cancancan 2.3.0 → 3.2.2

data/lib/cancan/config.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module CanCan
+  def self.valid_accessible_by_strategies
+    strategies = [:left_join]
+    strategies << :subquery unless does_not_support_subquery_strategy?
+    strategies
+  end
+
+  # Determines how CanCan should build queries when calling accessible_by,
+  # if the query will contain a join. The default strategy is `:subquery`.
+  #
+  #   # config/initializers/cancan.rb
+  #   CanCan.accessible_by_strategy = :subquery
+  #
+  # Valid strategies are:
+  # - :subquery - Creates a nested query with all joins, wrapped by a
+  #               WHERE IN query.
+  # - :left_join - Calls the joins directly using `left_joins`, and
+  #                ensures records are unique using `distinct`. Note that
+  #                `distinct` is not reliable in some cases. See
+  #                https://github.com/CanCanCommunity/cancancan/pull/605
+  def self.accessible_by_strategy
+    @accessible_by_strategy || default_accessible_by_strategy
+  end
+
+  def self.default_accessible_by_strategy
+    if does_not_support_subquery_strategy?
+      # see https://github.com/CanCanCommunity/cancancan/pull/655 for where this was added
+      # the `subquery` strategy (from https://github.com/CanCanCommunity/cancancan/pull/619
+      # only works in Rails 5 and higher
+      :left_join
+    else
+      :subquery
+    end
+  end
+
+  def self.accessible_by_strategy=(value)
+    unless valid_accessible_by_strategies.include?(value)
+      raise ArgumentError, "accessible_by_strategy must be one of #{valid_accessible_by_strategies.join(', ')}"
+    end
+
+    if value == :subquery && does_not_support_subquery_strategy?
+      raise ArgumentError, 'accessible_by_strategy = :subquery requires ActiveRecord 5 or newer'
+    end
+
+    @accessible_by_strategy = value
+  end
+
+  def self.does_not_support_subquery_strategy?
+    !defined?(CanCan::ModelAdapters::ActiveRecordAdapter) ||
+      CanCan::ModelAdapters::ActiveRecordAdapter.version_lower?('5.0.0')
+  end
+end

data/lib/cancan/controller_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module is automatically included into all controllers.
   # It also makes the "can?" and "cannot?" methods available to all views.
@@ -225,7 +227,7 @@ module CanCan
         cancan_skipper[:authorize][name] = options
       end
 
-      # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
+      # Add this to a controller to ensure it performs authorization through +authorize+! or +authorize_resource+ call.
       # If neither of these authorization methods are called,
       # a CanCan::AuthorizationNotPerformed exception will be raised.
       # This is normally added to the ApplicationController to ensure all controller actions do authorization.
@@ -260,6 +262,7 @@ module CanCan
           next if controller.instance_variable_defined?(:@_authorized)
           next if options[:if] && !controller.send(options[:if])
           next if options[:unless] && controller.send(options[:unless])
+
           raise AuthorizationNotPerformed,
                 'This action failed the check_authorization because it does not authorize_resource. '\
                 'Add skip_authorization_check to bypass this check.'

data/lib/cancan/controller_resource.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'controller_resource_loader.rb'
 module CanCan
   # Handle the load and authorization controller logic
@@ -34,6 +36,7 @@ module CanCan
 
     def authorize_resource
       return if skip?(:authorize)
+
       @controller.authorize!(authorization_action, resource_instance || resource_class_with_parent)
     end
 
@@ -43,6 +46,7 @@ module CanCan
 
     def skip?(behavior)
       return false unless (options = @controller.class.cancan_skipper[behavior][@name])
+
       options == {} ||
         options[:except] && !action_exists_in?(options[:except]) ||
         action_exists_in?(options[:only])
@@ -90,6 +94,7 @@ module CanCan
 
     def resource_instance
       return unless load_instance? && @controller.instance_variable_defined?("@#{instance_name}")
+
       @controller.instance_variable_get("@#{instance_name}")
     end
 
@@ -99,6 +104,7 @@ module CanCan
 
     def collection_instance
       return unless @controller.instance_variable_defined?("@#{instance_name.to_s.pluralize}")
+
       @controller.instance_variable_get("@#{instance_name.to_s.pluralize}")
     end
 

data/lib/cancan/controller_resource_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceBuilder
     protected

data/lib/cancan/controller_resource_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceFinder
     protected

data/lib/cancan/controller_resource_loader.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'controller_resource_finder.rb'
 require_relative 'controller_resource_name_finder.rb'
 require_relative 'controller_resource_builder.rb'
@@ -11,6 +13,7 @@ module CanCan
 
     def load_resource
       return if skip?(:load)
+
       if load_instance?
         self.resource_instance ||= load_resource_instance
       elsif load_collection?
@@ -26,6 +29,7 @@ module CanCan
 
     def resource_params_by_key(key)
       return unless @options[key] && @params.key?(extract_key(@options[key]))
+
       @params[extract_key(@options[key])]
     end
 

data/lib/cancan/controller_resource_name_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceNameFinder
     protected

data/lib/cancan/controller_resource_sanitizer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceSanitizer
     protected

data/lib/cancan/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # A general CanCan exception
   class Error < StandardError; end
@@ -8,9 +10,15 @@ module CanCan
   # Raised when removed code is called, an alternative solution is provided in message.
   class ImplementationRemoved < Error; end
 
-  # Raised when using check_authorization without calling authorized!
+  # Raised when using check_authorization without calling authorize!
   class AuthorizationNotPerformed < Error; end
 
+  # Raised when a rule is created with both a block and a hash of conditions
+  class BlockAndConditionsError < Error; end
+
+  # Raised when an unexpected argument is passed as an attribute
+  class AttributeArgumentError < Error; end
+
   # Raised when using a wrong association name
   class WrongAssociationName < Error; end
 
@@ -33,7 +41,7 @@ module CanCan
   #   exception.default_message = "Default error message"
   #   exception.message # => "Default error message"
   #
-  # See ControllerAdditions#authorized! for more information on rescuing from this exception
+  # See ControllerAdditions#authorize! for more information on rescuing from this exception
   # and customizing the message using I18n.
   class AccessDenied < Error
     attr_reader :action, :subject, :conditions
@@ -50,5 +58,13 @@ module CanCan
     def to_s
       @message || @default_message
     end
+
+    def inspect
+      details = %i[action subject conditions message].map do |attribute|
+        value = instance_variable_get "@#{attribute}"
+        "#{attribute}: #{value.inspect}" if value.present?
+      end.compact.join(', ')
+      "#<#{self.class.name} #{details}>"
+    end
   end
 end

data/lib/cancan/matchers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 rspec_module = defined?(RSpec::Core) ? 'RSpec' : 'Spec' # RSpec 1 compatability
 
 if rspec_module == 'RSpec'
@@ -12,6 +14,7 @@ Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
     actions = args.first
     if actions.is_a? Array
       break false if actions.empty?
+
       actions.all? { |action| ability.can?(action, *args[1..-1]) }
     else
       ability.can?(*args)

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class AbstractAdapter
       def self.inherited(subclass)
         @subclasses ||= []
-        @subclasses << subclass
+        @subclasses.insert(0, subclass)
       end
 
       def self.adapter_class(model_class)

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -1,27 +1,30 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    class ActiveRecord4Adapter < AbstractAdapter
-      include ActiveRecordAdapter
-      def self.for_class?(model_class)
-        ActiveRecord::VERSION::MAJOR == 4 && model_class <= ActiveRecord::Base
-      end
+    class ActiveRecord4Adapter < ActiveRecordAdapter
+      AbstractAdapter.inherited(self)
 
-      # TODO: this should be private
-      def self.override_condition_matching?(subject, name, _value)
-        subject.class.defined_enums.include?(name.to_s)
-      end
+      class << self
+        def for_class?(model_class)
+          version_lower?('5.0.0') && model_class <= ActiveRecord::Base
+        end
 
-      # TODO: this should be private
-      def self.matches_condition?(subject, name, value)
-        # Get the mapping from enum strings to values.
-        enum = subject.class.send(name.to_s.pluralize)
-        # Get the value of the attribute as an integer.
-        attribute = enum[subject.send(name)]
-        # Check to see if the value matches the condition.
-        if value.is_a?(Enumerable)
-          value.include? attribute
-        else
-          attribute == value
+        def override_condition_matching?(subject, name, _value)
+          subject.class.defined_enums.include?(name.to_s)
+        end
+
+        def matches_condition?(subject, name, value)
+          # Get the mapping from enum strings to values.
+          enum = subject.class.send(name.to_s.pluralize)
+          # Get the value of the attribute as an integer.
+          attribute = enum[subject.send(name)]
+          # Check to see if the value matches the condition.
+          if value.is_a?(Enumerable)
+            value.include? attribute
+          else
+            attribute == value
+          end
         end
       end
 
@@ -31,15 +34,13 @@ module CanCan
       # look inside the where clause to decide to outer join tables
       # you're using in the where. Instead, `references()` is required
       # in addition to `includes()` to force the outer join.
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
-        relation
+      def build_joins_relation(relation, *_where_conditions)
+        relation.includes(joins).references(joins)
       end
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
-        if ActiveRecord::VERSION::MINOR >= 2 && conditions.is_a?(Hash)
+        if self.class.version_greater_or_equal?('4.2.0') && conditions.is_a?(Hash)
           sanitize_sql_activerecord4(conditions)
         else
           @model_class.send(:sanitize_sql, conditions)

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class ActiveRecord5Adapter < ActiveRecord4Adapter
       AbstractAdapter.inherited(self)
 
       def self.for_class?(model_class)
-        ActiveRecord::VERSION::MAJOR == 5 && model_class <= ActiveRecord::Base
+        version_greater_or_equal?('5.0.0') && model_class <= ActiveRecord::Base
       end
 
       # rails 5 is capable of using strings in enum
@@ -13,26 +15,25 @@ module CanCan
         return super if Array.wrap(value).all? { |x| x.is_a? Integer }
 
         attribute = subject.send(name)
-        if value.is_a?(Enumerable)
-          value.map(&:to_s).include? attribute
-        else
-          attribute == value.to_s
-        end
+        raw_attribute = subject.class.send(name.to_s.pluralize)[attribute]
+        !(Array(value).map(&:to_s) & [attribute, raw_attribute]).empty?
       end
 
       private
 
-      # As of rails 4, `includes()` no longer causes active record to
-      # look inside the where clause to decide to outer join tables
-      # you're using in the where. Instead, `references()` is required
-      # in addition to `includes()` to force the outer join.
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
-        relation
+      def build_joins_relation(relation, *where_conditions)
+        case CanCan.accessible_by_strategy
+        when :subquery
+          inner = @model_class.unscoped do
+            @model_class.left_joins(joins).where(*where_conditions)
+          end
+          @model_class.where(@model_class.primary_key => inner)
+
+        when :left_join
+          relation.left_joins(joins).distinct
+        end
       end
 
-      # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
         if conditions.is_a?(Hash)
           sanitize_sql_activerecord5(conditions)
@@ -46,23 +47,17 @@ module CanCan
         table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
         predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
 
-        conditions = predicate_builder.resolve_column_aliases(conditions)
-
-        conditions.stringify_keys!
-
-        predicate_builder.build_from_hash(conditions).map do |b|
-          visit_nodes(b)
-        end.join(' AND ')
+        predicate_builder.build_from_hash(conditions.stringify_keys).map { |b| visit_nodes(b) }.join(' AND ')
       end
 
-      def visit_nodes(b)
+      def visit_nodes(node)
         # Rails 5.2 adds a BindParam node that prevents the visitor method from properly compiling the SQL query
-        if ActiveRecord::VERSION::MINOR >= 2
+        if self.class.version_greater_or_equal?('5.2.0')
           connection = @model_class.send(:connection)
           collector = Arel::Collectors::SubstituteBinds.new(connection, Arel::Collectors::SQLString.new)
-          connection.visitor.accept(b, collector).value
+          connection.visitor.accept(node, collector).value
         else
-          @model_class.send(:connection).visitor.compile(b)
+          @model_class.send(:connection).visitor.compile(node)
         end
       end
     end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,10 +1,22 @@
-require_relative 'can_can/model_adapters/active_record_adapter/joins.rb'
-require_relative 'conditions_extractor.rb'
-require 'cancan/rules_compressor'
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    module ActiveRecordAdapter
-      include CanCan::ModelAdapters::ActiveRecordAdapter::Joins
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.version_greater_or_equal?(version)
+        Gem::Version.new(ActiveRecord.version).release >= Gem::Version.new(version)
+      end
+
+      def self.version_lower?(version)
+        Gem::Version.new(ActiveRecord.version).release < Gem::Version.new(version)
+      end
+
+      def initialize(model_class, rules)
+        super
+        @compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        StiNormalizer.normalize(@compressed_rules)
+        ConditionsNormalizer.normalize(model_class, @compressed_rules)
+      end
 
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
@@ -22,13 +34,12 @@ module CanCan
       #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
       #
       def conditions
-        compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
         conditions_extractor = ConditionsExtractor.new(@model_class)
-        if compressed_rules.size == 1 && compressed_rules.first.base_behavior
+        if @compressed_rules.size == 1 && @compressed_rules.first.base_behavior
           # Return the conditions directly if there's just one definition
-          conditions_extractor.tableize_conditions(compressed_rules.first.conditions).dup
+          conditions_extractor.tableize_conditions(@compressed_rules.first.conditions).dup
         else
-          extract_multiple_conditions(conditions_extractor, compressed_rules)
+          extract_multiple_conditions(conditions_extractor, @compressed_rules)
         end
       end
 
@@ -42,27 +53,58 @@ module CanCan
         if override_scope
           @model_class.where(nil).merge(override_scope)
         elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
-          mergeable_conditions? ? build_relation(conditions) : build_relation(*@rules.map(&:conditions))
+          build_relation(conditions)
         else
           @model_class.all(conditions: conditions, joins: joins)
         end
       end
 
+      def build_relation(*where_conditions)
+        relation = @model_class.where(*where_conditions)
+        return relation unless joins.present?
+
+        # subclasses must implement `build_joins_relation`
+        build_joins_relation(relation, *where_conditions)
+      end
+
+      # Returns the associations used in conditions for the :joins option of a search.
+      # See ModelAdditions#accessible_by
+      def joins
+        joins_hash = {}
+        @compressed_rules.reverse_each do |rule|
+          deep_merge(joins_hash, rule.associations_hash)
+        end
+        deep_clean(joins_hash) unless joins_hash.empty?
+      end
+
       private
 
-      def mergeable_conditions?
-        @rules.find(&:unmergeable?).blank?
+      # Removes empty hashes and moves everything into arrays.
+      def deep_clean(joins_hash)
+        joins_hash.map { |name, nested| nested.empty? ? name : { name => deep_clean(nested) } }
+      end
+
+      # Takes two hashes and does a deep merge.
+      def deep_merge(base_hash, added_hash)
+        added_hash.each do |key, value|
+          if base_hash[key].is_a?(Hash)
+            deep_merge(base_hash[key], value) unless value.empty?
+          else
+            base_hash[key] = value
+          end
+        end
       end
 
       def override_scope
-        conditions = @rules.map(&:conditions).compact
+        conditions = @compressed_rules.map(&:conditions).compact
         return unless conditions.any? { |c| c.is_a?(ActiveRecord::Relation) }
         return conditions.first if conditions.size == 1
+
         raise_override_scope_error
       end
 
       def raise_override_scope_error
-        rule_found = @rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
+        rule_found = @compressed_rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
         raise Error,
               'Unable to merge an Active Record scope with other conditions. '\
               "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."