cancancan 1.17.0 → 3.5.0

data/lib/cancan/model_adapters/strategies/base.rb

@@ -0,0 +1,40 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class Base
+        attr_reader :adapter, :relation, :where_conditions
+
+        delegate(
+          :compressed_rules,
+          :extract_multiple_conditions,
+          :joins,
+          :model_class,
+          :quoted_primary_key,
+          :quoted_aliased_table_name,
+          :quoted_table_name,
+          to: :adapter
+        )
+        delegate :connection, :quoted_primary_key, to: :model_class
+        delegate :quote_table_name, to: :connection
+
+        def initialize(adapter:, relation:, where_conditions:)
+          @adapter = adapter
+          @relation = relation
+          @where_conditions = where_conditions
+        end
+
+        def aliased_table_name
+          @aliased_table_name ||= "#{model_class.table_name}_alias"
+        end
+
+        def quoted_aliased_table_name
+          @quoted_aliased_table_name ||= quote_table_name(aliased_table_name)
+        end
+
+        def quoted_table_name
+          @quoted_table_name ||= quote_table_name(model_class.table_name)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: false
+
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class JoinedAliasEachRuleAsExistsSubquery < Base
+        def execute!
+          model_class
+            .joins(
+              "JOIN #{quoted_table_name} AS #{quoted_aliased_table_name} ON " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key} = #{quoted_table_name}.#{quoted_primary_key}"
+            )
+            .where(double_exists_sql)
+        end
+
+        def double_exists_sql
+          double_exists_sql = ''
+
+          compressed_rules.each_with_index do |rule, index|
+            double_exists_sql << ' OR ' if index.positive?
+            double_exists_sql << "EXISTS (#{sub_query_for_rule(rule).to_sql})"
+          end
+
+          double_exists_sql
+        end
+
+        def sub_query_for_rule(rule)
+          conditions_extractor = ConditionsExtractor.new(model_class)
+          rule_where_conditions = extract_multiple_conditions(conditions_extractor, [rule])
+          joins_hash, left_joins_hash = extract_joins_from_rule(rule)
+          sub_query_for_rules_and_join_hashes(rule_where_conditions, joins_hash, left_joins_hash)
+        end
+
+        def sub_query_for_rules_and_join_hashes(rule_where_conditions, joins_hash, left_joins_hash)
+          model_class
+            .select('1')
+            .joins(joins_hash)
+            .left_joins(left_joins_hash)
+            .where(
+              "#{quoted_table_name}.#{quoted_primary_key} = " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key}"
+            )
+            .where(rule_where_conditions)
+            .limit(1)
+        end
+
+        def extract_joins_from_rule(rule)
+          joins = {}
+          left_joins = {}
+
+          extra_joins_recursive([], rule.conditions, joins, left_joins)
+          [joins, left_joins]
+        end
+
+        def extra_joins_recursive(current_path, conditions, joins, left_joins)
+          conditions.each do |key, value|
+            if value.is_a?(Hash)
+              current_path << key
+              extra_joins_recursive(current_path, value, joins, left_joins)
+              current_path.pop
+            else
+              extra_joins_recursive_merge_joins(current_path, value, joins, left_joins)
+            end
+          end
+        end
+
+        def extra_joins_recursive_merge_joins(current_path, value, joins, left_joins)
+          hash_joins = current_path_to_hash(current_path)
+
+          if value.nil?
+            left_joins.deep_merge!(hash_joins)
+          else
+            joins.deep_merge!(hash_joins)
+          end
+        end
+
+        # Converts an array like [:child, :grand_child] into a hash like {child: {grand_child: {}}
+        def current_path_to_hash(current_path)
+          hash_joins = {}
+          current_hash_joins = hash_joins
+
+          current_path.each do |path_part|
+            new_hash = {}
+            current_hash_joins[path_part] = new_hash
+            current_hash_joins = new_hash
+          end
+
+          hash_joins
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/joined_alias_exists_subquery.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class JoinedAliasExistsSubquery < Base
+        def execute!
+          model_class
+            .joins(
+              "JOIN #{quoted_table_name} AS #{quoted_aliased_table_name} ON " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key} = #{quoted_table_name}.#{quoted_primary_key}"
+            )
+            .where("EXISTS (#{joined_alias_exists_subquery_inner_query.to_sql})")
+        end
+
+        def joined_alias_exists_subquery_inner_query
+          model_class
+            .unscoped
+            .select('1')
+            .left_joins(joins)
+            .where(*where_conditions)
+            .where(
+              "#{quoted_table_name}.#{quoted_primary_key} = " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key}"
+            )
+            .limit(1)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/left_join.rb

@@ -0,0 +1,11 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class LeftJoin < Base
+        def execute!
+          relation.left_joins(joins).distinct
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/subquery.rb

@@ -0,0 +1,18 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class Subquery < Base
+        def execute!
+          build_joins_relation_subquery(where_conditions)
+        end
+
+        def build_joins_relation_subquery(where_conditions)
+          inner = model_class.unscoped do
+            model_class.left_joins(joins).where(*where_conditions)
+          end
+          model_class.where(model_class.primary_key => inner)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module adds the accessible_by class method to a model. It is included in the model adapters.
   module ModelAdditions
@@ -18,8 +20,10 @@ module CanCan
       #   @articles = Article.accessible_by(current_ability, :update)
       #
       # Here only the articles which the user can update are returned.
-      def accessible_by(ability, action = :index)
-        ability.model_adapter(self, action).database_records
+      def accessible_by(ability, action = :index, strategy: CanCan.accessible_by_strategy)
+        CanCan.with_accessible_by_strategy(strategy) do
+          ability.model_adapter(self, action).database_records
+        end
       end
     end
 

data/lib/cancan/parameter_validators.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ParameterValidators
+    def valid_attribute_param?(attribute)
+      attribute.nil? || attribute.is_a?(Symbol) || (attribute.is_a?(Array) && attribute.all? { |a| a.is_a?(Symbol) })
+    end
+  end
+end

data/lib/cancan/relevant.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Relevant
+    # Matches both the action, subject, and attribute, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    private
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? do |sub|
+        sub.is_a?(Module) && (subject.is_a?(sub) ||
+            subject.class.to_s == sub.to_s ||
+            (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      end
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,47 +1,64 @@
+# frozen_string_literal: true
+
+require_relative 'conditions_matcher.rb'
+require_relative 'class_matcher.rb'
+require_relative 'relevant.rb'
+
 module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
-    attr_reader :base_behavior, :subjects, :actions, :conditions
-    attr_writer :expanded_actions
+    include ConditionsMatcher
+    include Relevant
+    include ParameterValidators
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes, :block
+    attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
     # value. True for "can" and false for "cannot". The next two arguments are the action
     # and subject respectively (such as :read, @project). The third argument is a hash
     # of conditions and the last one is the block passed to the "can" call.
-    def initialize(base_behavior, action, subject, conditions, block)
-      both_block_and_hash_error = 'You are not able to supply a block with a hash of conditions in '\
-                                  "#{action} #{subject} ability. Use either one."
-      raise Error, both_block_and_hash_error if conditions.is_a?(Hash) && block
+    def initialize(base_behavior, action, subject, *extra_args, &block)
+      # for backwards compatibility, attributes are an optional parameter. Check if
+      # attributes were passed or are actually conditions
+      attributes, extra_args = parse_attributes_from_extra_args(extra_args)
+      condition_and_block_check(extra_args, block, action, subject)
       @match_all = action.nil? && subject.nil?
+      raise Error, "Subject is required for #{action}" if action && subject.nil?
+
       @base_behavior = base_behavior
-      @actions = [action].flatten
-      @subjects = [subject].flatten
-      @conditions = conditions || {}
+      @actions = wrap(action)
+      @subjects = wrap(subject)
+      @attributes = wrap(attributes)
+      @conditions = extra_args || {}
       @block = block
     end
 
-    # Matches both the subject and action, not necessarily the conditions
-    def relevant?(action, subject)
-      subject = subject.values.first if subject.class == Hash
-      @match_all || (matches_action?(action) && matches_subject?(subject))
-    end
+    def inspect
+      repr = "#<#{self.class.name}"
+      repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
 
-    # Matches the block or conditions hash
-    def matches_conditions?(action, subject, extra_args)
-      if @match_all
-        call_block_with_all(action, subject, extra_args)
-      elsif @block && !subject_class?(subject)
-        @block.call(subject, *extra_args)
-      elsif @conditions.is_a?(Hash) && subject.class == Hash
-        nested_subject_matches_conditions?(subject)
-      elsif @conditions.is_a?(Hash) && !subject_class?(subject)
-        matches_conditions_hash?(subject)
-      else
-        # Don't stop at "cannot" definitions when there are conditions.
-        conditions_empty? ? true : @base_behavior
+      if with_scope?
+        repr += ", #{@conditions.where_values_hash}"
+      elsif [Hash, String].include?(@conditions.class)
+        repr += ", #{@conditions.inspect}"
       end
+
+      repr + '>'
+    end
+
+    def can_rule?
+      base_behavior
+    end
+
+    def cannot_catch_all?
+      !can_rule? && catch_all?
+    end
+
+    def catch_all?
+      (with_scope? && @conditions.where_values_hash.empty?) ||
+        (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
     def only_block?
@@ -52,13 +69,8 @@ module CanCan
       @block.nil? && !conditions_empty? && !@conditions.is_a?(Hash)
     end
 
-    def conditions_empty?
-      @conditions == {} || @conditions.nil?
-    end
-
-    def unmergeable?
-      @conditions.respond_to?(:keys) && @conditions.present? &&
-        (!@conditions.keys.first.is_a? Symbol)
+    def with_scope?
+      defined?(ActiveRecord) && @conditions.is_a?(ActiveRecord::Relation)
     end
 
     def associations_hash(conditions = @conditions)
@@ -81,13 +93,15 @@ module CanCan
       attributes
     end
 
-    private
+    def matches_attributes?(attribute)
+      return true if @attributes.empty?
+      return @base_behavior if attribute.nil?
 
-    def subject_class?(subject)
-      klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
-      klass == Class || klass == Module
+      @attributes.include?(attribute.to_sym)
     end
 
+    private
+
     def matches_action?(action)
       @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
     end
@@ -97,66 +111,29 @@ module CanCan
     end
 
     def matches_subject_class?(subject)
-      @subjects.any? do |sub|
-        sub.is_a?(Module) && (subject.is_a?(sub) ||
-                                 subject.class.to_s == sub.to_s ||
-                                 (subject.is_a?(Module) && subject.ancestors.include?(sub)))
-      end
+      SubjectClassMatcher.matches_subject_class?(@subjects, subject)
     end
 
-    # Checks if the given subject matches the given conditions hash.
-    # This behavior can be overriden by a model adapter by defining two class methods:
-    # override_matching_for_conditions?(subject, conditions) and
-    # matches_conditions_hash?(subject, conditions)
-    def matches_conditions_hash?(subject, conditions = @conditions)
-      return true if conditions.empty?
-      adapter = model_adapter(subject)
-
-      if adapter.override_conditions_hash_matching?(subject, conditions)
-        return adapter.matches_conditions_hash?(subject, conditions)
-      end
-
-      conditions.all? do |name, value|
-        if adapter.override_condition_matching?(subject, name, value)
-          adapter.matches_condition?(subject, name, value)
-        else
-          condition_match?(subject.send(name), value)
-        end
-      end
+    def parse_attributes_from_extra_args(args)
+      attributes = args.shift if valid_attribute_param?(args.first)
+      extra_args = args.shift
+      [attributes, extra_args]
     end
 
-    def nested_subject_matches_conditions?(subject_hash)
-      parent, _child = subject_hash.first
-      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
-    end
+    def condition_and_block_check(conditions, block, action, subject)
+      return unless conditions.is_a?(Hash) && block
 
-    def call_block_with_all(action, subject, extra_args)
-      if subject.class == Class
-        @block.call(action, subject, nil, *extra_args)
-      else
-        @block.call(action, subject.class, subject, *extra_args)
-      end
-    end
-
-    def model_adapter(subject)
-      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
-    end
-
-    def condition_match?(attribute, value)
-      case value
-      when Hash       then hash_condition_match?(attribute, value)
-      when String     then attribute == value
-      when Range      then value.cover?(attribute)
-      when Enumerable then value.include?(attribute)
-      else attribute == value
-      end
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. ' \
+        "Check \":#{action} #{subject}\" ability."
     end
 
-    def hash_condition_match?(attribute, value)
-      if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
-        attribute.any? { |element| matches_conditions_hash?(element, value) }
+    def wrap(object)
+      if object.nil?
+        []
+      elsif object.respond_to?(:to_ary)
+        object.to_ary || [object]
       else
-        attribute && matches_conditions_hash?(attribute, value)
+        [object]
       end
     end
   end

data/lib/cancan/rules_compressor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative 'conditions_matcher.rb'
+module CanCan
+  class RulesCompressor
+    attr_reader :initial_rules, :rules_collapsed
+
+    def initialize(rules)
+      @initial_rules = rules
+      @rules_collapsed = compress(@initial_rules)
+    end
+
+    def compress(array)
+      idx = array.rindex(&:catch_all?)
+      return array unless idx
+
+      value = array[idx]
+      array[idx..-1]
+        .drop_while { |n| n.base_behavior == value.base_behavior }
+        .tap { |a| a.unshift(value) unless value.cannot_catch_all? }
+    end
+  end
+end

data/lib/cancan/sti_detector.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class StiDetector
+  def self.sti_class?(subject)
+    return false unless defined?(ActiveRecord::Base)
+    return false unless subject.respond_to?(:descends_from_active_record?)
+    return false if subject == :all || subject.descends_from_active_record?
+    return false unless subject < ActiveRecord::Base
+
+    true
+  end
+end

data/lib/cancan/unauthorized_message_resolver.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CanCan
+  module UnauthorizedMessageResolver
+    def unauthorized_message(action, subject)
+      subject = subject.values.last if subject.is_a?(Hash)
+      keys = unauthorized_message_keys(action, subject)
+      variables = {}
+      variables[:action] = I18n.translate("actions.#{action}", default: action.to_s)
+      variables[:subject] = translate_subject(subject)
+      message = I18n.translate(keys.shift, **variables.merge(scope: :unauthorized, default: keys + ['']))
+      message.blank? ? nil : message
+    end
+
+    def translate_subject(subject)
+      klass = (subject.class == Class ? subject : subject.class)
+      if klass.respond_to?(:model_name)
+        klass.model_name.human
+      else
+        klass.to_s.underscore.humanize.downcase
+      end
+    end
+  end
+end

data/lib/cancan/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
-  VERSION = '1.17.0'.freeze
+  VERSION = '3.5.0'.freeze
 end

data/lib/cancan.rb

@@ -1,24 +1,29 @@
+# frozen_string_literal: true
+
 require 'cancan/version'
+require 'cancan/config'
+require 'cancan/parameter_validators'
 require 'cancan/ability'
 require 'cancan/rule'
 require 'cancan/controller_resource'
 require 'cancan/controller_additions'
 require 'cancan/model_additions'
 require 'cancan/exceptions'
-require 'cancan/inherited_resource'
 
 require 'cancan/model_adapters/abstract_adapter'
 require 'cancan/model_adapters/default_adapter'
+require 'cancan/rules_compressor'
 
 if defined? ActiveRecord
+  require 'cancan/model_adapters/conditions_extractor'
+  require 'cancan/model_adapters/conditions_normalizer'
+  require 'cancan/model_adapters/sti_normalizer'
   require 'cancan/model_adapters/active_record_adapter'
-  if ActiveRecord.respond_to?(:version) &&
-     ActiveRecord.version >= Gem::Version.new('4')
-    require 'cancan/model_adapters/active_record_4_adapter'
-  else
-    require 'cancan/model_adapters/active_record_3_adapter'
-  end
+  require 'cancan/model_adapters/active_record_4_adapter'
+  require 'cancan/model_adapters/active_record_5_adapter'
+  require 'cancan/model_adapters/strategies/base'
+  require 'cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery'
+  require 'cancan/model_adapters/strategies/joined_alias_exists_subquery'
+  require 'cancan/model_adapters/strategies/left_join'
+  require 'cancan/model_adapters/strategies/subquery'
 end
-
-require 'cancan/model_adapters/mongoid_adapter' if defined?(Mongoid) && defined?(Mongoid::Document)
-require 'cancan/model_adapters/sequel_adapter' if defined? Sequel

data/lib/cancancan.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'cancan'
 
 module CanCanCan

data/lib/generators/cancan/ability/ability_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Cancan
   module Generators
     class AbilityGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path('templates', __dir__)
 
       def generate_ability
         copy_file 'ability.rb', 'app/models/ability.rb'

data/lib/generators/cancan/ability/templates/ability.rb

@@ -1,15 +1,15 @@
+# frozen_string_literal: true
+
 class Ability
   include CanCan::Ability
 
   def initialize(user)
-    # Define abilities for the passed in user here. For example:
+    # Define abilities for the user here. For example:
     #
-    #   user ||= User.new # guest user (not logged in)
-    #   if user.admin?
-    #     can :manage, :all
-    #   else
-    #     can :read, :all
-    #   end
+    #   return unless user.present?
+    #   can :read, :all
+    #   return unless user.admin?
+    #   can :manage, :all
     #
     # The first argument to `can` is the action you are giving the user
     # permission to do.
@@ -24,9 +24,9 @@ class Ability
     # objects.
     # For example, here the user can only update published articles.
     #
-    #   can :update, Article, :published => true
+    #   can :update, Article, published: true
     #
     # See the wiki for details:
-    # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
+    # https://github.com/CanCanCommunity/cancancan/blob/develop/docs/define_check_abilities.md
   end
 end