cancancan 2.3.0 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f63f1d6ab266068caab6e7baf2b628ae72a7e03a134116eda91473861b9df359
-  data.tar.gz: fbf6337f058ece9a2f01c990a55398489e0ea56888f0a5ce3b9f8d5e203c31ae
+  metadata.gz: c4498ac94e1994faa4da80dc957d8c9564433d991048774f9ac2f051e60de580
+  data.tar.gz: 74209123c4c49adcd1d2d81df1de61c5f8cc2f243fdcdb4d01d3e41731e4c266
 SHA512:
-  metadata.gz: 24fcc98ce0592b263add65cf0bc75a7020d75777fea7c6902216f97bbc9c13a36b4d379194a142cd8a5e5a24dc1ae82c82a61d6d99143c30a9afe11133048528
-  data.tar.gz: 8873b440698a941314f67a748db86c2abe33e89417ae54d9f35769c29f904edc9eff5736d0bf55d53badc494b9bca9e0ac1761c1920067238628d23dc8e0c643
+  metadata.gz: eb7774650d12a7073d09bb713f7eedfd7d376689f6d6bb842620b325a814720172f4fec900705bcc0dd3bd90818a88d2ab7e3904ea3a5d004533e13b4bed1c4c
+  data.tar.gz: a7a6fff07fbd7d52816dd960d00ae0baea7d50c5ed41d0abf32ac3a0c2b6bc3c557a4309944717b57aad785ad7dc394870c079b6a820b62798a373a9d9f8c2b0

data/cancancan.gemspec

@@ -1,6 +1,6 @@
-# coding: utf-8
+# frozen_string_literal: true
 
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'cancan/version'
 
@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
   s.authors     = ['Alessandro Rodi (Renuo AG)', 'Bryan Rite', 'Ryan Bates', 'Richard Wilson']
   s.email       = 'alessandro.rodi@renuo.ch'
   s.homepage    = 'https://github.com/CanCanCommunity/cancancan'
+  s.metadata = { 'funding_uri' => 'https://github.com/sponsors/coorasse' }
   s.summary     = 'Simple authorization solution for Rails.'
   s.description = 'Simple authorization solution for Rails. All permissions are stored in a single location.'
   s.platform    = Gem::Platform::RUBY
@@ -20,9 +21,9 @@ Gem::Specification.new do |s|
 
   s.required_ruby_version = '>= 2.2.0'
 
-  s.add_development_dependency 'bundler', '~> 1.3'
-  s.add_development_dependency 'rubocop', '~> 0.48.1'
+  s.add_development_dependency 'appraisal', '~> 2.0', '>= 2.0.0'
+  s.add_development_dependency 'bundler', '~> 2.0'
   s.add_development_dependency 'rake', '~> 10.1', '>= 10.1.1'
   s.add_development_dependency 'rspec', '~> 3.2', '>= 3.2.0'
-  s.add_development_dependency 'appraisal', '~> 2.0', '>= 2.0.0'
+  s.add_development_dependency 'rubocop', '~> 0.63.1'
 end

data/init.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'cancan'

data/lib/cancan/ability/actions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module Ability
     module Actions

data/lib/cancan/ability/rules.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module Ability
     module Rules
@@ -17,12 +19,13 @@ module CanCan
       end
 
       def add_rule_to_index(rule, position)
-        @rules_index ||= Hash.new { |h, k| h[k] = [] }
+        @rules_index ||= {}
 
         subjects = rule.subjects.compact
         subjects << :all if subjects.empty?
 
         subjects.each do |subject|
+          @rules_index[subject] ||= []
           @rules_index[subject] << position
         end
       end
@@ -31,6 +34,7 @@ module CanCan
       # This does not take into consideration any hash conditions or block statements
       def relevant_rules(action, subject)
         return [] unless @rules
+
         relevant = possible_relevant_rules(subject).select do |rule|
           rule.expanded_actions = expand_actions(rule.actions)
           rule.relevant? action, subject
@@ -45,7 +49,9 @@ module CanCan
           rules
         else
           positions = @rules_index.values_at(subject, *alternative_subjects(subject))
-          positions.flatten!.sort!
+          positions.compact!
+          positions.flatten!
+          positions.sort!
           positions.map { |i| @rules[i] }
         end
       end
@@ -53,19 +59,23 @@ module CanCan
       def relevant_rules_for_match(action, subject)
         relevant_rules(action, subject).each do |rule|
           next unless rule.only_raw_sql?
+
           raise Error,
                 "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
-              " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+                " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
         end
       end
 
       def relevant_rules_for_query(action, subject)
-        relevant_rules(action, subject).each do |rule|
-          if rule.only_block?
-            raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
-                       " The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
-          end
+        rules = relevant_rules(action, subject).reject do |rule|
+          # reject 'cannot' rules with attributes when doing queries
+          rule.base_behavior == false && rule.attributes.present?
+        end
+        if rules.any?(&:only_block?)
+          raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
+            "The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
         end
+        rules
       end
 
       # Optimizes the order of the rules, so that rules with the :all subject are evaluated first.
@@ -75,6 +85,7 @@ module CanCan
           (first_can_in_group = -1) && next unless rule.base_behavior
           (first_can_in_group = i) && next if first_can_in_group == -1
           next unless rule.subjects == [:all]
+
           rules[i] = rules[first_can_in_group]
           rules[first_can_in_group] = rule
           first_can_in_group += 1

data/lib/cancan/ability/strong_parameter_support.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Ability
+    module StrongParameterSupport
+      # Returns an array of attributes suitable for use with strong parameters
+      #
+      # Note: reversing the relevant rules is important. Normal order means that 'cannot'
+      # rules will come before 'can' rules. However, you can't remove attributes before
+      # they are added. The 'reverse' is so that attributes will be added before the
+      # 'cannot' rules remove them.
+      def permitted_attributes(action, subject)
+        relevant_rules(action, subject)
+          .reverse
+          .select { |rule| rule.matches_conditions? action, subject }
+          .each_with_object(Set.new) do |rule, set|
+          attributes = get_attributes(rule, subject)
+          # add attributes for 'can', remove them for 'cannot'
+          rule.base_behavior ? set.merge(attributes) : set.subtract(attributes)
+        end.to_a
+      end
+
+      private
+
+      def subject_class?(subject)
+        klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
+        [Class, Module].include? klass
+      end
+
+      def get_attributes(rule, subject)
+        klass = subject_class?(subject) ? subject : subject.class
+        # empty attributes is an 'all'
+        if rule.attributes.empty? && klass < ActiveRecord::Base
+          klass.column_names.map(&:to_sym) - Array(klass.primary_key)
+        else
+          rule.attributes
+        end
+      end
+    end
+  end
+end

data/lib/cancan/ability.rb

@@ -1,5 +1,10 @@
+# frozen_string_literal: true
+
 require_relative 'ability/rules.rb'
 require_relative 'ability/actions.rb'
+require_relative 'unauthorized_message_resolver.rb'
+require_relative 'ability/strong_parameter_support'
+
 module CanCan
   # This module is designed to be included into an Ability class. This will
   # provide the "can" methods for defining and checking abilities.
@@ -19,6 +24,8 @@ module CanCan
   module Ability
     include CanCan::Ability::Rules
     include CanCan::Ability::Actions
+    include CanCan::UnauthorizedMessageResolver
+    include StrongParameterSupport
 
     # Check if the user has permission to perform a given action on an object.
     #
@@ -64,10 +71,10 @@ module CanCan
     #   end
     #
     # Also see the RSpec Matchers to aid in testing.
-    def can?(action, subject, *extra_args)
+    def can?(action, subject, attribute = nil, *extra_args)
       match = extract_subjects(subject).lazy.map do |a_subject|
         relevant_rules_for_match(action, a_subject).detect do |rule|
-          rule.matches_conditions?(action, a_subject, extra_args)
+          rule.matches_conditions?(action, a_subject, attribute, *extra_args) && rule.matches_attributes?(attribute)
         end
       end.reject(&:nil?).first
       match ? match.base_behavior : false
@@ -134,8 +141,8 @@ module CanCan
     #     # check the database and return true/false
     #   end
     #
-    def can(action = nil, subject = nil, conditions = nil, &block)
-      add_rule(Rule.new(true, action, subject, conditions, block))
+    def can(action = nil, subject = nil, *attributes_and_conditions, &block)
+      add_rule(Rule.new(true, action, subject, *attributes_and_conditions, &block))
     end
 
     # Defines an ability which cannot be done. Accepts the same arguments as "can".
@@ -150,8 +157,8 @@ module CanCan
     #     product.invisible?
     #   end
     #
-    def cannot(action = nil, subject = nil, conditions = nil, &block)
-      add_rule(Rule.new(false, action, subject, conditions, block))
+    def cannot(action = nil, subject = nil, *attributes_and_conditions, &block)
+      add_rule(Rule.new(false, action, subject, *attributes_and_conditions, &block))
     end
 
     # User shouldn't specify targets with names of real actions or it will cause Seg fault
@@ -167,10 +174,7 @@ module CanCan
 
     # See ControllerAdditions#authorize! for documentation.
     def authorize!(action, subject, *args)
-      message = nil
-      if args.last.is_a?(Hash) && args.last.key?(:message)
-        message = args.pop[:message]
-      end
+      message = args.last.is_a?(Hash) && args.last.key?(:message) ? args.pop[:message] : nil
       if cannot?(action, subject, *args)
         message ||= unauthorized_message(action, subject)
         raise AccessDenied.new(message, action, subject, args)
@@ -178,14 +182,6 @@ module CanCan
       subject
     end
 
-    def unauthorized_message(action, subject)
-      keys = unauthorized_message_keys(action, subject)
-      variables = { action: action.to_s }
-      variables[:subject] = (subject.class == Class ? subject : subject.class).to_s.underscore.humanize.downcase
-      message = I18n.translate(keys.shift, variables.merge(scope: :unauthorized, default: keys + ['']))
-      message.blank? ? nil : message
-    end
-
     def attributes_for(action, subject)
       attributes = {}
       relevant_rules(action, subject).map do |rule|
@@ -202,12 +198,13 @@ module CanCan
       relevant_rules(action, subject).any?(&:only_raw_sql?)
     end
 
-    # Copies all rules of the given +CanCan::Ability+ and adds them to +self+.
+    # Copies all rules and aliased actions of the given +CanCan::Ability+ and adds them to +self+.
     #   class ReadAbility
     #     include CanCan::Ability
     #
     #     def initialize
     #       can :read, User
+    #       alias_action :show, :index, to: :see
     #     end
     #   end
     #
@@ -216,6 +213,7 @@ module CanCan
     #
     #     def initialize
     #       can :edit, User
+    #       alias_action :create, :update, to: :modify
     #     end
     #   end
     #
@@ -223,11 +221,35 @@ module CanCan
     #   read_ability.can? :edit, User.new #=> false
     #   read_ability.merge(WritingAbility.new)
     #   read_ability.can? :edit, User.new #=> true
+    #   read_ability.aliased_actions #=> [:see => [:show, :index], :modify => [:create, :update]]
+    #
+    # If there are collisions when merging the +aliased_actions+, the actions on +self+ will be
+    # overwritten.
     #
+    # class ReadAbility
+    #   include CanCan::Ability
+    #
+    #   def initialize
+    #     alias_action :show, :index, to: :see
+    #   end
+    # end
+    #
+    # class ShowAbility
+    #   include CanCan::Ability
+    #
+    #   def initialize
+    #     alias_action :show, to: :see
+    #   end
+    # end
+    #
+    # read_ability = ReadAbility.new
+    # read_ability.merge(ShowAbility)
+    # read_ability.aliased_actions #=> [:see => [:show]]
     def merge(ability)
       ability.rules.each do |rule|
         add_rule(rule.dup)
       end
+      @aliased_actions = aliased_actions.merge(ability.aliased_actions)
       self
     end
 
@@ -239,10 +261,13 @@ module CanCan
     #
     # Where can_hash and cannot_hash are formatted thusly:
     #   {
-    #     action: array_of_objects
+    #     action: { subject: [attributes] }
     #   }
     def permissions
-      permissions_list = { can: {}, cannot: {} }
+      permissions_list = {
+        can: Hash.new { |actions, k1| actions[k1] = Hash.new { |subjects, k2| subjects[k2] = [] } },
+        cannot: Hash.new { |actions, k1| actions[k1] = Hash.new { |subjects, k2| subjects[k2] = [] } }
+      }
       rules.each { |rule| extract_rule_in_permissions(permissions_list, rule) }
       permissions_list
     end
@@ -250,8 +275,9 @@ module CanCan
     def extract_rule_in_permissions(permissions_list, rule)
       expand_actions(rule.actions).each do |action|
         container = rule.base_behavior ? :can : :cannot
-        permissions_list[container][action] ||= []
-        permissions_list[container][action] += rule.subjects.map(&:to_s)
+        rule.subjects.each do |subject|
+          permissions_list[container][action][subject.to_s] += rule.attributes
+        end
       end
     end
 
@@ -276,7 +302,11 @@ module CanCan
 
     def alternative_subjects(subject)
       subject = subject.class unless subject.is_a?(Module)
-      [:all, *subject.ancestors, subject.class.to_s]
+      if subject.respond_to?(:subclasses) && defined?(ActiveRecord::Base) && subject < ActiveRecord::Base
+        [:all, *(subject.ancestors + subject.subclasses), subject.class.to_s]
+      else
+        [:all, *subject.ancestors, subject.class.to_s]
+      end
     end
   end
 end

data/lib/cancan/class_matcher.rb

@@ -0,0 +1,26 @@
+# This class is responsible for matching classes and their subclasses as well as
+# upmatching classes to their ancestors.
+# This is used to generate sti connections
+class SubjectClassMatcher
+  def self.matches_subject_class?(subjects, subject)
+    subjects.any? do |sub|
+      has_subclasses = subject.respond_to?(:subclasses)
+      matching_class_check(subject, sub, has_subclasses)
+    end
+  end
+
+  def self.matching_class_check(subject, sub, has_subclasses)
+    matches = matches_class_or_is_related(subject, sub)
+    if has_subclasses
+      matches || subject.subclasses.include?(sub)
+    else
+      matches
+    end
+  end
+
+  def self.matches_class_or_is_related(subject, sub)
+    sub.is_a?(Module) && (subject.is_a?(sub) ||
+        subject.class.to_s == sub.to_s ||
+        (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+  end
+end

data/lib/cancan/conditions_matcher.rb

@@ -1,26 +1,35 @@
+# frozen_string_literal: true
+
 module CanCan
   module ConditionsMatcher
     # Matches the block or conditions hash
-    def matches_conditions?(action, subject, extra_args)
+    def matches_conditions?(action, subject, attribute = nil, *extra_args)
       return call_block_with_all(action, subject, extra_args) if @match_all
-      return @block.call(subject, *extra_args) if @block && !subject_class?(subject)
-      matches_non_block_conditions(subject)
+      return matches_block_conditions(subject, attribute, *extra_args) if @block
+      return matches_non_block_conditions(subject) unless conditions_empty?
+
+      true
     end
 
     private
 
     def subject_class?(subject)
       klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
-      klass == Class || klass == Module
+      [Class, Module].include? klass
+    end
+
+    def matches_block_conditions(subject, *extra_args)
+      return @base_behavior if subject_class?(subject)
+
+      @block.call(subject, *extra_args.compact)
     end
 
     def matches_non_block_conditions(subject)
-      if @conditions.is_a?(Hash)
-        return nested_subject_matches_conditions?(subject) if subject.class == Hash
-        return matches_conditions_hash?(subject) unless subject_class?(subject)
-      end
+      return nested_subject_matches_conditions?(subject) if subject.class == Hash
+      return matches_conditions_hash?(subject) unless subject_class?(subject)
+
       # Don't stop at "cannot" definitions when there are conditions.
-      conditions_empty? ? true : @base_behavior
+      @base_behavior
     end
 
     def nested_subject_matches_conditions?(subject_hash)
@@ -34,6 +43,7 @@ module CanCan
     # matches_conditions_hash?(subject, conditions)
     def matches_conditions_hash?(subject, conditions = @conditions)
       return true if conditions.empty?
+
       adapter = model_adapter(subject)
 
       if adapter.override_conditions_hash_matching?(subject, conditions)
@@ -68,13 +78,13 @@ module CanCan
 
     def hash_condition_match?(attribute, value)
       if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
-        attribute.any? { |element| matches_conditions_hash?(element, value) }
+        attribute.to_a.any? { |element| matches_conditions_hash?(element, value) }
       else
         attribute && matches_conditions_hash?(attribute, value)
       end
     end
 
-    def call_block_with_all(action, subject, extra_args)
+    def call_block_with_all(action, subject, *extra_args)
       if subject.class == Class
         @block.call(action, subject, nil, *extra_args)
       else
@@ -87,7 +97,10 @@ module CanCan
     end
 
     def conditions_empty?
-      @conditions == {} || @conditions.nil?
+      # @conditions might be an ActiveRecord::Associations::CollectionProxy
+      # which it's `==` implementation will fetch all records for comparison
+
+      (@conditions.is_a?(Hash) && @conditions == {}) || @conditions.nil?
     end
   end
 end

data/lib/cancan/config.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module CanCan
+  def self.valid_accessible_by_strategies
+    strategies = [:left_join]
+    strategies << :subquery unless does_not_support_subquery_strategy?
+    strategies
+  end
+
+  # Determines how CanCan should build queries when calling accessible_by,
+  # if the query will contain a join. The default strategy is `:subquery`.
+  #
+  #   # config/initializers/cancan.rb
+  #   CanCan.accessible_by_strategy = :subquery
+  #
+  # Valid strategies are:
+  # - :subquery - Creates a nested query with all joins, wrapped by a
+  #               WHERE IN query.
+  # - :left_join - Calls the joins directly using `left_joins`, and
+  #                ensures records are unique using `distinct`. Note that
+  #                `distinct` is not reliable in some cases. See
+  #                https://github.com/CanCanCommunity/cancancan/pull/605
+  def self.accessible_by_strategy
+    return @accessible_by_strategy if @accessible_by_strategy
+
+    @accessible_by_strategy = default_accessible_by_strategy
+  end
+
+  def self.default_accessible_by_strategy
+    if does_not_support_subquery_strategy?
+      # see https://github.com/CanCanCommunity/cancancan/pull/655 for where this was added
+      # the `subquery` strategy (from https://github.com/CanCanCommunity/cancancan/pull/619
+      # only works in Rails 5 and higher
+      :left_join
+    else
+      :subquery
+    end
+  end
+
+  def self.accessible_by_strategy=(value)
+    validate_accessible_by_strategy!(value)
+
+    if value == :subquery && does_not_support_subquery_strategy?
+      raise ArgumentError, 'accessible_by_strategy = :subquery requires ActiveRecord 5 or newer'
+    end
+
+    @accessible_by_strategy = value
+  end
+
+  def self.with_accessible_by_strategy(value)
+    return yield if value == accessible_by_strategy
+
+    validate_accessible_by_strategy!(value)
+
+    begin
+      strategy_was = accessible_by_strategy
+      @accessible_by_strategy = value
+      yield
+    ensure
+      @accessible_by_strategy = strategy_was
+    end
+  end
+
+  def self.validate_accessible_by_strategy!(value)
+    return if valid_accessible_by_strategies.include?(value)
+
+    raise ArgumentError, "accessible_by_strategy must be one of #{valid_accessible_by_strategies.join(', ')}"
+  end
+
+  def self.does_not_support_subquery_strategy?
+    !defined?(CanCan::ModelAdapters::ActiveRecordAdapter) ||
+      CanCan::ModelAdapters::ActiveRecordAdapter.version_lower?('5.0.0')
+  end
+end

data/lib/cancan/controller_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module is automatically included into all controllers.
   # It also makes the "can?" and "cannot?" methods available to all views.
@@ -225,7 +227,7 @@ module CanCan
         cancan_skipper[:authorize][name] = options
       end
 
-      # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
+      # Add this to a controller to ensure it performs authorization through +authorize+! or +authorize_resource+ call.
       # If neither of these authorization methods are called,
       # a CanCan::AuthorizationNotPerformed exception will be raised.
       # This is normally added to the ApplicationController to ensure all controller actions do authorization.
@@ -260,6 +262,7 @@ module CanCan
           next if controller.instance_variable_defined?(:@_authorized)
           next if options[:if] && !controller.send(options[:if])
           next if options[:unless] && controller.send(options[:unless])
+
           raise AuthorizationNotPerformed,
                 'This action failed the check_authorization because it does not authorize_resource. '\
                 'Add skip_authorization_check to bypass this check.'

data/lib/cancan/controller_resource.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'controller_resource_loader.rb'
 module CanCan
   # Handle the load and authorization controller logic
@@ -34,6 +36,7 @@ module CanCan
 
     def authorize_resource
       return if skip?(:authorize)
+
       @controller.authorize!(authorization_action, resource_instance || resource_class_with_parent)
     end
 
@@ -43,6 +46,7 @@ module CanCan
 
     def skip?(behavior)
       return false unless (options = @controller.class.cancan_skipper[behavior][@name])
+
       options == {} ||
         options[:except] && !action_exists_in?(options[:except]) ||
         action_exists_in?(options[:only])
@@ -90,6 +94,7 @@ module CanCan
 
     def resource_instance
       return unless load_instance? && @controller.instance_variable_defined?("@#{instance_name}")
+
       @controller.instance_variable_get("@#{instance_name}")
     end
 
@@ -99,6 +104,7 @@ module CanCan
 
     def collection_instance
       return unless @controller.instance_variable_defined?("@#{instance_name.to_s.pluralize}")
+
       @controller.instance_variable_get("@#{instance_name.to_s.pluralize}")
     end
 

data/lib/cancan/controller_resource_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceBuilder
     protected

data/lib/cancan/controller_resource_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceFinder
     protected

data/lib/cancan/controller_resource_loader.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'controller_resource_finder.rb'
 require_relative 'controller_resource_name_finder.rb'
 require_relative 'controller_resource_builder.rb'
@@ -11,6 +13,7 @@ module CanCan
 
     def load_resource
       return if skip?(:load)
+
       if load_instance?
         self.resource_instance ||= load_resource_instance
       elsif load_collection?
@@ -26,6 +29,7 @@ module CanCan
 
     def resource_params_by_key(key)
       return unless @options[key] && @params.key?(extract_key(@options[key]))
+
       @params[extract_key(@options[key])]
     end
 

data/lib/cancan/controller_resource_name_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceNameFinder
     protected

data/lib/cancan/controller_resource_sanitizer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceSanitizer
     protected