cancancan 1.15.0 → 1.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f603bcd9b02f8b042e5de713df94cb01abec7486
-  data.tar.gz: 358a5080dcef4525f7993d9c1383daffc147d169
+  metadata.gz: 993f2327cf688ab257cf339cabfd621ee1757d86
+  data.tar.gz: 8e04df79a1f6619758cfa6faffa8a9d8a91bf647
 SHA512:
-  metadata.gz: c56c8b9e82e5ab6868a5dafcf811d2363b023c4f1eb05149de64996919e6da6e60dff583e7d1b9f1c1eeb277a52a5327e03b52bf753b3ed79ce2cc22fad0b431
-  data.tar.gz: a1be98535ecbcde3db1b8accc41446bbb139b413b544a2541af00f699e5e5a548d3fdfdb41b09ed951504d4c8a6a31fc24a50aea690ad70ed2fb224a1676d954
+  metadata.gz: f761b9d2b370a9105184d09cb05ea11729ca16fae21dd74e979cb07c5885021181cd4f4aa75d8562b49c55663cf70a4d84f8de8ec0b1ece6da3a5ee1b117aa9a
+  data.tar.gz: 372c69b7c60be72ccb473137fcd1ae2be1815a8b6996a520d53c13079d425cd0ab879c9867bedfb39827db85c04efb0d499cf72fd1dbfbcc7848db3934cb5e0a

data/.rubocop.yml

@@ -0,0 +1,38 @@
+Style/Documentation:
+  Enabled: false
+
+Style/NonNilCheck:
+  IncludeSemanticChanges: true
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/EmptyMethod:
+  Enabled: false
+
+Style/VariableNumber:
+  Enabled: false
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Metrics/LineLength:
+  Max: 120
+
+Metrics/ClassLength:
+  Exclude:
+    - 'lib/cancan/controller_resource.rb'
+    - 'lib/cancan/rule.rb'
+
+Metrics/ModuleLength:
+  Exclude:
+    - "**/*_spec.rb"
+    - 'lib/cancan/ability.rb'
+    - 'lib/cancan/model_adapters/active_record_adapter.rb'
+
+AllCops:
+  TargetRubyVersion: 2.0
+  Exclude:
+    - 'gemfiles/vendor/bundle/**/*'
+
+inherit_from: .rubocop_todo.yml

data/.rubocop_todo.yml

@@ -0,0 +1,48 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2016-12-14 08:11:19 +0100 using RuboCop version 0.45.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 14
+Metrics/AbcSize:
+  Max: 25
+
+# Offense count: 5
+Metrics/CyclomaticComplexity:
+  Max: 9
+
+# Offense count: 14
+# Configuration parameters: CountComments.
+Metrics/MethodLength:
+  Max: 21
+
+
+Metrics/BlockLength:
+  Max: 28
+  Exclude:
+    - "**/*_spec.rb"
+
+# Offense count: 7
+Metrics/PerceivedComplexity:
+  Max: 11
+
+# TODO: due to mongoid. can't be fixed
+# Offense count: 1
+Performance/FixedSize:
+  Exclude:
+    - 'spec/cancan/model_adapters/mongoid_adapter_spec.rb'
+
+
+# TODO: fixing this would change the APIs
+# Offense count: 2
+# Configuration parameters: NamePrefix, NamePrefixBlacklist, NameWhitelist.
+# NamePrefix: is_, has_, have_
+# NamePrefixBlacklist: is_, has_, have_
+# NameWhitelist: is_a?
+Style/PredicateName:
+  Exclude:
+    - 'spec/**/*'
+    - 'lib/cancan/ability.rb'

data/.travis.yml

@@ -29,5 +29,11 @@ matrix:
     - rvm: jruby-9.0.5.0
       gemfile: gemfiles/activerecord_5.0.gemfile
 notifications:
-  recipients:
-    - bryan@bryanrite.com
+  email:
+    recipients:
+      - alessandro.rodi@renuo.ch
+      - josua.schmid@renuo.ch
+      - zora.fuchs@renuo.ch
+    on_success: change
+    on_failure: change
+

data/Appraisals

@@ -47,6 +47,7 @@ appraise "activerecord_4.2" do
   gem "activerecord", "~> 4.2.0", :require => "active_record"
   gem 'activesupport', '~> 4.2.0', :require => 'active_support/all'
   gem "actionpack", "~> 4.2.0", :require => "action_pack"
+  gem "nokogiri", "~> 1.6.8", :require => "nokogiri"    # TODO: fix for ruby 2.0.0
 
   gemfile.platforms :jruby do
     gem "activerecord-jdbcsqlite3-adapter"

data/CHANGELOG.rdoc

@@ -2,6 +2,10 @@ Develop
 
 Unreleased
 
+1.16.0 (February 2nd, 2017)
+
+* Introduce rubocop and fixes most of the issues
+
 1.15.0 (June 13th, 2016)
 
 * Add support for Rails 5 (craig1410)
@@ -19,6 +23,7 @@ Unreleased
 
 * Significantly improve rule lookup time (amarshall)
 * Removed deprecation warnings for RSpec 3.2 (NekoNova)
+* Drop support for REE and Ruby 1.x and so Rails 2 (Richard Wilson)
 
 1.12.0 (June 28th, 2015)
 

data/Gemfile

@@ -1,3 +1,3 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
 gemspec

data/README.md

@@ -5,33 +5,31 @@
 [![Code Climate Badge](https://codeclimate.com/github/CanCanCommunity/cancancan.svg)](https://codeclimate.com/github/CanCanCommunity/cancancan)
 [![Inch CI](http://inch-ci.org/github/CanCanCommunity/cancancan.svg)](http://inch-ci.org/github/CanCanCommunity/cancancan)
 
-[Wiki](https://github.com/CanCanCommunity/cancancan/wiki) | [RDocs](http://rdoc.info/projects/CanCanCommunity/cancancan) | [Screencast](http://railscasts.com/episodes/192-authorization-with-cancan) | [IRC: #cancancan (freenode)](http://webchat.freenode.net/?channels=cancancan)
+[Wiki](https://github.com/CanCanCommunity/cancancan/wiki) | 
+[RDocs](http://rdoc.info/projects/CanCanCommunity/cancancan) | 
+[Screencast](http://railscasts.com/episodes/192-authorization-with-cancan) | 
+[Gitter](https://gitter.im/CanCanCommunity/cancancan)
 
-CanCan is an authorization library for Ruby on Rails which restricts what resources a given user is allowed to access. All permissions are defined in a single location (the `Ability` class) and not duplicated across controllers, views, and database queries.
+CanCanCan is an authorization library for Ruby 2.0+ and Ruby on Rails 3+ which restricts what resources a given user is allowed to access. 
 
-## This is the master branch!
-This branch represents work towards version 2.0. Please checkout the 1.x branch for the stable release. Use master at your own risk.
-
-## Mission
-
-This repo is a continuation of the dead [CanCan](https://github.com/ryanb/cancan) project. Our mission is to keep CanCan alive and moving forward, with maintenance fixes and new features. Pull Requests are welcome!
-
-I am currently focusing on the 1.x branch for the immediate future, making sure it is up to date as well as ensuring compatibility with Rails 4+. I will take a look into the 2.x branch and try to see what improvements, reorganizations and redesigns Ryan was attempting and go forward from there.
-
-Any help is greatly appreciated, feel free to submit pull-requests or open issues.
+All permissions are defined in a single location (the `Ability` class) and not duplicated across controllers, views, and database queries.
 
 
 ## Installation
 
-In **Rails 3 and 4**, add this to your Gemfile and run the `bundle install` command.
+Add this to your Gemfile: 
 
-    gem 'cancancan', '~> 1.10'
+    gem 'cancancan'
+    
+and run the `bundle install` command.
 
 ## Getting Started
 
-CanCanCan expects a `current_user` method to exist in the controller. First, set up some authentication (such as [Authlogic](https://github.com/binarylogic/authlogic) or [Devise](https://github.com/plataformatec/devise)). See [Changing Defaults](https://github.com/CanCanCommunity/cancancan/wiki/changing-defaults) if you need different behavior.
+CanCanCan expects a `current_user` method to exist in the controller. 
+First, set up some authentication (such as [Devise](https://github.com/plataformatec/devise) or [Authlogic](https://github.com/binarylogic/authlogic)). 
+See [Changing Defaults](https://github.com/CanCanCommunity/cancancan/wiki/changing-defaults) if you need a different behavior.
 
-When using [rails-api](https://github.com/rails-api/rails-api), you have to manually include the controller methods for CanCan:
+When using [rails-api](https://github.com/rails-api/rails-api), you have to manually include the controller methods for CanCanCan:
 ```ruby
 class ApplicationController < ActionController::API
   include CanCan::ControllerAdditions
@@ -40,27 +38,16 @@ end
 
 ### 1. Define Abilities
 
-User permissions are defined in an `Ability` class. CanCan 1.5 includes a Rails 3 and 4 generator for creating this class.
+User permissions are defined in an `Ability` class.
 
     rails g cancan:ability
 
-In Rails 2.3, just add a new class in `app/models/ability.rb` with the following contents:
-
-```ruby
-class Ability
-  include CanCan::Ability
-
-  def initialize(user)
-  end
-end
-```
-
 See [Defining Abilities](https://github.com/CanCanCommunity/cancancan/wiki/defining-abilities) for details.
 
 
 ### 2. Check Abilities & Authorization
 
-The current user's permissions can then be checked using the `can?` and `cannot?` methods in the view and controller.
+The current user's permissions can then be checked using the `can?` and `cannot?` methods in views and controllers.
 
 ```erb
 <% if can? :update, @article %>
@@ -79,7 +66,9 @@ def show
 end
 ```
 
-Setting this for every action can be tedious, therefore the `load_and_authorize_resource` method is provided to automatically authorize all actions in a RESTful style resource controller. It will use a before filter to load the resource into an instance variable and authorize it for every action.
+Setting this for every action can be tedious, therefore the `load_and_authorize_resource` method is provided to 
+automatically authorize all actions in a RESTful style resource controller. 
+It will use a before action to load the resource into an instance variable and authorize it for every action.
 
 ```ruby
 class ArticlesController < ApplicationController
@@ -98,7 +87,7 @@ See [Authorizing Controller Actions](https://github.com/CanCanCommunity/cancanca
 
 When using `strong_parameters` or Rails 4+, you have to sanitize inputs before saving the record, in actions such as `:create` and `:update`.
 
-For the `:update` action, CanCan will load and authorize the resource but *not* change it automatically, so the typical usage would be something like:
+For the `:update` action, CanCanCan will load and authorize the resource but *not* change it automatically, so the typical usage would be something like:
 
 ```ruby
 def update
@@ -115,7 +104,8 @@ def update_params
 end
 ```
 
-For the `:create` action, CanCan will try to initialize a new instance with sanitized input by seeing if your controller will respond to the following methods (in order):
+For the `:create` action, CanCan will try to initialize a new instance with sanitized input by seeing if your 
+controller will respond to the following methods (in order):
 
 1. `create_params`
 2. `<model_name>_params` such as `article_params` (this is the default convention in rails for naming your param method)
@@ -145,7 +135,7 @@ class ArticlesController < ApplicationController
 end
 ```
 
-You can also use a string that will be evaluated in the context of the controller using `instance_eval` and needs to contain valid Ruby code. This does come in handy when using a PermittedParams class as suggested in Railscast 371:
+You can also use a string that will be evaluated in the context of the controller using `instance_eval` and needs to contain valid Ruby code. 
 
     load_and_authorize_resource param_method: 'permitted_params.article'
 
@@ -157,13 +147,18 @@ See [Strong Parameters](https://github.com/CanCanCommunity/cancancan/wiki/Strong
 
 ### 3. Handle Unauthorized Access
 
-If the user authorization fails, a `CanCan::AccessDenied` exception will be raised. You can catch this and modify its behavior in the `ApplicationController`.
+If the user authorization fails, a `CanCan::AccessDenied` exception will be raised. 
+You can catch this and modify its behavior in the `ApplicationController`.
 
 ```ruby
 class ApplicationController < ActionController::Base
   rescue_from CanCan::AccessDenied do |exception|
-    redirect_to root_url, :alert => exception.message
-  end
+      respond_to do |format|
+        format.json { head :forbidden, content_type: 'text/html' }
+        format.html { redirect_to main_app.root_url, notice: exception.message }
+        format.js   { head :forbidden, content_type: 'text/html' }
+      end
+    end
 end
 ```
 
@@ -180,7 +175,9 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-This will raise an exception if authorization is not performed in an action. If you want to skip this, add `skip_authorization_check` to a controller subclass. See [Ensure Authorization](https://github.com/CanCanCommunity/cancancan/wiki/Ensure-Authorization) for more information.
+This will raise an exception if authorization is not performed in an action. 
+If you want to skip this, add `skip_authorization_check` to a controller subclass. 
+See [Ensure Authorization](https://github.com/CanCanCommunity/cancancan/wiki/Ensure-Authorization) for more information.
 
 
 ## Wiki Docs
@@ -193,8 +190,22 @@ This will raise an exception if authorization is not performed in an action. If
 * [Changing Defaults](https://github.com/CanCanCommunity/cancancan/wiki/Changing-Defaults)
 * [See more](https://github.com/CanCanCommunity/cancancan/wiki)
 
+## Mission
+
+This repo is a continuation of the dead [CanCan](https://github.com/ryanb/cancan) project. 
+Our mission is to keep CanCan alive and moving forward, with maintenance fixes and new features. 
+Pull Requests are welcome!
+
+Any help is greatly appreciated, feel free to submit pull-requests or open issues.
+
+
 ## Questions?
-If you have any question or doubt regarding CanCanCan which you cannot find the solution to in the [documentation](https://github.com/CanCanCommunity/cancancan/wiki) or our [mailing list](http://groups.google.com/group/cancancan), please [open a question on Stackoverflow](http://stackoverflow.com/questions/ask?tags=cancancan) with tag [cancancan](http://stackoverflow.com/questions/tagged/cancancan)
+
+If you have any question or doubt regarding CanCanCan which you cannot find the solution to in the 
+[documentation](https://github.com/CanCanCommunity/cancancan/wiki) or our 
+[mailing list](http://groups.google.com/group/cancancan), please 
+[open a question on Stackoverflow](http://stackoverflow.com/questions/ask?tags=cancancan) with tag 
+[cancancan](http://stackoverflow.com/questions/tagged/cancancan)
 
 ## Bugs?
 
@@ -203,15 +214,21 @@ If you find a bug please add an [issue on GitHub](https://github.com/CanCanCommu
 
 ## Development
 
-Cancancan uses [appraisals](https://github.com/thoughtbot/appraisal) to test the code base against multiple versions of Rails, as well as the different model adapters.
+CanCanCan uses [appraisals](https://github.com/thoughtbot/appraisal) to test the code base against multiple versions 
+of Rails, as well as the different model adapters.
 
 When first developing, you may need to run `bundle install` and then `appraisal install`, to install the different sets.
 
 You can then run all appraisal files (like CI does), with `appraisal rake` or just run a specific set `appraisal activerecord_3.0 rake`.
 
-See the [CONTRIBUTING](https://github.com/CanCanCommunity/cancancan/blob/develop/CONTRIBUTING.md) and [spec/README](https://github.com/CanCanCommunity/cancancan/blob/master/spec/README.rdoc) for more information.
+See the [CONTRIBUTING](https://github.com/CanCanCommunity/cancancan/blob/develop/CONTRIBUTING.md) and 
+[spec/README](https://github.com/CanCanCommunity/cancancan/blob/master/spec/README.rdoc) for more information.
 
 
 ## Special Thanks
 
-CanCan was inspired by [declarative_authorization](https://github.com/stffn/declarative_authorization/) and [aegis](https://github.com/makandra/aegis). Also many thanks to the [CanCan contributors](https://github.com/CanCanCommunity/cancancan/contributors). See the [CHANGELOG](https://github.com/CanCanCommunity/cancancan/blob/master/CHANGELOG.rdoc) for the full list.
+CanCanCan was inspired by [declarative_authorization](https://github.com/stffn/declarative_authorization/) and 
+[aegis](https://github.com/makandra/aegis). 
+
+Also many thanks to the [CanCanCan contributors](https://github.com/CanCanCommunity/cancancan/contributors). 
+See the [CHANGELOG](https://github.com/CanCanCommunity/cancancan/blob/master/CHANGELOG.rdoc) for the full list.

data/Rakefile

@@ -1,9 +1,13 @@
-require "bundler/gem_tasks"
+require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
 
-desc "Run RSpec"
+desc 'Run Rubocop'
+RuboCop::RakeTask.new
+
+desc 'Run RSpec'
 RSpec::Core::RakeTask.new do |t|
   t.verbose = false
 end
 
-task :default => :spec
+task default: [:rubocop, :spec]

data/cancancan.gemspec

@@ -4,24 +4,25 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'cancan/version'
 
 Gem::Specification.new do |s|
-  s.name        = "cancancan"
+  s.name        = 'cancancan'
   s.version     = CanCan::VERSION
-  s.authors     = ["Bryan Rite", "Ryan Bates", "Richard Wilson"]
-  s.email       = "r.crawfordwilson@gmail.com"
-  s.homepage    = "https://github.com/CanCanCommunity/cancancan"
-  s.summary     = "Simple authorization solution for Rails."
-  s.description = "Continuation of the simple authorization solution for Rails which is decoupled from user roles. All permissions are stored in a single location."
+  s.authors     = ['Alessandro Rodi (Renuo AG)', 'Bryan Rite', 'Ryan Bates', 'Richard Wilson']
+  s.email       = 'alessandro.rodi@renuo.ch'
+  s.homepage    = 'https://github.com/CanCanCommunity/cancancan'
+  s.summary     = 'Simple authorization solution for Rails.'
+  s.description = 'Simple authorization solution for Rails. All permissions are stored in a single location.'
   s.platform    = Gem::Platform::RUBY
-  s.license     = "MIT"
+  s.license     = 'MIT'
 
-  s.files       = `git ls-files`.split($/)
-  s.test_files  = `git ls-files -- Appraisals {spec,features,gemfiles}/*`.split($/)
-  s.executables = `git ls-files -- bin/*`.split($/).map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
+  s.files       = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  s.test_files  = `git ls-files -- Appraisals {spec,features,gemfiles}/*`.split($INPUT_RECORD_SEPARATOR)
+  s.executables = `git ls-files -- bin/*`.split($INPUT_RECORD_SEPARATOR).map { |f| File.basename(f) }
+  s.require_paths = ['lib']
 
-  s.required_ruby_version = ">= 2.0.0"
+  s.required_ruby_version = '>= 2.0.0'
 
   s.add_development_dependency 'bundler', '~> 1.3'
+  s.add_development_dependency 'rubocop', '~> 0.46'
   s.add_development_dependency 'rake', '~> 10.1.1'
   s.add_development_dependency 'rspec', '~> 3.2.0'
   s.add_development_dependency 'appraisal', '>= 2.0.0'

data/gemfiles/activerecord_4.2.gemfile

@@ -5,6 +5,7 @@ source "https://rubygems.org"
 gem "activerecord", "~> 4.2.0", :require => "active_record"
 gem "activesupport", "~> 4.2.0", :require => "active_support/all"
 gem "actionpack", "~> 4.2.0", :require => "action_pack"
+gem "nokogiri", "~> 1.6.8", :require => "nokogiri"
 
 platforms :jruby do
   gem "activerecord-jdbcsqlite3-adapter"

data/lib/cancan.rb

@@ -1,4 +1,4 @@
-require "cancan/version"
+require 'cancan/version'
 require 'cancan/ability'
 require 'cancan/rule'
 require 'cancan/controller_resource'
@@ -13,7 +13,7 @@ require 'cancan/model_adapters/default_adapter'
 if defined? ActiveRecord
   require 'cancan/model_adapters/active_record_adapter'
   if ActiveRecord.respond_to?(:version) &&
-      ActiveRecord.version >= Gem::Version.new("4")
+     ActiveRecord.version >= Gem::Version.new('4')
     require 'cancan/model_adapters/active_record_4_adapter'
   else
     require 'cancan/model_adapters/active_record_3_adapter'

data/lib/cancan/ability.rb

@@ -1,5 +1,4 @@
 module CanCan
-
   # This module is designed to be included into an Ability class. This will
   # provide the "can" methods for defining and checking abilities.
   #
@@ -68,6 +67,7 @@ module CanCan
       end.reject(&:nil?).first
       match ? match.base_behavior : false
     end
+
     # Convenience method which works the same as "can?" but returns the opposite value.
     #
     #   cannot? :destroy, @project
@@ -187,7 +187,8 @@ module CanCan
 
     # User shouldn't specify targets with names of real actions or it will cause Seg fault
     def validate_target(target)
-      raise Error, "You can't specify target (#{target}) as alias because it is real action name" if aliased_actions.values.flatten.include? target
+      error_message = "You can't specify target (#{target}) as alias because it is real action name"
+      raise Error, error_message if aliased_actions.values.flatten.include? target
     end
 
     # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
@@ -208,7 +209,7 @@ module CanCan
     # See ControllerAdditions#authorize! for documentation.
     def authorize!(action, subject, *args)
       message = nil
-      if args.last.kind_of?(Hash) && args.last.has_key?(:message)
+      if args.last.is_a?(Hash) && args.last.key?(:message)
         message = args.pop[:message]
       end
       if cannot?(action, subject, *args)
@@ -220,9 +221,9 @@ module CanCan
 
     def unauthorized_message(action, subject)
       keys = unauthorized_message_keys(action, subject)
-      variables = {:action => action.to_s}
+      variables = { action: action.to_s }
       variables[:subject] = (subject.class == Class ? subject : subject.class).to_s.underscore.humanize.downcase
-      message = I18n.translate(nil, variables.merge(:scope => :unauthorized, :default => keys + [""]))
+      message = I18n.translate(nil, variables.merge(scope: :unauthorized, default: keys + ['']))
       message.blank? ? nil : message
     end
 
@@ -260,12 +261,12 @@ module CanCan
     #     action: array_of_objects
     #   }
     def permissions
-      permissions_list = {:can => {}, :cannot => {}}
+      permissions_list = { can: {}, cannot: {} }
 
       rules.each do |rule|
         subjects = rule.subjects
         expand_actions(rule.actions).each do |action|
-          if(rule.base_behavior)
+          if rule.base_behavior
             permissions_list[:can][action] ||= []
             permissions_list[:can][action] += subjects.map(&:to_s)
           else
@@ -289,7 +290,7 @@ module CanCan
     private
 
     def unauthorized_message_keys(action, subject)
-      subject = (subject.class == Class ? subject : subject.class).name.underscore unless subject.kind_of? Symbol
+      subject = (subject.class == Class ? subject : subject.class).name.underscore unless subject.is_a? Symbol
       [subject, :all].map do |try_subject|
         [aliases_for_action(action), :manage].flatten.map do |try_action|
           :"#{try_action}.#{try_subject}"
@@ -305,7 +306,7 @@ module CanCan
         expanded = []
         actions.each do |action|
           expanded << action
-          if aliases = aliased_actions[action]
+          if (aliases = aliased_actions[action])
             expanded += expand_actions(aliases)
           end
         end
@@ -319,7 +320,7 @@ module CanCan
 
     # It translates to an array the subject or the hash with multiple subjects given to can?.
     def extract_subjects(subject)
-      if subject.kind_of?(Hash) && subject.key?(:any)
+      if subject.is_a?(Hash) && subject.key?(:any)
         subject[:any]
       else
         [subject]
@@ -374,13 +375,12 @@ module CanCan
     def optimize_order!(rules)
       first_can_in_group = -1
       rules.each_with_index do |rule, i|
-        (first_can_in_group = -1) and next unless rule.base_behavior
-        (first_can_in_group = i) and next if first_can_in_group == -1
-        if rule.subjects == [:all]
-          rules[i] = rules[first_can_in_group]
-          rules[first_can_in_group] = rule
-          first_can_in_group += 1
-        end
+        (first_can_in_group = -1) && next unless rule.base_behavior
+        (first_can_in_group = i) && next if first_can_in_group == -1
+        next unless rule.subjects == [:all]
+        rules[i] = rules[first_can_in_group]
+        rules[first_can_in_group] = rule
+        first_can_in_group += 1
       end
     end
 
@@ -396,25 +396,27 @@ module CanCan
 
     def relevant_rules_for_match(action, subject)
       relevant_rules(action, subject).each do |rule|
-        if rule.only_raw_sql?
-          raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
-        end
+        next unless rule.only_raw_sql?
+        raise Error,
+              "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
+              " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
       end
     end
 
     def relevant_rules_for_query(action, subject)
       relevant_rules(action, subject).each do |rule|
         if rule.only_block?
-          raise Error, "The accessible_by call cannot be used with a block 'can' definition. The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
+          raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
+                       " The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
         end
       end
     end
 
     def default_alias_actions
       {
-        :read => [:index, :show],
-        :create => [:new],
-        :update => [:edit],
+        read: [:index, :show],
+        create: [:new],
+        update: [:edit]
       }
     end
   end