cancancan 1.7.0

data/lib/cancan/exceptions.rb

@@ -0,0 +1,50 @@
+module CanCan
+  # A general CanCan exception
+  class Error < StandardError; end
+
+  # Raised when behavior is not implemented, usually used in an abstract class.
+  class NotImplemented < Error; end
+
+  # Raised when removed code is called, an alternative solution is provided in message.
+  class ImplementationRemoved < Error; end
+
+  # Raised when using check_authorization without calling authorized!
+  class AuthorizationNotPerformed < Error; end
+
+  # This error is raised when a user isn't allowed to access a given controller action.
+  # This usually happens within a call to ControllerAdditions#authorize! but can be
+  # raised manually.
+  #
+  #   raise CanCan::AccessDenied.new("Not authorized!", :read, Article)
+  #
+  # The passed message, action, and subject are optional and can later be retrieved when
+  # rescuing from the exception.
+  #
+  #   exception.message # => "Not authorized!"
+  #   exception.action # => :read
+  #   exception.subject # => Article
+  #
+  # If the message is not specified (or is nil) it will default to "You are not authorized
+  # to access this page." This default can be overridden by setting default_message.
+  #
+  #   exception.default_message = "Default error message"
+  #   exception.message # => "Default error message"
+  #
+  # See ControllerAdditions#authorized! for more information on rescuing from this exception
+  # and customizing the message using I18n.
+  class AccessDenied < Error
+    attr_reader :action, :subject
+    attr_writer :default_message
+
+    def initialize(message = nil, action = nil, subject = nil)
+      @message = message
+      @action = action
+      @subject = subject
+      @default_message = I18n.t(:"unauthorized.default", :default => "You are not authorized to access this page.")
+    end
+
+    def to_s
+      @message || @default_message
+    end
+  end
+end

data/lib/cancan/inherited_resource.rb

@@ -0,0 +1,20 @@
+module CanCan
+  # For use with Inherited Resources
+  class InheritedResource < ControllerResource # :nodoc:
+    def load_resource_instance
+      if parent?
+        @controller.send :association_chain
+        @controller.instance_variable_get("@#{instance_name}")
+      elsif new_actions.include? @params[:action].to_sym
+        resource = @controller.send :build_resource
+        assign_attributes(resource)
+      else
+        @controller.send :resource
+      end
+    end
+
+    def resource_base
+      @controller.send :end_of_association_chain
+    end
+  end
+end

data/lib/cancan/matchers.rb

@@ -0,0 +1,14 @@
+rspec_module = defined?(RSpec::Core) ? 'RSpec' : 'Spec'  # for RSpec 1 compatability
+Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
+  match do |ability|
+    ability.can?(*args)
+  end
+
+  failure_message_for_should do |ability|
+    "expected to be able to #{args.map(&:inspect).join(" ")}"
+  end
+
+  failure_message_for_should_not do |ability|
+    "expected not to be able to #{args.map(&:inspect).join(" ")}"
+  end
+end

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -0,0 +1,56 @@
+module CanCan
+  module ModelAdapters
+    class AbstractAdapter
+      def self.inherited(subclass)
+        @subclasses ||= []
+        @subclasses << subclass
+      end
+
+      def self.adapter_class(model_class)
+        @subclasses.detect { |subclass| subclass.for_class?(model_class) } || DefaultAdapter
+      end
+
+      # Used to determine if the given adapter should be used for the passed in class.
+      def self.for_class?(member_class)
+        false # override in subclass
+      end
+
+      # Override if you need custom find behavior
+      def self.find(model_class, id)
+        model_class.find(id)
+      end
+
+      # Used to determine if this model adapter will override the matching behavior for a hash of conditions.
+      # If this returns true then matches_conditions_hash? will be called. See Rule#matches_conditions_hash
+      def self.override_conditions_hash_matching?(subject, conditions)
+        false
+      end
+
+      # Override if override_conditions_hash_matching? returns true
+      def self.matches_conditions_hash?(subject, conditions)
+        raise NotImplemented, "This model adapter does not support matching on a conditions hash."
+      end
+
+      # Used to determine if this model adapter will override the matching behavior for a specific condition.
+      # If this returns true then matches_condition? will be called. See Rule#matches_conditions_hash
+      def self.override_condition_matching?(subject, name, value)
+        false
+      end
+
+      # Override if override_condition_matching? returns true
+      def self.matches_condition?(subject, name, value)
+        raise NotImplemented, "This model adapter does not support matching on a specific condition."
+      end
+
+      def initialize(model_class, rules)
+        @model_class = model_class
+        @rules = rules
+      end
+
+      def database_records
+        # This should be overridden in a subclass to return records which match @rules
+        raise NotImplemented, "This model adapter does not support fetching records from the database."
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -0,0 +1,180 @@
+module CanCan
+  module ModelAdapters
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= ActiveRecord::Base
+      end
+
+      def self.override_condition_matching?(subject, name, value)
+        name.kind_of?(MetaWhere::Column) if defined? MetaWhere
+      end
+
+      def self.matches_condition?(subject, name, value)
+        subject_value = subject.send(name.column)
+        if name.method.to_s.ends_with? "_any"
+          value.any? { |v| meta_where_match? subject_value, name.method.to_s.sub("_any", ""), v }
+        elsif name.method.to_s.ends_with? "_all"
+          value.all? { |v| meta_where_match? subject_value, name.method.to_s.sub("_all", ""), v }
+        else
+          meta_where_match? subject_value, name.method, value
+        end
+      end
+
+      def self.meta_where_match?(subject_value, method, value)
+        case method.to_sym
+        when :eq      then subject_value == value
+        when :not_eq  then subject_value != value
+        when :in      then value.include?(subject_value)
+        when :not_in  then !value.include?(subject_value)
+        when :lt      then subject_value < value
+        when :lteq    then subject_value <= value
+        when :gt      then subject_value > value
+        when :gteq    then subject_value >= value
+        when :matches then subject_value =~ Regexp.new("^" + Regexp.escape(value).gsub("%", ".*") + "$", true)
+        when :does_not_match then !meta_where_match?(subject_value, :matches, value)
+        else raise NotImplemented, "The #{method} MetaWhere condition is not supported."
+        end
+      end
+
+      # Returns conditions intended to be used inside a database query. Normally you will not call this
+      # method directly, but instead go through ModelAdditions#accessible_by.
+      #
+      # If there is only one "can" definition, a hash of conditions will be returned matching the one defined.
+      #
+      #   can :manage, User, :id => 1
+      #   query(:manage, User).conditions # => { :id => 1 }
+      #
+      # If there are multiple "can" definitions, a SQL string will be returned to handle complex cases.
+      #
+      #   can :manage, User, :id => 1
+      #   can :manage, User, :manager_id => 1
+      #   cannot :manage, User, :self_managed => true
+      #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
+      #
+      def conditions
+        if @rules.size == 1 && @rules.first.base_behavior
+          # Return the conditions directly if there's just one definition
+          tableized_conditions(@rules.first.conditions).dup
+        else
+          @rules.reverse.inject(false_sql) do |sql, rule|
+            merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior)
+          end
+        end
+      end
+
+      def tableized_conditions(conditions, model_class = @model_class)
+        return conditions unless conditions.kind_of? Hash
+        conditions.inject({}) do |result_hash, (name, value)|
+          if value.kind_of? Hash
+            value = value.dup
+            association_class = model_class.reflect_on_association(name).class_name.constantize
+            nested = value.inject({}) do |nested,(k,v)|
+              if v.kind_of? Hash
+                value.delete(k)
+                nested[k] = v
+              else
+                result_hash[model_class.reflect_on_association(name).table_name.to_sym] = value
+              end
+              nested
+            end
+            result_hash.merge!(tableized_conditions(nested,association_class))
+          else
+            result_hash[name] = value
+          end
+          result_hash
+        end
+      end
+
+      # Returns the associations used in conditions for the :joins option of a search.
+      # See ModelAdditions#accessible_by
+      def joins
+        joins_hash = {}
+        @rules.each do |rule|
+          merge_joins(joins_hash, rule.associations_hash)
+        end
+        clean_joins(joins_hash) unless joins_hash.empty?
+      end
+
+      def database_records
+        if override_scope
+          @model_class.scoped.merge(override_scope)
+        elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
+          mergeable_conditions = @rules.select {|rule| rule.unmergeable? }.blank?
+          if mergeable_conditions
+            @model_class.where(conditions).includes(joins)
+          else
+            @model_class.where(*(@rules.map(&:conditions))).includes(joins)
+          end
+        else
+          @model_class.scoped(:conditions => conditions, :joins => joins)
+        end
+      end
+
+      private
+
+      def override_scope
+        conditions = @rules.map(&:conditions).compact
+        if defined?(ActiveRecord::Relation) && conditions.any? { |c| c.kind_of?(ActiveRecord::Relation) }
+          if conditions.size == 1
+            conditions.first
+          else
+            rule = @rules.detect { |rule| rule.conditions.kind_of?(ActiveRecord::Relation) }
+            raise Error, "Unable to merge an Active Record scope with other conditions. Instead use a hash or SQL for #{rule.actions.first} #{rule.subjects.first} ability."
+          end
+        end
+      end
+
+      def merge_conditions(sql, conditions_hash, behavior)
+        if conditions_hash.blank?
+          behavior ? true_sql : false_sql
+        else
+          conditions = sanitize_sql(conditions_hash)
+          case sql
+          when true_sql
+            behavior ? true_sql : "not (#{conditions})"
+          when false_sql
+            behavior ? conditions : false_sql
+          else
+            behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
+          end
+        end
+      end
+
+      def false_sql
+        sanitize_sql(['?=?', true, false])
+      end
+
+      def true_sql
+        sanitize_sql(['?=?', true, true])
+      end
+
+      def sanitize_sql(conditions)
+        @model_class.send(:sanitize_sql, conditions)
+      end
+
+      # Takes two hashes and does a deep merge.
+      def merge_joins(base, add)
+        add.each do |name, nested|
+          if base[name].is_a?(Hash)
+            merge_joins(base[name], nested) unless nested.empty?
+          else
+            base[name] = nested
+          end
+        end
+      end
+
+      # Removes empty hashes and moves everything into arrays.
+      def clean_joins(joins_hash)
+        joins = []
+        joins_hash.each do |name, nested|
+          joins << (nested.empty? ? name : {name => clean_joins(nested)})
+        end
+        joins
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.class_eval do
+  include CanCan::ModelAdditions
+end

data/lib/cancan/model_adapters/data_mapper_adapter.rb

@@ -0,0 +1,34 @@
+module CanCan
+  module ModelAdapters
+    class DataMapperAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= DataMapper::Resource
+      end
+
+      def self.find(model_class, id)
+        model_class.get(id)
+      end
+
+      def self.override_conditions_hash_matching?(subject, conditions)
+        conditions.any? { |k,v| !k.kind_of?(Symbol) }
+      end
+
+      def self.matches_conditions_hash?(subject, conditions)
+        collection = DataMapper::Collection.new(subject.query, [ subject ])
+        !!collection.first(conditions)
+      end
+
+      def database_records
+        scope = @model_class.all(:conditions => ["0 = 1"])
+        cans, cannots = @rules.partition { |r| r.base_behavior }
+        return scope if cans.empty?
+        # apply unions first, then differences. this mean cannot overrides can
+        cans.each    { |r| scope += @model_class.all(:conditions => r.conditions) }
+        cannots.each { |r| scope -= @model_class.all(:conditions => r.conditions) }
+        scope
+      end
+    end # class DataMapper
+  end # module ModelAdapters
+end # module CanCan
+
+DataMapper::Model.append_extensions(CanCan::ModelAdditions::ClassMethods)

data/lib/cancan/model_adapters/default_adapter.rb

@@ -0,0 +1,7 @@
+module CanCan
+  module ModelAdapters
+    class DefaultAdapter < AbstractAdapter
+      # This adapter is used when no matching adapter is found
+    end
+  end
+end

data/lib/cancan/model_adapters/mongoid_adapter.rb

@@ -0,0 +1,54 @@
+module CanCan
+  module ModelAdapters
+    class MongoidAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= Mongoid::Document
+      end
+
+      def self.override_conditions_hash_matching?(subject, conditions)
+        conditions.any? do |k,v|
+          key_is_not_symbol = lambda { !k.kind_of?(Symbol) }
+          subject_value_is_array = lambda do
+            subject.respond_to?(k) && subject.send(k).is_a?(Array)
+          end
+
+          key_is_not_symbol.call || subject_value_is_array.call
+        end
+      end
+
+      def self.matches_conditions_hash?(subject, conditions)
+        # To avoid hitting the db, retrieve the raw Mongo selector from
+        # the Mongoid Criteria and use Mongoid::Matchers#matches?
+        subject.matches?( subject.class.where(conditions).selector )
+      end
+
+      def database_records
+        if @rules.size == 0
+          @model_class.where(:_id => {'$exists' => false, '$type' => 7}) # return no records in Mongoid
+        elsif @rules.size == 1 && @rules[0].conditions.is_a?(Mongoid::Criteria)
+          @rules[0].conditions
+        else
+          # we only need to process can rules if
+          # there are no rules with empty conditions
+          rules = @rules.reject { |rule| rule.conditions.empty? && rule.base_behavior }
+          process_can_rules = @rules.count == rules.count
+
+          rules.inject(@model_class.all) do |records, rule|
+            if process_can_rules && rule.base_behavior
+              records.or rule.conditions
+            elsif !rule.base_behavior
+              records.excludes rule.conditions
+            else
+              records
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+# simplest way to add `accessible_by` to all Mongoid Documents
+module Mongoid::Document::ClassMethods
+  include CanCan::ModelAdditions::ClassMethods
+end

data/lib/cancan/model_additions.rb

@@ -0,0 +1,31 @@
+module CanCan
+
+  # This module adds the accessible_by class method to a model. It is included in the model adapters.
+  module ModelAdditions
+    module ClassMethods
+      # Returns a scope which fetches only the records that the passed ability
+      # can perform a given action on. The action defaults to :index. This
+      # is usually called from a controller and passed the +current_ability+.
+      #
+      #   @articles = Article.accessible_by(current_ability)
+      #
+      # Here only the articles which the user is able to read will be returned.
+      # If the user does not have permission to read any articles then an empty
+      # result is returned. Since this is a scope it can be combined with any
+      # other scopes or pagination.
+      #
+      # An alternative action can optionally be passed as a second argument.
+      #
+      #   @articles = Article.accessible_by(current_ability, :update)
+      #
+      # Here only the articles which the user can update are returned.
+      def accessible_by(ability, action = :index)
+        ability.model_adapter(self, action).database_records
+      end
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+  end
+end