cancancan 1.17.0 → 3.5.0

data/lib/cancan/class_matcher.rb

@@ -0,0 +1,30 @@
+require_relative 'sti_detector'
+
+# This class is responsible for matching classes and their subclasses as well as
+# upmatching classes to their ancestors.
+# This is used to generate sti connections
+class SubjectClassMatcher
+  def self.matches_subject_class?(subjects, subject)
+    subjects.any? do |sub|
+      has_subclasses = subject.respond_to?(:subclasses)
+      matching_class_check(subject, sub, has_subclasses)
+    end
+  end
+
+  def self.matching_class_check(subject, sub, has_subclasses)
+    matches = matches_class_or_is_related(subject, sub)
+    if has_subclasses
+      return matches unless StiDetector.sti_class?(sub)
+
+      matches || subject.subclasses.include?(sub)
+    else
+      matches
+    end
+  end
+
+  def self.matches_class_or_is_related(subject, sub)
+    sub.is_a?(Module) && (subject.is_a?(sub) ||
+        subject.class.to_s == sub.to_s ||
+        (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+  end
+end

data/lib/cancan/conditions_matcher.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ConditionsMatcher
+    # Matches the block or conditions hash
+    def matches_conditions?(action, subject, attribute = nil, *extra_args)
+      return call_block_with_all(action, subject, extra_args) if @match_all
+      return matches_block_conditions(subject, attribute, *extra_args) if @block
+      return matches_non_block_conditions(subject) unless conditions_empty?
+
+      true
+    end
+
+    private
+
+    def subject_class?(subject)
+      klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
+      [Class, Module].include? klass
+    end
+
+    def matches_block_conditions(subject, attribute, *extra_args)
+      return @base_behavior if subject_class?(subject)
+
+      if attribute
+        @block.call(subject, attribute, *extra_args)
+      else
+        @block.call(subject, *extra_args)
+      end
+    end
+
+    def matches_non_block_conditions(subject)
+      return nested_subject_matches_conditions?(subject) if subject.class == Hash
+      return matches_conditions_hash?(subject) unless subject_class?(subject)
+
+      # Don't stop at "cannot" definitions when there are conditions.
+      @base_behavior
+    end
+
+    def nested_subject_matches_conditions?(subject_hash)
+      parent, child = subject_hash.first
+
+      adapter = model_adapter(parent)
+
+      parent_condition_name = adapter.parent_condition_name(parent, child)
+
+      matches_base_parent_conditions = matches_conditions_hash?(parent,
+                                                                @conditions[parent_condition_name] || {})
+
+      matches_base_parent_conditions &&
+        (!adapter.override_nested_subject_conditions_matching?(parent, child, @conditions) ||
+          adapter.nested_subject_matches_conditions?(parent, child, @conditions))
+    end
+
+    # Checks if the given subject matches the given conditions hash.
+    # This behavior can be overridden by a model adapter by defining two class methods:
+    # override_matching_for_conditions?(subject, conditions) and
+    # matches_conditions_hash?(subject, conditions)
+    def matches_conditions_hash?(subject, conditions = @conditions)
+      return true if conditions.is_a?(Hash) && conditions.empty?
+
+      adapter = model_adapter(subject)
+
+      if adapter.override_conditions_hash_matching?(subject, conditions)
+        return adapter.matches_conditions_hash?(subject, conditions)
+      end
+
+      matches_all_conditions?(adapter, subject, conditions)
+    end
+
+    def matches_all_conditions?(adapter, subject, conditions)
+      if conditions.is_a?(Hash)
+        matches_hash_conditions?(adapter, subject, conditions)
+      elsif conditions.respond_to?(:include?)
+        conditions.include?(subject)
+      else
+        subject == conditions
+      end
+    end
+
+    def matches_hash_conditions?(adapter, subject, conditions)
+      conditions.all? do |name, value|
+        if adapter.override_condition_matching?(subject, name, value)
+          adapter.matches_condition?(subject, name, value)
+        else
+          condition_match?(subject.send(name), value)
+        end
+      end
+    end
+
+    def condition_match?(attribute, value)
+      case value
+      when Hash
+        hash_condition_match?(attribute, value)
+      when Range
+        value.cover?(attribute)
+      when Enumerable
+        value.include?(attribute)
+      else
+        attribute == value
+      end
+    end
+
+    def hash_condition_match?(attribute, value)
+      if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
+        array_like_matches_condition_hash?(attribute, value)
+      else
+        attribute && matches_conditions_hash?(attribute, value)
+      end
+    end
+
+    def array_like_matches_condition_hash?(attribute, value)
+      if attribute.any?
+        attribute.any? { |element| matches_conditions_hash?(element, value) }
+      else
+        # you can use `nil`s in your ability definition to tell cancancan to find
+        # objects that *don't* have any children in a has_many relationship.
+        #
+        # for example, given ability:
+        # => can :read, Article, comments: { id: nil }
+        # cancancan will return articles where `article.comments == []`
+        #
+        # this is implemented here. `attribute` is `article.comments`, and it's an empty array.
+        # the expression below returns true if this was expected.
+        !value.values.empty? && value.values.all?(&:nil?)
+      end
+    end
+
+    def call_block_with_all(action, subject, *extra_args)
+      if subject.class == Class
+        @block.call(action, subject, nil, *extra_args)
+      else
+        @block.call(action, subject.class, subject, *extra_args)
+      end
+    end
+
+    def model_adapter(subject)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    end
+
+    def conditions_empty?
+      # @conditions might be an ActiveRecord::Associations::CollectionProxy
+      # which it's `==` implementation will fetch all records for comparison
+
+      (@conditions.is_a?(Hash) && @conditions == {}) || @conditions.nil?
+    end
+  end
+end

data/lib/cancan/config.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module CanCan
+  def self.valid_accessible_by_strategies
+    strategies = [:left_join]
+
+    unless does_not_support_subquery_strategy?
+      strategies.push(:joined_alias_exists_subquery, :joined_alias_each_rule_as_exists_subquery, :subquery)
+    end
+
+    strategies
+  end
+
+  # You can disable the rules compressor if it's causing unexpected issues.
+  def self.rules_compressor_enabled
+    return @rules_compressor_enabled if defined?(@rules_compressor_enabled)
+
+    @rules_compressor_enabled = true
+  end
+
+  def self.rules_compressor_enabled=(value)
+    @rules_compressor_enabled = value
+  end
+
+  def self.with_rules_compressor_enabled(value)
+    return yield if value == rules_compressor_enabled
+
+    begin
+      rules_compressor_enabled_was = rules_compressor_enabled
+      @rules_compressor_enabled = value
+      yield
+    ensure
+      @rules_compressor_enabled = rules_compressor_enabled_was
+    end
+  end
+
+  # Determines how CanCan should build queries when calling accessible_by,
+  # if the query will contain a join. The default strategy is `:subquery`.
+  #
+  #   # config/initializers/cancan.rb
+  #   CanCan.accessible_by_strategy = :subquery
+  #
+  # Valid strategies are:
+  # - :subquery - Creates a nested query with all joins, wrapped by a
+  #               WHERE IN query.
+  # - :left_join - Calls the joins directly using `left_joins`, and
+  #                ensures records are unique using `distinct`. Note that
+  #                `distinct` is not reliable in some cases. See
+  #                https://github.com/CanCanCommunity/cancancan/pull/605
+  def self.accessible_by_strategy
+    return @accessible_by_strategy if @accessible_by_strategy
+
+    @accessible_by_strategy = default_accessible_by_strategy
+  end
+
+  def self.default_accessible_by_strategy
+    if does_not_support_subquery_strategy?
+      # see https://github.com/CanCanCommunity/cancancan/pull/655 for where this was added
+      # the `subquery` strategy (from https://github.com/CanCanCommunity/cancancan/pull/619
+      # only works in Rails 5 and higher
+      :left_join
+    else
+      :subquery
+    end
+  end
+
+  def self.accessible_by_strategy=(value)
+    validate_accessible_by_strategy!(value)
+
+    if value == :subquery && does_not_support_subquery_strategy?
+      raise ArgumentError, 'accessible_by_strategy = :subquery requires ActiveRecord 5 or newer'
+    end
+
+    @accessible_by_strategy = value
+  end
+
+  def self.with_accessible_by_strategy(value)
+    return yield if value == accessible_by_strategy
+
+    validate_accessible_by_strategy!(value)
+
+    begin
+      strategy_was = accessible_by_strategy
+      @accessible_by_strategy = value
+      yield
+    ensure
+      @accessible_by_strategy = strategy_was
+    end
+  end
+
+  def self.validate_accessible_by_strategy!(value)
+    return if valid_accessible_by_strategies.include?(value)
+
+    raise ArgumentError, "accessible_by_strategy must be one of #{valid_accessible_by_strategies.join(', ')}"
+  end
+
+  def self.does_not_support_subquery_strategy?
+    !defined?(CanCan::ModelAdapters::ActiveRecordAdapter) ||
+      CanCan::ModelAdapters::ActiveRecordAdapter.version_lower?('5.0.0')
+  end
+end

data/lib/cancan/controller_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module is automatically included into all controllers.
   # It also makes the "can?" and "cannot?" methods available to all views.
@@ -40,7 +42,7 @@ module CanCan
       #     private
       #
       #     def find_book_by_permalink
-      #       @book = Book.find_by_permalink!(params[:id)
+      #       @book = Book.find_by_permalink!(params[:id])
       #     end
       #   end
       #
@@ -225,7 +227,7 @@ module CanCan
         cancan_skipper[:authorize][name] = options
       end
 
-      # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
+      # Add this to a controller to ensure it performs authorization through +authorize+! or +authorize_resource+ call.
       # If neither of these authorization methods are called,
       # a CanCan::AuthorizationNotPerformed exception will be raised.
       # This is normally added to the ApplicationController to ensure all controller actions do authorization.
@@ -256,18 +258,17 @@ module CanCan
       #     check_authorization :unless => :devise_controller?
       #
       def check_authorization(options = {})
-        method_name = active_support_4? ? :after_action : :after_filter
-
         block = proc do |controller|
           next if controller.instance_variable_defined?(:@_authorized)
           next if options[:if] && !controller.send(options[:if])
           next if options[:unless] && controller.send(options[:unless])
+
           raise AuthorizationNotPerformed,
-                'This action failed the check_authorization because it does not authorize_resource. '\
+                'This action failed the check_authorization because it does not authorize_resource. ' \
                 'Add skip_authorization_check to bypass this check.'
         end
 
-        send(method_name, options.slice(:only, :except), &block)
+        send(:after_action, options.slice(:only, :except), &block)
       end
 
       # Call this in the class of a controller to skip the check_authorization behavior on the actions.
@@ -278,37 +279,23 @@ module CanCan
       #
       # Any arguments are passed to the +before_action+ it triggers.
       def skip_authorization_check(*args)
-        method_name = active_support_4? ? :before_action : :before_filter
         block = proc { |controller| controller.instance_variable_set(:@_authorized, true) }
-        send(method_name, *args, &block)
-      end
-
-      def skip_authorization(*_args)
-        raise ImplementationRemoved,
-              'The CanCan skip_authorization method has been renamed to skip_authorization_check. '\
-              'Please update your code.'
+        send(:before_action, *args, &block)
       end
 
       def cancan_resource_class
-        if ancestors.map(&:to_s).include? 'InheritedResources::Actions'
-          InheritedResource
-        else
-          ControllerResource
-        end
+        ControllerResource
       end
 
       def cancan_skipper
-        @_cancan_skipper ||= { authorize: {}, load: {} }
-      end
-
-      def active_support_4?
-        ActiveSupport.respond_to?(:version) && ActiveSupport.version >= Gem::Version.new('4')
+        self._cancan_skipper ||= { authorize: {}, load: {} }
       end
     end
 
     def self.included(base)
       base.extend ClassMethods
       base.helper_method :can?, :cannot?, :current_ability if base.respond_to? :helper_method
+      base.class_attribute :_cancan_skipper
     end
 
     # Raises a CanCan::AccessDenied exception if the current_ability cannot
@@ -352,10 +339,6 @@ module CanCan
       current_ability.authorize!(*args)
     end
 
-    def unauthorized!(_message = nil)
-      raise ImplementationRemoved, 'The unauthorized! method has been removed from CanCan, use authorize! instead.'
-    end
-
     # Creates and returns the current user's ability and caches it. If you
     # want to override how the Ability is defined then this is the place.
     # Just define the method in the controller to change behavior.
@@ -404,8 +387,8 @@ module CanCan
   end
 end
 
-if defined? ActionController::Base
-  ActionController::Base.class_eval do
+if defined? ActiveSupport
+  ActiveSupport.on_load(:action_controller) do
     include CanCan::ControllerAdditions
   end
 end