cancancan 1.15.0 → 3.1.0

data/lib/cancan/model_adapters/conditions_extractor.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+# this class is responsible of converting the hash of conditions
+# in "where conditions" to generate the sql query
+# it consists of a names_cache that helps calculating the next name given to the association
+# it tries to reflect the bahavior of ActiveRecord when generating aliases for tables.
+module CanCan
+  module ModelAdapters
+    class ConditionsExtractor
+      def initialize(model_class)
+        @names_cache = { model_class.table_name => [] }.with_indifferent_access
+        @root_model_class = model_class
+      end
+
+      def tableize_conditions(conditions, model_class = @root_model_class, path_to_key = 0)
+        return conditions unless conditions.is_a? Hash
+
+        conditions.each_with_object({}) do |(key, value), result_hash|
+          if value.is_a? Hash
+            result_hash.merge!(calculate_result_hash(key, model_class, path_to_key, result_hash, value))
+          else
+            result_hash[key] = value
+          end
+          result_hash
+        end
+      end
+
+      private
+
+      def calculate_result_hash(key, model_class, path_to_key, result_hash, value)
+        reflection = model_class.reflect_on_association(key)
+        nested_resulted = calculate_nested(model_class, result_hash, key, value.dup, path_to_key)
+        association_class = reflection.klass.name.constantize
+        tableize_conditions(nested_resulted, association_class, "#{path_to_key}_#{key}")
+      end
+
+      def calculate_nested(model_class, result_hash, relation_name, value, path_to_key)
+        value.each_with_object({}) do |(k, v), nested|
+          if v.is_a? Hash
+            value.delete(k)
+            nested[k] = v
+          else
+            table_alias = generate_table_alias(model_class, relation_name, path_to_key)
+            result_hash[table_alias] = value
+          end
+          nested
+        end
+      end
+
+      def generate_table_alias(model_class, relation_name, path_to_key)
+        table_alias = model_class.reflect_on_association(relation_name).table_name.to_sym
+
+        if alredy_used?(table_alias, relation_name, path_to_key)
+          table_alias = "#{relation_name.to_s.pluralize}_#{model_class.table_name}".to_sym
+
+          index = 1
+          while alredy_used?(table_alias, relation_name, path_to_key)
+            table_alias = "#{table_alias}_#{index += 1}".to_sym
+          end
+        end
+        add_to_cache(table_alias, relation_name, path_to_key)
+      end
+
+      def alredy_used?(table_alias, relation_name, path_to_key)
+        @names_cache[table_alias].try(:exclude?, "#{path_to_key}_#{relation_name}")
+      end
+
+      def add_to_cache(table_alias, relation_name, path_to_key)
+        @names_cache[table_alias] ||= []
+        @names_cache[table_alias] << "#{path_to_key}_#{relation_name}"
+        table_alias
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -0,0 +1,49 @@
+# this class is responsible of normalizing the hash of conditions
+# by exploding has_many through associations
+# when a condition is defined with an has_many thorugh association this is exploded in all its parts
+# TODO: it could identify STI and normalize it
+module CanCan
+  module ModelAdapters
+    class ConditionsNormalizer
+      class << self
+        def normalize(model_class, rules)
+          rules.each { |rule| rule.conditions = normalize_conditions(model_class, rule.conditions) }
+        end
+
+        def normalize_conditions(model_class, conditions)
+          return conditions unless conditions.is_a? Hash
+
+          conditions.each_with_object({}) do |(key, value), result_hash|
+            if value.is_a? Hash
+              result_hash.merge!(calculate_result_hash(model_class, key, value))
+            else
+              result_hash[key] = value
+            end
+            result_hash
+          end
+        end
+
+        private
+
+        def calculate_result_hash(model_class, key, value)
+          reflection = model_class.reflect_on_association(key)
+          unless reflection
+            raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
+          end
+
+          if normalizable_association? reflection
+            key = reflection.options[:through]
+            value = { reflection.source_reflection_name => value }
+            reflection = model_class.reflect_on_association(key)
+          end
+
+          { key => normalize_conditions(reflection.klass.name.constantize, value) }
+        end
+
+        def normalizable_association?(reflection)
+          reflection.options[:through].present? && !reflection.options[:source_type].present?
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/default_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class DefaultAdapter < AbstractAdapter

data/lib/cancan/model_additions.rb

@@ -1,5 +1,6 @@
-module CanCan
+# frozen_string_literal: true
 
+module CanCan
   # This module adds the accessible_by class method to a model. It is included in the model adapters.
   module ModelAdditions
     module ClassMethods

data/lib/cancan/parameter_validators.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ParameterValidators
+    def valid_attribute_param?(attribute)
+      attribute.nil? || attribute.is_a?(Symbol) || (attribute.is_a?(Array) && attribute.all? { |a| a.is_a?(Symbol) })
+    end
+  end
+end

data/lib/cancan/relevant.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Relevant
+    # Matches both the action, subject, and attribute, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    private
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? do |sub|
+        sub.is_a?(Module) && (subject.is_a?(sub) ||
+            subject.class.to_s == sub.to_s ||
+            (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      end
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,156 +1,126 @@
+# frozen_string_literal: true
+
+require_relative 'conditions_matcher.rb'
+require_relative 'relevant.rb'
+
 module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
-    attr_reader :base_behavior, :subjects, :actions, :conditions
-    attr_writer :expanded_actions
+    include ConditionsMatcher
+    include Relevant
+    include ParameterValidators
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes
+    attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
     # value. True for "can" and false for "cannot". The next two arguments are the action
     # and subject respectively (such as :read, @project). The third argument is a hash
     # of conditions and the last one is the block passed to the "can" call.
-    def initialize(base_behavior, action, subject, conditions, block)
-      raise Error, "You are not able to supply a block with a hash of conditions in #{action} #{subject} ability. Use either one." if conditions.kind_of?(Hash) && !block.nil?
+    def initialize(base_behavior, action, subject, *extra_args, &block)
+      # for backwards compatibility, attributes are an optional parameter. Check if
+      # attributes were passed or are actually conditions
+      attributes, extra_args = parse_attributes_from_extra_args(extra_args)
+      condition_and_block_check(extra_args, block, action, subject)
       @match_all = action.nil? && subject.nil?
+      raise Error, "Subject is required for #{action}" if action && subject.nil?
+
       @base_behavior = base_behavior
-      @actions = [action].flatten
-      @subjects = [subject].flatten
-      @conditions = conditions || {}
+      @actions = wrap(action)
+      @subjects = wrap(subject)
+      @attributes = wrap(attributes)
+      @conditions = extra_args || {}
       @block = block
     end
 
-    # Matches both the subject and action, not necessarily the conditions
-    def relevant?(action, subject)
-      subject = subject.values.first if subject.class == Hash
-      @match_all || (matches_action?(action) && matches_subject?(subject))
-    end
+    def inspect
+      repr = "#<#{self.class.name}"
+      repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
 
-    # Matches the block or conditions hash
-    def matches_conditions?(action, subject, extra_args)
-      if @match_all
-        call_block_with_all(action, subject, extra_args)
-      elsif @block && !subject_class?(subject)
-        @block.call(subject, *extra_args)
-      elsif @conditions.kind_of?(Hash) && subject.class == Hash
-        nested_subject_matches_conditions?(subject)
-      elsif @conditions.kind_of?(Hash) && !subject_class?(subject)
-        matches_conditions_hash?(subject)
-      else
-        # Don't stop at "cannot" definitions when there are conditions.
-        conditions_empty? ? true : @base_behavior
+      if with_scope?
+        repr += ", #{@conditions.where_values_hash}"
+      elsif [Hash, String].include?(@conditions.class)
+        repr += ", #{@conditions.inspect}"
       end
-    end
-
-    def only_block?
-      conditions_empty? && !@block.nil?
-    end
-
-    def only_raw_sql?
-      @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
-    end
 
-    def conditions_empty?
-      @conditions == {} || @conditions.nil?
+      repr + '>'
     end
 
-    def unmergeable?
-      @conditions.respond_to?(:keys) && @conditions.present? &&
-        (!@conditions.keys.first.kind_of? Symbol)
+    def can_rule?
+      base_behavior
     end
 
-    def associations_hash(conditions = @conditions)
-      hash = {}
-      conditions.map do |name, value|
-        hash[name] = associations_hash(value) if value.kind_of? Hash
-      end if conditions.kind_of? Hash
-      hash
+    def cannot_catch_all?
+      !can_rule? && catch_all?
     end
 
-    def attributes_from_conditions
-      attributes = {}
-      @conditions.each do |key, value|
-        attributes[key] = value unless [Array, Range, Hash].include? value.class
-      end if @conditions.kind_of? Hash
-      attributes
+    def catch_all?
+      (with_scope? && @conditions.where_values_hash.empty?) ||
+        (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
-    private
-
-    def subject_class?(subject)
-      klass = (subject.kind_of?(Hash) ? subject.values.first : subject).class
-      klass == Class || klass == Module
+    def only_block?
+      conditions_empty? && @block
     end
 
-    def matches_action?(action)
-      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    def only_raw_sql?
+      @block.nil? && !conditions_empty? && !@conditions.is_a?(Hash)
     end
 
-    def matches_subject?(subject)
-      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    def with_scope?
+      @conditions.is_a?(ActiveRecord::Relation)
     end
 
-    def matches_subject_class?(subject)
-      @subjects.any? do |sub|
-        sub.kind_of?(Module) && (subject.kind_of?(sub) ||
-                                 subject.class.to_s == sub.to_s ||
-                                 (subject.kind_of?(Module) && subject.ancestors.include?(sub)))
+    def associations_hash(conditions = @conditions)
+      hash = {}
+      if conditions.is_a? Hash
+        conditions.map do |name, value|
+          hash[name] = associations_hash(value) if value.is_a? Hash
+        end
       end
+      hash
     end
 
-    # Checks if the given subject matches the given conditions hash.
-    # This behavior can be overriden by a model adapter by defining two class methods:
-    # override_matching_for_conditions?(subject, conditions) and
-    # matches_conditions_hash?(subject, conditions)
-    def matches_conditions_hash?(subject, conditions = @conditions)
-      return true if conditions.empty?
-      adapter = model_adapter(subject)
-
-      if adapter.override_conditions_hash_matching?(subject, conditions)
-        return adapter.matches_conditions_hash?(subject, conditions)
-      end
-
-      conditions.all? do |name, value|
-        if adapter.override_condition_matching?(subject, name, value)
-          adapter.matches_condition?(subject, name, value)
-        else
-          condition_match?(subject.send(name), value)
+    def attributes_from_conditions
+      attributes = {}
+      if @conditions.is_a? Hash
+        @conditions.each do |key, value|
+          attributes[key] = value unless [Array, Range, Hash].include? value.class
         end
       end
+      attributes
     end
 
-    def nested_subject_matches_conditions?(subject_hash)
-      parent, _child = subject_hash.first
-      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
-    end
+    def matches_attributes?(attribute)
+      return true if @attributes.empty?
+      return @base_behavior if attribute.nil?
 
-    def call_block_with_all(action, subject, extra_args)
-      if subject.class == Class
-        @block.call(action, subject, nil, *extra_args)
-      else
-        @block.call(action, subject.class, subject, *extra_args)
-      end
+      @attributes.include?(attribute.to_sym)
     end
 
-    def model_adapter(subject)
-      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    private
+
+    def parse_attributes_from_extra_args(args)
+      attributes = args.shift if valid_attribute_param?(args.first)
+      extra_args = args.shift
+      [attributes, extra_args]
     end
 
-    def condition_match?(attribute, value)
-      case value
-      when Hash       then hash_condition_match?(attribute, value)
-      when String     then attribute == value
-      when Range      then value.cover?(attribute)
-      when Enumerable then value.include?(attribute)
-      else attribute == value
-      end
+    def condition_and_block_check(conditions, block, action, subject)
+      return unless conditions.is_a?(Hash) && block
+
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. '\
+        "Check \":#{action} #{subject}\" ability."
     end
 
-    def hash_condition_match?(attribute, value)
-      if attribute.kind_of?(Array) || (defined?(ActiveRecord) && attribute.kind_of?(ActiveRecord::Relation))
-        attribute.any? { |element| matches_conditions_hash?(element, value) }
+    def wrap(object)
+      if object.nil?
+        []
+      elsif object.respond_to?(:to_ary)
+        object.to_ary || [object]
       else
-        !attribute.nil? && matches_conditions_hash?(attribute, value)
+        [object]
       end
     end
   end

data/lib/cancan/rules_compressor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative 'conditions_matcher.rb'
+module CanCan
+  class RulesCompressor
+    attr_reader :initial_rules, :rules_collapsed
+
+    def initialize(rules)
+      @initial_rules = rules
+      @rules_collapsed = compress(@initial_rules)
+    end
+
+    def compress(array)
+      idx = array.rindex(&:catch_all?)
+      return array unless idx
+
+      value = array[idx]
+      array[idx..-1]
+        .drop_while { |n| n.base_behavior == value.base_behavior }
+        .tap { |a| a.unshift(value) unless value.cannot_catch_all? }
+    end
+  end
+end

data/lib/cancan/unauthorized_message_resolver.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CanCan
+  module UnauthorizedMessageResolver
+    def unauthorized_message(action, subject)
+      subject = subject.values.last if subject.is_a?(Hash)
+      keys = unauthorized_message_keys(action, subject)
+      variables = {}
+      variables[:action] = I18n.translate("actions.#{action}", default: action.to_s)
+      variables[:subject] = translate_subject(subject)
+      message = I18n.translate(keys.shift, **variables.merge(scope: :unauthorized, default: keys + ['']))
+      message.blank? ? nil : message
+    end
+
+    def translate_subject(subject)
+      klass = (subject.class == Class ? subject : subject.class)
+      if klass.respond_to?(:model_name)
+        klass.model_name.human
+      else
+        klass.to_s.underscore.humanize.downcase
+      end
+    end
+  end
+end