cancancan 2.2.0 → 3.5.0

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -0,0 +1,49 @@
+# this class is responsible of normalizing the hash of conditions
+# by exploding has_many through associations
+# when a condition is defined with an has_many through association this is exploded in all its parts
+# TODO: it could identify STI and normalize it
+module CanCan
+  module ModelAdapters
+    class ConditionsNormalizer
+      class << self
+        def normalize(model_class, rules)
+          rules.each { |rule| rule.conditions = normalize_conditions(model_class, rule.conditions) }
+        end
+
+        def normalize_conditions(model_class, conditions)
+          return conditions unless conditions.is_a? Hash
+
+          conditions.each_with_object({}) do |(key, value), result_hash|
+            if value.is_a? Hash
+              result_hash.merge!(calculate_result_hash(model_class, key, value))
+            else
+              result_hash[key] = value
+            end
+            result_hash
+          end
+        end
+
+        private
+
+        def calculate_result_hash(model_class, key, value)
+          reflection = model_class.reflect_on_association(key)
+          unless reflection
+            raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
+          end
+
+          if normalizable_association? reflection
+            key = reflection.options[:through]
+            value = { reflection.source_reflection_name => value }
+            reflection = model_class.reflect_on_association(key)
+          end
+
+          { key => normalize_conditions(reflection.klass.name.constantize, value) }
+        end
+
+        def normalizable_association?(reflection)
+          reflection.options[:through].present? && !reflection.options[:source_type].present?
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/default_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class DefaultAdapter < AbstractAdapter

data/lib/cancan/model_adapters/sti_normalizer.rb

@@ -0,0 +1,47 @@
+require_relative '../sti_detector'
+
+# this class is responsible for detecting sti classes and creating new rules for the
+# relevant subclasses, using the inheritance_column as a merger
+module CanCan
+  module ModelAdapters
+    class StiNormalizer
+      class << self
+        def normalize(rules)
+          rules_cache = []
+          return unless defined?(ActiveRecord::Base)
+
+          rules.delete_if do |rule|
+            subjects = rule.subjects.select do |subject|
+              update_rule(subject, rule, rules_cache)
+            end
+            subjects.length == rule.subjects.length
+          end
+          rules_cache.each { |rule| rules.push(rule) }
+        end
+
+        private
+
+        def update_rule(subject, rule, rules_cache)
+          return false unless StiDetector.sti_class?(subject)
+
+          rules_cache.push(build_rule_for_subclass(rule, subject))
+          true
+        end
+
+        # create a new rule for the subclasses that links on the inheritance_column
+        def build_rule_for_subclass(rule, subject)
+          sti_conditions = { subject.inheritance_column => subject.sti_name }
+          new_rule_conditions =
+            if rule.with_scope?
+              rule.conditions.where(sti_conditions)
+            else
+              rule.conditions.merge(sti_conditions)
+            end
+
+          CanCan::Rule.new(rule.base_behavior, rule.actions, subject.superclass,
+                           new_rule_conditions, rule.block)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/base.rb

@@ -0,0 +1,40 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class Base
+        attr_reader :adapter, :relation, :where_conditions
+
+        delegate(
+          :compressed_rules,
+          :extract_multiple_conditions,
+          :joins,
+          :model_class,
+          :quoted_primary_key,
+          :quoted_aliased_table_name,
+          :quoted_table_name,
+          to: :adapter
+        )
+        delegate :connection, :quoted_primary_key, to: :model_class
+        delegate :quote_table_name, to: :connection
+
+        def initialize(adapter:, relation:, where_conditions:)
+          @adapter = adapter
+          @relation = relation
+          @where_conditions = where_conditions
+        end
+
+        def aliased_table_name
+          @aliased_table_name ||= "#{model_class.table_name}_alias"
+        end
+
+        def quoted_aliased_table_name
+          @quoted_aliased_table_name ||= quote_table_name(aliased_table_name)
+        end
+
+        def quoted_table_name
+          @quoted_table_name ||= quote_table_name(model_class.table_name)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: false
+
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class JoinedAliasEachRuleAsExistsSubquery < Base
+        def execute!
+          model_class
+            .joins(
+              "JOIN #{quoted_table_name} AS #{quoted_aliased_table_name} ON " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key} = #{quoted_table_name}.#{quoted_primary_key}"
+            )
+            .where(double_exists_sql)
+        end
+
+        def double_exists_sql
+          double_exists_sql = ''
+
+          compressed_rules.each_with_index do |rule, index|
+            double_exists_sql << ' OR ' if index.positive?
+            double_exists_sql << "EXISTS (#{sub_query_for_rule(rule).to_sql})"
+          end
+
+          double_exists_sql
+        end
+
+        def sub_query_for_rule(rule)
+          conditions_extractor = ConditionsExtractor.new(model_class)
+          rule_where_conditions = extract_multiple_conditions(conditions_extractor, [rule])
+          joins_hash, left_joins_hash = extract_joins_from_rule(rule)
+          sub_query_for_rules_and_join_hashes(rule_where_conditions, joins_hash, left_joins_hash)
+        end
+
+        def sub_query_for_rules_and_join_hashes(rule_where_conditions, joins_hash, left_joins_hash)
+          model_class
+            .select('1')
+            .joins(joins_hash)
+            .left_joins(left_joins_hash)
+            .where(
+              "#{quoted_table_name}.#{quoted_primary_key} = " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key}"
+            )
+            .where(rule_where_conditions)
+            .limit(1)
+        end
+
+        def extract_joins_from_rule(rule)
+          joins = {}
+          left_joins = {}
+
+          extra_joins_recursive([], rule.conditions, joins, left_joins)
+          [joins, left_joins]
+        end
+
+        def extra_joins_recursive(current_path, conditions, joins, left_joins)
+          conditions.each do |key, value|
+            if value.is_a?(Hash)
+              current_path << key
+              extra_joins_recursive(current_path, value, joins, left_joins)
+              current_path.pop
+            else
+              extra_joins_recursive_merge_joins(current_path, value, joins, left_joins)
+            end
+          end
+        end
+
+        def extra_joins_recursive_merge_joins(current_path, value, joins, left_joins)
+          hash_joins = current_path_to_hash(current_path)
+
+          if value.nil?
+            left_joins.deep_merge!(hash_joins)
+          else
+            joins.deep_merge!(hash_joins)
+          end
+        end
+
+        # Converts an array like [:child, :grand_child] into a hash like {child: {grand_child: {}}
+        def current_path_to_hash(current_path)
+          hash_joins = {}
+          current_hash_joins = hash_joins
+
+          current_path.each do |path_part|
+            new_hash = {}
+            current_hash_joins[path_part] = new_hash
+            current_hash_joins = new_hash
+          end
+
+          hash_joins
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/joined_alias_exists_subquery.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class JoinedAliasExistsSubquery < Base
+        def execute!
+          model_class
+            .joins(
+              "JOIN #{quoted_table_name} AS #{quoted_aliased_table_name} ON " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key} = #{quoted_table_name}.#{quoted_primary_key}"
+            )
+            .where("EXISTS (#{joined_alias_exists_subquery_inner_query.to_sql})")
+        end
+
+        def joined_alias_exists_subquery_inner_query
+          model_class
+            .unscoped
+            .select('1')
+            .left_joins(joins)
+            .where(*where_conditions)
+            .where(
+              "#{quoted_table_name}.#{quoted_primary_key} = " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key}"
+            )
+            .limit(1)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/left_join.rb

@@ -0,0 +1,11 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class LeftJoin < Base
+        def execute!
+          relation.left_joins(joins).distinct
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/subquery.rb

@@ -0,0 +1,18 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class Subquery < Base
+        def execute!
+          build_joins_relation_subquery(where_conditions)
+        end
+
+        def build_joins_relation_subquery(where_conditions)
+          inner = model_class.unscoped do
+            model_class.left_joins(joins).where(*where_conditions)
+          end
+          model_class.where(model_class.primary_key => inner)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module adds the accessible_by class method to a model. It is included in the model adapters.
   module ModelAdditions
@@ -18,8 +20,10 @@ module CanCan
       #   @articles = Article.accessible_by(current_ability, :update)
       #
       # Here only the articles which the user can update are returned.
-      def accessible_by(ability, action = :index)
-        ability.model_adapter(self, action).database_records
+      def accessible_by(ability, action = :index, strategy: CanCan.accessible_by_strategy)
+        CanCan.with_accessible_by_strategy(strategy) do
+          ability.model_adapter(self, action).database_records
+        end
       end
     end
 

data/lib/cancan/parameter_validators.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ParameterValidators
+    def valid_attribute_param?(attribute)
+      attribute.nil? || attribute.is_a?(Symbol) || (attribute.is_a?(Array) && attribute.all? { |a| a.is_a?(Symbol) })
+    end
+  end
+end

data/lib/cancan/relevant.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Relevant
+    # Matches both the action, subject, and attribute, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    private
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? do |sub|
+        sub.is_a?(Module) && (subject.is_a?(sub) ||
+            subject.class.to_s == sub.to_s ||
+            (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      end
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,33 +1,64 @@
+# frozen_string_literal: true
+
 require_relative 'conditions_matcher.rb'
+require_relative 'class_matcher.rb'
+require_relative 'relevant.rb'
+
 module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
     include ConditionsMatcher
-    attr_reader :base_behavior, :subjects, :actions, :conditions
-    attr_writer :expanded_actions
+    include Relevant
+    include ParameterValidators
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes, :block
+    attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
     # value. True for "can" and false for "cannot". The next two arguments are the action
     # and subject respectively (such as :read, @project). The third argument is a hash
     # of conditions and the last one is the block passed to the "can" call.
-    def initialize(base_behavior, action, subject, conditions, block)
-      both_block_and_hash_error = 'You are not able to supply a block with a hash of conditions in '\
-                                  "#{action} #{subject} ability. Use either one."
-      raise Error, both_block_and_hash_error if conditions.is_a?(Hash) && block
+    def initialize(base_behavior, action, subject, *extra_args, &block)
+      # for backwards compatibility, attributes are an optional parameter. Check if
+      # attributes were passed or are actually conditions
+      attributes, extra_args = parse_attributes_from_extra_args(extra_args)
+      condition_and_block_check(extra_args, block, action, subject)
       @match_all = action.nil? && subject.nil?
+      raise Error, "Subject is required for #{action}" if action && subject.nil?
+
       @base_behavior = base_behavior
-      @actions = Array(action)
-      @subjects = Array(subject)
-      @conditions = conditions || {}
+      @actions = wrap(action)
+      @subjects = wrap(subject)
+      @attributes = wrap(attributes)
+      @conditions = extra_args || {}
       @block = block
     end
 
-    # Matches both the subject and action, not necessarily the conditions
-    def relevant?(action, subject)
-      subject = subject.values.first if subject.class == Hash
-      @match_all || (matches_action?(action) && matches_subject?(subject))
+    def inspect
+      repr = "#<#{self.class.name}"
+      repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
+
+      if with_scope?
+        repr += ", #{@conditions.where_values_hash}"
+      elsif [Hash, String].include?(@conditions.class)
+        repr += ", #{@conditions.inspect}"
+      end
+
+      repr + '>'
+    end
+
+    def can_rule?
+      base_behavior
+    end
+
+    def cannot_catch_all?
+      !can_rule? && catch_all?
+    end
+
+    def catch_all?
+      (with_scope? && @conditions.where_values_hash.empty?) ||
+        (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
     def only_block?
@@ -38,9 +69,8 @@ module CanCan
       @block.nil? && !conditions_empty? && !@conditions.is_a?(Hash)
     end
 
-    def unmergeable?
-      @conditions.respond_to?(:keys) && @conditions.present? &&
-        (!@conditions.keys.first.is_a? Symbol)
+    def with_scope?
+      defined?(ActiveRecord) && @conditions.is_a?(ActiveRecord::Relation)
     end
 
     def associations_hash(conditions = @conditions)
@@ -63,6 +93,13 @@ module CanCan
       attributes
     end
 
+    def matches_attributes?(attribute)
+      return true if @attributes.empty?
+      return @base_behavior if attribute.nil?
+
+      @attributes.include?(attribute.to_sym)
+    end
+
     private
 
     def matches_action?(action)
@@ -74,10 +111,29 @@ module CanCan
     end
 
     def matches_subject_class?(subject)
-      @subjects.any? do |sub|
-        sub.is_a?(Module) && (subject.is_a?(sub) ||
-          subject.class.to_s == sub.to_s ||
-          (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      SubjectClassMatcher.matches_subject_class?(@subjects, subject)
+    end
+
+    def parse_attributes_from_extra_args(args)
+      attributes = args.shift if valid_attribute_param?(args.first)
+      extra_args = args.shift
+      [attributes, extra_args]
+    end
+
+    def condition_and_block_check(conditions, block, action, subject)
+      return unless conditions.is_a?(Hash) && block
+
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. ' \
+        "Check \":#{action} #{subject}\" ability."
+    end
+
+    def wrap(object)
+      if object.nil?
+        []
+      elsif object.respond_to?(:to_ary)
+        object.to_ary || [object]
+      else
+        [object]
       end
     end
   end

data/lib/cancan/rules_compressor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative 'conditions_matcher.rb'
+module CanCan
+  class RulesCompressor
+    attr_reader :initial_rules, :rules_collapsed
+
+    def initialize(rules)
+      @initial_rules = rules
+      @rules_collapsed = compress(@initial_rules)
+    end
+
+    def compress(array)
+      idx = array.rindex(&:catch_all?)
+      return array unless idx
+
+      value = array[idx]
+      array[idx..-1]
+        .drop_while { |n| n.base_behavior == value.base_behavior }
+        .tap { |a| a.unshift(value) unless value.cannot_catch_all? }
+    end
+  end
+end

data/lib/cancan/sti_detector.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class StiDetector
+  def self.sti_class?(subject)
+    return false unless defined?(ActiveRecord::Base)
+    return false unless subject.respond_to?(:descends_from_active_record?)
+    return false if subject == :all || subject.descends_from_active_record?
+    return false unless subject < ActiveRecord::Base
+
+    true
+  end
+end

data/lib/cancan/unauthorized_message_resolver.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CanCan
+  module UnauthorizedMessageResolver
+    def unauthorized_message(action, subject)
+      subject = subject.values.last if subject.is_a?(Hash)
+      keys = unauthorized_message_keys(action, subject)
+      variables = {}
+      variables[:action] = I18n.translate("actions.#{action}", default: action.to_s)
+      variables[:subject] = translate_subject(subject)
+      message = I18n.translate(keys.shift, **variables.merge(scope: :unauthorized, default: keys + ['']))
+      message.blank? ? nil : message
+    end
+
+    def translate_subject(subject)
+      klass = (subject.class == Class ? subject : subject.class)
+      if klass.respond_to?(:model_name)
+        klass.model_name.human
+      else
+        klass.to_s.underscore.humanize.downcase
+      end
+    end
+  end
+end

data/lib/cancan/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
-  VERSION = '2.2.0'.freeze
+  VERSION = '3.5.0'.freeze
 end

data/lib/cancan.rb

@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
 require 'cancan/version'
+require 'cancan/config'
+require 'cancan/parameter_validators'
 require 'cancan/ability'
 require 'cancan/rule'
 require 'cancan/controller_resource'
@@ -8,9 +12,18 @@ require 'cancan/exceptions'
 
 require 'cancan/model_adapters/abstract_adapter'
 require 'cancan/model_adapters/default_adapter'
+require 'cancan/rules_compressor'
 
 if defined? ActiveRecord
+  require 'cancan/model_adapters/conditions_extractor'
+  require 'cancan/model_adapters/conditions_normalizer'
+  require 'cancan/model_adapters/sti_normalizer'
   require 'cancan/model_adapters/active_record_adapter'
   require 'cancan/model_adapters/active_record_4_adapter'
   require 'cancan/model_adapters/active_record_5_adapter'
+  require 'cancan/model_adapters/strategies/base'
+  require 'cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery'
+  require 'cancan/model_adapters/strategies/joined_alias_exists_subquery'
+  require 'cancan/model_adapters/strategies/left_join'
+  require 'cancan/model_adapters/strategies/subquery'
 end

data/lib/cancancan.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'cancan'
 
 module CanCanCan

data/lib/generators/cancan/ability/ability_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Cancan
   module Generators
     class AbilityGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path('templates', __dir__)
 
       def generate_ability
         copy_file 'ability.rb', 'app/models/ability.rb'

data/lib/generators/cancan/ability/templates/ability.rb

@@ -1,15 +1,15 @@
+# frozen_string_literal: true
+
 class Ability
   include CanCan::Ability
 
   def initialize(user)
-    # Define abilities for the passed in user here. For example:
+    # Define abilities for the user here. For example:
     #
-    #   user ||= User.new # guest user (not logged in)
-    #   if user.admin?
-    #     can :manage, :all
-    #   else
-    #     can :read, :all
-    #   end
+    #   return unless user.present?
+    #   can :read, :all
+    #   return unless user.admin?
+    #   can :manage, :all
     #
     # The first argument to `can` is the action you are giving the user
     # permission to do.
@@ -24,9 +24,9 @@ class Ability
     # objects.
     # For example, here the user can only update published articles.
     #
-    #   can :update, Article, :published => true
+    #   can :update, Article, published: true
     #
     # See the wiki for details:
-    # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
+    # https://github.com/CanCanCommunity/cancancan/blob/develop/docs/define_check_abilities.md
   end
 end