cancancan 1.7.0

data/lib/cancan/rule.rb

@@ -0,0 +1,147 @@
+module CanCan
+  # This class is used internally and should only be called through Ability.
+  # it holds the information about a "can" call made on Ability and provides
+  # helpful methods to determine permission checking and conditions hash generation.
+  class Rule # :nodoc:
+    attr_reader :base_behavior, :subjects, :actions, :conditions
+    attr_writer :expanded_actions
+
+    # The first argument when initializing is the base_behavior which is a true/false
+    # value. True for "can" and false for "cannot". The next two arguments are the action
+    # and subject respectively (such as :read, @project). The third argument is a hash
+    # of conditions and the last one is the block passed to the "can" call.
+    def initialize(base_behavior, action, subject, conditions, block)
+      raise Error, "You are not able to supply a block with a hash of conditions in #{action} #{subject} ability. Use either one." if conditions.kind_of?(Hash) && !block.nil?
+      @match_all = action.nil? && subject.nil?
+      @base_behavior = base_behavior
+      @actions = [action].flatten
+      @subjects = [subject].flatten
+      @conditions = conditions || {}
+      @block = block
+    end
+
+    # Matches both the subject and action, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    # Matches the block or conditions hash
+    def matches_conditions?(action, subject, extra_args)
+      if @match_all
+        call_block_with_all(action, subject, extra_args)
+      elsif @block && !subject_class?(subject)
+        @block.call(subject, *extra_args)
+      elsif @conditions.kind_of?(Hash) && subject.class == Hash
+        nested_subject_matches_conditions?(subject)
+      elsif @conditions.kind_of?(Hash) && !subject_class?(subject)
+        matches_conditions_hash?(subject)
+      else
+        # Don't stop at "cannot" definitions when there are conditions.
+        conditions_empty? ? true : @base_behavior
+      end
+    end
+
+    def only_block?
+      conditions_empty? && !@block.nil?
+    end
+
+    def only_raw_sql?
+      @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
+    end
+
+    def conditions_empty?
+      @conditions == {} || @conditions.nil?
+    end
+
+    def unmergeable?
+      @conditions.respond_to?(:keys) && @conditions.present? &&
+        (!@conditions.keys.first.kind_of? Symbol)
+    end
+
+    def associations_hash(conditions = @conditions)
+      hash = {}
+      conditions.map do |name, value|
+        hash[name] = associations_hash(value) if value.kind_of? Hash
+      end if conditions.kind_of? Hash
+      hash
+    end
+
+    def attributes_from_conditions
+      attributes = {}
+      @conditions.each do |key, value|
+        attributes[key] = value unless [Array, Range, Hash].include? value.class
+      end if @conditions.kind_of? Hash
+      attributes
+    end
+
+    private
+
+    def subject_class?(subject)
+      klass = (subject.kind_of?(Hash) ? subject.values.first : subject).class
+      klass == Class || klass == Module
+    end
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? { |sub| sub.kind_of?(Module) && (subject.kind_of?(sub) || subject.class.to_s == sub.to_s || subject.kind_of?(Module) && subject.ancestors.include?(sub)) }
+    end
+
+    # Checks if the given subject matches the given conditions hash.
+    # This behavior can be overriden by a model adapter by defining two class methods:
+    # override_matching_for_conditions?(subject, conditions) and
+    # matches_conditions_hash?(subject, conditions)
+    def matches_conditions_hash?(subject, conditions = @conditions)
+      if conditions.empty?
+        true
+      else
+        if model_adapter(subject).override_conditions_hash_matching? subject, conditions
+          model_adapter(subject).matches_conditions_hash? subject, conditions
+        else
+          conditions.all? do |name, value|
+            if model_adapter(subject).override_condition_matching? subject, name, value
+              model_adapter(subject).matches_condition? subject, name, value
+            else
+              attribute = subject.send(name)
+              if value.kind_of?(Hash)
+                if attribute.kind_of?(Array) || attribute.kind_of?(ActiveRecord::Relation)
+                  attribute.any? { |element| matches_conditions_hash? element, value }
+                else
+                  !attribute.nil? && matches_conditions_hash?(attribute, value)
+                end
+              elsif !value.is_a?(String) && value.kind_of?(Enumerable)
+                value.include? attribute
+              else
+                attribute == value
+              end
+            end
+          end
+        end
+      end
+    end
+
+    def nested_subject_matches_conditions?(subject_hash)
+      parent, child = subject_hash.first
+      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
+    end
+
+    def call_block_with_all(action, subject, extra_args)
+      if subject.class == Class
+        @block.call(action, subject, nil, *extra_args)
+      else
+        @block.call(action, subject.class, subject, *extra_args)
+      end
+    end
+
+    def model_adapter(subject)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    end
+  end
+end

data/lib/cancancan.rb

@@ -0,0 +1 @@
+require 'cancan'

data/lib/generators/cancan/ability/USAGE

@@ -0,0 +1,4 @@
+Description:
+  The cancan:ability generator creates an Ability class in the models
+  directory. You can move this file anywhere you want as long as it
+  is in the load path.

data/lib/generators/cancan/ability/ability_generator.rb

@@ -0,0 +1,11 @@
+module Cancan
+  module Generators
+    class AbilityGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def generate_ability
+        copy_file "ability.rb", "app/models/ability.rb"
+      end
+    end
+  end
+end

data/lib/generators/cancan/ability/templates/ability.rb

@@ -0,0 +1,32 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    # Define abilities for the passed in user here. For example:
+    #
+    #   user ||= User.new # guest user (not logged in)
+    #   if user.admin?
+    #     can :manage, :all
+    #   else
+    #     can :read, :all
+    #   end
+    #
+    # The first argument to `can` is the action you are giving the user
+    # permission to do.
+    # If you pass :manage it will apply to every action. Other common actions
+    # here are :read, :create, :update and :destroy.
+    #
+    # The second argument is the resource the user can perform the action on.
+    # If you pass :all it will apply to every resource. Otherwise pass a Ruby
+    # class of the resource.
+    #
+    # The third argument is an optional hash of conditions to further filter the
+    # objects.
+    # For example, here the user can only update published articles.
+    #
+    #   can :update, Article, :published => true
+    #
+    # See the wiki for details:
+    # https://github.com/bryanrite/cancancan/wiki/Defining-Abilities
+  end
+end

data/spec/README.rdoc

@@ -0,0 +1,28 @@
+= CanCan Specs
+
+== Running the specs
+
+To run the specs first run the +bundle+ command to install the necessary gems and the +rake+ command to run the specs.
+
+  bundle
+  rake
+
+The specs currently require Ruby 1.8.7. Ruby 1.9.2 support will be coming soon.
+
+
+== Model Adapters
+
+CanCan offers separate specs for different model adapters (such as Mongoid and Data Mapper). By default it will use Active Record but you can change this by setting the +MODEL_ADAPTER+ environment variable before running. You can run the +bundle+ command with this as well to ensure you have the installed gems.
+
+  MODEL_ADAPTER=data_mapper bundle
+  MODEL_ADAPTER=data_mapper rake
+
+The different model adapters you can specify are:
+
+* active_record (default)
+* data_mapper
+* mongoid
+
+You can also run the +spec_all+ rake task to run specs for each adapter.
+
+  rake spec_all

data/spec/cancan/ability_spec.rb

@@ -0,0 +1,455 @@
+require "spec_helper"
+
+describe CanCan::Ability do
+  before(:each) do
+    (@ability = double).extend(CanCan::Ability)
+  end
+
+  it "is able to :read anything" do
+    @ability.can :read, :all
+    expect(@ability.can?(:read, String)).to be_true
+    expect(@ability.can?(:read, 123)).to be_true
+  end
+
+  it "does not have permission to do something it doesn't know about" do
+    expect(@ability.can?(:foodfight, String)).to be_false
+  end
+
+  it "passes true to `can?` when non false/nil is returned in block" do
+    @ability.can :read, :all
+    @ability.can :read, Symbol do |sym|
+      "foo" # TODO test that sym is nil when no instance is passed
+    end
+    expect(@ability.can?(:read, :some_symbol)).to be_true
+  end
+
+  it "passes nil to a block when no instance is passed" do
+    @ability.can :read, Symbol do |sym|
+      expect(sym).to be_nil
+      true
+    end
+    expect(@ability.can?(:read, Symbol)).to be_true
+  end
+
+  it "passes to previous rule, if block returns false or nil" do
+    @ability.can :read, Symbol
+    @ability.can :read, Integer do |i|
+      i < 5
+    end
+    @ability.can :read, Integer do |i|
+      i > 10
+    end
+    expect(@ability.can?(:read, Symbol)).to be_true
+    expect(@ability.can?(:read, 11)).to be_true
+    expect(@ability.can?(:read, 1)).to be_true
+    expect(@ability.can?(:read, 6)).to be_false
+  end
+
+  it "does not pass class with object if :all objects are accepted" do
+    @ability.can :preview, :all do |object|
+      expect(object).to eq(123)
+      @block_called = true
+    end
+    @ability.can?(:preview, 123)
+    expect(@block_called).to be_true
+  end
+
+  it "does not call block when only class is passed, only return true" do
+    @block_called = false
+    @ability.can :preview, :all do |object|
+      @block_called = true
+    end
+    expect(@ability.can?(:preview, Hash)).to be_true
+    expect(@block_called).to be_false
+  end
+
+  it "passes only object for global manage actions" do
+    @ability.can :manage, String do |object|
+      expect(object).to eq("foo")
+      @block_called = true
+    end
+    expect(@ability.can?(:stuff, "foo")).to be_true
+    expect(@block_called).to be_true
+  end
+
+  it "makes alias for update or destroy actions to modify action" do
+    @ability.alias_action :update, :destroy, :to => :modify
+    @ability.can :modify, :all
+    expect(@ability.can?(:update, 123)).to be_true
+    expect(@ability.can?(:destroy, 123)).to be_true
+  end
+
+  it "allows deeply nested aliased actions" do
+    @ability.alias_action :increment, :to => :sort
+    @ability.alias_action :sort, :to => :modify
+    @ability.can :modify, :all
+    expect(@ability.can?(:increment, 123)).to be_true
+  end
+
+  it "raises an Error if alias target is an exist action" do
+    expect { @ability.alias_action :show, :to => :show }.to raise_error(CanCan::Error, "You can't specify target (show) as alias because it is real action name")
+  end
+
+  it "always calls block with arguments when passing no arguments to can" do
+    @ability.can do |action, object_class, object|
+      expect(action).to eq(:foo)
+      expect(object_class).to eq(123.class)
+      expect(object).to eq(123)
+      @block_called = true
+    end
+    @ability.can?(:foo, 123)
+    expect(@block_called).to be_true
+  end
+
+  it "passes nil to object when comparing class with can check" do
+    @ability.can do |action, object_class, object|
+      expect(action).to eq(:foo)
+      expect(object_class).to eq(Hash)
+      expect(object).to be_nil
+      @block_called = true
+    end
+    @ability.can?(:foo, Hash)
+    expect(@block_called).to be_true
+  end
+
+  it "automatically makes alias for index and show into read calls" do
+    @ability.can :read, :all
+    expect(@ability.can?(:index, 123)).to be_true
+    expect(@ability.can?(:show, 123)).to be_true
+  end
+
+  it "automatically makes alias for new and edit into create and update respectively" do
+    @ability.can :create, :all
+    @ability.can :update, :all
+    expect(@ability.can?(:new, 123)).to be_true
+    expect(@ability.can?(:edit, 123)).to be_true
+  end
+
+  it "does not respond to prepare (now using initialize)" do
+    expect(@ability).to_not respond_to(:prepare)
+  end
+
+  it "offers cannot? method which is simply invert of can?" do
+    expect(@ability.cannot?(:tie, String)).to be_true
+  end
+
+  it "is able to specify multiple actions and match any" do
+    @ability.can [:read, :update], :all
+    expect(@ability.can?(:read, 123)).to be_true
+    expect(@ability.can?(:update, 123)).to be_true
+    expect(@ability.can?(:count, 123)).to be_false
+  end
+
+  it "is able to specify multiple classes and match any" do
+    @ability.can :update, [String, Range]
+    expect(@ability.can?(:update, "foo")).to be_true
+    expect(@ability.can?(:update, 1..3)).to be_true
+    expect(@ability.can?(:update, 123)).to be_false
+  end
+
+  it "supports custom objects in the rule" do
+    @ability.can :read, :stats
+    expect(@ability.can?(:read, :stats)).to be_true
+    expect(@ability.can?(:update, :stats)).to be_false
+    expect(@ability.can?(:read, :nonstats)).to be_false
+  end
+
+  it "checks ancestors of class" do
+    @ability.can :read, Numeric
+    expect(@ability.can?(:read, Integer)).to be_true
+    expect(@ability.can?(:read, 1.23)).to be_true
+    expect(@ability.can?(:read, "foo")).to be_false
+  end
+
+  it "supports 'cannot' method to define what user cannot do" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer
+    expect(@ability.can?(:read, "foo")).to be_true
+    expect(@ability.can?(:read, 123)).to be_false
+  end
+
+  it "passes to previous rule, if block returns false or nil" do
+    @ability.can :read, :all
+    @ability.cannot :read, Integer do |int|
+      int > 10 ? nil : ( int > 5 )
+    end
+    expect(@ability.can?(:read, "foo")).to be_true
+    expect(@ability.can?(:read, 3)).to be_true
+    expect(@ability.can?(:read, 8)).to be_false
+    expect(@ability.can?(:read, 123)).to be_true
+  end
+
+  it "always returns `false` for single cannot definition" do
+    @ability.cannot :read, Integer do |int|
+      int > 10 ? nil : ( int > 5 )
+    end
+    expect(@ability.can?(:read, "foo")).to be_false
+    expect(@ability.can?(:read, 3)).to be_false
+    expect(@ability.can?(:read, 8)).to be_false
+    expect(@ability.can?(:read, 123)).to be_false
+  end
+
+  it "passes to previous cannot definition, if block returns false or nil" do
+    @ability.cannot :read, :all
+    @ability.can :read, Integer do |int|
+      int > 10 ? nil : ( int > 5 )
+    end
+    expect(@ability.can?(:read, "foo")).to be_false
+    expect(@ability.can?(:read, 3)).to be_false
+    expect(@ability.can?(:read, 10)).to be_true
+    expect(@ability.can?(:read, 123)).to be_false
+  end
+
+  it "appends aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.alias_action :destroy, :to => :modify
+    expect(@ability.aliased_actions[:modify]).to eq([:update, :destroy])
+  end
+
+  it "clears aliased actions" do
+    @ability.alias_action :update, :to => :modify
+    @ability.clear_aliased_actions
+    expect(@ability.aliased_actions[:modify]).to be_nil
+  end
+
+  it "passes additional arguments to block from can?" do
+    @ability.can :read, Integer do |int, x|
+      int > x
+    end
+    expect(@ability.can?(:read, 2, 1)).to be_true
+    expect(@ability.can?(:read, 2, 3)).to be_false
+  end
+
+  it "uses conditions as third parameter and determine abilities from it" do
+    @ability.can :read, Range, :begin => 1, :end => 3
+    expect(@ability.can?(:read, 1..3)).to be_true
+    expect(@ability.can?(:read, 1..4)).to be_false
+    expect(@ability.can?(:read, Range)).to be_true
+  end
+
+  it "allows an array of options in conditions hash" do
+    @ability.can :read, Range, :begin => [1, 3, 5]
+    expect(@ability.can?(:read, 1..3)).to be_true
+    expect(@ability.can?(:read, 2..4)).to be_false
+    expect(@ability.can?(:read, 3..5)).to be_true
+  end
+
+  it "allows a range of options in conditions hash" do
+    @ability.can :read, Range, :begin => 1..3
+    expect(@ability.can?(:read, 1..10)).to be_true
+    expect(@ability.can?(:read, 3..30)).to be_true
+    expect(@ability.can?(:read, 4..40)).to be_false
+  end
+
+  it "allows nested hashes in conditions hash" do
+    @ability.can :read, Range, :begin => { :to_i => 5 }
+    expect(@ability.can?(:read, 5..7)).to be_true
+    expect(@ability.can?(:read, 6..8)).to be_false
+  end
+
+  it "matches any element passed in to nesting if it's an array (for has_many associations)" do
+    @ability.can :read, Range, :to_a => { :to_i => 3 }
+    expect(@ability.can?(:read, 1..5)).to be_true
+    expect(@ability.can?(:read, 4..6)).to be_false
+  end
+
+  it "accepts a set as a condition value" do
+    expect(object_with_foo_2 = double(:foo => 2)).to receive(:foo)
+    expect(object_with_foo_3 = double(:foo => 3)).to receive(:foo) 
+    @ability.can :read, Object, :foo => [1, 2, 5].to_set
+    expect(@ability.can?(:read, object_with_foo_2)).to be_true
+    expect(@ability.can?(:read, object_with_foo_3)).to be_false
+  end
+
+  it "does not match subjects return nil for methods that must match nested a nested conditions hash" do
+    expect(object_with_foo = double(:foo => :bar)).to receive(:foo)
+    @ability.can :read, Array, :first => { :foo => :bar }
+    expect(@ability.can?(:read, [object_with_foo])).to be_true
+    expect(@ability.can?(:read, [])).to be_false
+  end
+
+  it "matches strings but not substrings specified in a conditions hash" do
+    @ability.can :read, String, :presence => "declassified"
+    expect(@ability.can?(:read, "declassified")).to be_true
+    expect(@ability.can?(:read, "classified")).to be_false
+  end
+
+  it "does not stop at cannot definition when comparing class" do
+    @ability.can :read, Range
+    @ability.cannot :read, Range, :begin => 1
+    expect(@ability.can?(:read, 2..5)).to be_true
+    expect(@ability.can?(:read, 1..5)).to be_false
+    expect(@ability.can?(:read, Range)).to be_true
+  end
+
+  it "stops at cannot definition when no hash is present" do
+    @ability.can :read, :all
+    @ability.cannot :read, Range
+    expect(@ability.can?(:read, 1..5)).to be_false
+    expect(@ability.can?(:read, Range)).to be_false
+  end
+
+  it "allows to check ability for Module" do
+    module B; end
+    class A; include B; end
+    @ability.can :read, B
+    expect(@ability.can?(:read, A)).to be_true
+    expect(@ability.can?(:read, A.new)).to be_true
+  end
+
+  it "passes nil to a block for ability on Module when no instance is passed" do
+    module B; end
+    class A; include B; end
+    @ability.can :read, B do |sym|
+      expect(sym).to be_nil
+      true
+    end
+    expect(@ability.can?(:read, B)).to be_true
+    expect(@ability.can?(:read, A)).to be_true
+  end
+
+  it "checks permissions through association when passing a hash of subjects" do
+    @ability.can :read, Range, :string => {:length => 3}
+    expect(@ability.can?(:read, "foo" => Range)).to be_true
+    expect(@ability.can?(:read, "foobar" => Range)).to be_false
+    expect(@ability.can?(:read, 123 => Range)).to be_true
+  end
+
+  it "checks permissions correctly when passing a hash of subjects with multiple definitions" do
+    @ability.can :read, Range, :string => {:length => 4}
+    @ability.can [:create, :read], Range, :string => {:upcase => 'FOO'}
+    expect(@ability.can?(:read, "foo" => Range)).to be_true
+    expect(@ability.can?(:read, "foobar" => Range)).to be_false
+    expect(@ability.can?(:read, 1234 => Range)).to be_true
+  end
+
+  it "allows to check ability on Hash-like object" do
+    class Container < Hash; end
+    @ability.can :read, Container
+    expect(@ability.can?(:read, Container.new)).to be_true
+  end
+
+  it "has initial attributes based on hash conditions of 'new' action" do
+    @ability.can :manage, Range, :foo => "foo", :hash => {:skip => "hashes"}
+    @ability.can :create, Range, :bar => 123, :array => %w[skip arrays]
+    @ability.can :new, Range, :baz => "baz", :range => 1..3
+    @ability.cannot :new, Range, :ignore => "me"
+    expect(@ability.attributes_for(:new, Range)).to eq({:foo => "foo", :bar => 123, :baz => "baz"})
+  end
+
+  it "raises access denied exception if ability us unauthorized to perform a certain action" do
+    begin
+      @ability.authorize! :read, :foo, 1, 2, 3, :message => "Access denied!"
+    rescue CanCan::AccessDenied => e
+      expect(e.message).to eq("Access denied!")
+      expect(e.action).to eq(:read)
+      expect(e.subject).to eq(:foo)
+    else
+      fail "Expected CanCan::AccessDenied exception to be raised"
+    end
+  end
+
+  it "does not raise access denied exception if ability is authorized to perform an action and return subject" do
+    @ability.can :read, :foo
+    expect {
+      expect(@ability.authorize!(:read, :foo)).to eq(:foo)
+    }.to_not raise_error
+  end
+
+  it "knows when block is used in conditions" do
+    @ability.can :read, :foo
+    expect(@ability).to_not have_block(:read, :foo)
+    @ability.can :read, :foo do |foo|
+      false
+    end
+    expect(@ability).to have_block(:read, :foo)
+  end
+
+  it "knows when raw sql is used in conditions" do
+    @ability.can :read, :foo
+    expect(@ability).to_not have_raw_sql(:read, :foo)
+    @ability.can :read, :foo, 'false'
+    expect(@ability).to have_raw_sql(:read, :foo)
+  end
+
+  it "raises access denied exception with default message if not specified" do
+    begin
+      @ability.authorize! :read, :foo
+    rescue CanCan::AccessDenied => e
+      e.default_message = "Access denied!"
+      expect(e.message).to eq("Access denied!")
+    else
+      fail "Expected CanCan::AccessDenied exception to be raised"
+    end
+  end
+
+  it "determines model adapterO class by asking AbstractAdapter" do
+    adapter_class, model_class = double, double
+    allow(CanCan::ModelAdapters::AbstractAdapter).to receive(:adapter_class).with(model_class) { adapter_class }
+    allow(adapter_class).to receive(:new).with(model_class, []) { :adapter_instance }
+    expect(@ability.model_adapter(model_class, :read)).to eq(:adapter_instance)
+  end
+
+  it "raises an error when attempting to use a block with a hash condition since it's not likely what they want" do
+    expect {
+      @ability.can :read, Array, :published => true do
+        false
+      end
+    }.to raise_error(CanCan::Error, "You are not able to supply a block with a hash of conditions in read Array ability. Use either one.")
+  end
+
+  describe "unauthorized message" do
+    after(:each) do
+      I18n.backend = nil
+    end
+
+    it "uses action/subject in i18n" do
+      I18n.backend.store_translations :en, :unauthorized => {:update => {:array => "foo"}}
+      expect(@ability.unauthorized_message(:update, Array)).to eq("foo")
+      expect(@ability.unauthorized_message(:update, [1, 2, 3])).to eq("foo")
+      expect(@ability.unauthorized_message(:update, :missing)).to be_nil
+    end
+
+    it "uses symbol as subject directly" do
+      I18n.backend.store_translations :en, :unauthorized => {:has => {:cheezburger => "Nom nom nom. I eated it."}}
+      expect(@ability.unauthorized_message(:has, :cheezburger)).to eq("Nom nom nom. I eated it.")
+    end
+
+    it "falls back to 'manage' and 'all'" do
+      I18n.backend.store_translations :en, :unauthorized => {
+        :manage => {:all => "manage all", :array => "manage array"},
+        :update => {:all => "update all", :array => "update array"}
+      }
+      expect(@ability.unauthorized_message(:update, Array)).to eq("update array")
+      expect(@ability.unauthorized_message(:update, Hash)).to eq("update all")
+      expect(@ability.unauthorized_message(:foo, Array)).to eq("manage array")
+      expect(@ability.unauthorized_message(:foo, Hash)).to eq("manage all")
+    end
+
+    it "follows aliased actions" do
+      I18n.backend.store_translations :en, :unauthorized => {:modify => {:array => "modify array"}}
+      @ability.alias_action :update, :to => :modify
+      expect(@ability.unauthorized_message(:update, Array)).to eq("modify array")
+      expect(@ability.unauthorized_message(:edit, Array)).to eq("modify array")
+    end
+
+    it "has variables for action and subject" do
+      I18n.backend.store_translations :en, :unauthorized => {:manage => {:all => "%{action} %{subject}"}} # old syntax for now in case testing with old I18n
+      expect(@ability.unauthorized_message(:update, Array)).to eq("update array")
+      expect(@ability.unauthorized_message(:update, ArgumentError)).to eq("update argument error")
+      expect(@ability.unauthorized_message(:edit, 1..3)).to eq("edit range")
+    end
+  end
+
+  describe "#merge" do
+    it "adds the rules from the given ability" do
+      @ability.can :use, :tools
+      (another_ability = double).extend(CanCan::Ability)
+      another_ability.can :use, :search
+
+      @ability.merge(another_ability)
+      expect(@ability.can?(:use, :search)).to be_true
+      expect(@ability.send(:rules).size).to eq(2)
+    end
+  end
+end