cancancan 3.0.0 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77676f7b21c8e3000fc960cf841b10bc2e41b46d0131928683411b1aa44f8d3a
-  data.tar.gz: b14fb24388906a0e6309fbc3f5f729aa222f9b9bac4bc8fc7388c62d642047f8
+  metadata.gz: d109d94a089119e1183b6ed77e78316e212b3d78506b8ed10aabb1e8e0e090ce
+  data.tar.gz: '09d6acb72b55c2892be6d7c614bbf9a55b4f60ca3eee1e6aa898e1213e0e807d'
 SHA512:
-  metadata.gz: 7a35baf8436bac8174101d920996e1680249e9dfb8040035ec5a3a770938d1257c12047cdcc3c3d408900e32f1bf5e366f8c4d4d524fe9b8a4c31823369b9269
-  data.tar.gz: bd6472ac5d5adb531146f7af7c374f0e7c996d01797a4d39e8b8da94a597bc4e66586f810382186a58cb95fd1412ba6d0a04007b1706162b22167b66407f1666
+  metadata.gz: c708dbbefc7a0d120cf9dbacb3d478e2a6155dbb72800563be83b2fced563118b79454a6d9f6eb372bad88f7c4835ebefa636058d055f161b395a6076d154781
+  data.tar.gz: 269ff0d42f16aff0db8882473364fee508504c5f8dd5e4e8d271810d7420e76bebf3c64a16b58a81ed2754e9b1c7fdb9f576c5bc3804c6d26d5b19386e3e9f8e

data/lib/cancan.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'cancan/version'
+require 'cancan/config'
 require 'cancan/parameter_validators'
 require 'cancan/ability'
 require 'cancan/rule'
@@ -16,6 +17,7 @@ require 'cancan/rules_compressor'
 if defined? ActiveRecord
   require 'cancan/model_adapters/conditions_extractor'
   require 'cancan/model_adapters/conditions_normalizer'
+  require 'cancan/model_adapters/sti_normalizer'
   require 'cancan/model_adapters/active_record_adapter'
   require 'cancan/model_adapters/active_record_4_adapter'
   require 'cancan/model_adapters/active_record_5_adapter'

data/lib/cancan/ability.rb

@@ -302,7 +302,11 @@ module CanCan
 
     def alternative_subjects(subject)
       subject = subject.class unless subject.is_a?(Module)
-      [:all, *subject.ancestors, subject.class.to_s]
+      if subject.respond_to?(:subclasses) && defined?(ActiveRecord::Base) && subject < ActiveRecord::Base
+        [:all, *(subject.ancestors + subject.subclasses), subject.class.to_s]
+      else
+        [:all, *subject.ancestors, subject.class.to_s]
+      end
     end
   end
 end

data/lib/cancan/class_matcher.rb

@@ -0,0 +1,26 @@
+# This class is responsible for matching classes and their subclasses as well as
+# upmatching classes to their ancestors.
+# This is used to generate sti connections
+class SubjectClassMatcher
+  def self.matches_subject_class?(subjects, subject)
+    subjects.any? do |sub|
+      has_subclasses = subject.respond_to?(:subclasses)
+      matching_class_check(subject, sub, has_subclasses)
+    end
+  end
+
+  def self.matching_class_check(subject, sub, has_subclasses)
+    matches = matches_class_or_is_related(subject, sub)
+    if has_subclasses
+      matches || subject.subclasses.include?(sub)
+    else
+      matches
+    end
+  end
+
+  def self.matches_class_or_is_related(subject, sub)
+    sub.is_a?(Module) && (subject.is_a?(sub) ||
+        subject.class.to_s == sub.to_s ||
+        (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+  end
+end

data/lib/cancan/conditions_matcher.rb

@@ -21,7 +21,7 @@ module CanCan
     def matches_block_conditions(subject, *extra_args)
       return @base_behavior if subject_class?(subject)
 
-      @block.call(subject, *extra_args)
+      @block.call(subject, *extra_args.compact)
     end
 
     def matches_non_block_conditions(subject)
@@ -78,7 +78,7 @@ module CanCan
 
     def hash_condition_match?(attribute, value)
       if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
-        attribute.any? { |element| matches_conditions_hash?(element, value) }
+        attribute.to_a.any? { |element| matches_conditions_hash?(element, value) }
       else
         attribute && matches_conditions_hash?(attribute, value)
       end
@@ -97,7 +97,10 @@ module CanCan
     end
 
     def conditions_empty?
-      @conditions == {} || @conditions.nil?
+      # @conditions might be an ActiveRecord::Associations::CollectionProxy
+      # which it's `==` implementation will fetch all records for comparison
+
+      (@conditions.is_a?(Hash) && @conditions == {}) || @conditions.nil?
     end
   end
 end

data/lib/cancan/config.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module CanCan
+  def self.valid_accessible_by_strategies
+    strategies = [:left_join]
+    strategies << :subquery unless does_not_support_subquery_strategy?
+    strategies
+  end
+
+  # Determines how CanCan should build queries when calling accessible_by,
+  # if the query will contain a join. The default strategy is `:subquery`.
+  #
+  #   # config/initializers/cancan.rb
+  #   CanCan.accessible_by_strategy = :subquery
+  #
+  # Valid strategies are:
+  # - :subquery - Creates a nested query with all joins, wrapped by a
+  #               WHERE IN query.
+  # - :left_join - Calls the joins directly using `left_joins`, and
+  #                ensures records are unique using `distinct`. Note that
+  #                `distinct` is not reliable in some cases. See
+  #                https://github.com/CanCanCommunity/cancancan/pull/605
+  def self.accessible_by_strategy
+    @accessible_by_strategy || default_accessible_by_strategy
+  end
+
+  def self.default_accessible_by_strategy
+    if does_not_support_subquery_strategy?
+      # see https://github.com/CanCanCommunity/cancancan/pull/655 for where this was added
+      # the `subquery` strategy (from https://github.com/CanCanCommunity/cancancan/pull/619
+      # only works in Rails 5 and higher
+      :left_join
+    else
+      :subquery
+    end
+  end
+
+  def self.accessible_by_strategy=(value)
+    unless valid_accessible_by_strategies.include?(value)
+      raise ArgumentError, "accessible_by_strategy must be one of #{valid_accessible_by_strategies.join(', ')}"
+    end
+
+    if value == :subquery && does_not_support_subquery_strategy?
+      raise ArgumentError, 'accessible_by_strategy = :subquery requires ActiveRecord 5 or newer'
+    end
+
+    @accessible_by_strategy = value
+  end
+
+  def self.does_not_support_subquery_strategy?
+    !defined?(CanCan::ModelAdapters::ActiveRecordAdapter) ||
+      CanCan::ModelAdapters::ActiveRecordAdapter.version_lower?('5.0.0')
+  end
+end

data/lib/cancan/exceptions.rb

@@ -58,5 +58,13 @@ module CanCan
     def to_s
       @message || @default_message
     end
+
+    def inspect
+      details = %i[action subject conditions message].map do |attribute|
+        value = instance_variable_get "@#{attribute}"
+        "#{attribute}: #{value.inspect}" if value.present?
+      end.compact.join(', ')
+      "#<#{self.class.name} #{details}>"
+    end
   end
 end

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -5,7 +5,7 @@ module CanCan
     class AbstractAdapter
       def self.inherited(subclass)
         @subclasses ||= []
-        @subclasses << subclass
+        @subclasses.insert(0, subclass)
       end
 
       def self.adapter_class(model_class)

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -34,10 +34,8 @@ module CanCan
       # look inside the where clause to decide to outer join tables
       # you're using in the where. Instead, `references()` is required
       # in addition to `includes()` to force the outer join.
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
-        relation
+      def build_joins_relation(relation, *_where_conditions)
+        relation.includes(joins).references(joins)
       end
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -21,13 +21,19 @@ module CanCan
 
       private
 
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.left_joins(joins).distinct if joins.present?
-        relation
+      def build_joins_relation(relation, *where_conditions)
+        case CanCan.accessible_by_strategy
+        when :subquery
+          inner = @model_class.unscoped do
+            @model_class.left_joins(joins).where(*where_conditions)
+          end
+          @model_class.where(@model_class.primary_key => inner)
+
+        when :left_join
+          relation.left_joins(joins).distinct
+        end
       end
 
-      # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
         if conditions.is_a?(Hash)
           sanitize_sql_activerecord5(conditions)
@@ -41,11 +47,7 @@ module CanCan
         table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
         predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
 
-        conditions = predicate_builder.resolve_column_aliases(conditions)
-
-        conditions.stringify_keys!
-
-        predicate_builder.build_from_hash(conditions).map { |b| visit_nodes(b) }.join(' AND ')
+        predicate_builder.build_from_hash(conditions.stringify_keys).map { |b| visit_nodes(b) }.join(' AND ')
       end
 
       def visit_nodes(node)

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative 'conditions_extractor.rb'
-require 'cancan/rules_compressor'
 module CanCan
   module ModelAdapters
     class ActiveRecordAdapter < AbstractAdapter
@@ -16,6 +14,7 @@ module CanCan
       def initialize(model_class, rules)
         super
         @compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        StiNormalizer.normalize(@compressed_rules)
         ConditionsNormalizer.normalize(model_class, @compressed_rules)
       end
 
@@ -60,6 +59,14 @@ module CanCan
         end
       end
 
+      def build_relation(*where_conditions)
+        relation = @model_class.where(*where_conditions)
+        return relation unless joins.present?
+
+        # subclasses must implement `build_joins_relation`
+        build_joins_relation(relation, *where_conditions)
+      end
+
       # Returns the associations used in conditions for the :joins option of a search.
       # See ModelAdditions#accessible_by
       def joins

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -31,7 +31,7 @@ module CanCan
             raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
           end
 
-          if reflection.options[:through].present?
+          if normalizable_association? reflection
             key = reflection.options[:through]
             value = { reflection.source_reflection_name => value }
             reflection = model_class.reflect_on_association(key)
@@ -39,6 +39,10 @@ module CanCan
 
           { key => normalize_conditions(reflection.klass.name.constantize, value) }
         end
+
+        def normalizable_association?(reflection)
+          reflection.options[:through].present? && !reflection.options[:source_type].present?
+        end
       end
     end
   end

data/lib/cancan/model_adapters/sti_normalizer.rb

@@ -0,0 +1,39 @@
+# this class is responsible for detecting sti classes and creating new rules for the
+# relevant subclasses, using the inheritance_column as a merger
+module CanCan
+  module ModelAdapters
+    class StiNormalizer
+      class << self
+        def normalize(rules)
+          rules_cache = []
+          return unless defined?(ActiveRecord::Base)
+
+          rules.delete_if do |rule|
+            subjects = rule.subjects.select do |subject|
+              update_rule(subject, rule, rules_cache)
+            end
+            subjects.length == rule.subjects.length
+          end
+          rules_cache.each { |rule| rules.push(rule) }
+        end
+
+        private
+
+        def update_rule(subject, rule, rules_cache)
+          return false unless subject.respond_to?(:descends_from_active_record?)
+          return false if subject == :all || subject.descends_from_active_record?
+          return false unless subject < ActiveRecord::Base
+
+          rules_cache.push(build_rule_for_subclass(rule, subject))
+          true
+        end
+
+        # create a new rule for the subclasses that links on the inheritance_column
+        def build_rule_for_subclass(rule, subject)
+          CanCan::Rule.new(rule.base_behavior, rule.actions, subject.superclass,
+                           rule.conditions.merge(subject.inheritance_column => subject.name), rule.block)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/relevant.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Relevant
+    # Matches both the action, subject, and attribute, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    private
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? do |sub|
+        sub.is_a?(Module) && (subject.is_a?(sub) ||
+            subject.class.to_s == sub.to_s ||
+            (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      end
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,14 +1,18 @@
 # frozen_string_literal: true
 
 require_relative 'conditions_matcher.rb'
+require_relative 'class_matcher.rb'
+require_relative 'relevant.rb'
+
 module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
     include ConditionsMatcher
+    include Relevant
     include ParameterValidators
-    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes, :block
     attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
@@ -24,9 +28,9 @@ module CanCan
       raise Error, "Subject is required for #{action}" if action && subject.nil?
 
       @base_behavior = base_behavior
-      @actions = Array(action)
-      @subjects = Array(subject)
-      @attributes = Array(attributes)
+      @actions = wrap(action)
+      @subjects = wrap(subject)
+      @attributes = wrap(attributes)
       @conditions = extra_args || {}
       @block = block
     end
@@ -34,11 +38,13 @@ module CanCan
     def inspect
       repr = "#<#{self.class.name}"
       repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
-      repr += if with_scope?
-                ", #{@conditions.where_values_hash}"
-              elsif [Hash, String].include?(@conditions.class)
-                ", #{@conditions.inspect}"
-              end
+
+      if with_scope?
+        repr += ", #{@conditions.where_values_hash}"
+      elsif [Hash, String].include?(@conditions.class)
+        repr += ", #{@conditions.inspect}"
+      end
+
       repr + '>'
     end
 
@@ -55,12 +61,6 @@ module CanCan
         (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
-    # Matches both the action, subject, and attribute, not necessarily the conditions
-    def relevant?(action, subject)
-      subject = subject.values.first if subject.class == Hash
-      @match_all || (matches_action?(action) && matches_subject?(subject))
-    end
-
     def only_block?
       conditions_empty? && @block
     end
@@ -111,11 +111,7 @@ module CanCan
     end
 
     def matches_subject_class?(subject)
-      @subjects.any? do |sub|
-        sub.is_a?(Module) && (subject.is_a?(sub) ||
-          subject.class.to_s == sub.to_s ||
-          (subject.is_a?(Module) && subject.ancestors.include?(sub)))
-      end
+      SubjectClassMatcher.matches_subject_class?(@subjects, subject)
     end
 
     def parse_attributes_from_extra_args(args)
@@ -130,5 +126,15 @@ module CanCan
       raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. '\
         "Check \":#{action} #{subject}\" ability."
     end
+
+    def wrap(object)
+      if object.nil?
+        []
+      elsif object.respond_to?(:to_ary)
+        object.to_ary || [object]
+      else
+        [object]
+      end
+    end
   end
 end

data/lib/cancan/unauthorized_message_resolver.rb

@@ -3,10 +3,12 @@
 module CanCan
   module UnauthorizedMessageResolver
     def unauthorized_message(action, subject)
+      subject = subject.values.last if subject.is_a?(Hash)
       keys = unauthorized_message_keys(action, subject)
-      variables = { action: action.to_s }
+      variables = {}
+      variables[:action] = I18n.translate("actions.#{action}", default: action.to_s)
       variables[:subject] = translate_subject(subject)
-      message = I18n.translate(keys.shift, variables.merge(scope: :unauthorized, default: keys + ['']))
+      message = I18n.translate(keys.shift, **variables.merge(scope: :unauthorized, default: keys + ['']))
       message.blank? ? nil : message
     end
 

data/lib/cancan/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CanCan
-  VERSION = '3.0.0'.freeze
+  VERSION = '3.2.1'.freeze
 end

metadata

@@ -1,38 +1,38 @@
 --- !ruby/object:Gem::Specification
 name: cancancan
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.2.1
 platform: ruby
 authors:
 - Alessandro Rodi (Renuo AG)
 - Bryan Rite
 - Ryan Bates
 - Richard Wilson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-04-03 00:00:00.000000000 Z
+date: 2020-12-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -71,22 +71,22 @@ dependencies:
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -115,7 +115,9 @@ files:
 - lib/cancan/ability/actions.rb
 - lib/cancan/ability/rules.rb
 - lib/cancan/ability/strong_parameter_support.rb
+- lib/cancan/class_matcher.rb
 - lib/cancan/conditions_matcher.rb
+- lib/cancan/config.rb
 - lib/cancan/controller_additions.rb
 - lib/cancan/controller_resource.rb
 - lib/cancan/controller_resource_builder.rb
@@ -132,8 +134,10 @@ files:
 - lib/cancan/model_adapters/conditions_extractor.rb
 - lib/cancan/model_adapters/conditions_normalizer.rb
 - lib/cancan/model_adapters/default_adapter.rb
+- lib/cancan/model_adapters/sti_normalizer.rb
 - lib/cancan/model_additions.rb
 - lib/cancan/parameter_validators.rb
+- lib/cancan/relevant.rb
 - lib/cancan/rule.rb
 - lib/cancan/rules_compressor.rb
 - lib/cancan/unauthorized_message_resolver.rb
@@ -146,7 +150,7 @@ homepage: https://github.com/CanCanCommunity/cancancan
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -161,9 +165,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.0.6
+signing_key:
 specification_version: 4
 summary: Simple authorization solution for Rails.
 test_files: []