cancancan 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7079b16052c2f98ebe67d6ce08e390188bca856d
-  data.tar.gz: faa43141ca3124dbe3d40ceb30a76ca78bc56117
+  metadata.gz: 59fd5f683924f32658036d91ec731a03dc2620f0
+  data.tar.gz: 80ada1d8d82e08dae4f39afa0f4fc6e0bba1a43b
 SHA512:
-  metadata.gz: 8168024035574501d8bef61033f458facb1b7173ed98d901b9b51aedc0c659470f6210beb308273de9cd437e4d75027eb39321f104a9e8dc8f933593f1a67aa1
-  data.tar.gz: e71e7aa4f2a66f0f660aa9ce224dff3c0de2efc3b0fb85d461113175e5349700bf4475f5f9ca7abf16c56457488a33b3b5d954e753b021f162428c5827e28cd5
+  metadata.gz: f7854cb0fd225fc65ca36e2ae8b3d257e2509ebc092801a1802686bd2537dcb3c53f0e522f3d9a43b15ded9765a026c9d11c3588f4a4ff28bd752606fa01788c
+  data.tar.gz: e98f2b6d8defb75df838a82a5c0a28befdec610db7be82f119e70a922d953963fc7c268d014668ccf28c5fd54ccabbda9ca8d8bba4e175b587a36093f4da76b4

data/.travis.yml

@@ -11,6 +11,8 @@ gemfile:
   - gemfiles/activerecord_3.0.gemfile
   - gemfiles/activerecord_3.1.gemfile
   - gemfiles/activerecord_3.2.gemfile
+  - gemfiles/activerecord_4.0.gemfile
+  - gemfiles/activerecord_4.1.gemfile
   - gemfiles/datamapper_1.x.gemfile
   - gemfiles/mongoid_2.x.gemfile
   - gemfiles/sequel_3.x.gemfile
@@ -19,6 +21,19 @@ services:
 matrix:
   allow_failures:
     - rvm: rbx
+  exclude:
+    - rvm: 1.8.7
+      gemfile: gemfiles/activerecord_4.0.gemfile
+    - rvm: 1.8.7
+      gemfile: gemfiles/activerecord_4.1.gemfile
+    - rvm: 1.9.2
+      gemfile: gemfiles/activerecord_4.0.gemfile
+    - rvm: 1.9.2
+      gemfile: gemfiles/activerecord_4.1.gemfile
+    - rvm: ree
+      gemfile: gemfiles/activerecord_4.0.gemfile
+    - rvm: ree
+      gemfile: gemfiles/activerecord_4.1.gemfile
 notifications:
   recipients:
     - bryan@bryanrite.com

data/Appraisals

@@ -39,6 +39,34 @@ appraise "activerecord_3.2" do
   end
 end
 
+appraise "activerecord_4.0" do
+  gem "activerecord", "~> 4.0.5", :require => "active_record"
+  gem 'activesupport', '~> 4.0.5', :require => 'active_support/all'
+
+  gemfile.platforms :jruby do
+    gem "activerecord-jdbcsqlite3-adapter"
+    gem "jdbc-sqlite3"
+  end
+
+  gemfile.platforms :ruby, :mswin, :mingw do
+    gem "sqlite3"
+  end
+end
+
+appraise "activerecord_4.1" do
+  gem "activerecord", "~> 4.1.1", :require => "active_record"
+  gem 'activesupport', '~> 4.1.1', :require => 'active_support/all'
+
+  gemfile.platforms :jruby do
+    gem "activerecord-jdbcsqlite3-adapter"
+    gem "jdbc-sqlite3"
+  end
+
+  gemfile.platforms :ruby, :mswin, :mingw do
+    gem "sqlite3"
+  end
+end
+
 appraise "datamapper_1.x" do
   gem 'activesupport', '~> 3.0', :require => 'active_support/all'
   gem "dm-core", "~> 1.0.2"
@@ -64,7 +92,6 @@ appraise "sequel_3.x" do
   gem 'activesupport', '~> 3.0', :require => 'active_support/all'
 
   gemfile.platforms :jruby do
-    gem "activerecord-jdbcsqlite3-adapter"
     gem "jdbc-sqlite3"
   end
 

data/CHANGELOG.rdoc

@@ -1,6 +1,35 @@
 Develop
 
 
+1.9.0 (July 20th, 2014)
+
+* Fix cancancan#59 - Parameters are automatically detected and santitized for all actions, not just create and update. (bryanrite)
+
+* Fix cancancan#97, 72, 40, 39, 26 - Support Active Record 4 properly with references on nested permissions. (scpike, tdg5, Crystark)
+
+
+1.8.4 (June 24th, 2014)
+
+* Fix cancancan#86 - Fixes previous RSpec 3 update as there was a bug in the fix for RSpec 2.99. (bryanrite)
+
+
+1.8.3 (June 24th, 2014)
+
+* Fix cancancan#85 - Remove deprecation notices for RSpec 3 and continue backwards compatibility. (andypike, bryanrite, porteta)
+
+
+1.8.2 (June 5th, 2014)
+
+* Fix cancancan#75 - More specific hash-like object check. (bryanrite)
+
+
+1.8.1 (May 27th, 2014)
+
+* Fix cancancan#67 - Sequel tests are run properly for JRuby. (bryanrite)
+
+* Fix cancancan#68 - Checks for hash-like objects in subject better. (bryanrite)
+
+
 1.8.0 (May 8th, 2014)
 
 * Feature cancan#884 - Add a Sequel model adapter (szetobo)

data/README.rdoc

@@ -2,7 +2,7 @@
 {<img src="https://badge.fury.io/rb/cancancan.png" alt="Gem Version" />}[http://badge.fury.io/rb/cancancan]
 {<img src="https://travis-ci.org/CanCanCommunity/cancancan.png?branch=master" alt="Build Status" />}[https://travis-ci.org/CanCanCommunity/cancancan]
 {<img src="https://codeclimate.com/github/CanCanCommunity/cancancan.png" />}[https://codeclimate.com/github/CanCanCommunity/cancancan]
-{<img src="http://inch-pages.github.io/github/CanCanCommunity/cancancan.png" alt="Inline docs" />}[http://inch-pages.github.io/github/CanCanCommunity/cancancan]
+{<img src="http://inch-ci.org/github/CanCanCommunity/cancancan.png" alt="Inline docs" />}[http://inch-ci.org/github/CanCanCommunity/cancancan]
 
 Wiki[https://github.com/bryanrite/cancancan/wiki] | RDocs[http://rdoc.info/projects/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan]
 
@@ -22,7 +22,7 @@ Any help is greatly appreciated, feel free to submit pull-requests or open issue
 
 In <b>Rails 3 and 4</b>, add this to your Gemfile and run the +bundle+ command.
 
-  gem 'cancancan', '~> 1.8'
+  gem 'cancancan', '~> 1.9'
 
 In <b>Rails 2</b>, add this to your environment.rb file.
 
@@ -173,7 +173,7 @@ Cancancan uses {appraisals}[https://github.com/thoughtbot/appraisal] to test the
 
 When first developing, you may need to run <tt>bundle install</tt> and then <tt>appraisal install</tt>, to install the different sets.
 
-You can then run all appraisal files (like CI does), with <tt>appraisal rake</tt> or just run a specific set <tt>appraisal rails_3.0 rake</tt>.
+You can then run all appraisal files (like CI does), with <tt>appraisal rake</tt> or just run a specific set <tt>appraisal activerecord_3.0 rake</tt>.
 
 See the {CONTRIBUTING}[https://github.com/CanCanCommunity/cancancan/blob/develop/CONTRIBUTING.md] and {spec/README}[https://github.com/bryanrite/cancancan/blob/master/spec/README.rdoc] for more information.
 

data/cancancan.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
 
   s.add_development_dependency 'bundler', '~> 1.3'
   s.add_development_dependency 'rake', '~> 10.1.1'
-  s.add_development_dependency 'rspec', '~> 2.14'
+  s.add_development_dependency 'rspec', '~> 3.0.0'
   s.add_development_dependency 'appraisal', '>= 1.0.0'
 
   s.rubyforge_project = s.name

data/gemfiles/activerecord_4.0.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 4.0.5", :require => "active_record"
+gem "activesupport", "~> 4.0.5", :require => "active_support/all"
+
+platforms :jruby do
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jdbc-sqlite3"
+end
+
+platforms :ruby, :mswin, :mingw do
+  gem "sqlite3"
+end
+
+gemspec :path => "../"

data/gemfiles/activerecord_4.1.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 4.1.1", :require => "active_record"
+gem "activesupport", "~> 4.1.1", :require => "active_support/all"
+
+platforms :jruby do
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jdbc-sqlite3"
+end
+
+platforms :ruby, :mswin, :mingw do
+  gem "sqlite3"
+end
+
+gemspec :path => "../"

data/gemfiles/sequel_3.x.gemfile

@@ -6,7 +6,6 @@ gem "sequel", "~> 3.47.0"
 gem "activesupport", "~> 3.0", :require => "active_support/all"
 
 platforms :jruby do
-  gem "activerecord-jdbcsqlite3-adapter"
   gem "jdbc-sqlite3"
 end
 

data/lib/cancan/ability.rb

@@ -285,7 +285,7 @@ module CanCan
 
     # It translates to an array the subject or the hash with multiple subjects given to can?.
     def extract_subjects(subject)
-      subject = if subject.respond_to?(:keys) && subject.key?(:any)
+      subject = if subject.kind_of?(Hash) && subject.key?(:any)
         subject[:any]
       else
         [subject]

data/lib/cancan/controller_additions.rb

@@ -294,7 +294,7 @@ module CanCan
 
     def self.included(base)
       base.extend ClassMethods
-      base.helper_method :can?, :cannot?, :current_ability
+      base.helper_method :can?, :cannot?, :current_ability if base.respond_to? :helper_method
     end
 
     # Raises a CanCan::AccessDenied exception if the current_ability cannot

data/lib/cancan/controller_resource.rb

@@ -220,22 +220,29 @@ module CanCan
     end
 
     def resource_params
-      if param_actions.include?(@params[:action].to_sym) && params_method.present?
+      if parameters_require_sanitizing? && params_method.present?
         return case params_method
           when Symbol then @controller.send(params_method)
           when String then @controller.instance_eval(params_method)
           when Proc then params_method.call(@controller)
         end
-      elsif @options[:class]
-        params_key = extract_key(@options[:class])
-        return @params[params_key] if @params[params_key]
+      else
+        resource_params_by_namespaced_name
       end
+    end
 
-      resource_params_by_namespaced_name
+    def parameters_require_sanitizing?
+      save_actions.include?(@params[:action].to_sym) || resource_params_by_namespaced_name.present?
     end
 
     def resource_params_by_namespaced_name
-      @params[extract_key(namespaced_name)]
+      if @options[:instance_name] && @params.has_key?(extract_key(@options[:instance_name]))
+        @params[extract_key(@options[:instance_name])]
+      elsif @options[:class] && @params.has_key?(extract_key(@options[:class]))
+        @params[extract_key(@options[:class])]
+      else
+        @params[extract_key(namespaced_name)]
+      end
     end
 
     def params_method
@@ -277,7 +284,7 @@ module CanCan
       [:new, :create] + Array(@options[:new])
     end
 
-    def param_actions
+    def save_actions
       [:create, :update]
     end
 

data/lib/cancan/matchers.rb

@@ -4,7 +4,7 @@ if rspec_module == 'RSpec'
   require 'rspec/core'
   require 'rspec/expectations'
 else
-  ActiveSupport::Deprecation.warn("RSpec v1 will not be supported in the CanCanCan >= 2.0.0")
+  ActiveSupport::Deprecation.warn("RSpec < 3 will not be supported in the CanCanCan >= 2.0.0")
 end
 
 Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
@@ -12,11 +12,17 @@ Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
     ability.can?(*args)
   end
 
-  failure_message_for_should do |ability|
+  # Check that RSpec is < 2.99
+  if !respond_to?(:failure_message) && respond_to?(:failure_message_for_should)
+    alias :failure_message :failure_message_for_should
+    alias :failure_message_when_negated :failure_message_for_should_not
+  end
+
+  failure_message do |ability|
     "expected to be able to #{args.map(&:inspect).join(" ")}"
   end
 
-  failure_message_for_should_not do |ability|
+  failure_message_when_negated do |ability|
     "expected not to be able to #{args.map(&:inspect).join(" ")}"
   end
 end

data/lib/cancan/model_adapters/active_record_3_adapter.rb

@@ -0,0 +1,47 @@
+module CanCan
+  module ModelAdapters
+    class ActiveRecord3Adapter < AbstractAdapter
+      include ActiveRecordAdapter
+      def self.for_class?(model_class)
+        model_class <= ActiveRecord::Base
+      end
+
+      def self.override_condition_matching?(subject, name, value)
+        name.kind_of?(MetaWhere::Column) if defined? MetaWhere
+      end
+
+      def self.matches_condition?(subject, name, value)
+        subject_value = subject.send(name.column)
+        if name.method.to_s.ends_with? "_any"
+          value.any? { |v| meta_where_match? subject_value, name.method.to_s.sub("_any", ""), v }
+        elsif name.method.to_s.ends_with? "_all"
+          value.all? { |v| meta_where_match? subject_value, name.method.to_s.sub("_all", ""), v }
+        else
+          meta_where_match? subject_value, name.method, value
+        end
+      end
+
+      def self.meta_where_match?(subject_value, method, value)
+        case method.to_sym
+        when :eq      then subject_value == value
+        when :not_eq  then subject_value != value
+        when :in      then value.include?(subject_value)
+        when :not_in  then !value.include?(subject_value)
+        when :lt      then subject_value < value
+        when :lteq    then subject_value <= value
+        when :gt      then subject_value > value
+        when :gteq    then subject_value >= value
+        when :matches then subject_value =~ Regexp.new("^" + Regexp.escape(value).gsub("%", ".*") + "$", true)
+        when :does_not_match then !meta_where_match?(subject_value, :matches, value)
+        else raise NotImplemented, "The #{method} MetaWhere condition is not supported."
+        end
+      end
+
+      private
+
+      def build_relation(*where_conditions)
+        @model_class.where(*where_conditions).includes(joins)
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -0,0 +1,21 @@
+module CanCan
+  module ModelAdapters
+    class ActiveRecord4Adapter < AbstractAdapter
+      include ActiveRecordAdapter
+      def self.for_class?(model_class)
+        model_class <= ActiveRecord::Base
+      end
+
+      private
+
+      # As of rails 4, `includes()` no longer causes active record to
+      # look inside the where clause to decide to outer join tables
+      # you're using in the where. Instead, `references()` is required
+      # in addition to `includes()` to force the outer join.
+      #
+      def build_relation(*where_conditions)
+        @model_class.where(*where_conditions).includes(joins).references(joins)
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,41 +1,6 @@
 module CanCan
   module ModelAdapters
-    class ActiveRecordAdapter < AbstractAdapter
-      def self.for_class?(model_class)
-        model_class <= ActiveRecord::Base
-      end
-
-      def self.override_condition_matching?(subject, name, value)
-        name.kind_of?(MetaWhere::Column) if defined? MetaWhere
-      end
-
-      def self.matches_condition?(subject, name, value)
-        subject_value = subject.send(name.column)
-        if name.method.to_s.ends_with? "_any"
-          value.any? { |v| meta_where_match? subject_value, name.method.to_s.sub("_any", ""), v }
-        elsif name.method.to_s.ends_with? "_all"
-          value.all? { |v| meta_where_match? subject_value, name.method.to_s.sub("_all", ""), v }
-        else
-          meta_where_match? subject_value, name.method, value
-        end
-      end
-
-      def self.meta_where_match?(subject_value, method, value)
-        case method.to_sym
-        when :eq      then subject_value == value
-        when :not_eq  then subject_value != value
-        when :in      then value.include?(subject_value)
-        when :not_in  then !value.include?(subject_value)
-        when :lt      then subject_value < value
-        when :lteq    then subject_value <= value
-        when :gt      then subject_value > value
-        when :gteq    then subject_value >= value
-        when :matches then subject_value =~ Regexp.new("^" + Regexp.escape(value).gsub("%", ".*") + "$", true)
-        when :does_not_match then !meta_where_match?(subject_value, :matches, value)
-        else raise NotImplemented, "The #{method} MetaWhere condition is not supported."
-        end
-      end
-
+    module ActiveRecordAdapter
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
       #
@@ -99,11 +64,10 @@ module CanCan
         if override_scope
           @model_class.where(nil).merge(override_scope)
         elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
-          mergeable_conditions = @rules.select {|rule| rule.unmergeable? }.blank?
-          if mergeable_conditions
-            @model_class.where(conditions).includes(joins)
+          if mergeable_conditions?
+            build_relation(conditions)
           else
-            @model_class.where(*(@rules.map(&:conditions))).includes(joins)
+            build_relation(*(@rules.map(&:conditions)))
           end
         else
           @model_class.all(:conditions => conditions, :joins => joins)
@@ -112,6 +76,10 @@ module CanCan
 
       private
 
+      def mergeable_conditions?
+        @rules.find {|rule| rule.unmergeable? }.blank?
+      end
+
       def override_scope
         conditions = @rules.map(&:conditions).compact
         if defined?(ActiveRecord::Relation) && conditions.any? { |c| c.kind_of?(ActiveRecord::Relation) }

data/lib/cancan/version.rb

@@ -1,3 +1,3 @@
 module CanCan
-  VERSION = "1.8.0"
+  VERSION = "1.9.0"
 end

data/lib/cancan.rb

@@ -9,7 +9,17 @@ require 'cancan/inherited_resource'
 
 require 'cancan/model_adapters/abstract_adapter'
 require 'cancan/model_adapters/default_adapter'
-require 'cancan/model_adapters/active_record_adapter' if defined? ActiveRecord
+
+if defined? ActiveRecord
+  require 'cancan/model_adapters/active_record_adapter'
+  if ActiveRecord.respond_to?(:version) &&
+      ActiveRecord.version >= Gem::Version.new("4")
+    require 'cancan/model_adapters/active_record_4_adapter'
+  else
+    require 'cancan/model_adapters/active_record_3_adapter'
+  end
+end
+
 require 'cancan/model_adapters/data_mapper_adapter' if defined? DataMapper
 require 'cancan/model_adapters/mongoid_adapter' if defined?(Mongoid) && defined?(Mongoid::Document)
 require 'cancan/model_adapters/sequel_adapter' if defined? Sequel

data/lib/generators/cancan/ability/templates/ability.rb

@@ -27,6 +27,6 @@ class Ability
     #   can :update, Article, :published => true
     #
     # See the wiki for details:
-    # https://github.com/bryanrite/cancancan/wiki/Defining-Abilities
+    # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
 end