cancancan 1.7.0

data/spec/cancan/model_adapters/data_mapper_adapter_spec.rb

@@ -0,0 +1,118 @@
+if ENV["MODEL_ADAPTER"] == "data_mapper"
+  require "spec_helper"
+
+  DataMapper.setup(:default, 'sqlite::memory:')
+
+  class Article
+    include DataMapper::Resource
+    property :id, Serial
+    property :published, Boolean, :default => false
+    property :secret, Boolean, :default => false
+    property :priority, Integer
+    has n, :comments
+  end
+
+  class Comment
+    include DataMapper::Resource
+    property :id, Serial
+    property :spam, Boolean, :default => false
+    belongs_to :article
+  end
+
+  DataMapper.finalize
+  DataMapper.auto_migrate!
+
+  describe CanCan::ModelAdapters::DataMapperAdapter do
+    before(:each) do
+      Article.destroy
+      Comment.destroy
+      (@ability = double).extend(CanCan::Ability)
+    end
+
+    it "is for only data mapper classes" do
+      expect(CanCan::ModelAdapters::DataMapperAdapter).not_to be_for_class(Object)
+      expect(CanCan::ModelAdapters::DataMapperAdapter).to be_for_class(Article)
+      expect(CanCan::ModelAdapters::AbstractAdapter.adapter_class(Article)).to eq(CanCan::ModelAdapters::DataMapperAdapter)
+    end
+
+    it "finds record" do
+      article = Article.create
+      expect(CanCan::ModelAdapters::DataMapperAdapter.find(Article, article.id)).to eq(article)
+    end
+
+    it "does not fetch any records when no abilities are defined" do
+      Article.create
+      expect(Article.accessible_by(@ability)).to be_empty
+    end
+
+    it "fetches all articles when one can read all" do
+      @ability.can :read, Article
+      article = Article.create
+      expect(Article.accessible_by(@ability)).to eq([article])
+    end
+
+    it "fetches only the articles that are published" do
+      @ability.can :read, Article, :published => true
+      article1 = Article.create(:published => true)
+      article2 = Article.create(:published => false)
+      expect(Article.accessible_by(@ability)).to eq([article1])
+    end
+
+    it "fetches any articles which are published or secret" do
+      @ability.can :read, Article, :published => true
+      @ability.can :read, Article, :secret => true
+      article1 = Article.create(:published => true, :secret => false)
+      article2 = Article.create(:published => true, :secret => true)
+      article3 = Article.create(:published => false, :secret => true)
+      article4 = Article.create(:published => false, :secret => false)
+      expect(Article.accessible_by(@ability)).to eq([article1, article2, article3])
+    end
+
+    it "fetches only the articles that are published and not secret" do
+      @ability.can :read, Article, :published => true
+      @ability.cannot :read, Article, :secret => true
+      article1 = Article.create(:published => true, :secret => false)
+      article2 = Article.create(:published => true, :secret => true)
+      article3 = Article.create(:published => false, :secret => true)
+      article4 = Article.create(:published => false, :secret => false)
+      expect(Article.accessible_by(@ability)).to eq([article1])
+    end
+
+    it "only reads comments for articles which are published" do
+      @ability.can :read, Comment, :article => { :published => true }
+      comment1 = Comment.create(:article => Article.create!(:published => true))
+      comment2 = Comment.create(:article => Article.create!(:published => false))
+      expect(Comment.accessible_by(@ability)).to eq([comment1])
+    end
+
+    it "allows conditions in SQL and merge with hash conditions" do
+      @ability.can :read, Article, :published => true
+      @ability.can :read, Article, ["secret=?", true]
+      article1 = Article.create(:published => true, :secret => false)
+      article4 = Article.create(:published => false, :secret => false)
+      expect(Article.accessible_by(@ability)).to eq([article1])
+    end
+
+    it "matches gt comparison" do
+      @ability.can :read, Article, :priority.gt => 3
+      article1 = Article.create(:priority => 4)
+      article2 = Article.create(:priority => 3)
+      expect(Article.accessible_by(@ability)).to eq([article1])
+      expect(@ability).to be_able_to(:read, article1)
+      expect(@ability).not_to be_able_to(:read, article2)
+    end
+
+    it "matches gte comparison" do
+      @ability.can :read, Article, :priority.gte => 3
+      article1 = Article.create(:priority => 4)
+      article2 = Article.create(:priority => 3)
+      article3 = Article.create(:priority => 2)
+      expect(Article.accessible_by(@ability)).to eq([article1, article2])
+      expect(@ability).to be_able_to(:read, article1)
+      expect(@ability).to be_able_to(:read, article2)
+      expect(@ability).not_to be_able_to(:read, article3)
+    end
+
+    # TODO: add more comparison specs
+  end
+end

data/spec/cancan/model_adapters/default_adapter_spec.rb

@@ -0,0 +1,7 @@
+require "spec_helper"
+
+describe CanCan::ModelAdapters::DefaultAdapter do
+  it "is default for generic classes" do
+    expect(CanCan::ModelAdapters::AbstractAdapter.adapter_class(Object)).to eq(CanCan::ModelAdapters::DefaultAdapter)
+  end
+end

data/spec/cancan/model_adapters/mongoid_adapter_spec.rb

@@ -0,0 +1,226 @@
+if ENV["MODEL_ADAPTER"] == "mongoid"
+  require "spec_helper"
+
+  class MongoidCategory
+    include Mongoid::Document
+
+    references_many :mongoid_projects
+  end
+
+  class MongoidProject
+    include Mongoid::Document
+
+    referenced_in :mongoid_category
+  end
+
+  Mongoid.configure do |config|
+    config.master = Mongo::Connection.new('127.0.0.1', 27017).db("cancan_mongoid_spec")
+  end
+
+  describe CanCan::ModelAdapters::MongoidAdapter do
+    context "Mongoid defined" do
+      before(:each) do
+        (@ability = double).extend(CanCan::Ability)
+      end
+
+      after(:each) do
+        Mongoid.master.collections.select do |collection|
+          collection.name !~ /system/
+        end.each(&:drop)
+      end
+
+      it "is for only Mongoid classes" do
+        expect(CanCan::ModelAdapters::MongoidAdapter).not_to be_for_class(Object)
+        expect(CanCan::ModelAdapters::MongoidAdapter).to be_for_class(MongoidProject)
+        expect(CanCan::ModelAdapters::AbstractAdapter.adapter_class(MongoidProject)).to eq(CanCan::ModelAdapters::MongoidAdapter)
+      end
+
+      it "finds record" do
+        project = MongoidProject.create
+        expect(CanCan::ModelAdapters::MongoidAdapter.find(MongoidProject, project.id)).to eq(project)
+      end
+
+      it "compares properties on mongoid documents with the conditions hash" do
+        model = MongoidProject.new
+        @ability.can :read, MongoidProject, :id => model.id
+        expect(@ability).to be_able_to(:read, model)
+      end
+
+      it "is able to read hashes when field is array" do
+        one_to_three = MongoidProject.create(:numbers => ['one', 'two', 'three'])
+        two_to_five  = MongoidProject.create(:numbers => ['two', 'three', 'four', 'five'])
+
+        @ability.can :foo, MongoidProject, :numbers => 'one'
+        expect(@ability).to be_able_to(:foo, one_to_three)
+        expect(@ability).not_to be_able_to(:foo, two_to_five)
+      end
+
+      it "returns [] when no ability is defined so no records are found" do
+        MongoidProject.create(:title => 'Sir')
+        MongoidProject.create(:title => 'Lord')
+        MongoidProject.create(:title => 'Dude')
+
+        expect(MongoidProject.accessible_by(@ability, :read).entries).to eq([])
+      end
+
+      it "returns the correct records based on the defined ability" do
+        @ability.can :read, MongoidProject, :title => "Sir"
+        sir   = MongoidProject.create(:title => 'Sir')
+        lord  = MongoidProject.create(:title => 'Lord')
+        dude  = MongoidProject.create(:title => 'Dude')
+
+        expect(MongoidProject.accessible_by(@ability, :read).entries).to eq([sir])
+      end
+
+      it "returns the correct records when a mix of can and cannot rules in defined ability" do
+        @ability.can :manage, MongoidProject, :title => 'Sir'
+        @ability.cannot :destroy, MongoidProject
+
+        sir   = MongoidProject.create(:title => 'Sir')
+        lord  = MongoidProject.create(:title => 'Lord')
+        dude  = MongoidProject.create(:title => 'Dude')
+
+        expect(MongoidProject.accessible_by(@ability, :destroy).entries).to eq([sir])
+      end
+
+      it "is able to mix empty conditions and hashes" do
+        @ability.can :read, MongoidProject
+        @ability.can :read, MongoidProject, :title => 'Sir'
+        sir  = MongoidProject.create(:title => 'Sir')
+        lord = MongoidProject.create(:title => 'Lord')
+
+        expect(MongoidProject.accessible_by(@ability, :read).count).to eq(2)
+      end
+
+      it "returns everything when the defined ability is access all" do
+        @ability.can :manage, :all
+        sir   = MongoidProject.create(:title => 'Sir')
+        lord  = MongoidProject.create(:title => 'Lord')
+        dude  = MongoidProject.create(:title => 'Dude')
+
+        expect(MongoidProject.accessible_by(@ability, :read).entries).to eq([sir, lord, dude])
+      end
+
+      it "allows a scope for conditions" do
+        @ability.can :read, MongoidProject, MongoidProject.where(:title => 'Sir')
+        sir   = MongoidProject.create(:title => 'Sir')
+        lord  = MongoidProject.create(:title => 'Lord')
+        dude  = MongoidProject.create(:title => 'Dude')
+
+        expect(MongoidProject.accessible_by(@ability, :read).entries).to eq([sir])
+      end
+
+      describe "Mongoid::Criteria where clause Symbol extensions using MongoDB expressions" do
+        it "handles :field.in" do
+          obj = MongoidProject.create(:title => 'Sir')
+          @ability.can :read, MongoidProject, :title.in => ["Sir", "Madam"]
+          expect(@ability.can?(:read, obj)).to eq(true)
+          expect(MongoidProject.accessible_by(@ability, :read)).to eq([obj])
+
+          obj2 = MongoidProject.create(:title => 'Lord')
+          expect(@ability.can?(:read, obj2)).to be_false
+        end
+
+        describe "activates only when there are Criteria in the hash" do
+          it "Calls where on the model class when there are criteria" do
+            obj = MongoidProject.create(:title => 'Bird')
+            @conditions = {:title.nin => ["Fork", "Spoon"]}
+
+            @ability.can :read, MongoidProject, @conditions
+            expect(@ability).to be_able_to(:read, obj)
+          end
+          it "Calls the base version if there are no mongoid criteria" do
+            obj = MongoidProject.new(:title => 'Bird')
+            @conditions = {:id => obj.id}
+            @ability.can :read, MongoidProject, @conditions
+            expect(@ability).to be_able_to(:read, obj)
+          end
+        end
+
+        it "handles :field.nin" do
+          obj = MongoidProject.create(:title => 'Sir')
+          @ability.can :read, MongoidProject, :title.nin => ["Lord", "Madam"]
+          expect(@ability.can?(:read, obj)).to eq(true)
+          expect(MongoidProject.accessible_by(@ability, :read)).to eq([obj])
+
+          obj2 = MongoidProject.create(:title => 'Lord')
+          expect(@ability.can?(:read, obj2)).to be_false
+        end
+
+        it "handles :field.size" do
+          obj = MongoidProject.create(:titles => ['Palatin', 'Margrave'])
+          @ability.can :read, MongoidProject, :titles.size => 2
+          expect(@ability.can?(:read, obj)).to eq(true)
+          expect(MongoidProject.accessible_by(@ability, :read)).to eq([obj])
+
+          obj2 = MongoidProject.create(:titles => ['Palatin', 'Margrave', 'Marquis'])
+          expect(@ability.can?(:read, obj2)).to be_false
+        end
+
+        it "handles :field.exists" do
+          obj = MongoidProject.create(:titles => ['Palatin', 'Margrave'])
+          @ability.can :read, MongoidProject, :titles.exists => true
+          expect(@ability.can?(:read, obj)).to eq(true)
+          expect(MongoidProject.accessible_by(@ability, :read)).to eq([obj])
+
+          obj2 = MongoidProject.create
+          expect(@ability.can?(:read, obj2)).to be_false
+        end
+
+        it "handles :field.gt" do
+          obj = MongoidProject.create(:age => 50)
+          @ability.can :read, MongoidProject, :age.gt => 45
+          expect(@ability.can?(:read, obj)).to eq(true)
+          expect(MongoidProject.accessible_by(@ability, :read)).to eq([obj])
+
+          obj2 = MongoidProject.create(:age => 40)
+          expect(@ability.can?(:read, obj2)).to be_false
+        end
+
+        it "handles instance not saved to database" do
+          obj = MongoidProject.new(:title => 'Sir')
+          @ability.can :read, MongoidProject, :title.in => ["Sir", "Madam"]
+          expect(@ability.can?(:read, obj)).to eq(true)
+
+          # accessible_by only returns saved records
+          expect(MongoidProject.accessible_by(@ability, :read).entries).to eq([])
+
+          obj2 = MongoidProject.new(:title => 'Lord')
+          expect(@ability.can?(:read, obj2)).to be_false
+        end
+      end
+
+      it "calls where with matching ability conditions" do
+        obj = MongoidProject.create(:foo => {:bar => 1})
+        @ability.can :read, MongoidProject, :foo => {:bar => 1}
+        expect(MongoidProject.accessible_by(@ability, :read).entries.first).to eq(obj)
+      end
+
+      it "excludes from the result if set to cannot" do
+        obj = MongoidProject.create(:bar => 1)
+        obj2 = MongoidProject.create(:bar => 2)
+        @ability.can :read, MongoidProject
+        @ability.cannot :read, MongoidProject, :bar => 2
+        expect(MongoidProject.accessible_by(@ability, :read).entries).to eq([obj])
+      end
+
+      it "combines the rules" do
+        obj = MongoidProject.create(:bar => 1)
+        obj2 = MongoidProject.create(:bar => 2)
+        obj3 = MongoidProject.create(:bar => 3)
+        @ability.can :read, MongoidProject, :bar => 1
+        @ability.can :read, MongoidProject, :bar => 2
+        expect(MongoidProject.accessible_by(@ability, :read).entries).to match_array([obj, obj2])
+      end
+
+      it "does not allow to fetch records when ability with just block present" do
+        @ability.can :read, MongoidProject do
+          false
+        end
+        expect {
+          MongoidProject.accessible_by(@ability)
+        }.to raise_error(CanCan::Error)
+      end
+    end
+  end
+end

data/spec/cancan/rule_spec.rb

@@ -0,0 +1,52 @@
+require "spec_helper"
+require "ostruct" # for OpenStruct below
+
+# Most of Rule functionality is tested in Ability specs
+describe CanCan::Rule do
+  before(:each) do
+    @conditions = {}
+    @rule = CanCan::Rule.new(true, :read, Integer, @conditions, nil)
+  end
+
+  it "returns no association joins if none exist" do
+    expect(@rule.associations_hash).to eq({})
+  end
+
+  it "returns no association for joins if just attributes" do
+    @conditions[:foo] = :bar
+    expect(@rule.associations_hash).to eq({})
+  end
+
+  it "returns single association for joins" do
+    @conditions[:foo] = {:bar => 1}
+    expect(@rule.associations_hash).to eq({:foo => {}})
+  end
+
+  it "returns multiple associations for joins" do
+    @conditions[:foo] = {:bar => 1}
+    @conditions[:test] = {1 => 2}
+    expect(@rule.associations_hash).to eq({:foo => {}, :test => {}})
+  end
+
+  it "returns nested associations for joins" do
+    @conditions[:foo] = {:bar => {1 => 2}}
+    expect(@rule.associations_hash).to eq({:foo => {:bar => {}}})
+  end
+
+  it "returns no association joins if conditions is nil" do
+    rule = CanCan::Rule.new(true, :read, Integer, nil, nil)
+    expect(rule.associations_hash).to eq({})
+  end
+
+  it "is not mergeable if conditions are not simple hashes" do
+    meta_where = OpenStruct.new(:name => 'metawhere', :column => 'test')
+    @conditions[meta_where] = :bar
+
+    expect(@rule).to be_unmergeable
+  end
+
+  it "is not mergeable if conditions is an empty hash" do
+    @conditions = {}
+    expect(@rule).to_not be_unmergeable
+  end
+end

data/spec/matchers.rb

@@ -0,0 +1,13 @@
+RSpec::Matchers.define :orderlessly_match do |original_string|
+  match do |given_string|
+    original_string.split('').sort == given_string.split('').sort
+  end
+
+  failure_message_for_should do |given_string|
+    "expected \"#{given_string}\" to have the same characters as \"#{original_string}\""
+  end
+
+  failure_message_for_should_not do |given_string|
+    "expected \"#{given_string}\" not to have the same characters as \"#{original_string}\""
+  end
+end

data/spec/spec.opts

@@ -0,0 +1,2 @@
+--color
+--backtrace

data/spec/spec_helper.rb

@@ -0,0 +1,77 @@
+require 'rubygems'
+require 'bundler/setup'
+
+Bundler.require(:default)
+
+require 'supermodel' # shouldn't Bundler do this already?
+require 'active_support/all'
+require 'matchers'
+require 'cancan/matchers'
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.filter_run :focus => true
+  config.run_all_when_everything_filtered = true
+  config.mock_with :rspec
+
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+
+  config.before(:each) do
+    Project.delete_all
+    Category.delete_all
+  end
+  config.extend WithModel if ENV["MODEL_ADAPTER"].nil? || ENV["MODEL_ADAPTER"] == "active_record"
+end
+
+# Working around CVE-2012-5664 requires us to convert all ID params
+# to strings. Let's switch to using string IDs in tests, otherwise
+# SuperModel and/or RR will fail (as strings are not fixnums).
+
+module SuperModel
+  class Base
+    def generate_id
+      object_id.to_s
+    end
+  end
+end
+
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+  end
+end
+
+class Category < SuperModel::Base
+  has_many :projects
+end
+
+module Sub
+  class Project < SuperModel::Base
+    belongs_to :category
+    attr_accessor :category # why doesn't SuperModel do this automatically?
+
+    def self.respond_to?(method, include_private = false)
+      if method.to_s == "find_by_name!" # hack to simulate ActiveRecord
+        true
+      else
+        super
+      end
+    end
+  end
+end
+
+class Project < SuperModel::Base
+  belongs_to :category
+  attr_accessor :category # why doesn't SuperModel do this automatically?
+
+  def self.respond_to?(method, include_private = false)
+    if method.to_s == "find_by_name!" # hack to simulate ActiveRecord
+      true
+    else
+      super
+    end
+  end
+end