cancancan 2.3.0 → 3.3.0

data/lib/cancan/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # A general CanCan exception
   class Error < StandardError; end
@@ -8,9 +10,15 @@ module CanCan
   # Raised when removed code is called, an alternative solution is provided in message.
   class ImplementationRemoved < Error; end
 
-  # Raised when using check_authorization without calling authorized!
+  # Raised when using check_authorization without calling authorize!
   class AuthorizationNotPerformed < Error; end
 
+  # Raised when a rule is created with both a block and a hash of conditions
+  class BlockAndConditionsError < Error; end
+
+  # Raised when an unexpected argument is passed as an attribute
+  class AttributeArgumentError < Error; end
+
   # Raised when using a wrong association name
   class WrongAssociationName < Error; end
 
@@ -33,7 +41,7 @@ module CanCan
   #   exception.default_message = "Default error message"
   #   exception.message # => "Default error message"
   #
-  # See ControllerAdditions#authorized! for more information on rescuing from this exception
+  # See ControllerAdditions#authorize! for more information on rescuing from this exception
   # and customizing the message using I18n.
   class AccessDenied < Error
     attr_reader :action, :subject, :conditions
@@ -50,5 +58,13 @@ module CanCan
     def to_s
       @message || @default_message
     end
+
+    def inspect
+      details = %i[action subject conditions message].map do |attribute|
+        value = instance_variable_get "@#{attribute}"
+        "#{attribute}: #{value.inspect}" if value.present?
+      end.compact.join(', ')
+      "#<#{self.class.name} #{details}>"
+    end
   end
 end

data/lib/cancan/matchers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 rspec_module = defined?(RSpec::Core) ? 'RSpec' : 'Spec' # RSpec 1 compatability
 
 if rspec_module == 'RSpec'
@@ -12,6 +14,7 @@ Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
     actions = args.first
     if actions.is_a? Array
       break false if actions.empty?
+
       actions.all? { |action| ability.can?(action, *args[1..-1]) }
     else
       ability.can?(*args)

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class AbstractAdapter
       def self.inherited(subclass)
         @subclasses ||= []
-        @subclasses << subclass
+        @subclasses.insert(0, subclass)
       end
 
       def self.adapter_class(model_class)

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -1,27 +1,30 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    class ActiveRecord4Adapter < AbstractAdapter
-      include ActiveRecordAdapter
-      def self.for_class?(model_class)
-        ActiveRecord::VERSION::MAJOR == 4 && model_class <= ActiveRecord::Base
-      end
+    class ActiveRecord4Adapter < ActiveRecordAdapter
+      AbstractAdapter.inherited(self)
 
-      # TODO: this should be private
-      def self.override_condition_matching?(subject, name, _value)
-        subject.class.defined_enums.include?(name.to_s)
-      end
+      class << self
+        def for_class?(model_class)
+          version_lower?('5.0.0') && model_class <= ActiveRecord::Base
+        end
 
-      # TODO: this should be private
-      def self.matches_condition?(subject, name, value)
-        # Get the mapping from enum strings to values.
-        enum = subject.class.send(name.to_s.pluralize)
-        # Get the value of the attribute as an integer.
-        attribute = enum[subject.send(name)]
-        # Check to see if the value matches the condition.
-        if value.is_a?(Enumerable)
-          value.include? attribute
-        else
-          attribute == value
+        def override_condition_matching?(subject, name, _value)
+          subject.class.defined_enums.include?(name.to_s)
+        end
+
+        def matches_condition?(subject, name, value)
+          # Get the mapping from enum strings to values.
+          enum = subject.class.send(name.to_s.pluralize)
+          # Get the value of the attribute as an integer.
+          attribute = enum[subject.send(name)]
+          # Check to see if the value matches the condition.
+          if value.is_a?(Enumerable)
+            value.include? attribute
+          else
+            attribute == value
+          end
         end
       end
 
@@ -31,15 +34,13 @@ module CanCan
       # look inside the where clause to decide to outer join tables
       # you're using in the where. Instead, `references()` is required
       # in addition to `includes()` to force the outer join.
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
-        relation
+      def build_joins_relation(relation, *_where_conditions)
+        relation.includes(joins).references(joins)
       end
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
-        if ActiveRecord::VERSION::MINOR >= 2 && conditions.is_a?(Hash)
+        if self.class.version_greater_or_equal?('4.2.0') && conditions.is_a?(Hash)
           sanitize_sql_activerecord4(conditions)
         else
           @model_class.send(:sanitize_sql, conditions)

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class ActiveRecord5Adapter < ActiveRecord4Adapter
       AbstractAdapter.inherited(self)
 
       def self.for_class?(model_class)
-        ActiveRecord::VERSION::MAJOR == 5 && model_class <= ActiveRecord::Base
+        version_greater_or_equal?('5.0.0') && model_class <= ActiveRecord::Base
       end
 
       # rails 5 is capable of using strings in enum
@@ -13,26 +15,25 @@ module CanCan
         return super if Array.wrap(value).all? { |x| x.is_a? Integer }
 
         attribute = subject.send(name)
-        if value.is_a?(Enumerable)
-          value.map(&:to_s).include? attribute
-        else
-          attribute == value.to_s
-        end
+        raw_attribute = subject.class.send(name.to_s.pluralize)[attribute]
+        !(Array(value).map(&:to_s) & [attribute, raw_attribute]).empty?
       end
 
       private
 
-      # As of rails 4, `includes()` no longer causes active record to
-      # look inside the where clause to decide to outer join tables
-      # you're using in the where. Instead, `references()` is required
-      # in addition to `includes()` to force the outer join.
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
-        relation
+      def build_joins_relation(relation, *where_conditions)
+        case CanCan.accessible_by_strategy
+        when :subquery
+          inner = @model_class.unscoped do
+            @model_class.left_joins(joins).where(*where_conditions)
+          end
+          @model_class.where(@model_class.primary_key => inner)
+
+        when :left_join
+          relation.left_joins(joins).distinct
+        end
       end
 
-      # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
         if conditions.is_a?(Hash)
           sanitize_sql_activerecord5(conditions)
@@ -46,23 +47,17 @@ module CanCan
         table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
         predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
 
-        conditions = predicate_builder.resolve_column_aliases(conditions)
-
-        conditions.stringify_keys!
-
-        predicate_builder.build_from_hash(conditions).map do |b|
-          visit_nodes(b)
-        end.join(' AND ')
+        predicate_builder.build_from_hash(conditions.stringify_keys).map { |b| visit_nodes(b) }.join(' AND ')
       end
 
-      def visit_nodes(b)
+      def visit_nodes(node)
         # Rails 5.2 adds a BindParam node that prevents the visitor method from properly compiling the SQL query
-        if ActiveRecord::VERSION::MINOR >= 2
+        if self.class.version_greater_or_equal?('5.2.0')
           connection = @model_class.send(:connection)
           collector = Arel::Collectors::SubstituteBinds.new(connection, Arel::Collectors::SQLString.new)
-          connection.visitor.accept(b, collector).value
+          connection.visitor.accept(node, collector).value
         else
-          @model_class.send(:connection).visitor.compile(b)
+          @model_class.send(:connection).visitor.compile(node)
         end
       end
     end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,10 +1,22 @@
-require_relative 'can_can/model_adapters/active_record_adapter/joins.rb'
-require_relative 'conditions_extractor.rb'
-require 'cancan/rules_compressor'
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    module ActiveRecordAdapter
-      include CanCan::ModelAdapters::ActiveRecordAdapter::Joins
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.version_greater_or_equal?(version)
+        Gem::Version.new(ActiveRecord.version).release >= Gem::Version.new(version)
+      end
+
+      def self.version_lower?(version)
+        Gem::Version.new(ActiveRecord.version).release < Gem::Version.new(version)
+      end
+
+      def initialize(model_class, rules)
+        super
+        @compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        StiNormalizer.normalize(@compressed_rules)
+        ConditionsNormalizer.normalize(model_class, @compressed_rules)
+      end
 
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
@@ -22,13 +34,12 @@ module CanCan
       #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
       #
       def conditions
-        compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
         conditions_extractor = ConditionsExtractor.new(@model_class)
-        if compressed_rules.size == 1 && compressed_rules.first.base_behavior
+        if @compressed_rules.size == 1 && @compressed_rules.first.base_behavior
           # Return the conditions directly if there's just one definition
-          conditions_extractor.tableize_conditions(compressed_rules.first.conditions).dup
+          conditions_extractor.tableize_conditions(@compressed_rules.first.conditions).dup
         else
-          extract_multiple_conditions(conditions_extractor, compressed_rules)
+          extract_multiple_conditions(conditions_extractor, @compressed_rules)
         end
       end
 
@@ -42,27 +53,58 @@ module CanCan
         if override_scope
           @model_class.where(nil).merge(override_scope)
         elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
-          mergeable_conditions? ? build_relation(conditions) : build_relation(*@rules.map(&:conditions))
+          build_relation(conditions)
         else
           @model_class.all(conditions: conditions, joins: joins)
         end
       end
 
+      def build_relation(*where_conditions)
+        relation = @model_class.where(*where_conditions)
+        return relation unless joins.present?
+
+        # subclasses must implement `build_joins_relation`
+        build_joins_relation(relation, *where_conditions)
+      end
+
+      # Returns the associations used in conditions for the :joins option of a search.
+      # See ModelAdditions#accessible_by
+      def joins
+        joins_hash = {}
+        @compressed_rules.reverse_each do |rule|
+          deep_merge(joins_hash, rule.associations_hash)
+        end
+        deep_clean(joins_hash) unless joins_hash.empty?
+      end
+
       private
 
-      def mergeable_conditions?
-        @rules.find(&:unmergeable?).blank?
+      # Removes empty hashes and moves everything into arrays.
+      def deep_clean(joins_hash)
+        joins_hash.map { |name, nested| nested.empty? ? name : { name => deep_clean(nested) } }
+      end
+
+      # Takes two hashes and does a deep merge.
+      def deep_merge(base_hash, added_hash)
+        added_hash.each do |key, value|
+          if base_hash[key].is_a?(Hash)
+            deep_merge(base_hash[key], value) unless value.empty?
+          else
+            base_hash[key] = value
+          end
+        end
       end
 
       def override_scope
-        conditions = @rules.map(&:conditions).compact
+        conditions = @compressed_rules.map(&:conditions).compact
         return unless conditions.any? { |c| c.is_a?(ActiveRecord::Relation) }
         return conditions.first if conditions.size == 1
+
         raise_override_scope_error
       end
 
       def raise_override_scope_error
-        rule_found = @rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
+        rule_found = @compressed_rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
         raise Error,
               'Unable to merge an Active Record scope with other conditions. '\
               "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."

data/lib/cancan/model_adapters/conditions_extractor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # this class is responsible of converting the hash of conditions
 # in "where conditions" to generate the sql query
 # it consists of a names_cache that helps calculating the next name given to the association
@@ -12,6 +14,7 @@ module CanCan
 
       def tableize_conditions(conditions, model_class = @root_model_class, path_to_key = 0)
         return conditions unless conditions.is_a? Hash
+
         conditions.each_with_object({}) do |(key, value), result_hash|
           if value.is_a? Hash
             result_hash.merge!(calculate_result_hash(key, model_class, path_to_key, result_hash, value))
@@ -26,9 +29,6 @@ module CanCan
 
       def calculate_result_hash(key, model_class, path_to_key, result_hash, value)
         reflection = model_class.reflect_on_association(key)
-        unless reflection
-          raise WrongAssociationName, "association #{key} not defined in model #{model_class.name}"
-        end
         nested_resulted = calculate_nested(model_class, result_hash, key, value.dup, path_to_key)
         association_class = reflection.klass.name.constantize
         tableize_conditions(nested_resulted, association_class, "#{path_to_key}_#{key}")

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -0,0 +1,49 @@
+# this class is responsible of normalizing the hash of conditions
+# by exploding has_many through associations
+# when a condition is defined with an has_many thorugh association this is exploded in all its parts
+# TODO: it could identify STI and normalize it
+module CanCan
+  module ModelAdapters
+    class ConditionsNormalizer
+      class << self
+        def normalize(model_class, rules)
+          rules.each { |rule| rule.conditions = normalize_conditions(model_class, rule.conditions) }
+        end
+
+        def normalize_conditions(model_class, conditions)
+          return conditions unless conditions.is_a? Hash
+
+          conditions.each_with_object({}) do |(key, value), result_hash|
+            if value.is_a? Hash
+              result_hash.merge!(calculate_result_hash(model_class, key, value))
+            else
+              result_hash[key] = value
+            end
+            result_hash
+          end
+        end
+
+        private
+
+        def calculate_result_hash(model_class, key, value)
+          reflection = model_class.reflect_on_association(key)
+          unless reflection
+            raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
+          end
+
+          if normalizable_association? reflection
+            key = reflection.options[:through]
+            value = { reflection.source_reflection_name => value }
+            reflection = model_class.reflect_on_association(key)
+          end
+
+          { key => normalize_conditions(reflection.klass.name.constantize, value) }
+        end
+
+        def normalizable_association?(reflection)
+          reflection.options[:through].present? && !reflection.options[:source_type].present?
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/default_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class DefaultAdapter < AbstractAdapter

data/lib/cancan/model_adapters/sti_normalizer.rb

@@ -0,0 +1,39 @@
+# this class is responsible for detecting sti classes and creating new rules for the
+# relevant subclasses, using the inheritance_column as a merger
+module CanCan
+  module ModelAdapters
+    class StiNormalizer
+      class << self
+        def normalize(rules)
+          rules_cache = []
+          return unless defined?(ActiveRecord::Base)
+
+          rules.delete_if do |rule|
+            subjects = rule.subjects.select do |subject|
+              update_rule(subject, rule, rules_cache)
+            end
+            subjects.length == rule.subjects.length
+          end
+          rules_cache.each { |rule| rules.push(rule) }
+        end
+
+        private
+
+        def update_rule(subject, rule, rules_cache)
+          return false unless subject.respond_to?(:descends_from_active_record?)
+          return false if subject == :all || subject.descends_from_active_record?
+          return false unless subject < ActiveRecord::Base
+
+          rules_cache.push(build_rule_for_subclass(rule, subject))
+          true
+        end
+
+        # create a new rule for the subclasses that links on the inheritance_column
+        def build_rule_for_subclass(rule, subject)
+          CanCan::Rule.new(rule.base_behavior, rule.actions, subject.superclass,
+                           rule.conditions.merge(subject.inheritance_column => subject.name), rule.block)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module adds the accessible_by class method to a model. It is included in the model adapters.
   module ModelAdditions
@@ -18,8 +20,10 @@ module CanCan
       #   @articles = Article.accessible_by(current_ability, :update)
       #
       # Here only the articles which the user can update are returned.
-      def accessible_by(ability, action = :index)
-        ability.model_adapter(self, action).database_records
+      def accessible_by(ability, action = :index, strategy: CanCan.accessible_by_strategy)
+        CanCan.with_accessible_by_strategy(strategy) do
+          ability.model_adapter(self, action).database_records
+        end
       end
     end
 

data/lib/cancan/parameter_validators.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ParameterValidators
+    def valid_attribute_param?(attribute)
+      attribute.nil? || attribute.is_a?(Symbol) || (attribute.is_a?(Array) && attribute.all? { |a| a.is_a?(Symbol) })
+    end
+  end
+end

data/lib/cancan/relevant.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Relevant
+    # Matches both the action, subject, and attribute, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    private
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? do |sub|
+        sub.is_a?(Module) && (subject.is_a?(sub) ||
+            subject.class.to_s == sub.to_s ||
+            (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      end
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,29 +1,53 @@
+# frozen_string_literal: true
+
 require_relative 'conditions_matcher.rb'
+require_relative 'class_matcher.rb'
+require_relative 'relevant.rb'
+
 module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
     include ConditionsMatcher
-    attr_reader :base_behavior, :subjects, :actions, :conditions
-    attr_writer :expanded_actions
+    include Relevant
+    include ParameterValidators
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes, :block
+    attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
     # value. True for "can" and false for "cannot". The next two arguments are the action
     # and subject respectively (such as :read, @project). The third argument is a hash
     # of conditions and the last one is the block passed to the "can" call.
-    def initialize(base_behavior, action, subject, conditions, block)
-      both_block_and_hash_error = 'You are not able to supply a block with a hash of conditions in '\
-                                  "#{action} #{subject} ability. Use either one."
-      raise Error, both_block_and_hash_error if conditions.is_a?(Hash) && block
+    def initialize(base_behavior, action, subject, *extra_args, &block)
+      # for backwards compatibility, attributes are an optional parameter. Check if
+      # attributes were passed or are actually conditions
+      attributes, extra_args = parse_attributes_from_extra_args(extra_args)
+      condition_and_block_check(extra_args, block, action, subject)
       @match_all = action.nil? && subject.nil?
+      raise Error, "Subject is required for #{action}" if action && subject.nil?
+
       @base_behavior = base_behavior
-      @actions = Array(action)
-      @subjects = Array(subject)
-      @conditions = conditions || {}
+      @actions = wrap(action)
+      @subjects = wrap(subject)
+      @attributes = wrap(attributes)
+      @conditions = extra_args || {}
       @block = block
     end
 
+    def inspect
+      repr = "#<#{self.class.name}"
+      repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
+
+      if with_scope?
+        repr += ", #{@conditions.where_values_hash}"
+      elsif [Hash, String].include?(@conditions.class)
+        repr += ", #{@conditions.inspect}"
+      end
+
+      repr + '>'
+    end
+
     def can_rule?
       base_behavior
     end
@@ -33,13 +57,8 @@ module CanCan
     end
 
     def catch_all?
-      [nil, false, [], {}, '', ' '].include? @conditions
-    end
-
-    # Matches both the subject and action, not necessarily the conditions
-    def relevant?(action, subject)
-      subject = subject.values.first if subject.class == Hash
-      @match_all || (matches_action?(action) && matches_subject?(subject))
+      (with_scope? && @conditions.where_values_hash.empty?) ||
+        (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
     def only_block?
@@ -50,9 +69,8 @@ module CanCan
       @block.nil? && !conditions_empty? && !@conditions.is_a?(Hash)
     end
 
-    def unmergeable?
-      @conditions.respond_to?(:keys) && @conditions.present? &&
-        (!@conditions.keys.first.is_a? Symbol)
+    def with_scope?
+      @conditions.is_a?(ActiveRecord::Relation)
     end
 
     def associations_hash(conditions = @conditions)
@@ -75,6 +93,13 @@ module CanCan
       attributes
     end
 
+    def matches_attributes?(attribute)
+      return true if @attributes.empty?
+      return @base_behavior if attribute.nil?
+
+      @attributes.include?(attribute.to_sym)
+    end
+
     private
 
     def matches_action?(action)
@@ -86,10 +111,29 @@ module CanCan
     end
 
     def matches_subject_class?(subject)
-      @subjects.any? do |sub|
-        sub.is_a?(Module) && (subject.is_a?(sub) ||
-          subject.class.to_s == sub.to_s ||
-          (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      SubjectClassMatcher.matches_subject_class?(@subjects, subject)
+    end
+
+    def parse_attributes_from_extra_args(args)
+      attributes = args.shift if valid_attribute_param?(args.first)
+      extra_args = args.shift
+      [attributes, extra_args]
+    end
+
+    def condition_and_block_check(conditions, block, action, subject)
+      return unless conditions.is_a?(Hash) && block
+
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. '\
+        "Check \":#{action} #{subject}\" ability."
+    end
+
+    def wrap(object)
+      if object.nil?
+        []
+      elsif object.respond_to?(:to_ary)
+        object.to_ary || [object]
+      else
+        [object]
       end
     end
   end

data/lib/cancan/rules_compressor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'conditions_matcher.rb'
 module CanCan
   class RulesCompressor
@@ -11,6 +13,7 @@ module CanCan
     def compress(array)
       idx = array.rindex(&:catch_all?)
       return array unless idx
+
       value = array[idx]
       array[idx..-1]
         .drop_while { |n| n.base_behavior == value.base_behavior }