cancancan 2.3.0 → 3.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f63f1d6ab266068caab6e7baf2b628ae72a7e03a134116eda91473861b9df359
-  data.tar.gz: fbf6337f058ece9a2f01c990a55398489e0ea56888f0a5ce3b9f8d5e203c31ae
+  metadata.gz: d745990a81dbfa8dfaf8802b76bbe6a09d11291562383b429320c1db96355e20
+  data.tar.gz: 579e1848a8c8a5c096a747306c7aa08b2a156bcd404f2c6b6d5b418c02026324
 SHA512:
-  metadata.gz: 24fcc98ce0592b263add65cf0bc75a7020d75777fea7c6902216f97bbc9c13a36b4d379194a142cd8a5e5a24dc1ae82c82a61d6d99143c30a9afe11133048528
-  data.tar.gz: 8873b440698a941314f67a748db86c2abe33e89417ae54d9f35769c29f904edc9eff5736d0bf55d53badc494b9bca9e0ac1761c1920067238628d23dc8e0c643
+  metadata.gz: 91d38cda2159ce1c061101d599aae4abf8bb1358bfd1fe43b4432e7eba0ce9e4002b52d055a1e693138a05e185b70fbc504b6f696e2d02d6e8086b8a6f9976ac
+  data.tar.gz: eb23bb3c5b8a3feaa55d27226443fa8e3fd15175a23d7fa6810c4253ca8646fdbd88150138e3bc81e473d7a27302584ec5ebdb5e31e0fd1dfdf54458b52b3fea

data/cancancan.gemspec

@@ -1,6 +1,6 @@
-# coding: utf-8
+# frozen_string_literal: true
 
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'cancan/version'
 
@@ -20,9 +20,9 @@ Gem::Specification.new do |s|
 
   s.required_ruby_version = '>= 2.2.0'
 
-  s.add_development_dependency 'bundler', '~> 1.3'
-  s.add_development_dependency 'rubocop', '~> 0.48.1'
+  s.add_development_dependency 'appraisal', '~> 2.0', '>= 2.0.0'
+  s.add_development_dependency 'bundler', '~> 2.0'
   s.add_development_dependency 'rake', '~> 10.1', '>= 10.1.1'
   s.add_development_dependency 'rspec', '~> 3.2', '>= 3.2.0'
-  s.add_development_dependency 'appraisal', '~> 2.0', '>= 2.0.0'
+  s.add_development_dependency 'rubocop', '~> 0.63.1'
 end

data/init.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'cancan'

data/lib/cancan.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 require 'cancan/version'
+require 'cancan/parameter_validators'
 require 'cancan/ability'
 require 'cancan/rule'
 require 'cancan/controller_resource'
@@ -12,6 +15,7 @@ require 'cancan/rules_compressor'
 
 if defined? ActiveRecord
   require 'cancan/model_adapters/conditions_extractor'
+  require 'cancan/model_adapters/conditions_normalizer'
   require 'cancan/model_adapters/active_record_adapter'
   require 'cancan/model_adapters/active_record_4_adapter'
   require 'cancan/model_adapters/active_record_5_adapter'

data/lib/cancan/ability.rb

@@ -1,5 +1,10 @@
+# frozen_string_literal: true
+
 require_relative 'ability/rules.rb'
 require_relative 'ability/actions.rb'
+require_relative 'unauthorized_message_resolver.rb'
+require_relative 'ability/strong_parameter_support'
+
 module CanCan
   # This module is designed to be included into an Ability class. This will
   # provide the "can" methods for defining and checking abilities.
@@ -19,6 +24,8 @@ module CanCan
   module Ability
     include CanCan::Ability::Rules
     include CanCan::Ability::Actions
+    include CanCan::UnauthorizedMessageResolver
+    include StrongParameterSupport
 
     # Check if the user has permission to perform a given action on an object.
     #
@@ -64,10 +71,10 @@ module CanCan
     #   end
     #
     # Also see the RSpec Matchers to aid in testing.
-    def can?(action, subject, *extra_args)
+    def can?(action, subject, attribute = nil, *extra_args)
       match = extract_subjects(subject).lazy.map do |a_subject|
         relevant_rules_for_match(action, a_subject).detect do |rule|
-          rule.matches_conditions?(action, a_subject, extra_args)
+          rule.matches_conditions?(action, a_subject, attribute, *extra_args) && rule.matches_attributes?(attribute)
         end
       end.reject(&:nil?).first
       match ? match.base_behavior : false
@@ -134,8 +141,8 @@ module CanCan
     #     # check the database and return true/false
     #   end
     #
-    def can(action = nil, subject = nil, conditions = nil, &block)
-      add_rule(Rule.new(true, action, subject, conditions, block))
+    def can(action = nil, subject = nil, *attributes_and_conditions, &block)
+      add_rule(Rule.new(true, action, subject, *attributes_and_conditions, &block))
     end
 
     # Defines an ability which cannot be done. Accepts the same arguments as "can".
@@ -150,8 +157,8 @@ module CanCan
     #     product.invisible?
     #   end
     #
-    def cannot(action = nil, subject = nil, conditions = nil, &block)
-      add_rule(Rule.new(false, action, subject, conditions, block))
+    def cannot(action = nil, subject = nil, *attributes_and_conditions, &block)
+      add_rule(Rule.new(false, action, subject, *attributes_and_conditions, &block))
     end
 
     # User shouldn't specify targets with names of real actions or it will cause Seg fault
@@ -167,10 +174,7 @@ module CanCan
 
     # See ControllerAdditions#authorize! for documentation.
     def authorize!(action, subject, *args)
-      message = nil
-      if args.last.is_a?(Hash) && args.last.key?(:message)
-        message = args.pop[:message]
-      end
+      message = args.last.is_a?(Hash) && args.last.key?(:message) ? args.pop[:message] : nil
       if cannot?(action, subject, *args)
         message ||= unauthorized_message(action, subject)
         raise AccessDenied.new(message, action, subject, args)
@@ -178,14 +182,6 @@ module CanCan
       subject
     end
 
-    def unauthorized_message(action, subject)
-      keys = unauthorized_message_keys(action, subject)
-      variables = { action: action.to_s }
-      variables[:subject] = (subject.class == Class ? subject : subject.class).to_s.underscore.humanize.downcase
-      message = I18n.translate(keys.shift, variables.merge(scope: :unauthorized, default: keys + ['']))
-      message.blank? ? nil : message
-    end
-
     def attributes_for(action, subject)
       attributes = {}
       relevant_rules(action, subject).map do |rule|
@@ -202,12 +198,13 @@ module CanCan
       relevant_rules(action, subject).any?(&:only_raw_sql?)
     end
 
-    # Copies all rules of the given +CanCan::Ability+ and adds them to +self+.
+    # Copies all rules and aliased actions of the given +CanCan::Ability+ and adds them to +self+.
     #   class ReadAbility
     #     include CanCan::Ability
     #
     #     def initialize
     #       can :read, User
+    #       alias_action :show, :index, to: :see
     #     end
     #   end
     #
@@ -216,6 +213,7 @@ module CanCan
     #
     #     def initialize
     #       can :edit, User
+    #       alias_action :create, :update, to: :modify
     #     end
     #   end
     #
@@ -223,11 +221,35 @@ module CanCan
     #   read_ability.can? :edit, User.new #=> false
     #   read_ability.merge(WritingAbility.new)
     #   read_ability.can? :edit, User.new #=> true
+    #   read_ability.aliased_actions #=> [:see => [:show, :index], :modify => [:create, :update]]
+    #
+    # If there are collisions when merging the +aliased_actions+, the actions on +self+ will be
+    # overwritten.
+    #
+    # class ReadAbility
+    #   include CanCan::Ability
     #
+    #   def initialize
+    #     alias_action :show, :index, to: :see
+    #   end
+    # end
+    #
+    # class ShowAbility
+    #   include CanCan::Ability
+    #
+    #   def initialize
+    #     alias_action :show, to: :see
+    #   end
+    # end
+    #
+    # read_ability = ReadAbility.new
+    # read_ability.merge(ShowAbility)
+    # read_ability.aliased_actions #=> [:see => [:show]]
     def merge(ability)
       ability.rules.each do |rule|
         add_rule(rule.dup)
       end
+      @aliased_actions = aliased_actions.merge(ability.aliased_actions)
       self
     end
 
@@ -239,10 +261,13 @@ module CanCan
     #
     # Where can_hash and cannot_hash are formatted thusly:
     #   {
-    #     action: array_of_objects
+    #     action: { subject: [attributes] }
     #   }
     def permissions
-      permissions_list = { can: {}, cannot: {} }
+      permissions_list = {
+        can: Hash.new { |actions, k1| actions[k1] = Hash.new { |subjects, k2| subjects[k2] = [] } },
+        cannot: Hash.new { |actions, k1| actions[k1] = Hash.new { |subjects, k2| subjects[k2] = [] } }
+      }
       rules.each { |rule| extract_rule_in_permissions(permissions_list, rule) }
       permissions_list
     end
@@ -250,8 +275,9 @@ module CanCan
     def extract_rule_in_permissions(permissions_list, rule)
       expand_actions(rule.actions).each do |action|
         container = rule.base_behavior ? :can : :cannot
-        permissions_list[container][action] ||= []
-        permissions_list[container][action] += rule.subjects.map(&:to_s)
+        rule.subjects.each do |subject|
+          permissions_list[container][action][subject.to_s] += rule.attributes
+        end
       end
     end
 

data/lib/cancan/ability/actions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module Ability
     module Actions

data/lib/cancan/ability/rules.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module Ability
     module Rules
@@ -31,6 +33,7 @@ module CanCan
       # This does not take into consideration any hash conditions or block statements
       def relevant_rules(action, subject)
         return [] unless @rules
+
         relevant = possible_relevant_rules(subject).select do |rule|
           rule.expanded_actions = expand_actions(rule.actions)
           rule.relevant? action, subject
@@ -53,19 +56,23 @@ module CanCan
       def relevant_rules_for_match(action, subject)
         relevant_rules(action, subject).each do |rule|
           next unless rule.only_raw_sql?
+
           raise Error,
                 "The can? and cannot? call cannot be used with a raw sql 'can' definition."\
-              " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+                " The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
         end
       end
 
       def relevant_rules_for_query(action, subject)
-        relevant_rules(action, subject).each do |rule|
-          if rule.only_block?
-            raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
-                       " The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
-          end
+        rules = relevant_rules(action, subject).reject do |rule|
+          # reject 'cannot' rules with attributes when doing queries
+          rule.base_behavior == false && rule.attributes.present?
+        end
+        if rules.any?(&:only_block?)
+          raise Error, "The accessible_by call cannot be used with a block 'can' definition."\
+            "The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
         end
+        rules
       end
 
       # Optimizes the order of the rules, so that rules with the :all subject are evaluated first.
@@ -75,6 +82,7 @@ module CanCan
           (first_can_in_group = -1) && next unless rule.base_behavior
           (first_can_in_group = i) && next if first_can_in_group == -1
           next unless rule.subjects == [:all]
+
           rules[i] = rules[first_can_in_group]
           rules[first_can_in_group] = rule
           first_can_in_group += 1

data/lib/cancan/ability/strong_parameter_support.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module CanCan
+  module Ability
+    module StrongParameterSupport
+      # Returns an array of attributes suitable for use with strong parameters
+      #
+      # Note: reversing the relevant rules is important. Normal order means that 'cannot'
+      # rules will come before 'can' rules. However, you can't remove attributes before
+      # they are added. The 'reverse' is so that attributes will be added before the
+      # 'cannot' rules remove them.
+      def permitted_attributes(action, subject)
+        relevant_rules(action, subject)
+          .reverse
+          .select { |rule| rule.matches_conditions? action, subject }
+          .each_with_object(Set.new) do |rule, set|
+          attributes = get_attributes(rule, subject)
+          # add attributes for 'can', remove them for 'cannot'
+          rule.base_behavior ? set.merge(attributes) : set.subtract(attributes)
+        end.to_a
+      end
+
+      private
+
+      def subject_class?(subject)
+        klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
+        [Class, Module].include? klass
+      end
+
+      def get_attributes(rule, subject)
+        klass = subject_class?(subject) ? subject : subject.class
+        # empty attributes is an 'all'
+        if rule.attributes.empty? && klass < ActiveRecord::Base
+          klass.column_names.map(&:to_sym) - Array(klass.primary_key)
+        else
+          rule.attributes
+        end
+      end
+    end
+  end
+end

data/lib/cancan/conditions_matcher.rb

@@ -1,26 +1,35 @@
+# frozen_string_literal: true
+
 module CanCan
   module ConditionsMatcher
     # Matches the block or conditions hash
-    def matches_conditions?(action, subject, extra_args)
+    def matches_conditions?(action, subject, attribute = nil, *extra_args)
       return call_block_with_all(action, subject, extra_args) if @match_all
-      return @block.call(subject, *extra_args) if @block && !subject_class?(subject)
-      matches_non_block_conditions(subject)
+      return matches_block_conditions(subject, attribute, *extra_args) if @block
+      return matches_non_block_conditions(subject) unless conditions_empty?
+
+      true
     end
 
     private
 
     def subject_class?(subject)
       klass = (subject.is_a?(Hash) ? subject.values.first : subject).class
-      klass == Class || klass == Module
+      [Class, Module].include? klass
+    end
+
+    def matches_block_conditions(subject, *extra_args)
+      return @base_behavior if subject_class?(subject)
+
+      @block.call(subject, *extra_args)
     end
 
     def matches_non_block_conditions(subject)
-      if @conditions.is_a?(Hash)
-        return nested_subject_matches_conditions?(subject) if subject.class == Hash
-        return matches_conditions_hash?(subject) unless subject_class?(subject)
-      end
+      return nested_subject_matches_conditions?(subject) if subject.class == Hash
+      return matches_conditions_hash?(subject) unless subject_class?(subject)
+
       # Don't stop at "cannot" definitions when there are conditions.
-      conditions_empty? ? true : @base_behavior
+      @base_behavior
     end
 
     def nested_subject_matches_conditions?(subject_hash)
@@ -34,6 +43,7 @@ module CanCan
     # matches_conditions_hash?(subject, conditions)
     def matches_conditions_hash?(subject, conditions = @conditions)
       return true if conditions.empty?
+
       adapter = model_adapter(subject)
 
       if adapter.override_conditions_hash_matching?(subject, conditions)
@@ -74,7 +84,7 @@ module CanCan
       end
     end
 
-    def call_block_with_all(action, subject, extra_args)
+    def call_block_with_all(action, subject, *extra_args)
       if subject.class == Class
         @block.call(action, subject, nil, *extra_args)
       else

data/lib/cancan/controller_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module is automatically included into all controllers.
   # It also makes the "can?" and "cannot?" methods available to all views.
@@ -225,7 +227,7 @@ module CanCan
         cancan_skipper[:authorize][name] = options
       end
 
-      # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
+      # Add this to a controller to ensure it performs authorization through +authorize+! or +authorize_resource+ call.
       # If neither of these authorization methods are called,
       # a CanCan::AuthorizationNotPerformed exception will be raised.
       # This is normally added to the ApplicationController to ensure all controller actions do authorization.
@@ -260,6 +262,7 @@ module CanCan
           next if controller.instance_variable_defined?(:@_authorized)
           next if options[:if] && !controller.send(options[:if])
           next if options[:unless] && controller.send(options[:unless])
+
           raise AuthorizationNotPerformed,
                 'This action failed the check_authorization because it does not authorize_resource. '\
                 'Add skip_authorization_check to bypass this check.'

data/lib/cancan/controller_resource.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'controller_resource_loader.rb'
 module CanCan
   # Handle the load and authorization controller logic
@@ -34,6 +36,7 @@ module CanCan
 
     def authorize_resource
       return if skip?(:authorize)
+
       @controller.authorize!(authorization_action, resource_instance || resource_class_with_parent)
     end
 
@@ -43,6 +46,7 @@ module CanCan
 
     def skip?(behavior)
       return false unless (options = @controller.class.cancan_skipper[behavior][@name])
+
       options == {} ||
         options[:except] && !action_exists_in?(options[:except]) ||
         action_exists_in?(options[:only])
@@ -90,6 +94,7 @@ module CanCan
 
     def resource_instance
       return unless load_instance? && @controller.instance_variable_defined?("@#{instance_name}")
+
       @controller.instance_variable_get("@#{instance_name}")
     end
 
@@ -99,6 +104,7 @@ module CanCan
 
     def collection_instance
       return unless @controller.instance_variable_defined?("@#{instance_name.to_s.pluralize}")
+
       @controller.instance_variable_get("@#{instance_name.to_s.pluralize}")
     end
 

data/lib/cancan/controller_resource_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceBuilder
     protected

data/lib/cancan/controller_resource_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceFinder
     protected

data/lib/cancan/controller_resource_loader.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'controller_resource_finder.rb'
 require_relative 'controller_resource_name_finder.rb'
 require_relative 'controller_resource_builder.rb'
@@ -11,6 +13,7 @@ module CanCan
 
     def load_resource
       return if skip?(:load)
+
       if load_instance?
         self.resource_instance ||= load_resource_instance
       elsif load_collection?
@@ -26,6 +29,7 @@ module CanCan
 
     def resource_params_by_key(key)
       return unless @options[key] && @params.key?(extract_key(@options[key]))
+
       @params[extract_key(@options[key])]
     end
 

data/lib/cancan/controller_resource_name_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceNameFinder
     protected

data/lib/cancan/controller_resource_sanitizer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ControllerResourceSanitizer
     protected

data/lib/cancan/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # A general CanCan exception
   class Error < StandardError; end
@@ -8,9 +10,15 @@ module CanCan
   # Raised when removed code is called, an alternative solution is provided in message.
   class ImplementationRemoved < Error; end
 
-  # Raised when using check_authorization without calling authorized!
+  # Raised when using check_authorization without calling authorize!
   class AuthorizationNotPerformed < Error; end
 
+  # Raised when a rule is created with both a block and a hash of conditions
+  class BlockAndConditionsError < Error; end
+
+  # Raised when an unexpected argument is passed as an attribute
+  class AttributeArgumentError < Error; end
+
   # Raised when using a wrong association name
   class WrongAssociationName < Error; end
 
@@ -33,7 +41,7 @@ module CanCan
   #   exception.default_message = "Default error message"
   #   exception.message # => "Default error message"
   #
-  # See ControllerAdditions#authorized! for more information on rescuing from this exception
+  # See ControllerAdditions#authorize! for more information on rescuing from this exception
   # and customizing the message using I18n.
   class AccessDenied < Error
     attr_reader :action, :subject, :conditions

data/lib/cancan/matchers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 rspec_module = defined?(RSpec::Core) ? 'RSpec' : 'Spec' # RSpec 1 compatability
 
 if rspec_module == 'RSpec'
@@ -12,6 +14,7 @@ Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
     actions = args.first
     if actions.is_a? Array
       break false if actions.empty?
+
       actions.all? { |action| ability.can?(action, *args[1..-1]) }
     else
       ability.can?(*args)

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class AbstractAdapter

data/lib/cancan/model_adapters/active_record_4_adapter.rb

@@ -1,27 +1,30 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
-    class ActiveRecord4Adapter < AbstractAdapter
-      include ActiveRecordAdapter
-      def self.for_class?(model_class)
-        ActiveRecord::VERSION::MAJOR == 4 && model_class <= ActiveRecord::Base
-      end
+    class ActiveRecord4Adapter < ActiveRecordAdapter
+      AbstractAdapter.inherited(self)
 
-      # TODO: this should be private
-      def self.override_condition_matching?(subject, name, _value)
-        subject.class.defined_enums.include?(name.to_s)
-      end
+      class << self
+        def for_class?(model_class)
+          version_lower?('5.0.0') && model_class <= ActiveRecord::Base
+        end
 
-      # TODO: this should be private
-      def self.matches_condition?(subject, name, value)
-        # Get the mapping from enum strings to values.
-        enum = subject.class.send(name.to_s.pluralize)
-        # Get the value of the attribute as an integer.
-        attribute = enum[subject.send(name)]
-        # Check to see if the value matches the condition.
-        if value.is_a?(Enumerable)
-          value.include? attribute
-        else
-          attribute == value
+        def override_condition_matching?(subject, name, _value)
+          subject.class.defined_enums.include?(name.to_s)
+        end
+
+        def matches_condition?(subject, name, value)
+          # Get the mapping from enum strings to values.
+          enum = subject.class.send(name.to_s.pluralize)
+          # Get the value of the attribute as an integer.
+          attribute = enum[subject.send(name)]
+          # Check to see if the value matches the condition.
+          if value.is_a?(Enumerable)
+            value.include? attribute
+          else
+            attribute == value
+          end
         end
       end
 
@@ -39,7 +42,7 @@ module CanCan
 
       # Rails 4.2 deprecates `sanitize_sql_hash_for_conditions`
       def sanitize_sql(conditions)
-        if ActiveRecord::VERSION::MINOR >= 2 && conditions.is_a?(Hash)
+        if self.class.version_greater_or_equal?('4.2.0') && conditions.is_a?(Hash)
           sanitize_sql_activerecord4(conditions)
         else
           @model_class.send(:sanitize_sql, conditions)

data/lib/cancan/model_adapters/active_record_5_adapter.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class ActiveRecord5Adapter < ActiveRecord4Adapter
       AbstractAdapter.inherited(self)
 
       def self.for_class?(model_class)
-        ActiveRecord::VERSION::MAJOR == 5 && model_class <= ActiveRecord::Base
+        version_greater_or_equal?('5.0.0') && model_class <= ActiveRecord::Base
       end
 
       # rails 5 is capable of using strings in enum
@@ -13,22 +15,15 @@ module CanCan
         return super if Array.wrap(value).all? { |x| x.is_a? Integer }
 
         attribute = subject.send(name)
-        if value.is_a?(Enumerable)
-          value.map(&:to_s).include? attribute
-        else
-          attribute == value.to_s
-        end
+        raw_attribute = subject.class.send(name.to_s.pluralize)[attribute]
+        !(Array(value).map(&:to_s) & [attribute, raw_attribute]).empty?
       end
 
       private
 
-      # As of rails 4, `includes()` no longer causes active record to
-      # look inside the where clause to decide to outer join tables
-      # you're using in the where. Instead, `references()` is required
-      # in addition to `includes()` to force the outer join.
       def build_relation(*where_conditions)
         relation = @model_class.where(*where_conditions)
-        relation = relation.includes(joins).references(joins) if joins.present?
+        relation = relation.left_joins(joins).distinct if joins.present?
         relation
       end
 
@@ -50,19 +45,17 @@ module CanCan
 
         conditions.stringify_keys!
 
-        predicate_builder.build_from_hash(conditions).map do |b|
-          visit_nodes(b)
-        end.join(' AND ')
+        predicate_builder.build_from_hash(conditions).map { |b| visit_nodes(b) }.join(' AND ')
       end
 
-      def visit_nodes(b)
+      def visit_nodes(node)
         # Rails 5.2 adds a BindParam node that prevents the visitor method from properly compiling the SQL query
-        if ActiveRecord::VERSION::MINOR >= 2
+        if self.class.version_greater_or_equal?('5.2.0')
           connection = @model_class.send(:connection)
           collector = Arel::Collectors::SubstituteBinds.new(connection, Arel::Collectors::SQLString.new)
-          connection.visitor.accept(b, collector).value
+          connection.visitor.accept(node, collector).value
         else
-          @model_class.send(:connection).visitor.compile(b)
+          @model_class.send(:connection).visitor.compile(node)
         end
       end
     end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -1,10 +1,23 @@
-require_relative 'can_can/model_adapters/active_record_adapter/joins.rb'
+# frozen_string_literal: true
+
 require_relative 'conditions_extractor.rb'
 require 'cancan/rules_compressor'
 module CanCan
   module ModelAdapters
-    module ActiveRecordAdapter
-      include CanCan::ModelAdapters::ActiveRecordAdapter::Joins
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.version_greater_or_equal?(version)
+        Gem::Version.new(ActiveRecord.version).release >= Gem::Version.new(version)
+      end
+
+      def self.version_lower?(version)
+        Gem::Version.new(ActiveRecord.version).release < Gem::Version.new(version)
+      end
+
+      def initialize(model_class, rules)
+        super
+        @compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
+        ConditionsNormalizer.normalize(model_class, @compressed_rules)
+      end
 
       # Returns conditions intended to be used inside a database query. Normally you will not call this
       # method directly, but instead go through ModelAdditions#accessible_by.
@@ -22,13 +35,12 @@ module CanCan
       #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
       #
       def conditions
-        compressed_rules = RulesCompressor.new(@rules.reverse).rules_collapsed.reverse
         conditions_extractor = ConditionsExtractor.new(@model_class)
-        if compressed_rules.size == 1 && compressed_rules.first.base_behavior
+        if @compressed_rules.size == 1 && @compressed_rules.first.base_behavior
           # Return the conditions directly if there's just one definition
-          conditions_extractor.tableize_conditions(compressed_rules.first.conditions).dup
+          conditions_extractor.tableize_conditions(@compressed_rules.first.conditions).dup
         else
-          extract_multiple_conditions(conditions_extractor, compressed_rules)
+          extract_multiple_conditions(conditions_extractor, @compressed_rules)
         end
       end
 
@@ -42,27 +54,50 @@ module CanCan
         if override_scope
           @model_class.where(nil).merge(override_scope)
         elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
-          mergeable_conditions? ? build_relation(conditions) : build_relation(*@rules.map(&:conditions))
+          build_relation(conditions)
         else
           @model_class.all(conditions: conditions, joins: joins)
         end
       end
 
+      # Returns the associations used in conditions for the :joins option of a search.
+      # See ModelAdditions#accessible_by
+      def joins
+        joins_hash = {}
+        @compressed_rules.reverse_each do |rule|
+          deep_merge(joins_hash, rule.associations_hash)
+        end
+        deep_clean(joins_hash) unless joins_hash.empty?
+      end
+
       private
 
-      def mergeable_conditions?
-        @rules.find(&:unmergeable?).blank?
+      # Removes empty hashes and moves everything into arrays.
+      def deep_clean(joins_hash)
+        joins_hash.map { |name, nested| nested.empty? ? name : { name => deep_clean(nested) } }
+      end
+
+      # Takes two hashes and does a deep merge.
+      def deep_merge(base_hash, added_hash)
+        added_hash.each do |key, value|
+          if base_hash[key].is_a?(Hash)
+            deep_merge(base_hash[key], value) unless value.empty?
+          else
+            base_hash[key] = value
+          end
+        end
       end
 
       def override_scope
-        conditions = @rules.map(&:conditions).compact
+        conditions = @compressed_rules.map(&:conditions).compact
         return unless conditions.any? { |c| c.is_a?(ActiveRecord::Relation) }
         return conditions.first if conditions.size == 1
+
         raise_override_scope_error
       end
 
       def raise_override_scope_error
-        rule_found = @rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
+        rule_found = @compressed_rules.detect { |rule| rule.conditions.is_a?(ActiveRecord::Relation) }
         raise Error,
               'Unable to merge an Active Record scope with other conditions. '\
               "Instead use a hash or SQL for #{rule_found.actions.first} #{rule_found.subjects.first} ability."

data/lib/cancan/model_adapters/conditions_extractor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # this class is responsible of converting the hash of conditions
 # in "where conditions" to generate the sql query
 # it consists of a names_cache that helps calculating the next name given to the association
@@ -12,6 +14,7 @@ module CanCan
 
       def tableize_conditions(conditions, model_class = @root_model_class, path_to_key = 0)
         return conditions unless conditions.is_a? Hash
+
         conditions.each_with_object({}) do |(key, value), result_hash|
           if value.is_a? Hash
             result_hash.merge!(calculate_result_hash(key, model_class, path_to_key, result_hash, value))
@@ -26,9 +29,6 @@ module CanCan
 
       def calculate_result_hash(key, model_class, path_to_key, result_hash, value)
         reflection = model_class.reflect_on_association(key)
-        unless reflection
-          raise WrongAssociationName, "association #{key} not defined in model #{model_class.name}"
-        end
         nested_resulted = calculate_nested(model_class, result_hash, key, value.dup, path_to_key)
         association_class = reflection.klass.name.constantize
         tableize_conditions(nested_resulted, association_class, "#{path_to_key}_#{key}")

data/lib/cancan/model_adapters/conditions_normalizer.rb

@@ -0,0 +1,45 @@
+# this class is responsible of normalizing the hash of conditions
+# by exploding has_many through associations
+# when a condition is defined with an has_many thorugh association this is exploded in all its parts
+# TODO: it could identify STI and normalize it
+module CanCan
+  module ModelAdapters
+    class ConditionsNormalizer
+      class << self
+        def normalize(model_class, rules)
+          rules.each { |rule| rule.conditions = normalize_conditions(model_class, rule.conditions) }
+        end
+
+        def normalize_conditions(model_class, conditions)
+          return conditions unless conditions.is_a? Hash
+
+          conditions.each_with_object({}) do |(key, value), result_hash|
+            if value.is_a? Hash
+              result_hash.merge!(calculate_result_hash(model_class, key, value))
+            else
+              result_hash[key] = value
+            end
+            result_hash
+          end
+        end
+
+        private
+
+        def calculate_result_hash(model_class, key, value)
+          reflection = model_class.reflect_on_association(key)
+          unless reflection
+            raise WrongAssociationName, "Association '#{key}' not defined in model '#{model_class.name}'"
+          end
+
+          if reflection.options[:through].present?
+            key = reflection.options[:through]
+            value = { reflection.source_reflection_name => value }
+            reflection = model_class.reflect_on_association(key)
+          end
+
+          { key => normalize_conditions(reflection.klass.name.constantize, value) }
+        end
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/default_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   module ModelAdapters
     class DefaultAdapter < AbstractAdapter

data/lib/cancan/model_additions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
   # This module adds the accessible_by class method to a model. It is included in the model adapters.
   module ModelAdditions

data/lib/cancan/parameter_validators.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module CanCan
+  module ParameterValidators
+    def valid_attribute_param?(attribute)
+      attribute.nil? || attribute.is_a?(Symbol) || (attribute.is_a?(Array) && attribute.all? { |a| a.is_a?(Symbol) })
+    end
+  end
+end

data/lib/cancan/rule.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'conditions_matcher.rb'
 module CanCan
   # This class is used internally and should only be called through Ability.
@@ -5,25 +7,41 @@ module CanCan
   # helpful methods to determine permission checking and conditions hash generation.
   class Rule # :nodoc:
     include ConditionsMatcher
-    attr_reader :base_behavior, :subjects, :actions, :conditions
-    attr_writer :expanded_actions
+    include ParameterValidators
+    attr_reader :base_behavior, :subjects, :actions, :conditions, :attributes
+    attr_writer :expanded_actions, :conditions
 
     # The first argument when initializing is the base_behavior which is a true/false
     # value. True for "can" and false for "cannot". The next two arguments are the action
     # and subject respectively (such as :read, @project). The third argument is a hash
     # of conditions and the last one is the block passed to the "can" call.
-    def initialize(base_behavior, action, subject, conditions, block)
-      both_block_and_hash_error = 'You are not able to supply a block with a hash of conditions in '\
-                                  "#{action} #{subject} ability. Use either one."
-      raise Error, both_block_and_hash_error if conditions.is_a?(Hash) && block
+    def initialize(base_behavior, action, subject, *extra_args, &block)
+      # for backwards compatibility, attributes are an optional parameter. Check if
+      # attributes were passed or are actually conditions
+      attributes, extra_args = parse_attributes_from_extra_args(extra_args)
+      condition_and_block_check(extra_args, block, action, subject)
       @match_all = action.nil? && subject.nil?
+      raise Error, "Subject is required for #{action}" if action && subject.nil?
+
       @base_behavior = base_behavior
       @actions = Array(action)
       @subjects = Array(subject)
-      @conditions = conditions || {}
+      @attributes = Array(attributes)
+      @conditions = extra_args || {}
       @block = block
     end
 
+    def inspect
+      repr = "#<#{self.class.name}"
+      repr += "#{@base_behavior ? 'can' : 'cannot'} #{@actions.inspect}, #{@subjects.inspect}, #{@attributes.inspect}"
+      repr += if with_scope?
+                ", #{@conditions.where_values_hash}"
+              elsif [Hash, String].include?(@conditions.class)
+                ", #{@conditions.inspect}"
+              end
+      repr + '>'
+    end
+
     def can_rule?
       base_behavior
     end
@@ -33,10 +51,11 @@ module CanCan
     end
 
     def catch_all?
-      [nil, false, [], {}, '', ' '].include? @conditions
+      (with_scope? && @conditions.where_values_hash.empty?) ||
+        (!with_scope? && [nil, false, [], {}, '', ' '].include?(@conditions))
     end
 
-    # Matches both the subject and action, not necessarily the conditions
+    # Matches both the action, subject, and attribute, not necessarily the conditions
     def relevant?(action, subject)
       subject = subject.values.first if subject.class == Hash
       @match_all || (matches_action?(action) && matches_subject?(subject))
@@ -50,9 +69,8 @@ module CanCan
       @block.nil? && !conditions_empty? && !@conditions.is_a?(Hash)
     end
 
-    def unmergeable?
-      @conditions.respond_to?(:keys) && @conditions.present? &&
-        (!@conditions.keys.first.is_a? Symbol)
+    def with_scope?
+      @conditions.is_a?(ActiveRecord::Relation)
     end
 
     def associations_hash(conditions = @conditions)
@@ -75,6 +93,13 @@ module CanCan
       attributes
     end
 
+    def matches_attributes?(attribute)
+      return true if @attributes.empty?
+      return @base_behavior if attribute.nil?
+
+      @attributes.include?(attribute.to_sym)
+    end
+
     private
 
     def matches_action?(action)
@@ -92,5 +117,18 @@ module CanCan
           (subject.is_a?(Module) && subject.ancestors.include?(sub)))
       end
     end
+
+    def parse_attributes_from_extra_args(args)
+      attributes = args.shift if valid_attribute_param?(args.first)
+      extra_args = args.shift
+      [attributes, extra_args]
+    end
+
+    def condition_and_block_check(conditions, block, action, subject)
+      return unless conditions.is_a?(Hash) && block
+
+      raise BlockAndConditionsError, 'A hash of conditions is mutually exclusive with a block. '\
+        "Check \":#{action} #{subject}\" ability."
+    end
   end
 end

data/lib/cancan/rules_compressor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'conditions_matcher.rb'
 module CanCan
   class RulesCompressor
@@ -11,6 +13,7 @@ module CanCan
     def compress(array)
       idx = array.rindex(&:catch_all?)
       return array unless idx
+
       value = array[idx]
       array[idx..-1]
         .drop_while { |n| n.base_behavior == value.base_behavior }

data/lib/cancan/unauthorized_message_resolver.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module CanCan
+  module UnauthorizedMessageResolver
+    def unauthorized_message(action, subject)
+      keys = unauthorized_message_keys(action, subject)
+      variables = { action: action.to_s }
+      variables[:subject] = translate_subject(subject)
+      message = I18n.translate(keys.shift, variables.merge(scope: :unauthorized, default: keys + ['']))
+      message.blank? ? nil : message
+    end
+
+    def translate_subject(subject)
+      klass = (subject.class == Class ? subject : subject.class)
+      if klass.respond_to?(:model_name)
+        klass.model_name.human
+      else
+        klass.to_s.underscore.humanize.downcase
+      end
+    end
+  end
+end

data/lib/cancan/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CanCan
-  VERSION = '2.3.0'.freeze
+  VERSION = '3.0.0.rc1'.freeze
 end

data/lib/cancancan.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'cancan'
 
 module CanCanCan

data/lib/generators/cancan/ability/ability_generator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module Cancan
   module Generators
     class AbilityGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path('templates', __dir__)
 
       def generate_ability
         copy_file 'ability.rb', 'app/models/ability.rb'

data/lib/generators/cancan/ability/templates/ability.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Ability
   include CanCan::Ability
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cancancan
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 3.0.0.rc1
 platform: ruby
 authors:
 - Alessandro Rodi (Renuo AG)
@@ -11,36 +11,42 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-16 00:00:00.000000000 Z
+date: 2019-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.48.1
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.48.1
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -82,25 +88,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 3.2.0
 - !ruby/object:Gem::Dependency
-  name: appraisal
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 0.63.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 0.63.1
 description: Simple authorization solution for Rails. All permissions are stored in
   a single location.
 email: alessandro.rodi@renuo.ch
@@ -114,6 +114,7 @@ files:
 - lib/cancan/ability.rb
 - lib/cancan/ability/actions.rb
 - lib/cancan/ability/rules.rb
+- lib/cancan/ability/strong_parameter_support.rb
 - lib/cancan/conditions_matcher.rb
 - lib/cancan/controller_additions.rb
 - lib/cancan/controller_resource.rb
@@ -128,12 +129,14 @@ files:
 - lib/cancan/model_adapters/active_record_4_adapter.rb
 - lib/cancan/model_adapters/active_record_5_adapter.rb
 - lib/cancan/model_adapters/active_record_adapter.rb
-- lib/cancan/model_adapters/can_can/model_adapters/active_record_adapter/joins.rb
 - lib/cancan/model_adapters/conditions_extractor.rb
+- lib/cancan/model_adapters/conditions_normalizer.rb
 - lib/cancan/model_adapters/default_adapter.rb
 - lib/cancan/model_additions.rb
+- lib/cancan/parameter_validators.rb
 - lib/cancan/rule.rb
 - lib/cancan/rules_compressor.rb
+- lib/cancan/unauthorized_message_resolver.rb
 - lib/cancan/version.rb
 - lib/cancancan.rb
 - lib/generators/cancan/ability/USAGE
@@ -154,12 +157,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.4
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Simple authorization solution for Rails.

data/lib/cancan/model_adapters/can_can/model_adapters/active_record_adapter/joins.rb

@@ -1,39 +0,0 @@
-module CanCan
-  module ModelAdapters
-    module ActiveRecordAdapter
-      module Joins
-        # Returns the associations used in conditions for the :joins option of a search.
-        # See ModelAdditions#accessible_by
-        def joins
-          joins_hash = {}
-          @rules.reverse.each do |rule|
-            merge_joins(joins_hash, rule.associations_hash)
-          end
-          clean_joins(joins_hash) unless joins_hash.empty?
-        end
-
-        private
-
-        # Removes empty hashes and moves everything into arrays.
-        def clean_joins(joins_hash)
-          joins = []
-          joins_hash.each do |name, nested|
-            joins << (nested.empty? ? name : { name => clean_joins(nested) })
-          end
-          joins
-        end
-
-        # Takes two hashes and does a deep merge.
-        def merge_joins(base, add)
-          add.each do |name, nested|
-            if base[name].is_a?(Hash)
-              merge_joins(base[name], nested) unless nested.empty?
-            else
-              base[name] = nested
-            end
-          end
-        end
-      end
-    end
-  end
-end