cancancan 1.17.0 → 3.5.0

data/lib/cancan/controller_resource.rb

@@ -1,8 +1,13 @@
+# frozen_string_literal: true
+
+require_relative 'controller_resource_loader.rb'
 module CanCan
   # Handle the load and authorization controller logic
   # so we don't clutter up all controllers with non-interface methods.
   # This class is used internally, so you do not need to call methods directly on it.
   class ControllerResource # :nodoc:
+    include ControllerResourceLoader
+
     def self.add_before_action(controller_class, method, *args)
       options = args.extract_options!
       resource_name = args.first
@@ -14,11 +19,7 @@ module CanCan
     end
 
     def self.before_callback_name(options)
-      if ActiveSupport.respond_to?(:version) && ActiveSupport.version >= Gem::Version.new('4')
-        options.delete(:prepend) ? :prepend_before_action : :before_action
-      else
-        options.delete(:prepend) ? :prepend_before_filter : :before_filter
-      end
+      options.delete(:prepend) ? :prepend_before_action : :before_action
     end
 
     def initialize(controller, *args)
@@ -26,12 +27,6 @@ module CanCan
       @params = controller.params
       @options = args.extract_options!
       @name = args.first
-      nested_err = 'The :nested option is no longer supported, instead use :through with separate load/authorize call.'
-      raise CanCan::ImplementationRemoved, nested_err if @options[:nested]
-      name_err = 'The :name option is no longer supported, instead pass the name as the first argument.'
-      raise CanCan::ImplementationRemoved, name_err if @options[:name]
-      resource_err = 'The :resource option has been renamed back to :class, use false if no class.'
-      raise CanCan::ImplementationRemoved, resource_err if @options[:resource]
     end
 
     def load_and_authorize_resource
@@ -39,17 +34,9 @@ module CanCan
       authorize_resource
     end
 
-    def load_resource
-      return if skip?(:load)
-      if load_instance?
-        self.resource_instance ||= load_resource_instance
-      elsif load_collection?
-        self.collection_instance ||= load_collection
-      end
-    end
-
     def authorize_resource
       return if skip?(:authorize)
+
       @controller.authorize!(authorization_action, resource_instance || resource_class_with_parent)
     end
 
@@ -59,6 +46,7 @@ module CanCan
 
     def skip?(behavior)
       return false unless (options = @controller.class.cancan_skipper[behavior][@name])
+
       options == {} ||
         options[:except] && !action_exists_in?(options[:except]) ||
         action_exists_in?(options[:only])
@@ -66,11 +54,19 @@ module CanCan
 
     protected
 
-    def load_resource_instance
-      if !parent? && new_actions.include?(@params[:action].to_sym)
-        build_resource
-      elsif id_param || @options[:singleton]
-        find_resource
+    # Returns the class used for this resource. This can be overridden by the :class option.
+    # If +false+ is passed in it will use the resource name as a symbol in which case it should
+    # only be used for authorization, not loading since there's no class to load through.
+    def resource_class
+      case @options[:class]
+      when false
+        name.to_sym
+      when nil
+        namespaced_name.to_s.camelize.constantize
+      when String
+        @options[:class].constantize
+      else
+        @options[:class]
       end
     end
 
@@ -82,95 +78,12 @@ module CanCan
       resource_base.respond_to?(:accessible_by) && !current_ability.has_block?(authorization_action, resource_class)
     end
 
-    def load_collection
-      resource_base.accessible_by(current_ability, authorization_action)
-    end
-
-    def build_resource
-      resource = resource_base.new(resource_params || {})
-      assign_attributes(resource)
-    end
-
-    def assign_attributes(resource)
-      resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
-      initial_attributes.each do |attr_name, value|
-        resource.send("#{attr_name}=", value)
-      end
-      resource
-    end
-
-    def initial_attributes
-      current_ability.attributes_for(@params[:action].to_sym, resource_class).delete_if do |key, _value|
-        resource_params && resource_params.include?(key)
-      end
-    end
-
-    def find_resource
-      if @options[:singleton] && parent_resource.respond_to?(name)
-        parent_resource.send(name)
-      elsif @options[:find_by]
-        find_resource_using_find_by
-      else
-        adapter.find(resource_base, id_param)
-      end
-    end
-
-    def find_resource_using_find_by
-      if resource_base.respond_to? "find_by_#{@options[:find_by]}!"
-        resource_base.send("find_by_#{@options[:find_by]}!", id_param)
-      elsif resource_base.respond_to? 'find_by'
-        resource_base.send('find_by', @options[:find_by].to_sym => id_param)
-      else
-        resource_base.send(@options[:find_by], id_param)
-      end
-    end
-
-    def adapter
-      ModelAdapters::AbstractAdapter.adapter_class(resource_class)
-    end
-
-    def authorization_action
-      parent? ? parent_authorization_action : @params[:action].to_sym
-    end
-
-    def parent_authorization_action
-      @options[:parent_action] || :show
-    end
-
-    def id_param
-      @params[id_param_key].to_s if @params[id_param_key]
-    end
-
-    def id_param_key
-      if @options[:id_param]
-        @options[:id_param]
-      else
-        parent? ? :"#{name}_id" : :id
-      end
-    end
-
     def member_action?
       new_actions.include?(@params[:action].to_sym) || @options[:singleton] ||
         ((@params[:id] || @params[@options[:id_param]]) &&
           !collection_actions.include?(@params[:action].to_sym))
     end
 
-    # Returns the class used for this resource. This can be overriden by the :class option.
-    # If +false+ is passed in it will use the resource name as a symbol in which case it should
-    # only be used for authorization, not loading since there's no class to load through.
-    def resource_class
-      case @options[:class]
-      when false then
-        name.to_sym
-      when nil then
-        namespaced_name.to_s.camelize.constantize
-      when String then
-        @options[:class].constantize
-      else
-        @options[:class]
-      end
-    end
-
     def resource_class_with_parent
       parent_resource ? { parent_resource => resource_class } : resource_class
     end
@@ -180,7 +93,9 @@ module CanCan
     end
 
     def resource_instance
-      @controller.instance_variable_get("@#{instance_name}") if load_instance?
+      return unless load_instance? && @controller.instance_variable_defined?("@#{instance_name}")
+
+      @controller.instance_variable_get("@#{instance_name}")
     end
 
     def collection_instance=(instance)
@@ -188,122 +103,15 @@ module CanCan
     end
 
     def collection_instance
-      @controller.instance_variable_get("@#{instance_name.to_s.pluralize}")
-    end
-
-    # The object that methods (such as "find", "new" or "build") are called on.
-    # If the :through option is passed it will go through an association on that instance.
-    # If the :shallow option is passed it will use the resource_class if there's no parent
-    # If the :singleton option is passed it won't use the association because it needs to be handled later.
-    def resource_base
-      if @options[:through]
-        resource_base_through
-      else
-        resource_class
-      end
-    end
-
-    def resource_base_through
-      if parent_resource
-        base = if @options[:singleton]
-                 resource_class
-               else
-                 parent_resource.send(@options[:through_association] || name.to_s.pluralize)
-               end
-        base = base.scoped if base.respond_to?(:scoped) && active_record_3?
-        base
-      elsif @options[:shallow]
-        resource_class
-      else
-        # maybe this should be a record not found error instead?
-        raise AccessDenied.new(nil, authorization_action, resource_class)
-      end
-    end
-
-    def active_record_3?
-      defined?(ActiveRecord) && ActiveRecord::VERSION::MAJOR == 3
-    end
-
-    def parent_name
-      @options[:through] && [@options[:through]].flatten.detect { |i| fetch_parent(i) }
-    end
-
-    # The object to load this resource through.
-    def parent_resource
-      parent_name && fetch_parent(parent_name)
-    end
-
-    def fetch_parent(name)
-      if @controller.instance_variable_defined? "@#{name}"
-        @controller.instance_variable_get("@#{name}")
-      elsif @controller.respond_to?(name, true)
-        @controller.send(name)
-      end
-    end
-
-    def current_ability
-      @controller.send(:current_ability)
-    end
+      return unless @controller.instance_variable_defined?("@#{instance_name.to_s.pluralize}")
 
-    def name
-      @name || name_from_controller
-    end
-
-    def resource_params
-      if parameters_require_sanitizing? && params_method.present?
-        case params_method
-        when Symbol then
-          @controller.send(params_method)
-        when String then
-          @controller.instance_eval(params_method)
-        when Proc then
-          params_method.call(@controller)
-        end
-      else
-        resource_params_by_namespaced_name
-      end
+      @controller.instance_variable_get("@#{instance_name.to_s.pluralize}")
     end
 
     def parameters_require_sanitizing?
       save_actions.include?(@params[:action].to_sym) || resource_params_by_namespaced_name.present?
     end
 
-    def resource_params_by_namespaced_name
-      if @options[:instance_name] && @params.key?(extract_key(@options[:instance_name]))
-        @params[extract_key(@options[:instance_name])]
-      elsif @options[:class] && @params.key?(extract_key(@options[:class]))
-        @params[extract_key(@options[:class])]
-      else
-        @params[extract_key(namespaced_name)]
-      end
-    end
-
-    def params_method
-      params_methods.each do |method|
-        return method if (method.is_a?(Symbol) && @controller.respond_to?(method, true)) ||
-                         method.is_a?(String) || method.is_a?(Proc)
-      end
-      nil
-    end
-
-    def params_methods
-      methods = ["#{@params[:action]}_params".to_sym, "#{name}_params".to_sym, :resource_params]
-      methods.unshift(@options[:param_method]) if @options[:param_method].present?
-      methods
-    end
-
-    def namespace
-      @params[:controller].split('/')[0..-2]
-    end
-
-    def namespaced_name
-      [namespace, name].join('/').singularize.camelize.safe_constantize || name
-    end
-
-    def name_from_controller
-      @params[:controller].split('/').last.singularize
-    end
-
     def instance_name
       @options[:instance_name] || name
     end
@@ -312,12 +120,8 @@ module CanCan
       [:index] + Array(@options[:collection])
     end
 
-    def new_actions
-      [:new, :create] + Array(@options[:new])
-    end
-
     def save_actions
-      [:create, :update]
+      %i[create update]
     end
 
     private
@@ -326,8 +130,12 @@ module CanCan
       Array(options).include?(@params[:action].to_sym)
     end
 
-    def extract_key(value)
-      value.to_s.underscore.tr('/', '_')
+    def adapter
+      ModelAdapters::AbstractAdapter.adapter_class(resource_class)
+    end
+
+    def current_ability
+      @controller.send(:current_ability)
     end
   end
 end

data/lib/cancan/controller_resource_builder.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ControllerResourceBuilder
+    protected
+
+    def build_resource
+      resource = resource_base.new(resource_params || {})
+      assign_attributes(resource)
+    end
+
+    def assign_attributes(resource)
+      resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
+      initial_attributes.each do |attr_name, value|
+        resource.send("#{attr_name}=", value)
+      end
+      resource
+    end
+
+    def initial_attributes
+      current_ability.attributes_for(@params[:action].to_sym, resource_class).delete_if do |key, _value|
+        resource_params && resource_params.include?(key)
+      end
+    end
+  end
+end

data/lib/cancan/controller_resource_finder.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ControllerResourceFinder
+    protected
+
+    def find_resource
+      if @options[:singleton] && parent_resource.respond_to?(name)
+        parent_resource.send(name)
+      elsif @options[:find_by]
+        find_resource_using_find_by
+      else
+        adapter.find(resource_base, id_param)
+      end
+    end
+
+    def find_resource_using_find_by
+      find_by_dynamic_finder || find_by_find_by_finder || resource_base.send(@options[:find_by], id_param)
+    end
+
+    def find_by_dynamic_finder
+      method_name = "find_by_#{@options[:find_by]}!"
+      resource_base.send(method_name, id_param) if resource_base.respond_to? method_name
+    end
+
+    def find_by_find_by_finder
+      resource_base.find_by(@options[:find_by].to_sym => id_param) if resource_base.respond_to? :find_by
+    end
+
+    def id_param
+      @params[id_param_key].to_s if @params[id_param_key].present?
+    end
+
+    def id_param_key
+      if @options[:id_param]
+        @options[:id_param]
+      else
+        parent? ? :"#{name}_id" : :id
+      end
+    end
+  end
+end

data/lib/cancan/controller_resource_loader.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require_relative 'controller_resource_finder.rb'
+require_relative 'controller_resource_name_finder.rb'
+require_relative 'controller_resource_builder.rb'
+require_relative 'controller_resource_sanitizer.rb'
+module CanCan
+  module ControllerResourceLoader
+    include CanCan::ControllerResourceNameFinder
+    include CanCan::ControllerResourceFinder
+    include CanCan::ControllerResourceBuilder
+    include CanCan::ControllerResourceSanitizer
+
+    def load_resource
+      return if skip?(:load)
+
+      if load_instance?
+        self.resource_instance ||= load_resource_instance
+      elsif load_collection?
+        self.collection_instance ||= load_collection
+      end
+    end
+
+    protected
+
+    def new_actions
+      %i[new create] + Array(@options[:new])
+    end
+
+    def resource_params_by_key(key)
+      return unless @options[key] && @params.key?(extract_key(@options[key]))
+
+      @params[extract_key(@options[key])]
+    end
+
+    def resource_params_by_namespaced_name
+      resource_params_by_key(:instance_name) || resource_params_by_key(:class) || (
+      params = @params[extract_key(namespaced_name)]
+      params.respond_to?(:to_h) ? params : nil)
+    end
+
+    def resource_params
+      if parameters_require_sanitizing? && params_method.present?
+        sanitize_parameters
+      else
+        resource_params_by_namespaced_name
+      end
+    end
+
+    def fetch_parent(name)
+      if @controller.instance_variable_defined? "@#{name}"
+        @controller.instance_variable_get("@#{name}")
+      elsif @controller.respond_to?(name, true)
+        @controller.send(name)
+      end
+    end
+
+    # The object to load this resource through.
+    def parent_resource
+      parent_name && fetch_parent(parent_name)
+    end
+
+    def parent_name
+      @options[:through] && [@options[:through]].flatten.detect { |i| fetch_parent(i) }
+    end
+
+    def resource_base_through_parent_resource
+      if @options[:singleton]
+        resource_class
+      else
+        parent_resource.send(@options[:through_association] || name.to_s.pluralize)
+      end
+    end
+
+    def resource_base_through
+      if parent_resource
+        resource_base_through_parent_resource
+      elsif @options[:shallow]
+        resource_class
+      else
+        # maybe this should be a record not found error instead?
+        raise AccessDenied.new(nil, authorization_action, resource_class)
+      end
+    end
+
+    # The object that methods (such as "find", "new" or "build") are called on.
+    # If the :through option is passed it will go through an association on that instance.
+    # If the :shallow option is passed it will use the resource_class if there's no parent
+    # If the :singleton option is passed it won't use the association because it needs to be handled later.
+    def resource_base
+      @options[:through] ? resource_base_through : resource_class
+    end
+
+    def parent_authorization_action
+      @options[:parent_action] || :show
+    end
+
+    def authorization_action
+      parent? ? parent_authorization_action : @params[:action].to_sym
+    end
+
+    def load_collection
+      resource_base.accessible_by(current_ability, authorization_action)
+    end
+
+    def load_resource_instance
+      if !parent? && new_actions.include?(@params[:action].to_sym)
+        build_resource
+      elsif id_param || @options[:singleton]
+        find_resource
+      end
+    end
+
+    private
+
+    def extract_key(value)
+      value.to_s.underscore.tr('/', '_')
+    end
+  end
+end

data/lib/cancan/controller_resource_name_finder.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ControllerResourceNameFinder
+    protected
+
+    def name_from_controller
+      @params[:controller].split('/').last.singularize
+    end
+
+    def namespaced_name
+      [namespace, name].join('/').singularize.camelize.safe_constantize || name
+    end
+
+    def name
+      @name || name_from_controller
+    end
+
+    def namespace
+      @params[:controller].split('/')[0..-2]
+    end
+  end
+end

data/lib/cancan/controller_resource_sanitizer.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ControllerResourceSanitizer
+    protected
+
+    def sanitize_parameters
+      case params_method
+      when Symbol
+        @controller.send(params_method)
+      when String
+        @controller.instance_eval(params_method)
+      when Proc
+        params_method.call(@controller)
+      end
+    end
+
+    def params_methods
+      methods = ["#{@params[:action]}_params".to_sym, "#{name}_params".to_sym, :resource_params]
+      methods.unshift(@options[:param_method]) if @options[:param_method].present?
+      methods
+    end
+
+    def params_method
+      params_methods.each do |method|
+        return method if (method.is_a?(Symbol) && @controller.respond_to?(method, true)) ||
+                         method.is_a?(String) || method.is_a?(Proc)
+      end
+      nil
+    end
+  end
+end

data/lib/cancan/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # A general CanCan exception
   class Error < StandardError; end
@@ -8,9 +10,18 @@ module CanCan
   # Raised when removed code is called, an alternative solution is provided in message.
   class ImplementationRemoved < Error; end
 
-  # Raised when using check_authorization without calling authorized!
+  # Raised when using check_authorization without calling authorize!
   class AuthorizationNotPerformed < Error; end
 
+  # Raised when a rule is created with both a block and a hash of conditions
+  class BlockAndConditionsError < Error; end
+
+  # Raised when an unexpected argument is passed as an attribute
+  class AttributeArgumentError < Error; end
+
+  # Raised when using a wrong association name
+  class WrongAssociationName < Error; end
+
   # This error is raised when a user isn't allowed to access a given controller action.
   # This usually happens within a call to ControllerAdditions#authorize! but can be
   # raised manually.
@@ -30,21 +41,30 @@ module CanCan
   #   exception.default_message = "Default error message"
   #   exception.message # => "Default error message"
   #
-  # See ControllerAdditions#authorized! for more information on rescuing from this exception
+  # See ControllerAdditions#authorize! for more information on rescuing from this exception
   # and customizing the message using I18n.
   class AccessDenied < Error
-    attr_reader :action, :subject
+    attr_reader :action, :subject, :conditions
     attr_writer :default_message
 
-    def initialize(message = nil, action = nil, subject = nil)
+    def initialize(message = nil, action = nil, subject = nil, conditions = nil)
       @message = message
       @action = action
       @subject = subject
+      @conditions = conditions
       @default_message = I18n.t(:"unauthorized.default", default: 'You are not authorized to access this page.')
     end
 
     def to_s
       @message || @default_message
     end
+
+    def inspect
+      details = %i[action subject conditions message].map do |attribute|
+        value = instance_variable_get "@#{attribute}"
+        "#{attribute}: #{value.inspect}" if value.present?
+      end.compact.join(', ')
+      "#<#{self.class.name} #{details}>"
+    end
   end
 end

data/lib/cancan/matchers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 rspec_module = defined?(RSpec::Core) ? 'RSpec' : 'Spec' # RSpec 1 compatability
 
 if rspec_module == 'RSpec'
@@ -9,7 +11,16 @@ end
 
 Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
   match do |ability|
-    ability.can?(*args)
+    actions = args.first
+    if actions.is_a? Array
+      if actions.empty?
+        false
+      else
+        actions.all? { |action| ability.can?(action, *args[1..-1]) }
+      end
+    else
+      ability.can?(*args)
+    end
   end
 
   # Check that RSpec is < 2.99