cancancan 3.0.1 → 3.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec5d008dea72d99ee804c69a710c9b474e39c8085cf23317cfa031f0ef3acd95
-  data.tar.gz: dfc2e52da361d4405ced63b2a229dbb34e80885abebad71bb531df4999d25fa1
+  metadata.gz: bebbba60e68460ec234fc11e8d3cf0414e578a56c0347862c673396eb917dff9
+  data.tar.gz: bb07244a17dcf45d1852cf6677864084c2f0db5630ea9b72bdcc0c6055b5c4b6
 SHA512:
-  metadata.gz: 43d51d793d5dad4d3e0b21f106c09ff3abcbb8862bbb6377b479b9748191af470bdd45d6005126a5622626c4d3a16e7f3242889a5ddf2a6da1b74c3f8f553edf
-  data.tar.gz: ad7df527d7267c980a229a81fde2d6e5d03129260786f808ffc8c0d4016db7d29d9fd275e18a608c7cf1d474108638d4e3bdf4ac2ab56c18bc946270f39f830e
+  metadata.gz: be9f2b03ae43651ea70a451b97a44fd6ec6e0a09ca444ddf625b91ae3815a245e0669bb80b4d3b0687ca327bc0c4fe81028f7736cb6493ef636b43a4140f4f49
+  data.tar.gz: db75441929e737d12699f57324d031e894b5d2cdbe1555451857977c42b0ef28148cc63bb718981c32ac08bafd2873623d2151ba8e98c442f217b3f4affecda9

data/cancancan.gemspec

@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
   s.authors     = ['Alessandro Rodi (Renuo AG)', 'Bryan Rite', 'Ryan Bates', 'Richard Wilson']
   s.email       = 'alessandro.rodi@renuo.ch'
   s.homepage    = 'https://github.com/CanCanCommunity/cancancan'
+  s.metadata = { 'funding_uri' => 'https://github.com/sponsors/coorasse' }
   s.summary     = 'Simple authorization solution for Rails.'
   s.description = 'Simple authorization solution for Rails. All permissions are stored in a single location.'
   s.platform    = Gem::Platform::RUBY
@@ -24,5 +25,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'bundler', '~> 2.0'
   s.add_development_dependency 'rake', '~> 10.1', '>= 10.1.1'
   s.add_development_dependency 'rspec', '~> 3.2', '>= 3.2.0'
-  s.add_development_dependency 'rubocop', '~> 0.63.1'
+  s.add_development_dependency 'rubocop', '~> 1.31.1'
 end

data/lib/cancan/ability/rules.rb

@@ -19,12 +19,13 @@ module CanCan
       end
 
       def add_rule_to_index(rule, position)
-        @rules_index ||= Hash.new { |h, k| h[k] = [] }
+        @rules_index ||= {}
 
         subjects = rule.subjects.compact
         subjects << :all if subjects.empty?
 
         subjects.each do |subject|
+          @rules_index[subject] ||= []
           @rules_index[subject] << position
         end
       end
@@ -48,7 +49,9 @@ module CanCan
           rules
         else
           positions = @rules_index.values_at(subject, *alternative_subjects(subject))
-          positions.flatten!.sort!
+          positions.compact!
+          positions.flatten!
+          positions.sort!
           positions.map { |i| @rules[i] }
         end
       end
@@ -58,8 +61,8 @@ module CanCan
           next unless rule.only_raw_sql?
 
           raise Error,
-                "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
-                " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+                "The can? and cannot? call cannot be used with a raw sql 'can' definition. " \
+                "The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
         end
       end
 
@@ -69,7 +72,7 @@ module CanCan
           rule.base_behavior == false && rule.attributes.present?
         end
         if rules.any?(&:only_block?)
-          raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
+          raise Error, "The accessible_by call cannot be used with a block 'can' definition." \
             "The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
         end
         rules

data/lib/cancan/ability.rb

@@ -302,7 +302,11 @@ module CanCan
 
     def alternative_subjects(subject)
       subject = subject.class unless subject.is_a?(Module)
-      [:all, *subject.ancestors, subject.class.to_s]
+      if subject.respond_to?(:subclasses) && defined?(ActiveRecord::Base) && subject < ActiveRecord::Base
+        [:all, *(subject.ancestors + subject.subclasses), subject.class.to_s]
+      else
+        [:all, *subject.ancestors, subject.class.to_s]
+      end
     end
   end
 end

data/lib/cancan/class_matcher.rb

@@ -0,0 +1,30 @@
+require_relative 'sti_detector'
+
+# This class is responsible for matching classes and their subclasses as well as
+# upmatching classes to their ancestors.
+# This is used to generate sti connections
+class SubjectClassMatcher
+  def self.matches_subject_class?(subjects, subject)
+    subjects.any? do |sub|
+      has_subclasses = subject.respond_to?(:subclasses)
+      matching_class_check(subject, sub, has_subclasses)
+    end
+  end
+
+  def self.matching_class_check(subject, sub, has_subclasses)
+    matches = matches_class_or_is_related(subject, sub)
+    if has_subclasses
+      return matches unless StiDetector.sti_class?(sub)
+
+      matches || subject.subclasses.include?(sub)
+    else
+      matches
+    end
+  end
+
+  def self.matches_class_or_is_related(subject, sub)
+    sub.is_a?(Module) && (subject.is_a?(sub) ||
+        subject.class.to_s == sub.to_s ||
+        (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+  end
+end

data/lib/cancan/conditions_matcher.rb

@@ -18,10 +18,14 @@ module CanCan
       [Class, Module].include? klass
     end
 
-    def matches_block_conditions(subject, *extra_args)
+    def matches_block_conditions(subject, attribute, *extra_args)
       return @base_behavior if subject_class?(subject)
 
-      @block.call(subject, *extra_args.compact)
+      if attribute
+        @block.call(subject, attribute, *extra_args)
+      else
+        @block.call(subject, *extra_args)
+      end
     end
 
     def matches_non_block_conditions(subject)
@@ -33,16 +37,26 @@ module CanCan
     end
 
     def nested_subject_matches_conditions?(subject_hash)
-      parent, _child = subject_hash.first
-      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
+      parent, child = subject_hash.first
+
+      adapter = model_adapter(parent)
+
+      parent_condition_name = adapter.parent_condition_name(parent, child)
+
+      matches_base_parent_conditions = matches_conditions_hash?(parent,
+                                                                @conditions[parent_condition_name] || {})
+
+      matches_base_parent_conditions &&
+        (!adapter.override_nested_subject_conditions_matching?(parent, child, @conditions) ||
+          adapter.nested_subject_matches_conditions?(parent, child, @conditions))
     end
 
     # Checks if the given subject matches the given conditions hash.
-    # This behavior can be overriden by a model adapter by defining two class methods:
+    # This behavior can be overridden by a model adapter by defining two class methods:
     # override_matching_for_conditions?(subject, conditions) and
     # matches_conditions_hash?(subject, conditions)
     def matches_conditions_hash?(subject, conditions = @conditions)
-      return true if conditions.empty?
+      return true if conditions.is_a?(Hash) && conditions.empty?
 
       adapter = model_adapter(subject)
 
@@ -50,10 +64,20 @@ module CanCan
         return adapter.matches_conditions_hash?(subject, conditions)
       end
 
-      matches_all_conditions?(adapter, conditions, subject)
+      matches_all_conditions?(adapter, subject, conditions)
     end
 
-    def matches_all_conditions?(adapter, conditions, subject)
+    def matches_all_conditions?(adapter, subject, conditions)
+      if conditions.is_a?(Hash)
+        matches_hash_conditions?(adapter, subject, conditions)
+      elsif conditions.respond_to?(:include?)
+        conditions.include?(subject)
+      else
+        subject == conditions
+      end
+    end
+
+    def matches_hash_conditions?(adapter, subject, conditions)
       conditions.all? do |name, value|
         if adapter.override_condition_matching?(subject, name, value)
           adapter.matches_condition?(subject, name, value)
@@ -78,12 +102,29 @@ module CanCan
 
     def hash_condition_match?(attribute, value)
       if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
-        attribute.any? { |element| matches_conditions_hash?(element, value) }
+        array_like_matches_condition_hash?(attribute, value)
       else
         attribute && matches_conditions_hash?(attribute, value)
       end
     end
 
+    def array_like_matches_condition_hash?(attribute, value)
+      if attribute.any?
+        attribute.any? { |element| matches_conditions_hash?(element, value) }
+      else
+        # you can use `nil`s in your ability definition to tell cancancan to find
+        # objects that *don't* have any children in a has_many relationship.
+        #
+        # for example, given ability:
+        # => can :read, Article, comments: { id: nil }
+        # cancancan will return articles where `article.comments == []`
+        #
+        # this is implemented here. `attribute` is `article.comments`, and it's an empty array.
+        # the expression below returns true if this was expected.
+        !value.values.empty? && value.values.all?(&:nil?)
+      end
+    end
+
     def call_block_with_all(action, subject, *extra_args)
       if subject.class == Class
         @block.call(action, subject, nil, *extra_args)
@@ -97,7 +138,10 @@ module CanCan
     end
 
     def conditions_empty?
-      @conditions == {} || @conditions.nil?
+      # @conditions might be an ActiveRecord::Associations::CollectionProxy
+      # which it's `==` implementation will fetch all records for comparison
+
+      (@conditions.is_a?(Hash) && @conditions == {}) || @conditions.nil?
     end
   end
 end

data/lib/cancan/config.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module CanCan
+  def self.valid_accessible_by_strategies
+    strategies = [:left_join]
+
+    unless does_not_support_subquery_strategy?
+      strategies.push(:joined_alias_exists_subquery, :joined_alias_each_rule_as_exists_subquery, :subquery)
+    end
+
+    strategies
+  end
+
+  # You can disable the rules compressor if it's causing unexpected issues.
+  def self.rules_compressor_enabled
+    return @rules_compressor_enabled if defined?(@rules_compressor_enabled)
+
+    @rules_compressor_enabled = true
+  end
+
+  def self.rules_compressor_enabled=(value)
+    @rules_compressor_enabled = value
+  end
+
+  def self.with_rules_compressor_enabled(value)
+    return yield if value == rules_compressor_enabled
+
+    begin
+      rules_compressor_enabled_was = rules_compressor_enabled
+      @rules_compressor_enabled = value
+      yield
+    ensure
+      @rules_compressor_enabled = rules_compressor_enabled_was
+    end
+  end
+
+  # Determines how CanCan should build queries when calling accessible_by,
+  # if the query will contain a join. The default strategy is `:subquery`.
+  #
+  #   # config/initializers/cancan.rb
+  #   CanCan.accessible_by_strategy = :subquery
+  #
+  # Valid strategies are:
+  # - :subquery - Creates a nested query with all joins, wrapped by a
+  #               WHERE IN query.
+  # - :left_join - Calls the joins directly using `left_joins`, and
+  #                ensures records are unique using `distinct`. Note that
+  #                `distinct` is not reliable in some cases. See
+  #                https://github.com/CanCanCommunity/cancancan/pull/605
+  def self.accessible_by_strategy
+    return @accessible_by_strategy if @accessible_by_strategy
+
+    @accessible_by_strategy = default_accessible_by_strategy
+  end
+
+  def self.default_accessible_by_strategy
+    if does_not_support_subquery_strategy?
+      # see https://github.com/CanCanCommunity/cancancan/pull/655 for where this was added
+      # the `subquery` strategy (from https://github.com/CanCanCommunity/cancancan/pull/619
+      # only works in Rails 5 and higher
+      :left_join
+    else
+      :subquery
+    end
+  end
+
+  def self.accessible_by_strategy=(value)
+    validate_accessible_by_strategy!(value)
+
+    if value == :subquery && does_not_support_subquery_strategy?
+      raise ArgumentError, 'accessible_by_strategy = :subquery requires ActiveRecord 5 or newer'
+    end
+
+    @accessible_by_strategy = value
+  end
+
+  def self.with_accessible_by_strategy(value)
+    return yield if value == accessible_by_strategy
+
+    validate_accessible_by_strategy!(value)
+
+    begin
+      strategy_was = accessible_by_strategy
+      @accessible_by_strategy = value
+      yield
+    ensure
+      @accessible_by_strategy = strategy_was
+    end
+  end
+
+  def self.validate_accessible_by_strategy!(value)
+    return if valid_accessible_by_strategies.include?(value)
+
+    raise ArgumentError, "accessible_by_strategy must be one of #{valid_accessible_by_strategies.join(', ')}"
+  end
+
+  def self.does_not_support_subquery_strategy?
+    !defined?(CanCan::ModelAdapters::ActiveRecordAdapter) ||
+      CanCan::ModelAdapters::ActiveRecordAdapter.version_lower?('5.0.0')
+  end
+end

data/lib/cancan/controller_additions.rb

@@ -264,7 +264,7 @@ module CanCan
           next if options[:unless] && controller.send(options[:unless])
 
           raise AuthorizationNotPerformed,
-                'This action failed the check_authorization because it does not authorize_resource. '\
+                'This action failed the check_authorization because it does not authorize_resource. ' \
                 'Add skip_authorization_check to bypass this check.'
         end
 

data/lib/cancan/controller_resource.rb

@@ -54,7 +54,7 @@ module CanCan
 
     protected
 
-    # Returns the class used for this resource. This can be overriden by the :class option.
+    # Returns the class used for this resource. This can be overridden by the :class option.
     # If +false+ is passed in it will use the resource name as a symbol in which case it should
     # only be used for authorization, not loading since there's no class to load through.
     def resource_class

data/lib/cancan/exceptions.rb

@@ -58,5 +58,13 @@ module CanCan
     def to_s
       @message || @default_message
     end
+
+    def inspect
+      details = %i[action subject conditions message].map do |attribute|
+        value = instance_variable_get "@#{attribute}"
+        "#{attribute}: #{value.inspect}" if value.present?
+      end.compact.join(', ')
+      "#<#{self.class.name} #{details}>"
+    end
   end
 end

data/lib/cancan/matchers.rb

@@ -13,9 +13,11 @@ Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
   match do |ability|
     actions = args.first
     if actions.is_a? Array
-      break false if actions.empty?
-
-      actions.all? { |action| ability.can?(action, *args[1..-1]) }
+      if actions.empty?
+        false
+      else
+        actions.all? { |action| ability.can?(action, *args[1..-1]) }
+      end
     else
       ability.can?(*args)
     end

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -3,9 +3,11 @@
 module CanCan
   module ModelAdapters
     class AbstractAdapter
+      attr_reader :model_class
+
       def self.inherited(subclass)
         @subclasses ||= []
-        @subclasses << subclass
+        @subclasses.insert(0, subclass)
       end
 
       def self.adapter_class(model_class)
@@ -33,6 +35,23 @@ module CanCan
         raise NotImplemented, 'This model adapter does not support matching on a conditions hash.'
       end
 
+      # Override if parent condition could be under a different key in conditions
+      def self.parent_condition_name(parent, _child)
+        parent.class.name.downcase.to_sym
+      end
+
+      # Used above override_conditions_hash_matching to determine if this model adapter will override the
+      # matching behavior for nested subject.
+      # If this returns true then nested_subject_matches_conditions? will be called.
+      def self.override_nested_subject_conditions_matching?(_parent, _child, _all_conditions)
+        false
+      end
+
+      # Override if override_nested_subject_conditions_matching? returns true
+      def self.nested_subject_matches_conditions?(_parent, _child, _all_conditions)
+        raise NotImplemented, 'This model adapter does not support matching on a nested subject.'
+      end
+
       # Used to determine if this model adapter will override the matching behavior for a specific condition.
       # If this returns true then matches_condition? will be called. See Rule#matches_conditions_hash
       def self.override_condition_matching?(_subject, _name, _value)

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -34,10 +34,8 @@ module CanCan
       # look inside the where clause to decide to outer join tables
       # you're using in the where. Instead, `references()` is required
       # in addition to `includes()` to force the outer join.
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
-        relation
+      def build_joins_relation(relation, *_where_conditions)
+        relation.includes(joins).references(joins)
       end
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -21,13 +21,15 @@ module CanCan
 
       private
 
-      def build_relation(*where_conditions)
-        relation = @model_class.where(*where_conditions)
-        relation = relation.left_joins(joins).distinct if joins.present?
-        relation
+      def build_joins_relation(relation, *where_conditions)
+        strategy_class.new(adapter: self, relation: relation, where_conditions: where_conditions).execute!
+      end
+
+      def strategy_class
+        strategy_class_name = CanCan.accessible_by_strategy.to_s.camelize
+        CanCan::ModelAdapters::Strategies.const_get(strategy_class_name)
       end
 
-      # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
         if conditions.is_a?(Hash)
           sanitize_sql_activerecord5(conditions)
@@ -41,11 +43,7 @@ module CanCan
         table_metadata = ActiveRecord::TableMetadata.new(@model_class, table)
         predicate_builder = ActiveRecord::PredicateBuilder.new(table_metadata)
 
-        conditions = predicate_builder.resolve_column_aliases(conditions)
-
-        conditions.stringify_keys!
-
-        predicate_builder.build_from_hash(conditions).map { |b| visit_nodes(b) }.join(' AND ')
+        predicate_builder.build_from_hash(conditions.stringify_keys).map { |b| visit_nodes(b) }.join(' AND ')
       end
 
       def visit_nodes(node)

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative 'conditions_extractor.rb'
-require 'cancan/rules_compressor'
 module CanCan
   module ModelAdapters
     class ActiveRecordAdapter < AbstractAdapter
@@ -13,12 +11,86 @@ module CanCan
         Gem::Version.new(ActiveRecord.version).release < Gem::Version.new(version)
       end
 
+      attr_reader :compressed_rules
+
       def initialize(model_class, rules)
         super
-        @compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        @compressed_rules = if CanCan.rules_compressor_enabled
+                              RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+                            else
+                              @rules
+                            end
+        StiNormalizer.normalize(@compressed_rules)
         ConditionsNormalizer.normalize(model_class, @compressed_rules)
       end
 
+      class << self
+        # When belongs_to parent_id is a condition for a model,
+        # we want to check the parent when testing ability for a hash {parent => model}
+        def override_nested_subject_conditions_matching?(parent, child, all_conditions)
+          parent_child_conditions(parent, child, all_conditions).present?
+        end
+
+        # parent_id condition can be an array of integer or one integer, we check the parent against this
+        def nested_subject_matches_conditions?(parent, child, all_conditions)
+          id_condition = parent_child_conditions(parent, child, all_conditions)
+          return id_condition.include?(parent.id) if id_condition.is_a? Array
+          return id_condition == parent.id if id_condition.is_a? Integer
+
+          false
+        end
+
+        def parent_child_conditions(parent, child, all_conditions)
+          child_class = child.is_a?(Class) ? child : child.class
+          parent_class = parent.is_a?(Class) ? parent : parent.class
+
+          foreign_key = child_class.reflect_on_all_associations(:belongs_to).find do |association|
+            # Do not match on polymorphic associations or it will throw an error (klass cannot be determined)
+            !association.polymorphic? && association.klass == parent.class
+          end&.foreign_key&.to_sym
+
+          # Search again in case of polymorphic associations, this time matching on the :has_many side
+          # via the :as option, as well as klass
+          foreign_key ||= parent_class.reflect_on_all_associations(:has_many).find do |has_many_assoc|
+            !matching_parent_child_polymorphic_association(has_many_assoc, child_class).nil?
+          end&.foreign_key&.to_sym
+
+          foreign_key.nil? ? nil : all_conditions[foreign_key]
+        end
+
+        def matching_parent_child_polymorphic_association(parent_assoc, child_class)
+          return nil unless parent_assoc.klass == child_class
+          return nil if parent_assoc&.options[:as].nil?
+  
+          child_class.reflect_on_all_associations(:belongs_to).find do |child_assoc|
+            # Only match this way for polymorphic associations
+            child_assoc.polymorphic? && child_assoc.name == parent_assoc.options[:as]
+          end
+        end
+
+        def child_association_to_parent(parent, child)
+          child_class = child.is_a?(Class) ? child : child.class
+          parent_class = parent.is_a?(Class) ? parent : parent.class
+
+          association = child_class.reflect_on_all_associations(:belongs_to).find do |association|
+            # Do not match on polymorphic associations or it will throw an error (klass cannot be determined)
+            !association.polymorphic? && association.klass == parent.class
+          end
+
+          return association unless association.nil?
+
+          parent_class.reflect_on_all_associations(:has_many).each do |has_many_assoc|
+            association ||= matching_parent_child_polymorphic_association(has_many_assoc, child_class)
+          end
+
+          association
+        end
+
+        def parent_condition_name(parent, child)
+          child_association_to_parent(parent, child)&.name || parent.class.name.downcase.to_sym
+        end
+      end
+
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
       #
@@ -60,6 +132,14 @@ module CanCan
         end
       end
 
+      def build_relation(*where_conditions)
+        relation = @model_class.where(*where_conditions)
+        return relation unless joins.present?
+
+        # subclasses must implement `build_joins_relation`
+        build_joins_relation(relation, *where_conditions)
+      end
+
       # Returns the associations used in conditions for the :joins option of a search.
       # See ModelAdditions#accessible_by
       def joins
@@ -99,7 +179,7 @@ module CanCan
       def raise_override_scope_error
         rule_found = @compressed_rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
         raise Error,
-              'Unable to merge an Active Record scope with other conditions. '\
+              'Unable to merge an Active Record scope with other conditions. ' \
               "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."
       end
 

data/lib/cancan/model_adapters/conditions_extractor.rb

@@ -3,7 +3,7 @@
 # this class is responsible of converting the hash of conditions
 # in "where conditions" to generate the sql query
 # it consists of a names_cache that helps calculating the next name given to the association
-# it tries to reflect the bahavior of ActiveRecord when generating aliases for tables.
+# it tries to reflect the behavior of ActiveRecord when generating aliases for tables.
 module CanCan
   module ModelAdapters
     class ConditionsExtractor
@@ -50,18 +50,18 @@ module CanCan
       def generate_table_alias(model_class, relation_name, path_to_key)
         table_alias = model_class.reflect_on_association(relation_name).table_name.to_sym
 
-        if alredy_used?(table_alias, relation_name, path_to_key)
+        if already_used?(table_alias, relation_name, path_to_key)
           table_alias = "#{relation_name.to_s.pluralize}_#{model_class.table_name}".to_sym
 
           index = 1
-          while alredy_used?(table_alias, relation_name, path_to_key)
+          while already_used?(table_alias, relation_name, path_to_key)
             table_alias = "#{table_alias}_#{index += 1}".to_sym
           end
         end
         add_to_cache(table_alias, relation_name, path_to_key)
       end
 
-      def alredy_used?(table_alias, relation_name, path_to_key)
+      def already_used?(table_alias, relation_name, path_to_key)
         @names_cache[table_alias].try(:exclude?, "#{path_to_key}_#{relation_name}")
       end
 

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -1,6 +1,6 @@
 # this class is responsible of normalizing the hash of conditions
 # by exploding has_many through associations
-# when a condition is defined with an has_many thorugh association this is exploded in all its parts
+# when a condition is defined with an has_many through association this is exploded in all its parts
 # TODO: it could identify STI and normalize it
 module CanCan
   module ModelAdapters
@@ -31,7 +31,7 @@ module CanCan
             raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
           end
 
-          if reflection.options[:through].present?
+          if normalizable_association? reflection
             key = reflection.options[:through]
             value = { reflection.source_reflection_name => value }
             reflection = model_class.reflect_on_association(key)
@@ -39,6 +39,10 @@ module CanCan
 
           { key => normalize_conditions(reflection.klass.name.constantize, value) }
         end
+
+        def normalizable_association?(reflection)
+          reflection.options[:through].present? && !reflection.options[:source_type].present?
+        end
       end
     end
   end

data/lib/cancan/model_adapters/sti_normalizer.rb

@@ -0,0 +1,47 @@
+require_relative '../sti_detector'
+
+# this class is responsible for detecting sti classes and creating new rules for the
+# relevant subclasses, using the inheritance_column as a merger
+module CanCan
+  module ModelAdapters
+    class StiNormalizer
+      class << self
+        def normalize(rules)
+          rules_cache = []
+          return unless defined?(ActiveRecord::Base)
+
+          rules.delete_if do |rule|
+            subjects = rule.subjects.select do |subject|
+              update_rule(subject, rule, rules_cache)
+            end
+            subjects.length == rule.subjects.length
+          end
+          rules_cache.each { |rule| rules.push(rule) }
+        end
+
+        private
+
+        def update_rule(subject, rule, rules_cache)
+          return false unless StiDetector.sti_class?(subject)
+
+          rules_cache.push(build_rule_for_subclass(rule, subject))
+          true
+        end
+
+        # create a new rule for the subclasses that links on the inheritance_column
+        def build_rule_for_subclass(rule, subject)
+          sti_conditions = { subject.inheritance_column => subject.sti_name }
+          new_rule_conditions =
+            if rule.with_scope?
+              rule.conditions.where(sti_conditions)
+            else
+              rule.conditions.merge(sti_conditions)
+            end
+
+          CanCan::Rule.new(rule.base_behavior, rule.actions, subject.superclass,
+                           new_rule_conditions, rule.block)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/base.rb

@@ -0,0 +1,40 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class Base
+        attr_reader :adapter, :relation, :where_conditions
+
+        delegate(
+          :compressed_rules,
+          :extract_multiple_conditions,
+          :joins,
+          :model_class,
+          :quoted_primary_key,
+          :quoted_aliased_table_name,
+          :quoted_table_name,
+          to: :adapter
+        )
+        delegate :connection, :quoted_primary_key, to: :model_class
+        delegate :quote_table_name, to: :connection
+
+        def initialize(adapter:, relation:, where_conditions:)
+          @adapter = adapter
+          @relation = relation
+          @where_conditions = where_conditions
+        end
+
+        def aliased_table_name
+          @aliased_table_name ||= "#{model_class.table_name}_alias"
+        end
+
+        def quoted_aliased_table_name
+          @quoted_aliased_table_name ||= quote_table_name(aliased_table_name)
+        end
+
+        def quoted_table_name
+          @quoted_table_name ||= quote_table_name(model_class.table_name)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: false
+
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class JoinedAliasEachRuleAsExistsSubquery < Base
+        def execute!
+          model_class
+            .joins(
+              "JOIN #{quoted_table_name} AS #{quoted_aliased_table_name} ON " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key} = #{quoted_table_name}.#{quoted_primary_key}"
+            )
+            .where(double_exists_sql)
+        end
+
+        def double_exists_sql
+          double_exists_sql = ''
+
+          compressed_rules.each_with_index do |rule, index|
+            double_exists_sql << ' OR ' if index.positive?
+            double_exists_sql << "EXISTS (#{sub_query_for_rule(rule).to_sql})"
+          end
+
+          double_exists_sql
+        end
+
+        def sub_query_for_rule(rule)
+          conditions_extractor = ConditionsExtractor.new(model_class)
+          rule_where_conditions = extract_multiple_conditions(conditions_extractor, [rule])
+          joins_hash, left_joins_hash = extract_joins_from_rule(rule)
+          sub_query_for_rules_and_join_hashes(rule_where_conditions, joins_hash, left_joins_hash)
+        end
+
+        def sub_query_for_rules_and_join_hashes(rule_where_conditions, joins_hash, left_joins_hash)
+          model_class
+            .select('1')
+            .joins(joins_hash)
+            .left_joins(left_joins_hash)
+            .where(
+              "#{quoted_table_name}.#{quoted_primary_key} = " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key}"
+            )
+            .where(rule_where_conditions)
+            .limit(1)
+        end
+
+        def extract_joins_from_rule(rule)
+          joins = {}
+          left_joins = {}
+
+          extra_joins_recursive([], rule.conditions, joins, left_joins)
+          [joins, left_joins]
+        end
+
+        def extra_joins_recursive(current_path, conditions, joins, left_joins)
+          conditions.each do |key, value|
+            if value.is_a?(Hash)
+              current_path << key
+              extra_joins_recursive(current_path, value, joins, left_joins)
+              current_path.pop
+            else
+              extra_joins_recursive_merge_joins(current_path, value, joins, left_joins)
+            end
+          end
+        end
+
+        def extra_joins_recursive_merge_joins(current_path, value, joins, left_joins)
+          hash_joins = current_path_to_hash(current_path)
+
+          if value.nil?
+            left_joins.deep_merge!(hash_joins)
+          else
+            joins.deep_merge!(hash_joins)
+          end
+        end
+
+        # Converts an array like [:child, :grand_child] into a hash like {child: {grand_child: {}}
+        def current_path_to_hash(current_path)
+          hash_joins = {}
+          current_hash_joins = hash_joins
+
+          current_path.each do |path_part|
+            new_hash = {}
+            current_hash_joins[path_part] = new_hash
+            current_hash_joins = new_hash
+          end
+
+          hash_joins
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/joined_alias_exists_subquery.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class JoinedAliasExistsSubquery < Base
+        def execute!
+          model_class
+            .joins(
+              "JOIN #{quoted_table_name} AS #{quoted_aliased_table_name} ON " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key} = #{quoted_table_name}.#{quoted_primary_key}"
+            )
+            .where("EXISTS (#{joined_alias_exists_subquery_inner_query.to_sql})")
+        end
+
+        def joined_alias_exists_subquery_inner_query
+          model_class
+            .unscoped
+            .select('1')
+            .left_joins(joins)
+            .where(*where_conditions)
+            .where(
+              "#{quoted_table_name}.#{quoted_primary_key} = " \
+              "#{quoted_aliased_table_name}.#{quoted_primary_key}"
+            )
+            .limit(1)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/left_join.rb

@@ -0,0 +1,11 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class LeftJoin < Base
+        def execute!
+          relation.left_joins(joins).distinct
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/strategies/subquery.rb

@@ -0,0 +1,18 @@
+module CanCan
+  module ModelAdapters
+    class Strategies
+      class Subquery < Base
+        def execute!
+          build_joins_relation_subquery(where_conditions)
+        end
+
+        def build_joins_relation_subquery(where_conditions)
+          inner = model_class.unscoped do
+            model_class.left_joins(joins).where(*where_conditions)
+          end
+          model_class.where(model_class.primary_key => inner)
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_additions.rb

@@ -20,8 +20,10 @@ module CanCan
       #   @articles = Article.accessible_by(current_ability, :update)
       #
       # Here only the articles which the user can update are returned.
-      def accessible_by(ability, action = :index)
-        ability.model_adapter(self, action).database_records
+      def accessible_by(ability, action = :index, strategy: CanCan.accessible_by_strategy)
+        CanCan.with_accessible_by_strategy(strategy) do
+          ability.model_adapter(self, action).database_records
+        end
       end
     end
 

data/lib/cancan/relevant.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Relevant
+    # Matches both the action, subject, and attribute, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    private
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? do |sub|
+        sub.is_a?(Module) && (subject.is_a?(sub) ||
+            subject.class.to_s == sub.to_s ||
+            (subject.is_a?(Module) && subject.ancestors.include?(sub)))
+      end
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,14 +1,18 @@
 # frozen_string_literal: true
 
 require_relative 'conditions_matcher.rb'
+require_relative 'class_matcher.rb'
+require_relative 'relevant.rb'
+
 module CanCan
   # This class is used internally and should only be called through Ability.
   # it holds the information about a "can" call made on Ability and provides
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
     include ConditionsMatcher
+    include Relevant
     include ParameterValidators
-    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes, :block
     attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
@@ -24,9 +28,9 @@ module CanCan
       raise Error, "Subject is required for #{action}" if action && subject.nil?
 
       @base_behavior = base_behavior
-      @actions = Array(action)
-      @subjects = Array(subject)
-      @attributes = Array(attributes)
+      @actions = wrap(action)
+      @subjects = wrap(subject)
+      @attributes = wrap(attributes)
       @conditions = extra_args || {}
       @block = block
     end
@@ -34,11 +38,13 @@ module CanCan
     def inspect
       repr = "#<#{self.class.name}"
       repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
-      repr += if with_scope?
-                ", #{@conditions.where_values_hash}"
-              elsif [Hash, String].include?(@conditions.class)
-                ", #{@conditions.inspect}"
-              end
+
+      if with_scope?
+        repr += ", #{@conditions.where_values_hash}"
+      elsif [Hash, String].include?(@conditions.class)
+        repr += ", #{@conditions.inspect}"
+      end
+
       repr + '>'
     end
 
@@ -55,12 +61,6 @@ module CanCan
         (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
-    # Matches both the action, subject, and attribute, not necessarily the conditions
-    def relevant?(action, subject)
-      subject = subject.values.first if subject.class == Hash
-      @match_all || (matches_action?(action) && matches_subject?(subject))
-    end
-
     def only_block?
       conditions_empty? && @block
     end
@@ -70,7 +70,7 @@ module CanCan
     end
 
     def with_scope?
-      @conditions.is_a?(ActiveRecord::Relation)
+      defined?(ActiveRecord) && @conditions.is_a?(ActiveRecord::Relation)
     end
 
     def associations_hash(conditions = @conditions)
@@ -111,11 +111,7 @@ module CanCan
     end
 
     def matches_subject_class?(subject)
-      @subjects.any? do |sub|
-        sub.is_a?(Module) && (subject.is_a?(sub) ||
-          subject.class.to_s == sub.to_s ||
-          (subject.is_a?(Module) && subject.ancestors.include?(sub)))
-      end
+      SubjectClassMatcher.matches_subject_class?(@subjects, subject)
     end
 
     def parse_attributes_from_extra_args(args)
@@ -127,8 +123,18 @@ module CanCan
     def condition_and_block_check(conditions, block, action, subject)
       return unless conditions.is_a?(Hash) && block
 
-      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. '\
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. ' \
         "Check \":#{action} #{subject}\" ability."
     end
+
+    def wrap(object)
+      if object.nil?
+        []
+      elsif object.respond_to?(:to_ary)
+        object.to_ary || [object]
+      else
+        [object]
+      end
+    end
   end
 end

data/lib/cancan/sti_detector.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class StiDetector
+  def self.sti_class?(subject)
+    return false unless defined?(ActiveRecord::Base)
+    return false unless subject.respond_to?(:descends_from_active_record?)
+    return false if subject == :all || subject.descends_from_active_record?
+    return false unless subject < ActiveRecord::Base
+
+    true
+  end
+end

data/lib/cancan/unauthorized_message_resolver.rb

@@ -3,10 +3,12 @@
 module CanCan
   module UnauthorizedMessageResolver
     def unauthorized_message(action, subject)
+      subject = subject.values.last if subject.is_a?(Hash)
       keys = unauthorized_message_keys(action, subject)
-      variables = { action: action.to_s }
+      variables = {}
+      variables[:action] = I18n.translate("actions.#{action}", default: action.to_s)
       variables[:subject] = translate_subject(subject)
-      message = I18n.translate(keys.shift, variables.merge(scope: :unauthorized, default: keys + ['']))
+      message = I18n.translate(keys.shift, **variables.merge(scope: :unauthorized, default: keys + ['']))
       message.blank? ? nil : message
     end
 

data/lib/cancan/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CanCan
-  VERSION = '3.0.1'.freeze
+  VERSION = '3.5.0'.freeze
 end

data/lib/cancan.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'cancan/version'
+require 'cancan/config'
 require 'cancan/parameter_validators'
 require 'cancan/ability'
 require 'cancan/rule'
@@ -16,7 +17,13 @@ require 'cancan/rules_compressor'
 if defined? ActiveRecord
   require 'cancan/model_adapters/conditions_extractor'
   require 'cancan/model_adapters/conditions_normalizer'
+  require 'cancan/model_adapters/sti_normalizer'
   require 'cancan/model_adapters/active_record_adapter'
   require 'cancan/model_adapters/active_record_4_adapter'
   require 'cancan/model_adapters/active_record_5_adapter'
+  require 'cancan/model_adapters/strategies/base'
+  require 'cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery'
+  require 'cancan/model_adapters/strategies/joined_alias_exists_subquery'
+  require 'cancan/model_adapters/strategies/left_join'
+  require 'cancan/model_adapters/strategies/subquery'
 end

data/lib/generators/cancan/ability/templates/ability.rb

@@ -4,14 +4,12 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
-    # Define abilities for the passed in user here. For example:
+    # Define abilities for the user here. For example:
     #
-    #   user ||= User.new # guest user (not logged in)
-    #   if user.admin?
-    #     can :manage, :all
-    #   else
-    #     can :read, :all
-    #   end
+    #   return unless user.present?
+    #   can :read, :all
+    #   return unless user.admin?
+    #   can :manage, :all
     #
     # The first argument to `can` is the action you are giving the user
     # permission to do.
@@ -26,9 +24,9 @@ class Ability
     # objects.
     # For example, here the user can only update published articles.
     #
-    #   can :update, Article, :published => true
+    #   can :update, Article, published: true
     #
     # See the wiki for details:
-    # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
+    # https://github.com/CanCanCommunity/cancancan/blob/develop/docs/define_check_abilities.md
   end
 end

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: cancancan
 version: !ruby/object:Gem::Version
-  version: 3.0.1
+  version: 3.5.0
 platform: ruby
 authors:
 - Alessandro Rodi (Renuo AG)
 - Bryan Rite
 - Ryan Bates
 - Richard Wilson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-04-16 00:00:00.000000000 Z
+date: 2023-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -93,14 +93,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.63.1
+        version: 1.31.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.63.1
+        version: 1.31.1
 description: Simple authorization solution for Rails. All permissions are stored in
   a single location.
 email: alessandro.rodi@renuo.ch
@@ -115,7 +115,9 @@ files:
 - lib/cancan/ability/actions.rb
 - lib/cancan/ability/rules.rb
 - lib/cancan/ability/strong_parameter_support.rb
+- lib/cancan/class_matcher.rb
 - lib/cancan/conditions_matcher.rb
+- lib/cancan/config.rb
 - lib/cancan/controller_additions.rb
 - lib/cancan/controller_resource.rb
 - lib/cancan/controller_resource_builder.rb
@@ -132,10 +134,18 @@ files:
 - lib/cancan/model_adapters/conditions_extractor.rb
 - lib/cancan/model_adapters/conditions_normalizer.rb
 - lib/cancan/model_adapters/default_adapter.rb
+- lib/cancan/model_adapters/sti_normalizer.rb
+- lib/cancan/model_adapters/strategies/base.rb
+- lib/cancan/model_adapters/strategies/joined_alias_each_rule_as_exists_subquery.rb
+- lib/cancan/model_adapters/strategies/joined_alias_exists_subquery.rb
+- lib/cancan/model_adapters/strategies/left_join.rb
+- lib/cancan/model_adapters/strategies/subquery.rb
 - lib/cancan/model_additions.rb
 - lib/cancan/parameter_validators.rb
+- lib/cancan/relevant.rb
 - lib/cancan/rule.rb
 - lib/cancan/rules_compressor.rb
+- lib/cancan/sti_detector.rb
 - lib/cancan/unauthorized_message_resolver.rb
 - lib/cancan/version.rb
 - lib/cancancan.rb
@@ -145,8 +155,9 @@ files:
 homepage: https://github.com/CanCanCommunity/cancancan
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  funding_uri: https://github.com/sponsors/coorasse
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -161,9 +172,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: Simple authorization solution for Rails.
 test_files: []