cancancan 2.1.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9115e4337e5f3acf25ada77c66a9e2eef4627cd8
-  data.tar.gz: 530b77ec0c2f974624e814a65d798864b30324b8
+  metadata.gz: a754d91858c1b6c433c9b7c12d6b4e99440c0cc0
+  data.tar.gz: 31d2172742361e8a5ee8e7d74d2d5ca3a8e0e681
 SHA512:
-  metadata.gz: 8e4091db3eb5acc0567e7d9c80df489974013021a5ee54010a4f9406727680d753c48d955b31e4285fb6903aedfda66089f9a12c2afc07e9e55b90545f31de69
-  data.tar.gz: 438619dd7cde250eb3598ed34cdc28f514a7d9ce2fa18221cdc3c945312a855ab5cb3c378e5c7737367551353f39f2fdf4e37fd16371e4af3d18b88eb9985da3
+  metadata.gz: 6a15feefdba0ac03be2609772608006b2a4546d8ce5bcfd1e1a656a136ad87c837a2b3506bc57c8ae57747b47c6464d4e5912c5252c41b5acc4f625a3aaa01bc
+  data.tar.gz: 6492f1fd59db034738c473a7c25677037d7ab37aabb644b4cffb057ed97e53519e25c9aa90d7048f2485088859094824af9dad7926d0ec27d3e2ff20b331ba33

data/lib/cancan.rb

@@ -10,6 +10,6 @@ require 'cancan/model_adapters/abstract_adapter'
 require 'cancan/model_adapters/default_adapter'
 
 if defined? ActiveRecord
-  require 'cancan/model_adapters/active_record_adapter'  
+  require 'cancan/model_adapters/active_record_adapter'
   require 'cancan/model_adapters/active_record_4_adapter'
 end

data/lib/cancan/ability.rb

@@ -1,3 +1,5 @@
+require_relative 'ability/rules.rb'
+require_relative 'ability/actions.rb'
 module CanCan
   # This module is designed to be included into an Ability class. This will
   # provide the "can" methods for defining and checking abilities.
@@ -15,6 +17,9 @@ module CanCan
   #   end
   #
   module Ability
+    include CanCan::Ability::Rules
+    include CanCan::Ability::Actions
+
     # Check if the user has permission to perform a given action on an object.
     #
     #   can? :destroy, @project
@@ -149,58 +154,12 @@ module CanCan
       add_rule(Rule.new(false, action, subject, conditions, block))
     end
 
-    # Alias one or more actions into another one.
-    #
-    #   alias_action :update, :destroy, :to => :modify
-    #   can :modify, Comment
-    #
-    # Then :modify permission will apply to both :update and :destroy requests.
-    #
-    #   can? :update, Comment # => true
-    #   can? :destroy, Comment # => true
-    #
-    # This only works in one direction. Passing the aliased action into the "can?" call
-    # will not work because aliases are meant to generate more generic actions.
-    #
-    #   alias_action :update, :destroy, :to => :modify
-    #   can :update, Comment
-    #   can? :modify, Comment # => false
-    #
-    # Unless that exact alias is used.
-    #
-    #   can :modify, Comment
-    #   can? :modify, Comment # => true
-    #
-    # The following aliases are added by default for conveniently mapping common controller actions.
-    #
-    #   alias_action :index, :show, :to => :read
-    #   alias_action :new, :to => :create
-    #   alias_action :edit, :to => :update
-    #
-    # This way one can use params[:action] in the controller to determine the permission.
-    def alias_action(*args)
-      target = args.pop[:to]
-      validate_target(target)
-      aliased_actions[target] ||= []
-      aliased_actions[target] += args
-    end
-
     # User shouldn't specify targets with names of real actions or it will cause Seg fault
     def validate_target(target)
       error_message = "You can't specify target (#{target}) as alias because it is real action name"
       raise Error, error_message if aliased_actions.values.flatten.include? target
     end
 
-    # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
-    def aliased_actions
-      @aliased_actions ||= default_alias_actions
-    end
-
-    # Removes previously aliased actions including the defaults.
-    def clear_aliased_actions
-      @aliased_actions = {}
-    end
-
     def model_adapter(model_class, action)
       adapter_class = ModelAdapters::AbstractAdapter.adapter_class(model_class)
       adapter_class.new(model_class, relevant_rules_for_query(action, model_class))
@@ -262,29 +221,16 @@ module CanCan
     #   }
     def permissions
       permissions_list = { can: {}, cannot: {} }
-
-      rules.each do |rule|
-        subjects = rule.subjects
-        expand_actions(rule.actions).each do |action|
-          if rule.base_behavior
-            permissions_list[:can][action] ||= []
-            permissions_list[:can][action] += subjects.map(&:to_s)
-          else
-            permissions_list[:cannot][action] ||= []
-            permissions_list[:cannot][action] += subjects.map(&:to_s)
-          end
-        end
-      end
-
+      rules.each { |rule| extract_rule_in_permissions(permissions_list, rule) }
       permissions_list
     end
 
-    protected
-
-    # Must be protected as an ability can merge with other abilities.
-    # This means that an ability must expose their rules with another ability.
-    def rules
-      @rules ||= []
+    def extract_rule_in_permissions(permissions_list, rule)
+      expand_actions(rule.actions).each do |action|
+        container = rule.base_behavior ? :can : :cannot
+        permissions_list[container][action] ||= []
+        permissions_list[container][action] += rule.subjects.map(&:to_s)
+      end
     end
 
     private
@@ -297,26 +243,6 @@ module CanCan
       end
     end
 
-    # Accepts an array of actions and returns an array of actions which match.
-    # This should be called before "matches?" and other checking methods since they
-    # rely on the actions to be expanded.
-    def expand_actions(actions)
-      expanded_actions[actions] ||= begin
-        expanded = []
-        actions.each do |action|
-          expanded << action
-          if (aliases = aliased_actions[action])
-            expanded += expand_actions(aliases)
-          end
-        end
-        expanded
-      end
-    end
-
-    def expanded_actions
-      @expanded_actions ||= {}
-    end
-
     # It translates to an array the subject or the hash with multiple subjects given to can?.
     def extract_subjects(subject)
       if subject.is_a?(Hash) && subject.key?(:any)
@@ -326,97 +252,9 @@ module CanCan
       end
     end
 
-    # Given an action, it will try to find all of the actions which are aliased to it.
-    # This does the opposite kind of lookup as expand_actions.
-    def aliases_for_action(action)
-      results = [action]
-      aliased_actions.each do |aliased_action, actions|
-        results += aliases_for_action(aliased_action) if actions.include? action
-      end
-      results
-    end
-
-    def add_rule(rule)
-      rules << rule
-      add_rule_to_index(rule, rules.size - 1)
-    end
-
-    def add_rule_to_index(rule, position)
-      @rules_index ||= Hash.new { |h, k| h[k] = [] }
-
-      subjects = rule.subjects.compact
-      subjects << :all if subjects.empty?
-
-      subjects.each do |subject|
-        @rules_index[subject] << position
-      end
-    end
-
     def alternative_subjects(subject)
       subject = subject.class unless subject.is_a?(Module)
-      [:all, *subject.ancestors,  subject.class.to_s]
-    end
-
-    # Returns an array of Rule instances which match the action and subject
-    # This does not take into consideration any hash conditions or block statements
-    def relevant_rules(action, subject)
-      return [] unless @rules
-      relevant = possible_relevant_rules(subject).select do |rule|
-        rule.expanded_actions = expand_actions(rule.actions)
-        rule.relevant? action, subject
-      end
-      relevant.reverse!.uniq!
-      optimize_order! relevant
-      relevant
-    end
-
-    # Optimizes the order of the rules, so that rules with the :all subject are evaluated first.
-    def optimize_order!(rules)
-      first_can_in_group = -1
-      rules.each_with_index do |rule, i|
-        (first_can_in_group = -1) && next unless rule.base_behavior
-        (first_can_in_group = i) && next if first_can_in_group == -1
-        next unless rule.subjects == [:all]
-        rules[i] = rules[first_can_in_group]
-        rules[first_can_in_group] = rule
-        first_can_in_group += 1
-      end
-    end
-
-    def possible_relevant_rules(subject)
-      if subject.is_a?(Hash)
-        rules
-      else
-        positions = @rules_index.values_at(subject, *alternative_subjects(subject))
-        positions.flatten!.sort!
-        positions.map { |i| @rules[i] }
-      end
-    end
-
-    def relevant_rules_for_match(action, subject)
-      relevant_rules(action, subject).each do |rule|
-        next unless rule.only_raw_sql?
-        raise Error,
-              "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
-              " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
-      end
-    end
-
-    def relevant_rules_for_query(action, subject)
-      relevant_rules(action, subject).each do |rule|
-        if rule.only_block?
-          raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
-                       " The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
-        end
-      end
-    end
-
-    def default_alias_actions
-      {
-        read: %i[index show],
-        create: [:new],
-        update: [:edit]
-      }
+      [:all, *subject.ancestors, subject.class.to_s]
     end
   end
 end

data/lib/cancan/ability/actions.rb

@@ -0,0 +1,91 @@
+module CanCan
+  module Ability
+    module Actions
+      # Alias one or more actions into another one.
+      #
+      #   alias_action :update, :destroy, :to => :modify
+      #   can :modify, Comment
+      #
+      # Then :modify permission will apply to both :update and :destroy requests.
+      #
+      #   can? :update, Comment # => true
+      #   can? :destroy, Comment # => true
+      #
+      # This only works in one direction. Passing the aliased action into the "can?" call
+      # will not work because aliases are meant to generate more generic actions.
+      #
+      #   alias_action :update, :destroy, :to => :modify
+      #   can :update, Comment
+      #   can? :modify, Comment # => false
+      #
+      # Unless that exact alias is used.
+      #
+      #   can :modify, Comment
+      #   can? :modify, Comment # => true
+      #
+      # The following aliases are added by default for conveniently mapping common controller actions.
+      #
+      #   alias_action :index, :show, :to => :read
+      #   alias_action :new, :to => :create
+      #   alias_action :edit, :to => :update
+      #
+      # This way one can use params[:action] in the controller to determine the permission.
+      def alias_action(*args)
+        target = args.pop[:to]
+        validate_target(target)
+        aliased_actions[target] ||= []
+        aliased_actions[target] += args
+      end
+
+      # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
+      def aliased_actions
+        @aliased_actions ||= default_alias_actions
+      end
+
+      # Removes previously aliased actions including the defaults.
+      def clear_aliased_actions
+        @aliased_actions = {}
+      end
+
+      private
+
+      def default_alias_actions
+        {
+          read: %i[index show],
+          create: [:new],
+          update: [:edit]
+        }
+      end
+
+      # Given an action, it will try to find all of the actions which are aliased to it.
+      # This does the opposite kind of lookup as expand_actions.
+      def aliases_for_action(action)
+        results = [action]
+        aliased_actions.each do |aliased_action, actions|
+          results += aliases_for_action(aliased_action) if actions.include? action
+        end
+        results
+      end
+
+      def expanded_actions
+        @expanded_actions ||= {}
+      end
+
+      # Accepts an array of actions and returns an array of actions which match.
+      # This should be called before "matches?" and other checking methods since they
+      # rely on the actions to be expanded.
+      def expand_actions(actions)
+        expanded_actions[actions] ||= begin
+          expanded = []
+          actions.each do |action|
+            expanded << action
+            if (aliases = aliased_actions[action])
+              expanded += expand_actions(aliases)
+            end
+          end
+          expanded
+        end
+      end
+    end
+  end
+end

data/lib/cancan/ability/rules.rb

@@ -0,0 +1,85 @@
+module CanCan
+  module Ability
+    module Rules
+      protected
+
+      # Must be protected as an ability can merge with other abilities.
+      # This means that an ability must expose their rules with another ability.
+      def rules
+        @rules ||= []
+      end
+
+      private
+
+      def add_rule(rule)
+        rules << rule
+        add_rule_to_index(rule, rules.size - 1)
+      end
+
+      def add_rule_to_index(rule, position)
+        @rules_index ||= Hash.new { |h, k| h[k] = [] }
+
+        subjects = rule.subjects.compact
+        subjects << :all if subjects.empty?
+
+        subjects.each do |subject|
+          @rules_index[subject] << position
+        end
+      end
+
+      # Returns an array of Rule instances which match the action and subject
+      # This does not take into consideration any hash conditions or block statements
+      def relevant_rules(action, subject)
+        return [] unless @rules
+        relevant = possible_relevant_rules(subject).select do |rule|
+          rule.expanded_actions = expand_actions(rule.actions)
+          rule.relevant? action, subject
+        end
+        relevant.reverse!.uniq!
+        optimize_order! relevant
+        relevant
+      end
+
+      def possible_relevant_rules(subject)
+        if subject.is_a?(Hash)
+          rules
+        else
+          positions = @rules_index.values_at(subject, *alternative_subjects(subject))
+          positions.flatten!.sort!
+          positions.map { |i| @rules[i] }
+        end
+      end
+
+      def relevant_rules_for_match(action, subject)
+        relevant_rules(action, subject).each do |rule|
+          next unless rule.only_raw_sql?
+          raise Error,
+                "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
+              " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+      end
+
+      def relevant_rules_for_query(action, subject)
+        relevant_rules(action, subject).each do |rule|
+          if rule.only_block?
+            raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
+                       " The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
+          end
+        end
+      end
+
+      # Optimizes the order of the rules, so that rules with the :all subject are evaluated first.
+      def optimize_order!(rules)
+        first_can_in_group = -1
+        rules.each_with_index do |rule, i|
+          (first_can_in_group = -1) && next unless rule.base_behavior
+          (first_can_in_group = i) && next if first_can_in_group == -1
+          next unless rule.subjects == [:all]
+          rules[i] = rules[first_can_in_group]
+          rules[first_can_in_group] = rule
+          first_can_in_group += 1
+        end
+      end
+    end
+  end
+end

data/lib/cancan/conditions_matcher.rb

@@ -0,0 +1,93 @@
+module CanCan
+  module ConditionsMatcher
+    # Matches the block or conditions hash
+    def matches_conditions?(action, subject, extra_args)
+      return call_block_with_all(action, subject, extra_args) if @match_all
+      return @block.call(subject, *extra_args) if @block && !subject_class?(subject)
+      matches_non_block_conditions(subject)
+    end
+
+    private
+
+    def subject_class?(subject)
+      klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
+      klass == Class || klass == Module
+    end
+
+    def matches_non_block_conditions(subject)
+      if @conditions.is_a?(Hash)
+        return nested_subject_matches_conditions?(subject) if subject.class == Hash
+        return matches_conditions_hash?(subject) unless subject_class?(subject)
+      end
+      # Don't stop at "cannot" definitions when there are conditions.
+      conditions_empty? ? true : @base_behavior
+    end
+
+    def nested_subject_matches_conditions?(subject_hash)
+      parent, _child = subject_hash.first
+      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
+    end
+
+    # Checks if the given subject matches the given conditions hash.
+    # This behavior can be overriden by a model adapter by defining two class methods:
+    # override_matching_for_conditions?(subject, conditions) and
+    # matches_conditions_hash?(subject, conditions)
+    def matches_conditions_hash?(subject, conditions = @conditions)
+      return true if conditions.empty?
+      adapter = model_adapter(subject)
+
+      if adapter.override_conditions_hash_matching?(subject, conditions)
+        return adapter.matches_conditions_hash?(subject, conditions)
+      end
+
+      matches_all_conditions?(adapter, conditions, subject)
+    end
+
+    def matches_all_conditions?(adapter, conditions, subject)
+      conditions.all? do |name, value|
+        if adapter.override_condition_matching?(subject, name, value)
+          adapter.matches_condition?(subject, name, value)
+        else
+          condition_match?(subject.send(name), value)
+        end
+      end
+    end
+
+    def condition_match?(attribute, value)
+      case value
+      when Hash
+        hash_condition_match?(attribute, value)
+      when Range
+        value.cover?(attribute)
+      when Enumerable
+        value.include?(attribute)
+      else
+        attribute == value
+      end
+    end
+
+    def hash_condition_match?(attribute, value)
+      if attribute.is_a?(Array) || (defined?(ActiveRecord) && attribute.is_a?(ActiveRecord::Relation))
+        attribute.any? { |element| matches_conditions_hash?(element, value) }
+      else
+        attribute && matches_conditions_hash?(attribute, value)
+      end
+    end
+
+    def call_block_with_all(action, subject, extra_args)
+      if subject.class == Class
+        @block.call(action, subject, nil, *extra_args)
+      else
+        @block.call(action, subject.class, subject, *extra_args)
+      end
+    end
+
+    def model_adapter(subject)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    end
+
+    def conditions_empty?
+      @conditions == {} || @conditions.nil?
+    end
+  end
+end