cancancan 2.3.0 → 3.2.2

data/lib/cancan/model_adapters/conditions_extractor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # this class is responsible of converting the hash of conditions
 # in "where conditions" to generate the sql query
 # it consists of a names_cache that helps calculating the next name given to the association
@@ -12,6 +14,7 @@ module CanCan
 
       def tableize_conditions(conditions, model_class = @root_model_class, path_to_key = 0)
         return conditions unless conditions.is_a? Hash
+
         conditions.each_with_object({}) do |(key, value), result_hash|
           if value.is_a? Hash
             result_hash.merge!(calculate_result_hash(key, model_class, path_to_key, result_hash, value))
@@ -26,9 +29,6 @@ module CanCan
 
       def calculate_result_hash(key, model_class, path_to_key, result_hash, value)
         reflection = model_class.reflect_on_association(key)
-        unless reflection
-          raise WrongAssociationName, "association #{key} not defined in model #{model_class.name}"
-        end
         nested_resulted = calculate_nested(model_class, result_hash, key, value.dup, path_to_key)
         association_class = reflection.klass.name.constantize
         tableize_conditions(nested_resulted, association_class, "#{path_to_key}_#{key}")

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -0,0 +1,49 @@
+# this class is responsible of normalizing the hash of conditions
+# by exploding has_many through associations
+# when a condition is defined with an has_many thorugh association this is exploded in all its parts
+# TODO: it could identify STI and normalize it
+module CanCan
+  module ModelAdapters
+    class ConditionsNormalizer
+      class << self
+        def normalize(model_class, rules)
+          rules.each { |rule| rule.conditions = normalize_conditions(model_class, rule.conditions) }
+        end
+
+        def normalize_conditions(model_class, conditions)
+          return conditions unless conditions.is_a? Hash
+
+          conditions.each_with_object({}) do |(key, value), result_hash|
+            if value.is_a? Hash
+              result_hash.merge!(calculate_result_hash(model_class, key, value))
+            else
+              result_hash[key] = value
+            end
+            result_hash
+          end
+        end
+
+        private
+
+        def calculate_result_hash(model_class, key, value)
+          reflection = model_class.reflect_on_association(key)
+          unless reflection
+            raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
+          end
+
+          if normalizable_association? reflection
+            key = reflection.options[:through]
+            value = { reflection.source_reflection_name => value }
+            reflection = model_class.reflect_on_association(key)
+          end
+
+          { key => normalize_conditions(reflection.klass.name.constantize, value) }
+        end
+
+        def normalizable_association?(reflection)
+          reflection.options[:through].present? && !reflection.options[:source_type].present?
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/default_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class DefaultAdapter < AbstractAdapter

data/lib/cancan/model_adapters/sti_normalizer.rb

@@ -0,0 +1,39 @@
+# this class is responsible for detecting sti classes and creating new rules for the
+# relevant subclasses, using the inheritance_column as a merger
+module CanCan
+  module ModelAdapters
+    class StiNormalizer
+      class << self
+        def normalize(rules)
+          rules_cache = []
+          return unless defined?(ActiveRecord::Base)
+
+          rules.delete_if do |rule|
+            subjects = rule.subjects.select do |subject|
+              update_rule(subject, rule, rules_cache)
+            end
+            subjects.length == rule.subjects.length
+          end
+          rules_cache.each { |rule| rules.push(rule) }
+        end
+
+        private
+
+        def update_rule(subject, rule, rules_cache)
+          return false unless subject.respond_to?(:descends_from_active_record?)
+          return false if subject == :all || subject.descends_from_active_record?
+          return false unless subject < ActiveRecord::Base
+
+          rules_cache.push(build_rule_for_subclass(rule, subject))
+          true
+        end
+
+        # create a new rule for the subclasses that links on the inheritance_column
+        def build_rule_for_subclass(rule, subject)
+          CanCan::Rule.new(rule.base_behavior, rule.actions, subject.superclass,
+                           rule.conditions.merge(subject.inheritance_column => subject.name), rule.block)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module adds the accessible_by class method to a model. It is included in the model adapters.
   module ModelAdditions

data/lib/cancan/parameter_validators.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ParameterValidators
+    def valid_attribute_param?(attribute)
+      attribute.nil? || attribute.is_a?(Symbol) || (attribute.is_a?(Array) && attribute.all? { |a| a.is_a?(Symbol) })
+    end
+  end
+end

data/lib/cancan/relevant.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Relevant
+    # Matches both the action, subject, and attribute, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    private
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? do |sub|
+        sub.is_a?(Module) && (subject.is_a?(sub) ||
+            subject.class.to_s == sub.to_s ||
+            (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      end
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,29 +1,53 @@
+# frozen_string_literal: true
+
 require_relative 'conditions_matcher.rb'
+require_relative 'class_matcher.rb'
+require_relative 'relevant.rb'
+
 module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
     include ConditionsMatcher
-    attr_reader :base_behavior, :subjects, :actions, :conditions
-    attr_writer :expanded_actions
+    include Relevant
+    include ParameterValidators
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes, :block
+    attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
     # value. True for "can" and false for "cannot". The next two arguments are the action
     # and subject respectively (such as :read, @project). The third argument is a hash
     # of conditions and the last one is the block passed to the "can" call.
-    def initialize(base_behavior, action, subject, conditions, block)
-      both_block_and_hash_error = 'You are not able to supply a block with a hash of conditions in '\
-                                  "#{action} #{subject} ability. Use either one."
-      raise Error, both_block_and_hash_error if conditions.is_a?(Hash) && block
+    def initialize(base_behavior, action, subject, *extra_args, &block)
+      # for backwards compatibility, attributes are an optional parameter. Check if
+      # attributes were passed or are actually conditions
+      attributes, extra_args = parse_attributes_from_extra_args(extra_args)
+      condition_and_block_check(extra_args, block, action, subject)
       @match_all = action.nil? && subject.nil?
+      raise Error, "Subject is required for #{action}" if action && subject.nil?
+
       @base_behavior = base_behavior
-      @actions = Array(action)
-      @subjects = Array(subject)
-      @conditions = conditions || {}
+      @actions = wrap(action)
+      @subjects = wrap(subject)
+      @attributes = wrap(attributes)
+      @conditions = extra_args || {}
       @block = block
     end
 
+    def inspect
+      repr = "#<#{self.class.name}"
+      repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
+
+      if with_scope?
+        repr += ", #{@conditions.where_values_hash}"
+      elsif [Hash, String].include?(@conditions.class)
+        repr += ", #{@conditions.inspect}"
+      end
+
+      repr + '>'
+    end
+
     def can_rule?
       base_behavior
     end
@@ -33,13 +57,8 @@ module CanCan
     end
 
     def catch_all?
-      [nil, false, [], {}, '', ' '].include? @conditions
-    end
-
-    # Matches both the subject and action, not necessarily the conditions
-    def relevant?(action, subject)
-      subject = subject.values.first if subject.class == Hash
-      @match_all || (matches_action?(action) && matches_subject?(subject))
+      (with_scope? && @conditions.where_values_hash.empty?) ||
+        (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
     def only_block?
@@ -50,9 +69,8 @@ module CanCan
       @block.nil? && !conditions_empty? && !@conditions.is_a?(Hash)
     end
 
-    def unmergeable?
-      @conditions.respond_to?(:keys) && @conditions.present? &&
-        (!@conditions.keys.first.is_a? Symbol)
+    def with_scope?
+      @conditions.is_a?(ActiveRecord::Relation)
     end
 
     def associations_hash(conditions = @conditions)
@@ -75,6 +93,13 @@ module CanCan
       attributes
     end
 
+    def matches_attributes?(attribute)
+      return true if @attributes.empty?
+      return @base_behavior if attribute.nil?
+
+      @attributes.include?(attribute.to_sym)
+    end
+
     private
 
     def matches_action?(action)
@@ -86,10 +111,29 @@ module CanCan
     end
 
     def matches_subject_class?(subject)
-      @subjects.any? do |sub|
-        sub.is_a?(Module) && (subject.is_a?(sub) ||
-          subject.class.to_s == sub.to_s ||
-          (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      SubjectClassMatcher.matches_subject_class?(@subjects, subject)
+    end
+
+    def parse_attributes_from_extra_args(args)
+      attributes = args.shift if valid_attribute_param?(args.first)
+      extra_args = args.shift
+      [attributes, extra_args]
+    end
+
+    def condition_and_block_check(conditions, block, action, subject)
+      return unless conditions.is_a?(Hash) && block
+
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. '\
+        "Check \":#{action} #{subject}\" ability."
+    end
+
+    def wrap(object)
+      if object.nil?
+        []
+      elsif object.respond_to?(:to_ary)
+        object.to_ary || [object]
+      else
+        [object]
       end
     end
   end

data/lib/cancan/rules_compressor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'conditions_matcher.rb'
 module CanCan
   class RulesCompressor
@@ -11,6 +13,7 @@ module CanCan
     def compress(array)
       idx = array.rindex(&:catch_all?)
       return array unless idx
+
       value = array[idx]
       array[idx..-1]
         .drop_while { |n| n.base_behavior == value.base_behavior }

data/lib/cancan/unauthorized_message_resolver.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CanCan
+  module UnauthorizedMessageResolver
+    def unauthorized_message(action, subject)
+      subject = subject.values.last if subject.is_a?(Hash)
+      keys = unauthorized_message_keys(action, subject)
+      variables = {}
+      variables[:action] = I18n.translate("actions.#{action}", default: action.to_s)
+      variables[:subject] = translate_subject(subject)
+      message = I18n.translate(keys.shift, **variables.merge(scope: :unauthorized, default: keys + ['']))
+      message.blank? ? nil : message
+    end
+
+    def translate_subject(subject)
+      klass = (subject.class == Class ? subject : subject.class)
+      if klass.respond_to?(:model_name)
+        klass.model_name.human
+      else
+        klass.to_s.underscore.humanize.downcase
+      end
+    end
+  end
+end

data/lib/cancan/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
-  VERSION = '2.3.0'.freeze
+  VERSION = '3.2.2'.freeze
 end

data/lib/cancancan.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'cancan'
 
 module CanCanCan

data/lib/generators/cancan/ability/ability_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Cancan
   module Generators
     class AbilityGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path('templates', __dir__)
 
       def generate_ability
         copy_file 'ability.rb', 'app/models/ability.rb'

data/lib/generators/cancan/ability/templates/ability.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Ability
   include CanCan::Ability
 

metadata

@@ -1,46 +1,52 @@
 --- !ruby/object:Gem::Specification
 name: cancancan
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 3.2.2
 platform: ruby
 authors:
 - Alessandro Rodi (Renuo AG)
 - Bryan Rite
 - Ryan Bates
 - Richard Wilson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-09-16 00:00:00.000000000 Z
+date: 2021-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.48.1
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.48.1
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -65,42 +71,36 @@ dependencies:
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
 - !ruby/object:Gem::Dependency
-  name: appraisal
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 0.63.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 0.63.1
 description: Simple authorization solution for Rails. All permissions are stored in
   a single location.
 email: alessandro.rodi@renuo.ch
@@ -114,7 +114,10 @@ files:
 - lib/cancan/ability.rb
 - lib/cancan/ability/actions.rb
 - lib/cancan/ability/rules.rb
+- lib/cancan/ability/strong_parameter_support.rb
+- lib/cancan/class_matcher.rb
 - lib/cancan/conditions_matcher.rb
+- lib/cancan/config.rb
 - lib/cancan/controller_additions.rb
 - lib/cancan/controller_resource.rb
 - lib/cancan/controller_resource_builder.rb
@@ -128,12 +131,16 @@ files:
 - lib/cancan/model_adapters/active_record_4_adapter.rb
 - lib/cancan/model_adapters/active_record_5_adapter.rb
 - lib/cancan/model_adapters/active_record_adapter.rb
-- lib/cancan/model_adapters/can_can/model_adapters/active_record_adapter/joins.rb
 - lib/cancan/model_adapters/conditions_extractor.rb
+- lib/cancan/model_adapters/conditions_normalizer.rb
 - lib/cancan/model_adapters/default_adapter.rb
+- lib/cancan/model_adapters/sti_normalizer.rb
 - lib/cancan/model_additions.rb
+- lib/cancan/parameter_validators.rb
+- lib/cancan/relevant.rb
 - lib/cancan/rule.rb
 - lib/cancan/rules_compressor.rb
+- lib/cancan/unauthorized_message_resolver.rb
 - lib/cancan/version.rb
 - lib/cancancan.rb
 - lib/generators/cancan/ability/USAGE
@@ -142,8 +149,9 @@ files:
 homepage: https://github.com/CanCanCommunity/cancancan
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  funding_uri: https://github.com/sponsors/coorasse
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -158,9 +166,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.4
-signing_key: 
+rubygems_version: 3.0.6
+signing_key:
 specification_version: 4
 summary: Simple authorization solution for Rails.
 test_files: []