(element, value) }
+      else
+        attribute && matches_conditions_hash?(attribute, value)
+      end
+    end
+
+    def call_block_with_all(action, subject, *extra_args)
+      if subject.class == Class
+        @block.call(action, subject, nil, *extra_args)
+      else
+        @block.call(action, subject.class, subject, *extra_args)
+      end
+    end
+
+    def model_adapter(subject)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    end
+
+    def conditions_empty?
+      # @conditions might be an ActiveRecord::Associations::CollectionProxy
+      # which it's `==` implementation will fetch all records for comparison
+
+      (@conditions.is_a?(Hash) && @conditions == {}) || @conditions.nil?
+    end
+  end
+end

data/lib/cancan/controller_additions.rb

@@ -1,5 +1,6 @@
-module CanCan
+# frozen_string_literal: true
 
+module CanCan
   # This module is automatically included into all controllers.
   # It also makes the "can?" and "cannot?" methods available to all views.
   module ControllerAdditions
@@ -12,7 +13,7 @@ module CanCan
       #   end
       #
       def load_and_authorize_resource(*args)
-        cancan_resource_class.add_before_filter(self, :load_and_authorize_resource, *args)
+        cancan_resource_class.add_before_action(self, :load_and_authorize_resource, *args)
       end
 
       # Sets up a before filter which loads the model resource into an instance variable.
@@ -32,16 +33,16 @@ module CanCan
       #   end
       #
       # A resource is not loaded if the instance variable is already set. This makes it easy to override
-      # the behavior through a before_filter on certain actions.
+      # the behavior through a before_action on certain actions.
       #
       #   class BooksController < ApplicationController
-      #     before_filter :find_book_by_permalink, :only => :show
+      #     before_action :find_book_by_permalink, :only => :show
       #     load_resource
       #
       #     private
       #
       #     def find_book_by_permalink
-      #       @book = Book.find_by_permalink!(params[:id)
+      #       @book = Book.find_by_permalink!(params[:id])
       #     end
       #   end
       #
@@ -72,8 +73,8 @@ module CanCan
       #   Load this resource through another one. This should match the name of the parent instance variable or method.
       #
       # [:+through_association+]
-      #   The name of the association to fetch the child records through the parent resource. This is normally not needed
-      #   because it defaults to the pluralized resource name.
+      #   The name of the association to fetch the child records through the parent resource.
+      #   This is normally not needed because it defaults to the pluralized resource name.
       #
       # [:+shallow+]
       #   Pass +true+ to allow this resource to be loaded directly when parent is +nil+. Defaults to +false+.
@@ -82,8 +83,8 @@ module CanCan
       #   Pass +true+ if this is a singleton resource through a +has_one+ association.
       #
       # [:+parent+]
-      #   True or false depending on if the resource is considered a parent resource. This defaults to +true+ if a resource
-      #   name is given which does not match the controller.
+      #   True or false depending on if the resource is considered a parent resource.
+      #   This defaults to +true+ if a resource name is given which does not match the controller.
       #
       # [:+class+]
       #   The class to use for the model (string or constant).
@@ -115,10 +116,10 @@ module CanCan
       #     load_resource :new => :build
       #
       # [:+prepend+]
-      #   Passing +true+ will use prepend_before_filter instead of a normal before_filter.
+      #   Passing +true+ will use prepend_before_action instead of a normal before_action.
       #
       def load_resource(*args)
-        cancan_resource_class.add_before_filter(self, :load_resource, *args)
+        cancan_resource_class.add_before_action(self, :load_resource, *args)
       end
 
       # Sets up a before filter which authorizes the resource using the instance variable.
@@ -160,8 +161,8 @@ module CanCan
       #   Pass +true+ if this is a singleton resource through a +has_one+ association.
       #
       # [:+parent+]
-      #   True or false depending on if the resource is considered a parent resource. This defaults to +true+ if a resource
-      #   name is given which does not match the controller.
+      #   True or false depending on if the resource is considered a parent resource.
+      #   This defaults to +true+ if a resource name is given which does not match the controller.
       #
       # [:+class+]
       #   The class to use for the model (string or constant). This passed in when the instance variable is not set.
@@ -174,10 +175,10 @@ module CanCan
       #   Authorize conditions on this parent resource when instance isn't available.
       #
       # [:+prepend+]
-      #   Passing +true+ will use prepend_before_filter instead of a normal before_filter.
+      #   Passing +true+ will use prepend_before_action instead of a normal before_action.
       #
       def authorize_resource(*args)
-        cancan_resource_class.add_before_filter(self, :authorize_resource, *args)
+        cancan_resource_class.add_before_action(self, :authorize_resource, *args)
       end
 
       # Skip both the loading and authorization behavior of CanCan for this given controller. This is primarily
@@ -226,8 +227,9 @@ module CanCan
         cancan_skipper[:authorize][name] = options
       end
 
-      # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
-      # If neither of these authorization methods are called, a CanCan::AuthorizationNotPerformed exception will be raised.
+      # Add this to a controller to ensure it performs authorization through +authorize+! or +authorize_resource+ call.
+      # If neither of these authorization methods are called,
+      # a CanCan::AuthorizationNotPerformed exception will be raised.
       # This is normally added to the ApplicationController to ensure all controller actions do authorization.
       #
       #   class ApplicationController < ActionController::Base
@@ -244,22 +246,29 @@ module CanCan
       #   Does not apply to given actions.
       #
       # [:+if+]
-      #   Supply the name of a controller method to be called. The authorization check only takes place if this returns true.
+      #   Supply the name of a controller method to be called.
+      #   The authorization check only takes place if this returns true.
       #
       #     check_authorization :if => :admin_controller?
       #
       # [:+unless+]
-      #   Supply the name of a controller method to be called. The authorization check only takes place if this returns false.
+      #   Supply the name of a controller method to be called.
+      #   The authorization check only takes place if this returns false.
       #
       #     check_authorization :unless => :devise_controller?
       #
       def check_authorization(options = {})
-        self.after_filter(options.slice(:only, :except)) do |controller|
+        block = proc do |controller|
           next if controller.instance_variable_defined?(:@_authorized)
           next if options[:if] && !controller.send(options[:if])
           next if options[:unless] && controller.send(options[:unless])
-          raise AuthorizationNotPerformed, "This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check."
+
+          raise AuthorizationNotPerformed,
+                'This action failed the check_authorization because it does not authorize_resource. '\
+                'Add skip_authorization_check to bypass this check.'
         end
+
+        send(:after_action, options.slice(:only, :except), &block)
       end
 
       # Call this in the class of a controller to skip the check_authorization behavior on the actions.
@@ -268,33 +277,25 @@ module CanCan
       #     skip_authorization_check :only => :index
       #   end
       #
-      # Any arguments are passed to the +before_filter+ it triggers.
+      # Any arguments are passed to the +before_action+ it triggers.
       def skip_authorization_check(*args)
-        self.before_filter(*args) do |controller|
-          controller.instance_variable_set(:@_authorized, true)
-        end
-      end
-
-      def skip_authorization(*args)
-        raise ImplementationRemoved, "The CanCan skip_authorization method has been renamed to skip_authorization_check. Please update your code."
+        block = proc { |controller| controller.instance_variable_set(:@_authorized, true) }
+        send(:before_action, *args, &block)
       end
 
       def cancan_resource_class
-        if ancestors.map(&:to_s).include? "InheritedResources::Actions"
-          InheritedResource
-        else
-          ControllerResource
-        end
+        ControllerResource
       end
 
       def cancan_skipper
-        @_cancan_skipper ||= {:authorize => {}, :load => {}}
+        self._cancan_skipper ||= { authorize: {}, load: {} }
       end
     end
 
     def self.included(base)
       base.extend ClassMethods
       base.helper_method :can?, :cannot?, :current_ability if base.respond_to? :helper_method
+      base.class_attribute :_cancan_skipper
     end
 
     # Raises a CanCan::AccessDenied exception if the current_ability cannot
@@ -338,10 +339,6 @@ module CanCan
       current_ability.authorize!(*args)
     end
 
-    def unauthorized!(message = nil)
-      raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
-    end
-
     # Creates and returns the current user's ability and caches it. If you
     # want to override how the Ability is defined then this is the place.
     # Just define the method in the controller to change behavior.
@@ -390,8 +387,8 @@ module CanCan
   end
 end
 
-if defined? ActionController::Base
-  ActionController::Base.class_eval do
+if defined? ActiveSupport
+  ActiveSupport.on_load(:action_controller) do
     include CanCan::ControllerAdditions
   end
 end