cancancan 3.4.0 → 3.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc128fc4996aed8edaee7dcce7178ec47d06c63591bf03c7cb98dd3deec5c213
-  data.tar.gz: 4e3ee983874f8fbeb3f566c6e12aaba275990581e77938b73d0349ec1e867f6e
+  metadata.gz: bebbba60e68460ec234fc11e8d3cf0414e578a56c0347862c673396eb917dff9
+  data.tar.gz: bb07244a17dcf45d1852cf6677864084c2f0db5630ea9b72bdcc0c6055b5c4b6
 SHA512:
-  metadata.gz: 4511dd58be6c2a2ce4bc28b382ece40ad367a1cf72f56d521fe2f38ca038eb6cb11a249a1d029346038cfec0e1828acadddf8ff9be14d6d59e5228b165811d49
-  data.tar.gz: 8d24834c3362f708a9979079eee089537975aefa25144a65eea006c137a75297f1341b6df24877c0c517b0e1c33e935a7c4d82bbedcca84e00100d0806812ff5
+  metadata.gz: be9f2b03ae43651ea70a451b97a44fd6ec6e0a09ca444ddf625b91ae3815a245e0669bb80b4d3b0687ca327bc0c4fe81028f7736cb6493ef636b43a4140f4f49
+  data.tar.gz: db75441929e737d12699f57324d031e894b5d2cdbe1555451857977c42b0ef28148cc63bb718981c32ac08bafd2873623d2151ba8e98c442f217b3f4affecda9

data/cancancan.gemspec

@@ -25,5 +25,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'bundler', '~> 2.0'
   s.add_development_dependency 'rake', '~> 10.1', '>= 10.1.1'
   s.add_development_dependency 'rspec', '~> 3.2', '>= 3.2.0'
-  s.add_development_dependency 'rubocop', '~> 1.26'
+  s.add_development_dependency 'rubocop', '~> 1.31.1'
 end

data/lib/cancan/ability/rules.rb

@@ -61,8 +61,8 @@ module CanCan
           next unless rule.only_raw_sql?
 
           raise Error,
-                "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
-                " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+                "The can? and cannot? call cannot be used with a raw sql 'can' definition. " \
+                "The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
         end
       end
 
@@ -72,7 +72,7 @@ module CanCan
           rule.base_behavior == false && rule.attributes.present?
         end
         if rules.any?(&:only_block?)
-          raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
+          raise Error, "The accessible_by call cannot be used with a block 'can' definition." \
             "The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
         end
         rules

data/lib/cancan/conditions_matcher.rb

@@ -18,10 +18,14 @@ module CanCan
       [Class, Module].include? klass
     end
 
-    def matches_block_conditions(subject, *extra_args)
+    def matches_block_conditions(subject, attribute, *extra_args)
       return @base_behavior if subject_class?(subject)
 
-      @block.call(subject, *extra_args.compact)
+      if attribute
+        @block.call(subject, attribute, *extra_args)
+      else
+        @block.call(subject, *extra_args)
+      end
     end
 
     def matches_non_block_conditions(subject)
@@ -35,11 +39,13 @@ module CanCan
     def nested_subject_matches_conditions?(subject_hash)
       parent, child = subject_hash.first
 
-      matches_base_parent_conditions = matches_conditions_hash?(parent,
-                                                                @conditions[parent.class.name.downcase.to_sym] || {})
-
       adapter = model_adapter(parent)
 
+      parent_condition_name = adapter.parent_condition_name(parent, child)
+
+      matches_base_parent_conditions = matches_conditions_hash?(parent,
+                                                                @conditions[parent_condition_name] || {})
+
       matches_base_parent_conditions &&
         (!adapter.override_nested_subject_conditions_matching?(parent, child, @conditions) ||
           adapter.nested_subject_matches_conditions?(parent, child, @conditions))
@@ -63,16 +69,15 @@ module CanCan
 
     def matches_all_conditions?(adapter, subject, conditions)
       if conditions.is_a?(Hash)
-        matches_hash_conditions(adapter, subject, conditions)
+        matches_hash_conditions?(adapter, subject, conditions)
       elsif conditions.respond_to?(:include?)
         conditions.include?(subject)
       else
-        puts "does #{subject} match #{conditions}?"
         subject == conditions
       end
     end
 
-    def matches_hash_conditions(adapter, subject, conditions)
+    def matches_hash_conditions?(adapter, subject, conditions)
       conditions.all? do |name, value|
         if adapter.override_condition_matching?(subject, name, value)
           adapter.matches_condition?(subject, name, value)
@@ -97,12 +102,29 @@ module CanCan
 
     def hash_condition_match?(attribute, value)
       if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
-        attribute.to_a.any? { |element| matches_conditions_hash?(element, value) }
+        array_like_matches_condition_hash?(attribute, value)
       else
         attribute && matches_conditions_hash?(attribute, value)
       end
     end
 
+    def array_like_matches_condition_hash?(attribute, value)
+      if attribute.any?
+        attribute.any? { |element| matches_conditions_hash?(element, value) }
+      else
+        # you can use `nil`s in your ability definition to tell cancancan to find
+        # objects that *don't* have any children in a has_many relationship.
+        #
+        # for example, given ability:
+        # => can :read, Article, comments: { id: nil }
+        # cancancan will return articles where `article.comments == []`
+        #
+        # this is implemented here. `attribute` is `article.comments`, and it's an empty array.
+        # the expression below returns true if this was expected.
+        !value.values.empty? && value.values.all?(&:nil?)
+      end
+    end
+
     def call_block_with_all(action, subject, *extra_args)
       if subject.class == Class
         @block.call(action, subject, nil, *extra_args)

data/lib/cancan/config.rb

@@ -11,6 +11,29 @@ module CanCan
     strategies
   end
 
+  # You can disable the rules compressor if it's causing unexpected issues.
+  def self.rules_compressor_enabled
+    return @rules_compressor_enabled if defined?(@rules_compressor_enabled)
+
+    @rules_compressor_enabled = true
+  end
+
+  def self.rules_compressor_enabled=(value)
+    @rules_compressor_enabled = value
+  end
+
+  def self.with_rules_compressor_enabled(value)
+    return yield if value == rules_compressor_enabled
+
+    begin
+      rules_compressor_enabled_was = rules_compressor_enabled
+      @rules_compressor_enabled = value
+      yield
+    ensure
+      @rules_compressor_enabled = rules_compressor_enabled_was
+    end
+  end
+
   # Determines how CanCan should build queries when calling accessible_by,
   # if the query will contain a join. The default strategy is `:subquery`.
   #

data/lib/cancan/controller_additions.rb

@@ -264,7 +264,7 @@ module CanCan
           next if options[:unless] && controller.send(options[:unless])
 
           raise AuthorizationNotPerformed,
-                'This action failed the check_authorization because it does not authorize_resource. '\
+                'This action failed the check_authorization because it does not authorize_resource. ' \
                 'Add skip_authorization_check to bypass this check.'
         end
 

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -35,6 +35,11 @@ module CanCan
         raise NotImplemented, 'This model adapter does not support matching on a conditions hash.'
       end
 
+      # Override if parent condition could be under a different key in conditions
+      def self.parent_condition_name(parent, _child)
+        parent.class.name.downcase.to_sym
+      end
+
       # Used above override_conditions_hash_matching to determine if this model adapter will override the
       # matching behavior for nested subject.
       # If this returns true then nested_subject_matches_conditions? will be called.

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -15,7 +15,11 @@ module CanCan
 
       def initialize(model_class, rules)
         super
-        @compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        @compressed_rules = if CanCan.rules_compressor_enabled
+                              RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+                            else
+                              @rules
+                            end
         StiNormalizer.normalize(@compressed_rules)
         ConditionsNormalizer.normalize(model_class, @compressed_rules)
       end
@@ -38,11 +42,53 @@ module CanCan
 
         def parent_child_conditions(parent, child, all_conditions)
           child_class = child.is_a?(Class) ? child : child.class
+          parent_class = parent.is_a?(Class) ? parent : parent.class
+
           foreign_key = child_class.reflect_on_all_associations(:belongs_to).find do |association|
-                          association.klass == parent.class
-                        end&.foreign_key&.to_sym
+            # Do not match on polymorphic associations or it will throw an error (klass cannot be determined)
+            !association.polymorphic? && association.klass == parent.class
+          end&.foreign_key&.to_sym
+
+          # Search again in case of polymorphic associations, this time matching on the :has_many side
+          # via the :as option, as well as klass
+          foreign_key ||= parent_class.reflect_on_all_associations(:has_many).find do |has_many_assoc|
+            !matching_parent_child_polymorphic_association(has_many_assoc, child_class).nil?
+          end&.foreign_key&.to_sym
+
           foreign_key.nil? ? nil : all_conditions[foreign_key]
         end
+
+        def matching_parent_child_polymorphic_association(parent_assoc, child_class)
+          return nil unless parent_assoc.klass == child_class
+          return nil if parent_assoc&.options[:as].nil?
+  
+          child_class.reflect_on_all_associations(:belongs_to).find do |child_assoc|
+            # Only match this way for polymorphic associations
+            child_assoc.polymorphic? && child_assoc.name == parent_assoc.options[:as]
+          end
+        end
+
+        def child_association_to_parent(parent, child)
+          child_class = child.is_a?(Class) ? child : child.class
+          parent_class = parent.is_a?(Class) ? parent : parent.class
+
+          association = child_class.reflect_on_all_associations(:belongs_to).find do |association|
+            # Do not match on polymorphic associations or it will throw an error (klass cannot be determined)
+            !association.polymorphic? && association.klass == parent.class
+          end
+
+          return association unless association.nil?
+
+          parent_class.reflect_on_all_associations(:has_many).each do |has_many_assoc|
+            association ||= matching_parent_child_polymorphic_association(has_many_assoc, child_class)
+          end
+
+          association
+        end
+
+        def parent_condition_name(parent, child)
+          child_association_to_parent(parent, child)&.name || parent.class.name.downcase.to_sym
+        end
       end
 
       # Returns conditions intended to be used inside a database query. Normally you will not call this
@@ -133,7 +179,7 @@ module CanCan
       def raise_override_scope_error
         rule_found = @compressed_rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
         raise Error,
-              'Unable to merge an Active Record scope with other conditions. '\
+              'Unable to merge an Active Record scope with other conditions. ' \
               "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."
       end
 

data/lib/cancan/model_adapters/sti_normalizer.rb

@@ -30,8 +30,16 @@ module CanCan
 
         # create a new rule for the subclasses that links on the inheritance_column
         def build_rule_for_subclass(rule, subject)
+          sti_conditions = { subject.inheritance_column => subject.sti_name }
+          new_rule_conditions =
+            if rule.with_scope?
+              rule.conditions.where(sti_conditions)
+            else
+              rule.conditions.merge(sti_conditions)
+            end
+
           CanCan::Rule.new(rule.base_behavior, rule.actions, subject.superclass,
-                           rule.conditions.merge(subject.inheritance_column => subject.sti_name), rule.block)
+                           new_rule_conditions, rule.block)
         end
       end
     end

data/lib/cancan/rule.rb

@@ -123,7 +123,7 @@ module CanCan
     def condition_and_block_check(conditions, block, action, subject)
       return unless conditions.is_a?(Hash) && block
 
-      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. '\
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. ' \
         "Check \":#{action} #{subject}\" ability."
     end
 

data/lib/cancan/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CanCan
-  VERSION = '3.4.0'.freeze
+  VERSION = '3.5.0'.freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cancancan
 version: !ruby/object:Gem::Version
-  version: 3.4.0
+  version: 3.5.0
 platform: ruby
 authors:
 - Alessandro Rodi (Renuo AG)
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-23 00:00:00.000000000 Z
+date: 2023-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -93,14 +93,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.26'
+        version: 1.31.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.26'
+        version: 1.31.1
 description: Simple authorization solution for Rails. All permissions are stored in
   a single location.
 email: alessandro.rodi@renuo.ch
@@ -172,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Simple authorization solution for Rails.