cancancan 1.17.0 → 3.5.0

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -1,9 +1,13 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class AbstractAdapter
+      attr_reader :model_class
+
       def self.inherited(subclass)
         @subclasses ||= []
-        @subclasses << subclass
+        @subclasses.insert(0, subclass)
       end
 
       def self.adapter_class(model_class)
@@ -31,6 +35,23 @@ module CanCan
         raise NotImplemented, 'This model adapter does not support matching on a conditions hash.'
       end
 
+      # Override if parent condition could be under a different key in conditions
+      def self.parent_condition_name(parent, _child)
+        parent.class.name.downcase.to_sym
+      end
+
+      # Used above override_conditions_hash_matching to determine if this model adapter will override the
+      # matching behavior for nested subject.
+      # If this returns true then nested_subject_matches_conditions? will be called.
+      def self.override_nested_subject_conditions_matching?(_parent, _child, _all_conditions)
+        false
+      end
+
+      # Override if override_nested_subject_conditions_matching? returns true
+      def self.nested_subject_matches_conditions?(_parent, _child, _all_conditions)
+        raise NotImplemented, 'This model adapter does not support matching on a nested subject.'
+      end
+
       # Used to determine if this model adapter will override the matching behavior for a specific condition.
       # If this returns true then matches_condition? will be called. See Rule#matches_conditions_hash
       def self.override_condition_matching?(_subject, _name, _value)

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -1,29 +1,30 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    class ActiveRecord4Adapter < AbstractAdapter
-      include ActiveRecordAdapter
-      def self.for_class?(model_class)
-        model_class <= ActiveRecord::Base
-      end
+    class ActiveRecord4Adapter < ActiveRecordAdapter
+      AbstractAdapter.inherited(self)
+
+      class << self
+        def for_class?(model_class)
+          version_lower?('5.0.0') && model_class <= ActiveRecord::Base
+        end
 
-      # TODO: this should be private
-      def self.override_condition_matching?(subject, name, _value)
-        # ActiveRecord introduced enums in version 4.1.
-        (ActiveRecord::VERSION::MAJOR > 4 || ActiveRecord::VERSION::MINOR >= 1) &&
+        def override_condition_matching?(subject, name, _value)
           subject.class.defined_enums.include?(name.to_s)
-      end
+        end
 
-      # TODO: this should be private
-      def self.matches_condition?(subject, name, value)
-        # Get the mapping from enum strings to values.
-        enum = subject.class.send(name.to_s.pluralize)
-        # Get the value of the attribute as an integer.
-        attribute = enum[subject.send(name)]
-        # Check to see if the value matches the condition.
-        if value.is_a?(Enumerable)
-          value.include? attribute
-        else
-          attribute == value
+        def matches_condition?(subject, name, value)
+          # Get the mapping from enum strings to values.
+          enum = subject.class.send(name.to_s.pluralize)
+          # Get the value of the attribute as an integer.
+          attribute = enum[subject.send(name)]
+          # Check to see if the value matches the condition.
+          if value.is_a?(Enumerable)
+            value.include? attribute
+          else
+            attribute == value
+          end
         end
       end
 
@@ -33,19 +34,14 @@ module CanCan
       # look inside the where clause to decide to outer join tables
       # you're using in the where. Instead, `references()` is required
       # in addition to `includes()` to force the outer join.
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
-        relation
+      def build_joins_relation(relation, *_where_conditions)
+        relation.includes(joins).references(joins)
       end
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
-        if ActiveRecord::VERSION::MAJOR > 4 && conditions.is_a?(Hash)
-          sanitize_sql_activerecord5(conditions)
-        elsif ActiveRecord::VERSION::MINOR >= 2 && conditions.is_a?(Hash)
+        if self.class.version_greater_or_equal?('4.2.0') && conditions.is_a?(Hash)
           sanitize_sql_activerecord4(conditions)
-
         else
           @model_class.send(:sanitize_sql, conditions)
         end
@@ -61,21 +57,6 @@ module CanCan
           @model_class.send(:connection).visitor.compile b
         end.join(' AND ')
       end
-
-      def sanitize_sql_activerecord5(conditions)
-        table = @model_class.send(:arel_table)
-        table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
-        predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
-
-        conditions = predicate_builder.resolve_column_aliases(conditions)
-        conditions = @model_class.send(:expand_hash_conditions_for_aggregates, conditions)
-
-        conditions.stringify_keys!
-
-        predicate_builder.build_from_hash(conditions).map do |b|
-          @model_class.send(:connection).visitor.compile b
-        end.join(' AND ')
-      end
     end
   end
 end

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ModelAdapters
+    class ActiveRecord5Adapter < ActiveRecord4Adapter
+      AbstractAdapter.inherited(self)
+
+      def self.for_class?(model_class)
+        version_greater_or_equal?('5.0.0') && model_class <= ActiveRecord::Base
+      end
+
+      # rails 5 is capable of using strings in enum
+      # but often people use symbols in rules
+      def self.matches_condition?(subject, name, value)
+        return super if Array.wrap(value).all? { |x| x.is_a? Integer }
+
+        attribute = subject.send(name)
+        raw_attribute = subject.class.send(name.to_s.pluralize)[attribute]
+        !(Array(value).map(&:to_s) & [attribute, raw_attribute]).empty?
+      end
+
+      private
+
+      def build_joins_relation(relation, *where_conditions)
+        strategy_class.new(adapter: self, relation: relation, where_conditions: where_conditions).execute!
+      end
+
+      def strategy_class
+        strategy_class_name = CanCan.accessible_by_strategy.to_s.camelize
+        CanCan::ModelAdapters::Strategies.const_get(strategy_class_name)
+      end
+
+      def sanitize_sql(conditions)
+        if conditions.is_a?(Hash)
+          sanitize_sql_activerecord5(conditions)
+        else
+          @model_class.send(:sanitize_sql, conditions)
+        end
+      end
+
+      def sanitize_sql_activerecord5(conditions)
+        table = @model_class.send(:arel_table)
+        table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
+        predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
+
+        predicate_builder.build_from_hash(conditions.stringify_keys).map { |b| visit_nodes(b) }.join(' AND ')
+      end
+
+      def visit_nodes(node)
+        # Rails 5.2 adds a BindParam node that prevents the visitor method from properly compiling the SQL query
+        if self.class.version_greater_or_equal?('5.2.0')
+          connection = @model_class.send(:connection)
+          collector = Arel::Collectors::SubstituteBinds.new(connection, Arel::Collectors::SQLString.new)
+          connection.visitor.accept(node, collector).value
+        else
+          @model_class.send(:connection).visitor.compile(node)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,6 +1,96 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    module ActiveRecordAdapter
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.version_greater_or_equal?(version)
+        Gem::Version.new(ActiveRecord.version).release >= Gem::Version.new(version)
+      end
+
+      def self.version_lower?(version)
+        Gem::Version.new(ActiveRecord.version).release < Gem::Version.new(version)
+      end
+
+      attr_reader :compressed_rules
+
+      def initialize(model_class, rules)
+        super
+        @compressed_rules = if CanCan.rules_compressor_enabled
+                              RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+                            else
+                              @rules
+                            end
+        StiNormalizer.normalize(@compressed_rules)
+        ConditionsNormalizer.normalize(model_class, @compressed_rules)
+      end
+
+      class << self
+        # When belongs_to parent_id is a condition for a model,
+        # we want to check the parent when testing ability for a hash {parent => model}
+        def override_nested_subject_conditions_matching?(parent, child, all_conditions)
+          parent_child_conditions(parent, child, all_conditions).present?
+        end
+
+        # parent_id condition can be an array of integer or one integer, we check the parent against this
+        def nested_subject_matches_conditions?(parent, child, all_conditions)
+          id_condition = parent_child_conditions(parent, child, all_conditions)
+          return id_condition.include?(parent.id) if id_condition.is_a? Array
+          return id_condition == parent.id if id_condition.is_a? Integer
+
+          false
+        end
+
+        def parent_child_conditions(parent, child, all_conditions)
+          child_class = child.is_a?(Class) ? child : child.class
+          parent_class = parent.is_a?(Class) ? parent : parent.class
+
+          foreign_key = child_class.reflect_on_all_associations(:belongs_to).find do |association|
+            # Do not match on polymorphic associations or it will throw an error (klass cannot be determined)
+            !association.polymorphic? && association.klass == parent.class
+          end&.foreign_key&.to_sym
+
+          # Search again in case of polymorphic associations, this time matching on the :has_many side
+          # via the :as option, as well as klass
+          foreign_key ||= parent_class.reflect_on_all_associations(:has_many).find do |has_many_assoc|
+            !matching_parent_child_polymorphic_association(has_many_assoc, child_class).nil?
+          end&.foreign_key&.to_sym
+
+          foreign_key.nil? ? nil : all_conditions[foreign_key]
+        end
+
+        def matching_parent_child_polymorphic_association(parent_assoc, child_class)
+          return nil unless parent_assoc.klass == child_class
+          return nil if parent_assoc&.options[:as].nil?
+  
+          child_class.reflect_on_all_associations(:belongs_to).find do |child_assoc|
+            # Only match this way for polymorphic associations
+            child_assoc.polymorphic? && child_assoc.name == parent_assoc.options[:as]
+          end
+        end
+
+        def child_association_to_parent(parent, child)
+          child_class = child.is_a?(Class) ? child : child.class
+          parent_class = parent.is_a?(Class) ? parent : parent.class
+
+          association = child_class.reflect_on_all_associations(:belongs_to).find do |association|
+            # Do not match on polymorphic associations or it will throw an error (klass cannot be determined)
+            !association.polymorphic? && association.klass == parent.class
+          end
+
+          return association unless association.nil?
+
+          parent_class.reflect_on_all_associations(:has_many).each do |has_many_assoc|
+            association ||= matching_parent_child_polymorphic_association(has_many_assoc, child_class)
+          end
+
+          association
+        end
+
+        def parent_condition_name(parent, child)
+          child_association_to_parent(parent, child)&.name || parent.class.name.downcase.to_sym
+        end
+      end
+
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
       #
@@ -17,95 +107,99 @@ module CanCan
       #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
       #
       def conditions
-        if @rules.size == 1 && @rules.first.base_behavior
+        conditions_extractor = ConditionsExtractor.new(@model_class)
+        if @compressed_rules.size == 1 && @compressed_rules.first.base_behavior
           # Return the conditions directly if there's just one definition
-          tableized_conditions(@rules.first.conditions).dup
+          conditions_extractor.tableize_conditions(@compressed_rules.first.conditions).dup
         else
-          @rules.reverse.inject(false_sql) do |sql, rule|
-            merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior)
-          end
+          extract_multiple_conditions(conditions_extractor, @compressed_rules)
         end
       end
 
-      def tableized_conditions(conditions, model_class = @model_class)
-        return conditions unless conditions.is_a? Hash
-        conditions.each_with_object({}) do |(name, value), result_hash|
-          if value.is_a? Hash
-            value = value.dup
-            association_class = model_class.reflect_on_association(name).klass.name.constantize
-            nested_resulted = value.each_with_object({}) do |(k, v), nested|
-              if v.is_a? Hash
-                value.delete(k)
-                nested[k] = v
-              else
-                result_hash[model_class.reflect_on_association(name).table_name.to_sym] = value
-              end
-              nested
-            end
-            result_hash.merge!(tableized_conditions(nested_resulted, association_class))
-          else
-            result_hash[name] = value
-          end
-          result_hash
+      def extract_multiple_conditions(conditions_extractor, rules)
+        rules.reverse.inject(false_sql) do |sql, rule|
+          merge_conditions(sql, conditions_extractor.tableize_conditions(rule.conditions).dup, rule.base_behavior)
+        end
+      end
+
+      def database_records
+        if override_scope
+          @model_class.where(nil).merge(override_scope)
+        elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
+          build_relation(conditions)
+        else
+          @model_class.all(conditions: conditions, joins: joins)
         end
       end
 
+      def build_relation(*where_conditions)
+        relation = @model_class.where(*where_conditions)
+        return relation unless joins.present?
+
+        # subclasses must implement `build_joins_relation`
+        build_joins_relation(relation, *where_conditions)
+      end
+
       # Returns the associations used in conditions for the :joins option of a search.
       # See ModelAdditions#accessible_by
       def joins
         joins_hash = {}
-        @rules.each do |rule|
-          merge_joins(joins_hash, rule.associations_hash)
+        @compressed_rules.reverse_each do |rule|
+          deep_merge(joins_hash, rule.associations_hash)
         end
-        clean_joins(joins_hash) unless joins_hash.empty?
+        deep_clean(joins_hash) unless joins_hash.empty?
       end
 
-      def database_records
-        if override_scope
-          @model_class.where(nil).merge(override_scope)
-        elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
-          if mergeable_conditions?
-            build_relation(conditions)
+      private
+
+      # Removes empty hashes and moves everything into arrays.
+      def deep_clean(joins_hash)
+        joins_hash.map { |name, nested| nested.empty? ? name : { name => deep_clean(nested) } }
+      end
+
+      # Takes two hashes and does a deep merge.
+      def deep_merge(base_hash, added_hash)
+        added_hash.each do |key, value|
+          if base_hash[key].is_a?(Hash)
+            deep_merge(base_hash[key], value) unless value.empty?
           else
-            build_relation(*@rules.map(&:conditions))
+            base_hash[key] = value
           end
-        else
-          @model_class.all(conditions: conditions, joins: joins)
         end
       end
 
-      private
+      def override_scope
+        conditions = @compressed_rules.map(&:conditions).compact
+        return unless conditions.any? { |c| c.is_a?(ActiveRecord::Relation) }
+        return conditions.first if conditions.size == 1
 
-      def mergeable_conditions?
-        @rules.find(&:unmergeable?).blank?
+        raise_override_scope_error
       end
 
-      def override_scope
-        conditions = @rules.map(&:conditions).compact
-        return unless defined?(ActiveRecord::Relation) && conditions.any? { |c| c.is_a?(ActiveRecord::Relation) }
-        if conditions.size == 1
-          conditions.first
-        else
-          rule_found = @rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
-          raise Error,
-                'Unable to merge an Active Record scope with other conditions. '\
-                "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."
-        end
+      def raise_override_scope_error
+        rule_found = @compressed_rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
+        raise Error,
+              'Unable to merge an Active Record scope with other conditions. ' \
+              "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."
       end
 
       def merge_conditions(sql, conditions_hash, behavior)
         if conditions_hash.blank?
           behavior ? true_sql : false_sql
         else
-          conditions = sanitize_sql(conditions_hash)
-          case sql
-          when true_sql
-            behavior ? true_sql : "not (#{conditions})"
-          when false_sql
-            behavior ? conditions : false_sql
-          else
-            behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
-          end
+          merge_non_empty_conditions(behavior, conditions_hash, sql)
+        end
+      end
+
+      def merge_non_empty_conditions(behavior, conditions_hash, sql)
+        conditions = sanitize_sql(conditions_hash)
+        case sql
+        when true_sql
+          behavior ? true_sql : "not (#{conditions})"
+        when false_sql
+          behavior ? conditions : false_sql
+        else
+          behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
         end
       end
 
@@ -120,30 +214,10 @@ module CanCan
       def sanitize_sql(conditions)
         @model_class.send(:sanitize_sql, conditions)
       end
-
-      # Takes two hashes and does a deep merge.
-      def merge_joins(base, add)
-        add.each do |name, nested|
-          if base[name].is_a?(Hash)
-            merge_joins(base[name], nested) unless nested.empty?
-          else
-            base[name] = nested
-          end
-        end
-      end
-
-      # Removes empty hashes and moves everything into arrays.
-      def clean_joins(joins_hash)
-        joins = []
-        joins_hash.each do |name, nested|
-          joins << (nested.empty? ? name : { name => clean_joins(nested) })
-        end
-        joins
-      end
     end
   end
 end
 
-ActiveRecord::Base.class_eval do
-  include CanCan::ModelAdditions
+ActiveSupport.on_load(:active_record) do
+  send :include, CanCan::ModelAdditions
 end

data/lib/cancan/model_adapters/conditions_extractor.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+# this class is responsible of converting the hash of conditions
+# in "where conditions" to generate the sql query
+# it consists of a names_cache that helps calculating the next name given to the association
+# it tries to reflect the behavior of ActiveRecord when generating aliases for tables.
+module CanCan
+  module ModelAdapters
+    class ConditionsExtractor
+      def initialize(model_class)
+        @names_cache = { model_class.table_name => [] }.with_indifferent_access
+        @root_model_class = model_class
+      end
+
+      def tableize_conditions(conditions, model_class = @root_model_class, path_to_key = 0)
+        return conditions unless conditions.is_a? Hash
+
+        conditions.each_with_object({}) do |(key, value), result_hash|
+          if value.is_a? Hash
+            result_hash.merge!(calculate_result_hash(key, model_class, path_to_key, result_hash, value))
+          else
+            result_hash[key] = value
+          end
+          result_hash
+        end
+      end
+
+      private
+
+      def calculate_result_hash(key, model_class, path_to_key, result_hash, value)
+        reflection = model_class.reflect_on_association(key)
+        nested_resulted = calculate_nested(model_class, result_hash, key, value.dup, path_to_key)
+        association_class = reflection.klass.name.constantize
+        tableize_conditions(nested_resulted, association_class, "#{path_to_key}_#{key}")
+      end
+
+      def calculate_nested(model_class, result_hash, relation_name, value, path_to_key)
+        value.each_with_object({}) do |(k, v), nested|
+          if v.is_a? Hash
+            value.delete(k)
+            nested[k] = v
+          else
+            table_alias = generate_table_alias(model_class, relation_name, path_to_key)
+            result_hash[table_alias] = value
+          end
+          nested
+        end
+      end
+
+      def generate_table_alias(model_class, relation_name, path_to_key)
+        table_alias = model_class.reflect_on_association(relation_name).table_name.to_sym
+
+        if already_used?(table_alias, relation_name, path_to_key)
+          table_alias = "#{relation_name.to_s.pluralize}_#{model_class.table_name}".to_sym
+
+          index = 1
+          while already_used?(table_alias, relation_name, path_to_key)
+            table_alias = "#{table_alias}_#{index += 1}".to_sym
+          end
+        end
+        add_to_cache(table_alias, relation_name, path_to_key)
+      end
+
+      def already_used?(table_alias, relation_name, path_to_key)
+        @names_cache[table_alias].try(:exclude?, "#{path_to_key}_#{relation_name}")
+      end
+
+      def add_to_cache(table_alias, relation_name, path_to_key)
+        @names_cache[table_alias] ||= []
+        @names_cache[table_alias] << "#{path_to_key}_#{relation_name}"
+        table_alias
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -0,0 +1,49 @@
+# this class is responsible of normalizing the hash of conditions
+# by exploding has_many through associations
+# when a condition is defined with an has_many through association this is exploded in all its parts
+# TODO: it could identify STI and normalize it
+module CanCan
+  module ModelAdapters
+    class ConditionsNormalizer
+      class << self
+        def normalize(model_class, rules)
+          rules.each { |rule| rule.conditions = normalize_conditions(model_class, rule.conditions) }
+        end
+
+        def normalize_conditions(model_class, conditions)
+          return conditions unless conditions.is_a? Hash
+
+          conditions.each_with_object({}) do |(key, value), result_hash|
+            if value.is_a? Hash
+              result_hash.merge!(calculate_result_hash(model_class, key, value))
+            else
+              result_hash[key] = value
+            end
+            result_hash
+          end
+        end
+
+        private
+
+        def calculate_result_hash(model_class, key, value)
+          reflection = model_class.reflect_on_association(key)
+          unless reflection
+            raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
+          end
+
+          if normalizable_association? reflection
+            key = reflection.options[:through]
+            value = { reflection.source_reflection_name => value }
+            reflection = model_class.reflect_on_association(key)
+          end
+
+          { key => normalize_conditions(reflection.klass.name.constantize, value) }
+        end
+
+        def normalizable_association?(reflection)
+          reflection.options[:through].present? && !reflection.options[:source_type].present?
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/default_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class DefaultAdapter < AbstractAdapter

data/lib/cancan/model_adapters/sti_normalizer.rb

@@ -0,0 +1,47 @@
+require_relative '../sti_detector'
+
+# this class is responsible for detecting sti classes and creating new rules for the
+# relevant subclasses, using the inheritance_column as a merger
+module CanCan
+  module ModelAdapters
+    class StiNormalizer
+      class << self
+        def normalize(rules)
+          rules_cache = []
+          return unless defined?(ActiveRecord::Base)
+
+          rules.delete_if do |rule|
+            subjects = rule.subjects.select do |subject|
+              update_rule(subject, rule, rules_cache)
+            end
+            subjects.length == rule.subjects.length
+          end
+          rules_cache.each { |rule| rules.push(rule) }
+        end
+
+        private
+
+        def update_rule(subject, rule, rules_cache)
+          return false unless StiDetector.sti_class?(subject)
+
+          rules_cache.push(build_rule_for_subclass(rule, subject))
+          true
+        end
+
+        # create a new rule for the subclasses that links on the inheritance_column
+        def build_rule_for_subclass(rule, subject)
+          sti_conditions = { subject.inheritance_column => subject.sti_name }
+          new_rule_conditions =
+            if rule.with_scope?
+              rule.conditions.where(sti_conditions)
+            else
+              rule.conditions.merge(sti_conditions)
+            end
+
+          CanCan::Rule.new(rule.base_behavior, rule.actions, subject.superclass,
+                           new_rule_conditions, rule.block)
+        end
+      end
+    end
+  end
+end