cancancan 1.13.1 → 3.1.0

data/lib/cancan/controller_resource_name_finder.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ControllerResourceNameFinder
+    protected
+
+    def name_from_controller
+      @params[:controller].split('/').last.singularize
+    end
+
+    def namespaced_name
+      [namespace, name].join('/').singularize.camelize.safe_constantize || name
+    end
+
+    def name
+      @name || name_from_controller
+    end
+
+    def namespace
+      @params[:controller].split('/')[0..-2]
+    end
+  end
+end

data/lib/cancan/controller_resource_sanitizer.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ControllerResourceSanitizer
+    protected
+
+    def sanitize_parameters
+      case params_method
+      when Symbol
+        @controller.send(params_method)
+      when String
+        @controller.instance_eval(params_method)
+      when Proc
+        params_method.call(@controller)
+      end
+    end
+
+    def params_methods
+      methods = ["#{@params[:action]}_params".to_sym, "#{name}_params".to_sym, :resource_params]
+      methods.unshift(@options[:param_method]) if @options[:param_method].present?
+      methods
+    end
+
+    def params_method
+      params_methods.each do |method|
+        return method if (method.is_a?(Symbol) && @controller.respond_to?(method, true)) ||
+                         method.is_a?(String) || method.is_a?(Proc)
+      end
+      nil
+    end
+  end
+end

data/lib/cancan/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # A general CanCan exception
   class Error < StandardError; end
@@ -8,9 +10,18 @@ module CanCan
   # Raised when removed code is called, an alternative solution is provided in message.
   class ImplementationRemoved < Error; end
 
-  # Raised when using check_authorization without calling authorized!
+  # Raised when using check_authorization without calling authorize!
   class AuthorizationNotPerformed < Error; end
 
+  # Raised when a rule is created with both a block and a hash of conditions
+  class BlockAndConditionsError < Error; end
+
+  # Raised when an unexpected argument is passed as an attribute
+  class AttributeArgumentError < Error; end
+
+  # Raised when using a wrong association name
+  class WrongAssociationName < Error; end
+
   # This error is raised when a user isn't allowed to access a given controller action.
   # This usually happens within a call to ControllerAdditions#authorize! but can be
   # raised manually.
@@ -30,17 +41,18 @@ module CanCan
   #   exception.default_message = "Default error message"
   #   exception.message # => "Default error message"
   #
-  # See ControllerAdditions#authorized! for more information on rescuing from this exception
+  # See ControllerAdditions#authorize! for more information on rescuing from this exception
   # and customizing the message using I18n.
   class AccessDenied < Error
-    attr_reader :action, :subject
+    attr_reader :action, :subject, :conditions
     attr_writer :default_message
 
-    def initialize(message = nil, action = nil, subject = nil)
+    def initialize(message = nil, action = nil, subject = nil, conditions = nil)
       @message = message
       @action = action
       @subject = subject
-      @default_message = I18n.t(:"unauthorized.default", :default => "You are not authorized to access this page.")
+      @conditions = conditions
+      @default_message = I18n.t(:"unauthorized.default", default: 'You are not authorized to access this page.')
     end
 
     def to_s

data/lib/cancan/matchers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 rspec_module = defined?(RSpec::Core) ? 'RSpec' : 'Spec' # RSpec 1 compatability
 
 if rspec_module == 'RSpec'
@@ -9,16 +11,23 @@ end
 
 Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
   match do |ability|
-    ability.can?(*args)
+    actions = args.first
+    if actions.is_a? Array
+      break false if actions.empty?
+
+      actions.all? { |action| ability.can?(action, *args[1..-1]) }
+    else
+      ability.can?(*args)
+    end
   end
 
   # Check that RSpec is < 2.99
   if !respond_to?(:failure_message) && respond_to?(:failure_message_for_should)
-    alias :failure_message :failure_message_for_should
+    alias_method :failure_message, :failure_message_for_should
   end
 
   if !respond_to?(:failure_message_when_negated) && respond_to?(:failure_message_for_should_not)
-    alias :failure_message_when_negated :failure_message_for_should_not
+    alias_method :failure_message_when_negated, :failure_message_for_should_not
   end
 
   failure_message do

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class AbstractAdapter
@@ -11,7 +13,7 @@ module CanCan
       end
 
       # Used to determine if the given adapter should be used for the passed in class.
-      def self.for_class?(member_class)
+      def self.for_class?(_member_class)
         false # override in subclass
       end
 
@@ -22,24 +24,24 @@ module CanCan
 
       # Used to determine if this model adapter will override the matching behavior for a hash of conditions.
       # If this returns true then matches_conditions_hash? will be called. See Rule#matches_conditions_hash
-      def self.override_conditions_hash_matching?(subject, conditions)
+      def self.override_conditions_hash_matching?(_subject, _conditions)
         false
       end
 
       # Override if override_conditions_hash_matching? returns true
-      def self.matches_conditions_hash?(subject, conditions)
-        raise NotImplemented, "This model adapter does not support matching on a conditions hash."
+      def self.matches_conditions_hash?(_subject, _conditions)
+        raise NotImplemented, 'This model adapter does not support matching on a conditions hash.'
       end
 
       # Used to determine if this model adapter will override the matching behavior for a specific condition.
       # If this returns true then matches_condition? will be called. See Rule#matches_conditions_hash
-      def self.override_condition_matching?(subject, name, value)
+      def self.override_condition_matching?(_subject, _name, _value)
         false
       end
 
       # Override if override_condition_matching? returns true
-      def self.matches_condition?(subject, name, value)
-        raise NotImplemented, "This model adapter does not support matching on a specific condition."
+      def self.matches_condition?(_subject, _name, _value)
+        raise NotImplemented, 'This model adapter does not support matching on a specific condition.'
       end
 
       def initialize(model_class, rules)
@@ -49,7 +51,7 @@ module CanCan
 
       def database_records
         # This should be overridden in a subclass to return records which match @rules
-        raise NotImplemented, "This model adapter does not support fetching records from the database."
+        raise NotImplemented, 'This model adapter does not support fetching records from the database.'
       end
     end
   end

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -1,9 +1,31 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    class ActiveRecord4Adapter < AbstractAdapter
-      include ActiveRecordAdapter
-      def self.for_class?(model_class)
-        model_class <= ActiveRecord::Base
+    class ActiveRecord4Adapter < ActiveRecordAdapter
+      AbstractAdapter.inherited(self)
+
+      class << self
+        def for_class?(model_class)
+          version_lower?('5.0.0') && model_class <= ActiveRecord::Base
+        end
+
+        def override_condition_matching?(subject, name, _value)
+          subject.class.defined_enums.include?(name.to_s)
+        end
+
+        def matches_condition?(subject, name, value)
+          # Get the mapping from enum strings to values.
+          enum = subject.class.send(name.to_s.pluralize)
+          # Get the value of the attribute as an integer.
+          attribute = enum[subject.send(name)]
+          # Check to see if the value matches the condition.
+          if value.is_a?(Enumerable)
+            value.include? attribute
+          else
+            attribute == value
+          end
+        end
       end
 
       private
@@ -20,19 +42,23 @@ module CanCan
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
-        if ActiveRecord::VERSION::MINOR >= 2 && Hash === conditions
-          table = Arel::Table.new(@model_class.send(:table_name))
-
-          conditions = ActiveRecord::PredicateBuilder.resolve_column_aliases @model_class, conditions
-          conditions = @model_class.send(:expand_hash_conditions_for_aggregates, conditions)
-
-          ActiveRecord::PredicateBuilder.build_from_hash(@model_class, conditions, table).map { |b|
-            @model_class.send(:connection).visitor.compile b
-          }.join(' AND ')
+        if self.class.version_greater_or_equal?('4.2.0') && conditions.is_a?(Hash)
+          sanitize_sql_activerecord4(conditions)
         else
           @model_class.send(:sanitize_sql, conditions)
         end
       end
+
+      def sanitize_sql_activerecord4(conditions)
+        table = Arel::Table.new(@model_class.send(:table_name))
+
+        conditions = ActiveRecord::PredicateBuilder.resolve_column_aliases @model_class, conditions
+        conditions = @model_class.send(:expand_hash_conditions_for_aggregates, conditions)
+
+        ActiveRecord::PredicateBuilder.build_from_hash(@model_class, conditions, table).map do |b|
+          @model_class.send(:connection).visitor.compile b
+        end.join(' AND ')
+      end
     end
   end
 end

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ModelAdapters
+    class ActiveRecord5Adapter < ActiveRecord4Adapter
+      AbstractAdapter.inherited(self)
+
+      def self.for_class?(model_class)
+        version_greater_or_equal?('5.0.0') && model_class <= ActiveRecord::Base
+      end
+
+      # rails 5 is capable of using strings in enum
+      # but often people use symbols in rules
+      def self.matches_condition?(subject, name, value)
+        return super if Array.wrap(value).all? { |x| x.is_a? Integer }
+
+        attribute = subject.send(name)
+        raw_attribute = subject.class.send(name.to_s.pluralize)[attribute]
+        !(Array(value).map(&:to_s) & [attribute, raw_attribute]).empty?
+      end
+
+      private
+
+      def build_relation(*where_conditions)
+        if joins.present?
+          inner = @model_class.unscoped do
+            @model_class.left_joins(joins).where(*where_conditions)
+          end
+          @model_class.where(@model_class.primary_key => inner)
+        else
+          @model_class.where(*where_conditions)
+        end
+      end
+
+      # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
+      def sanitize_sql(conditions)
+        if conditions.is_a?(Hash)
+          sanitize_sql_activerecord5(conditions)
+        else
+          @model_class.send(:sanitize_sql, conditions)
+        end
+      end
+
+      def sanitize_sql_activerecord5(conditions)
+        table = @model_class.send(:arel_table)
+        table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
+        predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
+
+        conditions = predicate_builder.resolve_column_aliases(conditions)
+
+        conditions.stringify_keys!
+
+        predicate_builder.build_from_hash(conditions).map { |b| visit_nodes(b) }.join(' AND ')
+      end
+
+      def visit_nodes(node)
+        # Rails 5.2 adds a BindParam node that prevents the visitor method from properly compiling the SQL query
+        if self.class.version_greater_or_equal?('5.2.0')
+          connection = @model_class.send(:connection)
+          collector = Arel::Collectors::SubstituteBinds.new(connection, Arel::Collectors::SQLString.new)
+          connection.visitor.accept(node, collector).value
+        else
+          @model_class.send(:connection).visitor.compile(node)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,6 +1,24 @@
+# frozen_string_literal: true
+
+require_relative 'conditions_extractor.rb'
+require 'cancan/rules_compressor'
 module CanCan
   module ModelAdapters
-    module ActiveRecordAdapter
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.version_greater_or_equal?(version)
+        Gem::Version.new(ActiveRecord.version).release >= Gem::Version.new(version)
+      end
+
+      def self.version_lower?(version)
+        Gem::Version.new(ActiveRecord.version).release < Gem::Version.new(version)
+      end
+
+      def initialize(model_class, rules)
+        super
+        @compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        ConditionsNormalizer.normalize(model_class, @compressed_rules)
+      end
+
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
       #
@@ -17,94 +35,91 @@ module CanCan
       #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
       #
       def conditions
-        if @rules.size == 1 && @rules.first.base_behavior
+        conditions_extractor = ConditionsExtractor.new(@model_class)
+        if @compressed_rules.size == 1 && @compressed_rules.first.base_behavior
           # Return the conditions directly if there's just one definition
-          tableized_conditions(@rules.first.conditions).dup
+          conditions_extractor.tableize_conditions(@compressed_rules.first.conditions).dup
         else
-          @rules.reverse.inject(false_sql) do |sql, rule|
-            merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior)
-          end
-        end
-      end
-
-      def tableized_conditions(conditions, model_class = @model_class)
-        return conditions unless conditions.kind_of? Hash
-        conditions.inject({}) do |result_hash, (name, value)|
-          if value.kind_of? Hash
-            value = value.dup
-            association_class = model_class.reflect_on_association(name).klass.name.constantize
-            nested = value.inject({}) do |nested,(k,v)|
-              if v.kind_of? Hash
-                value.delete(k)
-                nested[k] = v
-              else
-                result_hash[model_class.reflect_on_association(name).table_name.to_sym] = value
-              end
-              nested
-            end
-            result_hash.merge!(tableized_conditions(nested,association_class))
-          else
-            result_hash[name] = value
-          end
-          result_hash
+          extract_multiple_conditions(conditions_extractor, @compressed_rules)
         end
       end
 
-      # Returns the associations used in conditions for the :joins option of a search.
-      # See ModelAdditions#accessible_by
-      def joins
-        joins_hash = {}
-        @rules.each do |rule|
-          merge_joins(joins_hash, rule.associations_hash)
+      def extract_multiple_conditions(conditions_extractor, rules)
+        rules.reverse.inject(false_sql) do |sql, rule|
+          merge_conditions(sql, conditions_extractor.tableize_conditions(rule.conditions).dup, rule.base_behavior)
         end
-        clean_joins(joins_hash) unless joins_hash.empty?
       end
 
       def database_records
         if override_scope
           @model_class.where(nil).merge(override_scope)
         elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
-          if mergeable_conditions?
-            build_relation(conditions)
-          else
-            build_relation(*(@rules.map(&:conditions)))
-          end
+          build_relation(conditions)
         else
-          @model_class.all(:conditions => conditions, :joins => joins)
+          @model_class.all(conditions: conditions, joins: joins)
+        end
+      end
+
+      # Returns the associations used in conditions for the :joins option of a search.
+      # See ModelAdditions#accessible_by
+      def joins
+        joins_hash = {}
+        @compressed_rules.reverse_each do |rule|
+          deep_merge(joins_hash, rule.associations_hash)
         end
+        deep_clean(joins_hash) unless joins_hash.empty?
       end
 
       private
 
-      def mergeable_conditions?
-        @rules.find {|rule| rule.unmergeable? }.blank?
+      # Removes empty hashes and moves everything into arrays.
+      def deep_clean(joins_hash)
+        joins_hash.map { |name, nested| nested.empty? ? name : { name => deep_clean(nested) } }
       end
 
-      def override_scope
-        conditions = @rules.map(&:conditions).compact
-        if defined?(ActiveRecord::Relation) && conditions.any? { |c| c.kind_of?(ActiveRecord::Relation) }
-          if conditions.size == 1
-            conditions.first
+      # Takes two hashes and does a deep merge.
+      def deep_merge(base_hash, added_hash)
+        added_hash.each do |key, value|
+          if base_hash[key].is_a?(Hash)
+            deep_merge(base_hash[key], value) unless value.empty?
           else
-            rule = @rules.detect { |rule| rule.conditions.kind_of?(ActiveRecord::Relation) }
-            raise Error, "Unable to merge an Active Record scope with other conditions. Instead use a hash or SQL for #{rule.actions.first} #{rule.subjects.first} ability."
+            base_hash[key] = value
           end
         end
       end
 
+      def override_scope
+        conditions = @compressed_rules.map(&:conditions).compact
+        return unless conditions.any? { |c| c.is_a?(ActiveRecord::Relation) }
+        return conditions.first if conditions.size == 1
+
+        raise_override_scope_error
+      end
+
+      def raise_override_scope_error
+        rule_found = @compressed_rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
+        raise Error,
+              'Unable to merge an Active Record scope with other conditions. '\
+              "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."
+      end
+
       def merge_conditions(sql, conditions_hash, behavior)
         if conditions_hash.blank?
           behavior ? true_sql : false_sql
         else
-          conditions = sanitize_sql(conditions_hash)
-          case sql
-          when true_sql
-            behavior ? true_sql : "not (#{conditions})"
-          when false_sql
-            behavior ? conditions : false_sql
-          else
-            behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
-          end
+          merge_non_empty_conditions(behavior, conditions_hash, sql)
+        end
+      end
+
+      def merge_non_empty_conditions(behavior, conditions_hash, sql)
+        conditions = sanitize_sql(conditions_hash)
+        case sql
+        when true_sql
+          behavior ? true_sql : "not (#{conditions})"
+        when false_sql
+          behavior ? conditions : false_sql
+        else
+          behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
         end
       end
 
@@ -119,30 +134,10 @@ module CanCan
       def sanitize_sql(conditions)
         @model_class.send(:sanitize_sql, conditions)
       end
-
-      # Takes two hashes and does a deep merge.
-      def merge_joins(base, add)
-        add.each do |name, nested|
-          if base[name].is_a?(Hash)
-            merge_joins(base[name], nested) unless nested.empty?
-          else
-            base[name] = nested
-          end
-        end
-      end
-
-      # Removes empty hashes and moves everything into arrays.
-      def clean_joins(joins_hash)
-        joins = []
-        joins_hash.each do |name, nested|
-          joins << (nested.empty? ? name : {name => clean_joins(nested)})
-        end
-        joins
-      end
     end
   end
 end
 
-ActiveRecord::Base.class_eval do
-  include CanCan::ModelAdditions
+ActiveSupport.on_load(:active_record) do
+  send :include, CanCan::ModelAdditions
 end