cancancan 1.15.0 → 3.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/cancancan.gemspec +18 -18
- data/init.rb +2 -0
- data/lib/cancan.rb +9 -11
- data/lib/cancan/ability.rb +90 -203
- data/lib/cancan/ability/actions.rb +93 -0
- data/lib/cancan/ability/rules.rb +93 -0
- data/lib/cancan/ability/strong_parameter_support.rb +41 -0
- data/lib/cancan/conditions_matcher.rb +106 -0
- data/lib/cancan/controller_additions.rb +29 -36
- data/lib/cancan/controller_resource.rb +46 -211
- data/lib/cancan/controller_resource_builder.rb +26 -0
- data/lib/cancan/controller_resource_finder.rb +42 -0
- data/lib/cancan/controller_resource_loader.rb +120 -0
- data/lib/cancan/controller_resource_name_finder.rb +23 -0
- data/lib/cancan/controller_resource_sanitizer.rb +32 -0
- data/lib/cancan/exceptions.rb +17 -5
- data/lib/cancan/matchers.rb +12 -3
- data/lib/cancan/model_adapters/abstract_adapter.rb +10 -8
- data/lib/cancan/model_adapters/active_record_4_adapter.rb +39 -43
- data/lib/cancan/model_adapters/active_record_5_adapter.rb +68 -0
- data/lib/cancan/model_adapters/active_record_adapter.rb +77 -82
- data/lib/cancan/model_adapters/conditions_extractor.rb +75 -0
- data/lib/cancan/model_adapters/conditions_normalizer.rb +49 -0
- data/lib/cancan/model_adapters/default_adapter.rb +2 -0
- data/lib/cancan/model_additions.rb +2 -1
- data/lib/cancan/parameter_validators.rb +9 -0
- data/lib/cancan/relevant.rb +29 -0
- data/lib/cancan/rule.rb +76 -106
- data/lib/cancan/rules_compressor.rb +23 -0
- data/lib/cancan/unauthorized_message_resolver.rb +24 -0
- data/lib/cancan/version.rb +3 -1
- data/lib/cancancan.rb +2 -0
- data/lib/generators/cancan/ability/ability_generator.rb +4 -2
- data/lib/generators/cancan/ability/templates/ability.rb +2 -0
- metadata +66 -57
- data/.gitignore +0 -15
- data/.rspec +0 -1
- data/.travis.yml +0 -33
- data/Appraisals +0 -104
- data/CHANGELOG.rdoc +0 -527
- data/CONTRIBUTING.md +0 -23
- data/Gemfile +0 -3
- data/LICENSE +0 -22
- data/README.md +0 -217
- data/Rakefile +0 -9
- data/gemfiles/activerecord_3.2.gemfile +0 -17
- data/gemfiles/activerecord_4.0.gemfile +0 -18
- data/gemfiles/activerecord_4.1.gemfile +0 -18
- data/gemfiles/activerecord_4.2.gemfile +0 -19
- data/gemfiles/activerecord_5.0.gemfile +0 -19
- data/gemfiles/mongoid_2.x.gemfile +0 -17
- data/gemfiles/sequel_3.x.gemfile +0 -17
- data/lib/cancan/inherited_resource.rb +0 -20
- data/lib/cancan/model_adapters/active_record_3_adapter.rb +0 -16
- data/lib/cancan/model_adapters/mongoid_adapter.rb +0 -75
- data/lib/cancan/model_adapters/sequel_adapter.rb +0 -87
- data/spec/README.rdoc +0 -27
- data/spec/cancan/ability_spec.rb +0 -544
- data/spec/cancan/controller_additions_spec.rb +0 -151
- data/spec/cancan/controller_resource_spec.rb +0 -643
- data/spec/cancan/exceptions_spec.rb +0 -58
- data/spec/cancan/inherited_resource_spec.rb +0 -71
- data/spec/cancan/matchers_spec.rb +0 -29
- data/spec/cancan/model_adapters/active_record_4_adapter_spec.rb +0 -154
- data/spec/cancan/model_adapters/active_record_adapter_spec.rb +0 -405
- data/spec/cancan/model_adapters/default_adapter_spec.rb +0 -7
- data/spec/cancan/model_adapters/mongoid_adapter_spec.rb +0 -247
- data/spec/cancan/model_adapters/sequel_adapter_spec.rb +0 -132
- data/spec/cancan/rule_spec.rb +0 -52
- data/spec/matchers.rb +0 -13
- data/spec/spec.opts +0 -2
- data/spec/spec_helper.rb +0 -27
- data/spec/support/ability.rb +0 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 81afd3cec5dc78c4e4d9d14719482ae589ed43bf336cc1b4f9e5681dea56b99d
|
4
|
+
data.tar.gz: fd23ce69481f9daf4b227b61e4e7e236abcd40d7b5f0dd01f70ca20a3706fae3
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 04ee2bfead0ce01e0bdc64e69fae219c221495c30950542323fc5e3d91e250e9a679863546c09db9f3a71a647cb414510bcbb92db41309d9b0b2d04f7d2a1b0e
|
7
|
+
data.tar.gz: 79b4b11ef02ca50417c4e441dd8586569ed86caa4d3216fc54e1713bd09071e544b529db0babd429dd14b0efc90f59f2dfbd8a8d101a9e4d4332908f0487115b
|
data/cancancan.gemspec
CHANGED
@@ -1,28 +1,28 @@
|
|
1
|
-
#
|
2
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
lib = File.expand_path('lib', __dir__)
|
3
4
|
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
5
|
require 'cancan/version'
|
5
6
|
|
6
7
|
Gem::Specification.new do |s|
|
7
|
-
s.name =
|
8
|
+
s.name = 'cancancan'
|
8
9
|
s.version = CanCan::VERSION
|
9
|
-
s.authors = [
|
10
|
-
s.email =
|
11
|
-
s.homepage =
|
12
|
-
s.summary =
|
13
|
-
s.description =
|
10
|
+
s.authors = ['Alessandro Rodi (Renuo AG)', 'Bryan Rite', 'Ryan Bates', 'Richard Wilson']
|
11
|
+
s.email = 'alessandro.rodi@renuo.ch'
|
12
|
+
s.homepage = 'https://github.com/CanCanCommunity/cancancan'
|
13
|
+
s.summary = 'Simple authorization solution for Rails.'
|
14
|
+
s.description = 'Simple authorization solution for Rails. All permissions are stored in a single location.'
|
14
15
|
s.platform = Gem::Platform::RUBY
|
15
|
-
s.license =
|
16
|
+
s.license = 'MIT'
|
16
17
|
|
17
|
-
s.files = `git ls-files`.split(
|
18
|
-
s.
|
19
|
-
s.executables = `git ls-files -- bin/*`.split($/).map{ |f| File.basename(f) }
|
20
|
-
s.require_paths = ["lib"]
|
18
|
+
s.files = `git ls-files lib init.rb cancancan.gemspec`.split($INPUT_RECORD_SEPARATOR)
|
19
|
+
s.require_paths = ['lib']
|
21
20
|
|
22
|
-
s.required_ruby_version =
|
21
|
+
s.required_ruby_version = '>= 2.2.0'
|
23
22
|
|
24
|
-
s.add_development_dependency '
|
25
|
-
s.add_development_dependency '
|
26
|
-
s.add_development_dependency '
|
27
|
-
s.add_development_dependency '
|
23
|
+
s.add_development_dependency 'appraisal', '~> 2.0', '>= 2.0.0'
|
24
|
+
s.add_development_dependency 'bundler', '~> 2.0'
|
25
|
+
s.add_development_dependency 'rake', '~> 10.1', '>= 10.1.1'
|
26
|
+
s.add_development_dependency 'rspec', '~> 3.2', '>= 3.2.0'
|
27
|
+
s.add_development_dependency 'rubocop', '~> 0.63.1'
|
28
28
|
end
|
data/init.rb
CHANGED
data/lib/cancan.rb
CHANGED
@@ -1,24 +1,22 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'cancan/version'
|
4
|
+
require 'cancan/parameter_validators'
|
2
5
|
require 'cancan/ability'
|
3
6
|
require 'cancan/rule'
|
4
7
|
require 'cancan/controller_resource'
|
5
8
|
require 'cancan/controller_additions'
|
6
9
|
require 'cancan/model_additions'
|
7
10
|
require 'cancan/exceptions'
|
8
|
-
require 'cancan/inherited_resource'
|
9
11
|
|
10
12
|
require 'cancan/model_adapters/abstract_adapter'
|
11
13
|
require 'cancan/model_adapters/default_adapter'
|
14
|
+
require 'cancan/rules_compressor'
|
12
15
|
|
13
16
|
if defined? ActiveRecord
|
17
|
+
require 'cancan/model_adapters/conditions_extractor'
|
18
|
+
require 'cancan/model_adapters/conditions_normalizer'
|
14
19
|
require 'cancan/model_adapters/active_record_adapter'
|
15
|
-
|
16
|
-
|
17
|
-
require 'cancan/model_adapters/active_record_4_adapter'
|
18
|
-
else
|
19
|
-
require 'cancan/model_adapters/active_record_3_adapter'
|
20
|
-
end
|
20
|
+
require 'cancan/model_adapters/active_record_4_adapter'
|
21
|
+
require 'cancan/model_adapters/active_record_5_adapter'
|
21
22
|
end
|
22
|
-
|
23
|
-
require 'cancan/model_adapters/mongoid_adapter' if defined?(Mongoid) && defined?(Mongoid::Document)
|
24
|
-
require 'cancan/model_adapters/sequel_adapter' if defined? Sequel
|
data/lib/cancan/ability.rb
CHANGED
@@ -1,5 +1,11 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require_relative 'ability/rules.rb'
|
4
|
+
require_relative 'ability/actions.rb'
|
5
|
+
require_relative 'unauthorized_message_resolver.rb'
|
6
|
+
require_relative 'ability/strong_parameter_support'
|
2
7
|
|
8
|
+
module CanCan
|
3
9
|
# This module is designed to be included into an Ability class. This will
|
4
10
|
# provide the "can" methods for defining and checking abilities.
|
5
11
|
#
|
@@ -16,6 +22,11 @@ module CanCan
|
|
16
22
|
# end
|
17
23
|
#
|
18
24
|
module Ability
|
25
|
+
include CanCan::Ability::Rules
|
26
|
+
include CanCan::Ability::Actions
|
27
|
+
include CanCan::UnauthorizedMessageResolver
|
28
|
+
include StrongParameterSupport
|
29
|
+
|
19
30
|
# Check if the user has permission to perform a given action on an object.
|
20
31
|
#
|
21
32
|
# can? :destroy, @project
|
@@ -60,14 +71,15 @@ module CanCan
|
|
60
71
|
# end
|
61
72
|
#
|
62
73
|
# Also see the RSpec Matchers to aid in testing.
|
63
|
-
def can?(action, subject, *extra_args)
|
74
|
+
def can?(action, subject, attribute = nil, *extra_args)
|
64
75
|
match = extract_subjects(subject).lazy.map do |a_subject|
|
65
76
|
relevant_rules_for_match(action, a_subject).detect do |rule|
|
66
|
-
rule.matches_conditions?(action, a_subject, extra_args)
|
77
|
+
rule.matches_conditions?(action, a_subject, attribute, *extra_args) && rule.matches_attributes?(attribute)
|
67
78
|
end
|
68
79
|
end.reject(&:nil?).first
|
69
80
|
match ? match.base_behavior : false
|
70
81
|
end
|
82
|
+
|
71
83
|
# Convenience method which works the same as "can?" but returns the opposite value.
|
72
84
|
#
|
73
85
|
# cannot? :destroy, @project
|
@@ -129,8 +141,8 @@ module CanCan
|
|
129
141
|
# # check the database and return true/false
|
130
142
|
# end
|
131
143
|
#
|
132
|
-
def can(action = nil, subject = nil,
|
133
|
-
add_rule(Rule.new(true, action, subject,
|
144
|
+
def can(action = nil, subject = nil, *attributes_and_conditions, &block)
|
145
|
+
add_rule(Rule.new(true, action, subject, *attributes_and_conditions, &block))
|
134
146
|
end
|
135
147
|
|
136
148
|
# Defines an ability which cannot be done. Accepts the same arguments as "can".
|
@@ -145,59 +157,14 @@ module CanCan
|
|
145
157
|
# product.invisible?
|
146
158
|
# end
|
147
159
|
#
|
148
|
-
def cannot(action = nil, subject = nil,
|
149
|
-
add_rule(Rule.new(false, action, subject,
|
150
|
-
end
|
151
|
-
|
152
|
-
# Alias one or more actions into another one.
|
153
|
-
#
|
154
|
-
# alias_action :update, :destroy, :to => :modify
|
155
|
-
# can :modify, Comment
|
156
|
-
#
|
157
|
-
# Then :modify permission will apply to both :update and :destroy requests.
|
158
|
-
#
|
159
|
-
# can? :update, Comment # => true
|
160
|
-
# can? :destroy, Comment # => true
|
161
|
-
#
|
162
|
-
# This only works in one direction. Passing the aliased action into the "can?" call
|
163
|
-
# will not work because aliases are meant to generate more generic actions.
|
164
|
-
#
|
165
|
-
# alias_action :update, :destroy, :to => :modify
|
166
|
-
# can :update, Comment
|
167
|
-
# can? :modify, Comment # => false
|
168
|
-
#
|
169
|
-
# Unless that exact alias is used.
|
170
|
-
#
|
171
|
-
# can :modify, Comment
|
172
|
-
# can? :modify, Comment # => true
|
173
|
-
#
|
174
|
-
# The following aliases are added by default for conveniently mapping common controller actions.
|
175
|
-
#
|
176
|
-
# alias_action :index, :show, :to => :read
|
177
|
-
# alias_action :new, :to => :create
|
178
|
-
# alias_action :edit, :to => :update
|
179
|
-
#
|
180
|
-
# This way one can use params[:action] in the controller to determine the permission.
|
181
|
-
def alias_action(*args)
|
182
|
-
target = args.pop[:to]
|
183
|
-
validate_target(target)
|
184
|
-
aliased_actions[target] ||= []
|
185
|
-
aliased_actions[target] += args
|
160
|
+
def cannot(action = nil, subject = nil, *attributes_and_conditions, &block)
|
161
|
+
add_rule(Rule.new(false, action, subject, *attributes_and_conditions, &block))
|
186
162
|
end
|
187
163
|
|
188
164
|
# User shouldn't specify targets with names of real actions or it will cause Seg fault
|
189
165
|
def validate_target(target)
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
# Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
|
194
|
-
def aliased_actions
|
195
|
-
@aliased_actions ||= default_alias_actions
|
196
|
-
end
|
197
|
-
|
198
|
-
# Removes previously aliased actions including the defaults.
|
199
|
-
def clear_aliased_actions
|
200
|
-
@aliased_actions = {}
|
166
|
+
error_message = "You can't specify target (#{target}) as alias because it is real action name"
|
167
|
+
raise Error, error_message if aliased_actions.values.flatten.include? target
|
201
168
|
end
|
202
169
|
|
203
170
|
def model_adapter(model_class, action)
|
@@ -207,25 +174,14 @@ module CanCan
|
|
207
174
|
|
208
175
|
# See ControllerAdditions#authorize! for documentation.
|
209
176
|
def authorize!(action, subject, *args)
|
210
|
-
message = nil
|
211
|
-
if args.last.kind_of?(Hash) && args.last.has_key?(:message)
|
212
|
-
message = args.pop[:message]
|
213
|
-
end
|
177
|
+
message = args.last.is_a?(Hash) && args.last.key?(:message) ? args.pop[:message] : nil
|
214
178
|
if cannot?(action, subject, *args)
|
215
179
|
message ||= unauthorized_message(action, subject)
|
216
|
-
raise AccessDenied.new(message, action, subject)
|
180
|
+
raise AccessDenied.new(message, action, subject, args)
|
217
181
|
end
|
218
182
|
subject
|
219
183
|
end
|
220
184
|
|
221
|
-
def unauthorized_message(action, subject)
|
222
|
-
keys = unauthorized_message_keys(action, subject)
|
223
|
-
variables = {:action => action.to_s}
|
224
|
-
variables[:subject] = (subject.class == Class ? subject : subject.class).to_s.underscore.humanize.downcase
|
225
|
-
message = I18n.translate(nil, variables.merge(:scope => :unauthorized, :default => keys + [""]))
|
226
|
-
message.blank? ? nil : message
|
227
|
-
end
|
228
|
-
|
229
185
|
def attributes_for(action, subject)
|
230
186
|
attributes = {}
|
231
187
|
relevant_rules(action, subject).map do |rule|
|
@@ -242,10 +198,58 @@ module CanCan
|
|
242
198
|
relevant_rules(action, subject).any?(&:only_raw_sql?)
|
243
199
|
end
|
244
200
|
|
201
|
+
# Copies all rules and aliased actions of the given +CanCan::Ability+ and adds them to +self+.
|
202
|
+
# class ReadAbility
|
203
|
+
# include CanCan::Ability
|
204
|
+
#
|
205
|
+
# def initialize
|
206
|
+
# can :read, User
|
207
|
+
# alias_action :show, :index, to: :see
|
208
|
+
# end
|
209
|
+
# end
|
210
|
+
#
|
211
|
+
# class WritingAbility
|
212
|
+
# include CanCan::Ability
|
213
|
+
#
|
214
|
+
# def initialize
|
215
|
+
# can :edit, User
|
216
|
+
# alias_action :create, :update, to: :modify
|
217
|
+
# end
|
218
|
+
# end
|
219
|
+
#
|
220
|
+
# read_ability = ReadAbility.new
|
221
|
+
# read_ability.can? :edit, User.new #=> false
|
222
|
+
# read_ability.merge(WritingAbility.new)
|
223
|
+
# read_ability.can? :edit, User.new #=> true
|
224
|
+
# read_ability.aliased_actions #=> [:see => [:show, :index], :modify => [:create, :update]]
|
225
|
+
#
|
226
|
+
# If there are collisions when merging the +aliased_actions+, the actions on +self+ will be
|
227
|
+
# overwritten.
|
228
|
+
#
|
229
|
+
# class ReadAbility
|
230
|
+
# include CanCan::Ability
|
231
|
+
#
|
232
|
+
# def initialize
|
233
|
+
# alias_action :show, :index, to: :see
|
234
|
+
# end
|
235
|
+
# end
|
236
|
+
#
|
237
|
+
# class ShowAbility
|
238
|
+
# include CanCan::Ability
|
239
|
+
#
|
240
|
+
# def initialize
|
241
|
+
# alias_action :show, to: :see
|
242
|
+
# end
|
243
|
+
# end
|
244
|
+
#
|
245
|
+
# read_ability = ReadAbility.new
|
246
|
+
# read_ability.merge(ShowAbility)
|
247
|
+
# read_ability.aliased_actions #=> [:see => [:show]]
|
245
248
|
def merge(ability)
|
246
249
|
ability.rules.each do |rule|
|
247
250
|
add_rule(rule.dup)
|
248
251
|
end
|
252
|
+
@aliased_actions = aliased_actions.merge(ability.aliased_actions)
|
249
253
|
self
|
250
254
|
end
|
251
255
|
|
@@ -257,165 +261,48 @@ module CanCan
|
|
257
261
|
#
|
258
262
|
# Where can_hash and cannot_hash are formatted thusly:
|
259
263
|
# {
|
260
|
-
# action:
|
264
|
+
# action: { subject: [attributes] }
|
261
265
|
# }
|
262
266
|
def permissions
|
263
|
-
permissions_list = {
|
264
|
-
|
265
|
-
|
266
|
-
|
267
|
-
|
268
|
-
if(rule.base_behavior)
|
269
|
-
permissions_list[:can][action] ||= []
|
270
|
-
permissions_list[:can][action] += subjects.map(&:to_s)
|
271
|
-
else
|
272
|
-
permissions_list[:cannot][action] ||= []
|
273
|
-
permissions_list[:cannot][action] += subjects.map(&:to_s)
|
274
|
-
end
|
275
|
-
end
|
276
|
-
end
|
277
|
-
|
267
|
+
permissions_list = {
|
268
|
+
can: Hash.new { |actions, k1| actions[k1] = Hash.new { |subjects, k2| subjects[k2] = [] } },
|
269
|
+
cannot: Hash.new { |actions, k1| actions[k1] = Hash.new { |subjects, k2| subjects[k2] = [] } }
|
270
|
+
}
|
271
|
+
rules.each { |rule| extract_rule_in_permissions(permissions_list, rule) }
|
278
272
|
permissions_list
|
279
273
|
end
|
280
274
|
|
281
|
-
|
282
|
-
|
283
|
-
|
284
|
-
|
285
|
-
|
286
|
-
|
275
|
+
def extract_rule_in_permissions(permissions_list, rule)
|
276
|
+
expand_actions(rule.actions).each do |action|
|
277
|
+
container = rule.base_behavior ? :can : :cannot
|
278
|
+
rule.subjects.each do |subject|
|
279
|
+
permissions_list[container][action][subject.to_s] += rule.attributes
|
280
|
+
end
|
281
|
+
end
|
287
282
|
end
|
288
283
|
|
289
284
|
private
|
290
285
|
|
291
286
|
def unauthorized_message_keys(action, subject)
|
292
|
-
subject = (subject.class == Class ? subject : subject.class).name.underscore unless subject.
|
293
|
-
|
294
|
-
|
295
|
-
|
296
|
-
end
|
297
|
-
end.flatten
|
298
|
-
end
|
299
|
-
|
300
|
-
# Accepts an array of actions and returns an array of actions which match.
|
301
|
-
# This should be called before "matches?" and other checking methods since they
|
302
|
-
# rely on the actions to be expanded.
|
303
|
-
def expand_actions(actions)
|
304
|
-
expanded_actions[actions] ||= begin
|
305
|
-
expanded = []
|
306
|
-
actions.each do |action|
|
307
|
-
expanded << action
|
308
|
-
if aliases = aliased_actions[action]
|
309
|
-
expanded += expand_actions(aliases)
|
310
|
-
end
|
311
|
-
end
|
312
|
-
expanded
|
287
|
+
subject = (subject.class == Class ? subject : subject.class).name.underscore unless subject.is_a? Symbol
|
288
|
+
aliases = aliases_for_action(action)
|
289
|
+
[subject, :all].product([*aliases, :manage]).map do |try_subject, try_action|
|
290
|
+
:"#{try_action}.#{try_subject}"
|
313
291
|
end
|
314
292
|
end
|
315
293
|
|
316
|
-
def expanded_actions
|
317
|
-
@expanded_actions ||= {}
|
318
|
-
end
|
319
|
-
|
320
294
|
# It translates to an array the subject or the hash with multiple subjects given to can?.
|
321
295
|
def extract_subjects(subject)
|
322
|
-
if subject.
|
296
|
+
if subject.is_a?(Hash) && subject.key?(:any)
|
323
297
|
subject[:any]
|
324
298
|
else
|
325
299
|
[subject]
|
326
300
|
end
|
327
301
|
end
|
328
302
|
|
329
|
-
# Given an action, it will try to find all of the actions which are aliased to it.
|
330
|
-
# This does the opposite kind of lookup as expand_actions.
|
331
|
-
def aliases_for_action(action)
|
332
|
-
results = [action]
|
333
|
-
aliased_actions.each do |aliased_action, actions|
|
334
|
-
results += aliases_for_action(aliased_action) if actions.include? action
|
335
|
-
end
|
336
|
-
results
|
337
|
-
end
|
338
|
-
|
339
|
-
def add_rule(rule)
|
340
|
-
rules << rule
|
341
|
-
add_rule_to_index(rule, rules.size - 1)
|
342
|
-
end
|
343
|
-
|
344
|
-
def add_rule_to_index(rule, position)
|
345
|
-
@rules_index ||= Hash.new { |h, k| h[k] = [] }
|
346
|
-
|
347
|
-
subjects = rule.subjects.compact
|
348
|
-
subjects << :all if subjects.empty?
|
349
|
-
|
350
|
-
subjects.each do |subject|
|
351
|
-
@rules_index[subject] << position
|
352
|
-
end
|
353
|
-
end
|
354
|
-
|
355
303
|
def alternative_subjects(subject)
|
356
304
|
subject = subject.class unless subject.is_a?(Module)
|
357
|
-
[:all, *subject.ancestors,
|
358
|
-
end
|
359
|
-
|
360
|
-
# Returns an array of Rule instances which match the action and subject
|
361
|
-
# This does not take into consideration any hash conditions or block statements
|
362
|
-
def relevant_rules(action, subject)
|
363
|
-
return [] unless @rules
|
364
|
-
relevant = possible_relevant_rules(subject).select do |rule|
|
365
|
-
rule.expanded_actions = expand_actions(rule.actions)
|
366
|
-
rule.relevant? action, subject
|
367
|
-
end
|
368
|
-
relevant.reverse!.uniq!
|
369
|
-
optimize_order! relevant
|
370
|
-
relevant
|
371
|
-
end
|
372
|
-
|
373
|
-
# Optimizes the order of the rules, so that rules with the :all subject are evaluated first.
|
374
|
-
def optimize_order!(rules)
|
375
|
-
first_can_in_group = -1
|
376
|
-
rules.each_with_index do |rule, i|
|
377
|
-
(first_can_in_group = -1) and next unless rule.base_behavior
|
378
|
-
(first_can_in_group = i) and next if first_can_in_group == -1
|
379
|
-
if rule.subjects == [:all]
|
380
|
-
rules[i] = rules[first_can_in_group]
|
381
|
-
rules[first_can_in_group] = rule
|
382
|
-
first_can_in_group += 1
|
383
|
-
end
|
384
|
-
end
|
385
|
-
end
|
386
|
-
|
387
|
-
def possible_relevant_rules(subject)
|
388
|
-
if subject.is_a?(Hash)
|
389
|
-
rules
|
390
|
-
else
|
391
|
-
positions = @rules_index.values_at(subject, *alternative_subjects(subject))
|
392
|
-
positions.flatten!.sort!
|
393
|
-
positions.map { |i| @rules[i] }
|
394
|
-
end
|
395
|
-
end
|
396
|
-
|
397
|
-
def relevant_rules_for_match(action, subject)
|
398
|
-
relevant_rules(action, subject).each do |rule|
|
399
|
-
if rule.only_raw_sql?
|
400
|
-
raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
|
401
|
-
end
|
402
|
-
end
|
403
|
-
end
|
404
|
-
|
405
|
-
def relevant_rules_for_query(action, subject)
|
406
|
-
relevant_rules(action, subject).each do |rule|
|
407
|
-
if rule.only_block?
|
408
|
-
raise Error, "The accessible_by call cannot be used with a block 'can' definition. The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
|
409
|
-
end
|
410
|
-
end
|
411
|
-
end
|
412
|
-
|
413
|
-
def default_alias_actions
|
414
|
-
{
|
415
|
-
:read => [:index, :show],
|
416
|
-
:create => [:new],
|
417
|
-
:update => [:edit],
|
418
|
-
}
|
305
|
+
[:all, *subject.ancestors, subject.class.to_s]
|
419
306
|
end
|
420
307
|
end
|
421
308
|
end
|