culturecode-cancan 2.0.0.alpha

data/lib/cancan/controller_resource.rb

@@ -0,0 +1,266 @@
+module CanCan
+  # Handle the load and authorization controller logic so we don't clutter up all controllers with non-interface methods.
+  # This class is used internally, so you do not need to call methods directly on it.
+  class ControllerResource # :nodoc:
+    def self.add_before_filter(controller_class, behavior, *args)
+      options = args.extract_options!.merge(behavior)
+      resource_name = args.first
+      before_filter_method = options.delete(:prepend) ? :prepend_before_filter : :before_filter
+      controller_class.send(before_filter_method, options.slice(:only, :except, :if, :unless)) do |controller|
+        controller.class.cancan_resource_class.new(controller, resource_name, options.except(:only, :except, :if, :unless)).process
+      end
+    end
+
+    def initialize(controller, *args)
+      @controller = controller
+      @params = controller.params
+      @options = args.extract_options!
+      @name = args.first
+    end
+
+    def process
+      if @options[:load]
+        if load_instance?
+          self.resource_instance ||= load_resource_instance
+        elsif load_collection?
+          self.collection_instance ||= load_collection
+          current_ability.fully_authorized! @params[:action], @params[:controller]
+        end
+      end
+      if @options[:authorize]
+        if resource_instance
+          if resource_params && (authorization_action == :create || authorization_action == :update)
+            resource_params.each do |key, value|
+              @controller.authorize!(authorization_action, resource_instance, key.to_sym)
+            end
+          else
+            @controller.authorize!(authorization_action, resource_instance)
+          end
+        end
+      end
+    end
+
+    def parent?
+      @options.has_key?(:parent) ? @options[:parent] : @name && @name != name_from_controller.to_sym
+    end
+
+    # def skip?(behavior) # This could probably use some refactoring
+    #   options = @controller.class.cancan_skipper[behavior][@name]
+    #   if options.nil?
+    #     false
+    #   elsif options == {}
+    #     true
+    #   elsif options[:except] && ![options[:except]].flatten.include?(@params[:action].to_sym)
+    #     true
+    #   elsif [options[:only]].flatten.include?(@params[:action].to_sym)
+    #     true
+    #   end
+    # end
+
+    protected
+
+    def load_resource_instance
+      if !parent? && new_actions.include?(@params[:action].to_sym)
+        build_resource
+      elsif id_param || @options[:singleton]
+        find_and_update_resource
+      end
+    end
+
+    def load_instance?
+      parent? || member_action?
+    end
+
+    def load_collection?
+      resource_base.respond_to?(:accessible_by) && !current_ability.has_block?(authorization_action, subject_name)
+    end
+
+    def load_collection
+      resource_base.accessible_by(current_ability, authorization_action)
+    end
+
+    def build_resource
+      resource = resource_base.new(resource_params || {})
+      assign_attributes(resource)
+    end
+
+    def assign_attributes(resource)
+      initial_attributes.each do |attr_name, value|
+        resource.send("#{attr_name}=", value)
+      end
+
+      resource.send("#{parent_name}=", parent_resource) if @options[:singleton] && parent_resource
+      resource
+    end
+
+    def initial_attributes
+      current_ability.attributes_for(@params[:action].to_sym, subject_name).delete_if do |key, value|
+        resource_params && resource_params.include?(key)
+      end
+    end
+
+    def find_and_update_resource
+      resource = find_resource
+      if resource_params
+        @controller.authorize!(authorization_action, resource) if @options[:authorize]
+        resource.attributes = resource_params
+      end
+      resource
+    end
+
+    def find_resource
+      if @options[:singleton] && parent_resource.respond_to?(name)
+        parent_resource.send(name)
+      else
+        if @options[:find_by]
+          if resource_base.respond_to? "find_by_#{@options[:find_by]}!"
+            resource_base.send("find_by_#{@options[:find_by]}!", id_param)
+          else
+            resource_base.send(@options[:find_by], id_param)
+          end
+        else
+          adapter.find(resource_base, id_param)
+        end
+      end
+    end
+
+    def adapter
+      ModelAdapters::AbstractAdapter.adapter_class(resource_class)
+    end
+
+    def authorization_action
+      parent? ? :show : @params[:action].to_sym
+    end
+
+    def id_param
+      if @options[:id_param]
+        @params[@options[:id_param]]
+      else
+        @params[parent? ? :"#{name}_id" : :id]
+      end
+    end
+
+    def member_action?
+      new_actions.include?(@params[:action].to_sym) || @options[:singleton] || ( (@params[:id] || @params[@options[:id_param]]) && !collection_actions.include?(@params[:action].to_sym))
+    end
+
+    # Returns the class used for this resource. This can be overriden by the :class option.
+    # If +false+ is passed in it will use the resource name as a symbol in which case it should
+    # only be used for authorization, not loading since there's no class to load through.
+    def resource_class
+      case @options[:class]
+      when false  then name.to_sym
+      when nil    then namespaced_name.to_s.camelize.constantize
+      when String then @options[:class].constantize
+      else @options[:class]
+      end
+    end
+
+    def subject_name
+      resource_class.to_s.underscore.pluralize.to_sym
+    end
+
+    def subject_name_with_parent
+      parent_resource ? {parent_resource => subject_name} : subject_name
+    end
+
+    def resource_instance=(instance)
+      @controller.instance_variable_set("@#{instance_name}", instance)
+    end
+
+    def resource_instance
+      if load_instance?
+        if @controller.instance_variable_defined? "@#{instance_name}"
+          @controller.instance_variable_get("@#{instance_name}")
+        elsif @controller.respond_to?(instance_name, true)
+          @controller.send(instance_name)
+        end
+      end
+    end
+
+    def collection_instance=(instance)
+      @controller.instance_variable_set("@#{instance_name.to_s.pluralize}", instance)
+    end
+
+    def collection_instance
+      @controller.instance_variable_get("@#{instance_name.to_s.pluralize}")
+    end
+
+    # The object that methods (such as "find", "new" or "build") are called on.
+    # If the :through option is passed it will go through an association on that instance.
+    # If the :shallow option is passed it will use the resource_class if there's no parent
+    # If the :singleton option is passed it won't use the association because it needs to be handled later.
+    def resource_base
+      if @options[:through]
+        if parent_resource
+          @options[:singleton] ? resource_class : parent_resource.send(@options[:through_association] || name.to_s.pluralize)
+        elsif @options[:shallow]
+          resource_class
+        else
+          raise Unauthorized.new(nil, authorization_action, @params[:controller].to_sym) # maybe this should be a record not found error instead?
+        end
+      else
+        resource_class
+      end
+    end
+
+    def parent_name
+      @options[:through] && [@options[:through]].flatten.detect { |i| fetch_parent(i) }
+    end
+
+    # The object to load this resource through.
+    def parent_resource
+      parent_name && fetch_parent(parent_name)
+    end
+
+    def fetch_parent(name)
+      if @controller.instance_variable_defined? "@#{name}"
+        @controller.instance_variable_get("@#{name}")
+      elsif @controller.respond_to?(name, true)
+        @controller.send(name)
+      end
+    end
+
+    def current_ability
+      @controller.send(:current_ability)
+    end
+
+    def name
+      @name || name_from_controller
+    end
+
+    def resource_params
+      if @options[:class]
+        @params[@options[:class].to_s.underscore.gsub('/', '_')]
+      else
+        @params[namespaced_name.to_s.underscore.gsub("/", "_")]
+      end
+    end
+
+    def namespace
+      @params[:controller].split(/::|\//)[0..-2]
+    end
+
+    def namespaced_name
+      [namespace, name.camelize].join('::').singularize.camelize.constantize
+    rescue NameError
+      name
+    end
+
+    def name_from_controller
+      @params[:controller].sub("Controller", "").underscore.split('/').last.singularize
+    end
+
+    def instance_name
+      @options[:instance_name] || name
+    end
+
+    def collection_actions
+      [:index] + [@options[:collection]].flatten
+    end
+
+    def new_actions
+      [:new, :create] + [@options[:new]].flatten
+    end
+  end
+end

data/lib/cancan/exceptions.rb

@@ -0,0 +1,53 @@
+module CanCan
+  # A general CanCan exception
+  class Error < StandardError; end
+
+  # Raised when behavior is not implemented, usually used in an abstract class.
+  class NotImplemented < Error; end
+
+  # Raised when removed code is called, an alternative solution is provided in message.
+  class ImplementationRemoved < Error; end
+
+  # Raised when using check_authorization without calling authorized!
+  class AuthorizationNotPerformed < Error; end
+
+  # Raised when enable_authorization is used and not fully authorized by the end of the action
+  class InsufficientAuthorizationCheck < Error; end
+
+  # This error is raised when a user isn't allowed to access a given controller action.
+  # This usually happens within a call to ControllerAdditions#authorize! but can be
+  # raised manually.
+  #
+  #   raise CanCan::Unauthorized.new("Not authorized!", :read, Article)
+  #
+  # The passed message, action, and subject are optional and can later be retrieved when
+  # rescuing from the exception.
+  #
+  #   exception.message # => "Not authorized!"
+  #   exception.action # => :read
+  #   exception.subject # => Article
+  #
+  # If the message is not specified (or is nil) it will default to "You are not authorized
+  # to access this page." This default can be overridden by setting default_message.
+  #
+  #   exception.default_message = "Default error message"
+  #   exception.message # => "Default error message"
+  #
+  # See ControllerAdditions#authorize! for more information on rescuing from this exception
+  # and customizing the message using I18n.
+  class Unauthorized < Error
+    attr_reader :action, :subject
+    attr_writer :default_message
+
+    def initialize(message = nil, action = nil, subject = nil)
+      @message = message
+      @action = action
+      @subject = subject
+      @default_message = I18n.t(:"unauthorized.default", :default => "You are not authorized to access this page.")
+    end
+
+    def to_s
+      @message || @default_message
+    end
+  end
+end

data/lib/cancan/inherited_resource.rb

@@ -0,0 +1,20 @@
+module CanCan
+  # For use with Inherited Resources
+  class InheritedResource < ControllerResource # :nodoc:
+    def load_resource_instance
+      if parent?
+        @controller.send :association_chain
+        @controller.instance_variable_get("@#{instance_name}")
+      elsif new_actions.include? @params[:action].to_sym
+        resource = @controller.send :build_resource
+        assign_attributes(resource)
+      else
+        @controller.send :resource
+      end
+    end
+
+    def resource_base
+      @controller.send :end_of_association_chain
+    end
+  end
+end

data/lib/cancan/matchers.rb

@@ -0,0 +1,14 @@
+rspec_module = defined?(RSpec::Core) ? 'RSpec' : 'Spec'  # for RSpec 1 compatability
+Kernel.const_get(rspec_module)::Matchers.define :be_able_to do |*args|
+  match do |ability|
+    ability.can?(*args)
+  end
+
+  failure_message_for_should do |ability|
+    "expected to be able to #{args.map(&:inspect).join(" ")}"
+  end
+
+  failure_message_for_should_not do |ability|
+    "expected not to be able to #{args.map(&:inspect).join(" ")}"
+  end
+end

data/lib/cancan/model_adapters/abstract_adapter.rb

@@ -0,0 +1,56 @@
+module CanCan
+  module ModelAdapters
+    class AbstractAdapter
+      def self.inherited(subclass)
+        @subclasses ||= []
+        @subclasses << subclass
+      end
+
+      def self.adapter_class(model_class)
+        @subclasses.detect { |subclass| subclass.for_class?(model_class) } || DefaultAdapter
+      end
+
+      # Used to determine if the given adapter should be used for the passed in class.
+      def self.for_class?(member_class)
+        false # override in subclass
+      end
+
+      # Override if you need custom find behavior
+      def self.find(model_class, id)
+        model_class.find(id)
+      end
+
+      # Used to determine if this model adapter will override the matching behavior for a hash of conditions.
+      # If this returns true then matches_conditions_hash? will be called. See Rule#matches_conditions_hash
+      def self.override_conditions_hash_matching?(subject, conditions)
+        false
+      end
+
+      # Override if override_conditions_hash_matching? returns true
+      def self.matches_conditions_hash?(subject, conditions)
+        raise NotImplemented, "This model adapter does not support matching on a conditions hash."
+      end
+
+      # Used to determine if this model adapter will override the matching behavior for a specific condition.
+      # If this returns true then matches_condition? will be called. See Rule#matches_conditions_hash
+      def self.override_condition_matching?(subject, name, value)
+        false
+      end
+
+      # Override if override_condition_matching? returns true
+      def self.matches_condition?(subject, name, value)
+        raise NotImplemented, "This model adapter does not support matching on a specific condition."
+      end
+
+      def initialize(model_class, rules)
+        @model_class = model_class
+        @rules = rules
+      end
+
+      def database_records
+        # This should be overridden in a subclass to return records which match @rules
+        raise NotImplemented, "This model adapter does not support fetching records from the database."
+      end
+    end
+  end
+end

data/lib/cancan/model_adapters/active_record_adapter.rb

@@ -0,0 +1,172 @@
+module CanCan
+  module ModelAdapters
+    class ActiveRecordAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= ActiveRecord::Base
+      end
+
+      def self.override_condition_matching?(subject, name, value)
+        name.kind_of?(MetaWhere::Column) if defined? MetaWhere
+      end
+
+      def self.matches_condition?(subject, name, value)
+        subject_value = subject.send(name.column)
+        if name.method.to_s.ends_with? "_any"
+          value.any? { |v| meta_where_match? subject_value, name.method.to_s.sub("_any", ""), v }
+        elsif name.method.to_s.ends_with? "_all"
+          value.all? { |v| meta_where_match? subject_value, name.method.to_s.sub("_all", ""), v }
+        else
+          meta_where_match? subject_value, name.method, value
+        end
+      end
+
+      def self.meta_where_match?(subject_value, method, value)
+        case method.to_sym
+        when :eq      then subject_value == value
+        when :not_eq  then subject_value != value
+        when :in      then value.include?(subject_value)
+        when :not_in  then !value.include?(subject_value)
+        when :lt      then subject_value < value
+        when :lteq    then subject_value <= value
+        when :gt      then subject_value > value
+        when :gteq    then subject_value >= value
+        when :matches then subject_value =~ Regexp.new("^" + Regexp.escape(value).gsub("%", ".*") + "$", true)
+        when :does_not_match then !meta_where_match?(subject_value, :matches, value)
+        else raise NotImplemented, "The #{method} MetaWhere condition is not supported."
+        end
+      end
+
+      # Returns conditions intended to be used inside a database query. Normally you will not call this
+      # method directly, but instead go through ModelAdditions#accessible_by.
+      #
+      # If there is only one "can" definition, a hash of conditions will be returned matching the one defined.
+      #
+      #   can :manage, User, :id => 1
+      #   query(:manage, User).conditions # => { :id => 1 }
+      #
+      # If there are multiple "can" definitions, a SQL string will be returned to handle complex cases.
+      #
+      #   can :manage, User, :id => 1
+      #   can :manage, User, :manager_id => 1
+      #   cannot :manage, User, :self_managed => true
+      #   query(:manage, User).conditions # => "not (self_managed = 't') AND ((manager_id = 1) OR (id = 1))"
+      #
+      def conditions
+        if @rules.size == 1 && @rules.first.base_behavior
+          # Return the conditions directly if there's just one definition
+          tableized_conditions(@rules.first.conditions).dup
+        else
+          @rules.reverse.inject(false_sql) do |sql, rule|
+            merge_conditions(sql, tableized_conditions(rule.conditions).dup, rule.base_behavior)
+          end
+        end
+      end
+
+      def tableized_conditions(conditions, model_class = @model_class)
+        return conditions unless conditions.kind_of? Hash
+        conditions.inject({}) do |result_hash, (name, value)|
+          if value.kind_of? Hash
+            association_class = model_class.reflect_on_association(name).class_name.constantize
+            name = model_class.reflect_on_association(name).table_name.to_sym
+            value = tableized_conditions(value, association_class)
+          end
+          result_hash[name] = value
+          result_hash
+        end
+      end
+
+      # Returns the associations used in conditions for the :joins option of a search.
+      # See ModelAdditions#accessible_by
+      def joins
+        joins_hash = {}
+        @rules.each do |rule|
+          merge_joins(joins_hash, rule.associations_hash)
+        end
+        clean_joins(joins_hash) unless joins_hash.empty?
+      end
+
+      def database_records
+        if override_scope
+          @model_class.scoped.merge(override_scope)
+        elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
+          mergeable_conditions = @rules.select {|rule| rule.unmergeable? }.blank?
+          if mergeable_conditions
+            @model_class.where(conditions).joins(joins)
+          else
+            @model_class.where(*(@rules.map(&:conditions))).joins(joins)
+          end
+        else
+          @model_class.scoped(:conditions => conditions, :joins => joins)
+        end
+      end
+
+      private
+
+      def override_scope
+        conditions = @rules.map(&:conditions).compact
+        if defined?(ActiveRecord::Relation) && conditions.any? { |c| c.kind_of?(ActiveRecord::Relation) }
+          if conditions.size == 1
+            conditions.first
+          else
+            rule = @rules.detect { |rule| rule.conditions.kind_of?(ActiveRecord::Relation) }
+            raise Error, "Unable to merge an Active Record scope with other conditions. Instead use a hash or SQL for #{rule.actions.first} #{rule.subjects.first} ability."
+          end
+        end
+      end
+
+      def merge_conditions(sql, conditions_hash, behavior)
+        if conditions_hash.blank?
+          behavior ? true_sql : false_sql
+        else
+          conditions = sanitize_sql(conditions_hash)
+          case sql
+          when true_sql
+            behavior ? true_sql : "not (#{conditions})"
+          when false_sql
+            behavior ? conditions : false_sql
+          else
+            behavior ? "(#{conditions}) OR (#{sql})" : "not (#{conditions}) AND (#{sql})"
+          end
+        end
+      end
+
+      def false_sql
+        sanitize_sql(['?=?', true, false])
+      end
+
+      def true_sql
+        sanitize_sql(['?=?', true, true])
+      end
+
+      def sanitize_sql(conditions)
+        @model_class.send(:sanitize_sql, conditions)
+      end
+
+      # Takes two hashes and does a deep merge.
+      def merge_joins(base, add)
+        add.each do |name, nested|
+          if base[name].is_a?(Hash) && !nested.empty?
+            merge_joins(base[name], nested)
+          else
+            base[name] = nested
+          end
+        end
+      end
+
+      # Removes empty hashes and moves everything into arrays.
+      def clean_joins(joins_hash)
+        joins = []
+        joins_hash.each do |name, nested|
+          joins << (nested.empty? ? name : {name => clean_joins(nested)})
+        end
+        joins
+      end
+    end
+  end
+end
+
+ActiveSupport.on_load(:active_record) do
+  ActiveRecord::Base.class_eval do
+    include CanCan::ModelAdditions
+  end
+end