simple_cancan 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 081a175eb3429fa16be74dee2c7a57b5b5d6bf91
+  data.tar.gz: 86dc6d52dd8e69ced01b2c142a864d7dccbf16c8
+SHA512:
+  metadata.gz: 83e050bc2577d86e994c2d1a294224bb6a0971faf5a772aef0d7efcaf14a8a9c2a4c42cedcd081fb2cdf506779d600bcc487ff24427bb9adba997684103f1f3f
+  data.tar.gz: 9640b98e04a5c430118807289294e5e58a321568eef48541193530d10959828b45486661d95175efb0f10d0ab220de1e62521e200933e691c38414991500ff88

data/lib/simple_cancan.rb

@@ -0,0 +1,5 @@
+require "simple_cancan/version"
+require 'simple_cancan/ability'
+require 'simple_cancan/rule'
+require 'simple_cancan/controller_additions'
+require 'simple_cancan/exceptions'

data/lib/simple_cancan/ability.rb

@@ -0,0 +1,260 @@
+module SimpleCancan
+
+  module Ability
+    
+    def can?(action, subject, *extra_args)
+      match = relevant_rules_for_match(action, subject).detect do |rule|
+        rule.matches_conditions?(action, subject, extra_args)
+      end
+      match ? match.base_behavior : false
+    end
+
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    #
+    #   cannot? :destroy, @project
+    #
+    def cannot?(*args)
+      !can?(*args)
+    end
+
+    # Defines which abilities are allowed using two arguments. The first one is the action
+    # you're setting the permission for, the second one is the class of object you're setting it on.
+    #
+    #   can :update, Article
+    #
+    # You can pass an array for either of these parameters to match any one.
+    # Here the user has the ability to update or destroy both articles and comments.
+    #
+    #   can [:update, :destroy], [Article, Comment]
+    #
+    # You can pass :all to match any object and :manage to match any action. Here are some examples.
+    #
+    #   can :manage, :all
+    #   can :update, :all
+    #   can :manage, Project
+    #
+    # You can pass a hash of conditions as the third argument. Here the user can only see active projects which he owns.
+    #
+    #   can :read, Project, :active => true, :user_id => user.id
+    #
+    # See ActiveRecordAdditions#accessible_by for how to use this in database queries. These conditions
+    # are also used for initial attributes when building a record in ControllerAdditions#load_resource.
+    #
+    # If the conditions hash does not give you enough control over defining abilities, you can use a block
+    # along with any Ruby code you want.
+    #
+    #   can :update, Project do |project|
+    #     project.groups.include?(user.group)
+    #   end
+    #
+    # If the block returns true then the user has that :update ability for that project, otherwise he
+    # will be denied access. The downside to using a block is that it cannot be used to generate
+    # conditions for database queries.
+    #
+    # You can pass custom objects into this "can" method, this is usually done with a symbol
+    # and is useful if a class isn't available to define permissions on.
+    #
+    #   can :read, :stats
+    #   can? :read, :stats # => true
+    #
+    # IMPORTANT: Neither a hash of conditions or a block will be used when checking permission on a class.
+    #
+    #   can :update, Project, :priority => 3
+    #   can? :update, Project # => true
+    #
+    # If you pass no arguments to +can+, the action, class, and object will be passed to the block and the
+    # block will always be executed. This allows you to override the full behavior if the permissions are
+    # defined in an external source such as the database.
+    #
+    #   can do |action, object_class, object|
+    #     # check the database and return true/false
+    #   end
+    #
+    def can(action = nil, subject = nil, conditions = nil, &block)
+      rules << Rule.new(true, action, subject, conditions, block)
+    end
+
+    # Defines an ability which cannot be done. Accepts the same arguments as "can".
+    #
+    #   can :read, :all
+    #   cannot :read, Comment
+    #
+    # A block can be passed just like "can", however if the logic is complex it is recommended
+    # to use the "can" method.
+    #
+    #   cannot :read, Product do |product|
+    #     product.invisible?
+    #   end
+    #
+    def cannot(action = nil, subject = nil, conditions = nil, &block)
+      rules << Rule.new(false, action, subject, conditions, block)
+    end
+
+    # Alias one or more actions into another one.
+    #
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :modify, Comment
+    #
+    # Then :modify permission will apply to both :update and :destroy requests.
+    #
+    #   can? :update, Comment # => true
+    #   can? :destroy, Comment # => true
+    #
+    # This only works in one direction. Passing the aliased action into the "can?" call
+    # will not work because aliases are meant to generate more generic actions.
+    #
+    #   alias_action :update, :destroy, :to => :modify
+    #   can :update, Comment
+    #   can? :modify, Comment # => false
+    #
+    # Unless that exact alias is used.
+    #
+    #   can :modify, Comment
+    #   can? :modify, Comment # => true
+    #
+    # The following aliases are added by default for conveniently mapping common controller actions.
+    #
+    #   alias_action :index, :show, :to => :read
+    #   alias_action :new, :to => :create
+    #   alias_action :edit, :to => :update
+    #
+    # This way one can use params[:action] in the controller to determine the permission.
+    def alias_action(*args)
+      target = args.pop[:to]
+      validate_target(target)
+      aliased_actions[target] ||= []
+      aliased_actions[target] += args
+    end
+
+    # User shouldn't specify targets with names of real actions or it will cause Seg fault
+    def validate_target(target)
+      raise Error, "You can't specify target (#{target}) as alias because it is real action name" if aliased_actions.values.flatten.include? target
+    end
+
+    # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
+    def aliased_actions
+      @aliased_actions ||= default_alias_actions
+    end
+
+    # Removes previously aliased actions including the defaults.
+    def clear_aliased_actions
+      @aliased_actions = {}
+    end
+
+    def model_adapter(model_class, action)
+      adapter_class = ModelAdapters::AbstractAdapter.adapter_class(model_class)
+      adapter_class.new(model_class, relevant_rules_for_query(action, model_class))
+    end
+
+    # See ControllerAdditions#authorize! for documentation.
+    def authorize!(action, subject, *args)
+      message = nil
+      if args.last.kind_of?(Hash) && args.last.has_key?(:message)
+        message = args.pop[:message]
+      end
+      if cannot?(action, subject, *args)
+        message ||= unauthorized_message(action, subject)
+        raise AccessDenied.new(message, action, subject)
+      end
+      subject
+    end
+
+    def unauthorized_message(action, subject)
+      keys = unauthorized_message_keys(action, subject)
+      variables = {:action => action.to_s}
+      variables[:subject] = (subject.class == Class ? subject : subject.class).to_s.underscore.humanize.downcase
+      message = I18n.translate(nil, variables.merge(:scope => :unauthorized, :default => keys + [""]))
+      message.blank? ? nil : message
+    end
+
+    def attributes_for(action, subject)
+      attributes = {}
+      relevant_rules(action, subject).map do |rule|
+        attributes.merge!(rule.attributes_from_conditions) if rule.base_behavior
+      end
+      attributes
+    end
+
+    def has_block?(action, subject)
+      relevant_rules(action, subject).any?(&:only_block?)
+    end
+
+    def has_raw_sql?(action, subject)
+      relevant_rules(action, subject).any?(&:only_raw_sql?)
+    end
+
+    def merge(ability)
+      ability.send(:rules).each do |rule|
+        rules << rule.dup
+      end
+      self
+    end
+
+    private
+
+    def unauthorized_message_keys(action, subject)
+      subject = (subject.class == Class ? subject : subject.class).name.underscore unless subject.kind_of? Symbol
+      [subject, :all].map do |try_subject|
+        [aliases_for_action(action), :manage].flatten.map do |try_action|
+          :"#{try_action}.#{try_subject}"
+        end
+      end.flatten
+    end
+
+    # Accepts an array of actions and returns an array of actions which match.
+    # This should be called before "matches?" and other checking methods since they
+    # rely on the actions to be expanded.
+    def expand_actions(actions)
+      actions.map do |action|
+        aliased_actions[action] ? [action, *expand_actions(aliased_actions[action])] : action
+      end.flatten
+    end
+
+    # Given an action, it will try to find all of the actions which are aliased to it.
+    # This does the opposite kind of lookup as expand_actions.
+    def aliases_for_action(action)
+      results = [action]
+      aliased_actions.each do |aliased_action, actions|
+        results += aliases_for_action(aliased_action) if actions.include? action
+      end
+      results
+    end
+
+    def rules
+      @rules ||= []
+    end
+
+    # Returns an array of Rule instances which match the action and subject
+    # This does not take into consideration any hash conditions or block statements
+    def relevant_rules(action, subject)
+      rules.reverse.select do |rule|
+        rule.expanded_actions = expand_actions(rule.actions)
+        rule.relevant? action, subject
+      end
+    end
+
+    def relevant_rules_for_match(action, subject)
+      relevant_rules(action, subject).each do |rule|
+        if rule.only_raw_sql?
+          raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+      end
+    end
+
+    def relevant_rules_for_query(action, subject)
+      relevant_rules(action, subject).each do |rule|
+        if rule.only_block?
+          raise Error, "The accessible_by call cannot be used with a block 'can' definition. The SQL cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+      end
+    end
+
+    def default_alias_actions
+      {
+        :read => [:index, :show],
+        :create => [:new],
+        :update => [:edit],
+      }
+    end
+  end
+end

data/lib/simple_cancan/controller_additions.rb

@@ -0,0 +1,91 @@
+module SimpleCancan
+
+  module ControllerAdditions
+    module ClassMethods
+      def load_and_authorize_resource(*args)
+        cancan_resource_class.add_before_filter(self, :load_and_authorize_resource, *args)
+      end
+
+      def load_resource(*args)
+        cancan_resource_class.add_before_filter(self, :load_resource, *args)
+      end
+
+      def authorize_resource(*args)
+        cancan_resource_class.add_before_filter(self, :authorize_resource, *args)
+      end
+
+      def skip_load_and_authorize_resource(*args)
+        skip_load_resource(*args)
+        skip_authorize_resource(*args)
+      end
+      
+      def skip_load_resource(*args)
+        options = args.extract_options!
+        name = args.first
+        cancan_skipper[:load][name] = options
+      end
+
+      def skip_authorize_resource(*args)
+        options = args.extract_options!
+        name = args.first
+        cancan_skipper[:authorize][name] = options
+      end
+
+      def check_authorization(options = {})
+        self.after_filter(options.slice(:only, :except)) do |controller|
+          next if controller.instance_variable_defined?(:@_authorized)
+          next if options[:if] && !controller.send(options[:if])
+          next if options[:unless] && controller.send(options[:unless])
+          raise AuthorizationNotPerformed, "This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check."
+        end
+      end
+
+      def skip_authorization_check(*args)
+        self.before_filter(*args) do |controller|
+          controller.instance_variable_set(:@_authorized, true)
+        end
+      end
+
+      def skip_authorization(*args)
+        raise ImplementationRemoved, "The CanCan skip_authorization method has been renamed to skip_authorization_check. Please update your code."
+      end
+
+      def cancan_resource_class
+        if ancestors.map(&:to_s).include? "InheritedResources::Actions"
+          InheritedResource
+        else
+          ControllerResource
+        end
+      end
+
+      def cancan_skipper
+        @_cancan_skipper ||= {:authorize => {}, :load => {}}
+      end
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    def authorize!(*args)
+      @_authorized = true
+      current_ability.authorize!(*args)
+    end
+
+    def unauthorized!(message = nil)
+      raise ImplementationRemoved, "The unauthorized! method has been removed from CanCan, use authorize! instead."
+    end
+
+    def current_ability
+      @current_ability ||= ::Ability.new(current_account)
+    end
+
+    def can?(*args)
+      current_ability.can?(*args)
+    end
+
+    def cannot?(*args)
+      current_ability.cannot?(*args)
+    end
+  end
+end

data/lib/simple_cancan/exceptions.rb

@@ -0,0 +1,50 @@
+module SimpleCancan
+  # A general CanCan exception
+  class Error < StandardError; end
+
+  # Raised when behavior is not implemented, usually used in an abstract class.
+  class NotImplemented < Error; end
+
+  # Raised when removed code is called, an alternative solution is provided in message.
+  class ImplementationRemoved < Error; end
+
+  # Raised when using check_authorization without calling authorized!
+  class AuthorizationNotPerformed < Error; end
+
+  # This error is raised when a user isn't allowed to access a given controller action.
+  # This usually happens within a call to ControllerAdditions#authorize! but can be
+  # raised manually.
+  #
+  #   raise CanCan::AccessDenied.new("Not authorized!", :read, Article)
+  #
+  # The passed message, action, and subject are optional and can later be retrieved when
+  # rescuing from the exception.
+  #
+  #   exception.message # => "Not authorized!"
+  #   exception.action # => :read
+  #   exception.subject # => Article
+  #
+  # If the message is not specified (or is nil) it will default to "You are not authorized
+  # to access this page." This default can be overridden by setting default_message.
+  #
+  #   exception.default_message = "Default error message"
+  #   exception.message # => "Default error message"
+  #
+  # See ControllerAdditions#authorized! for more information on rescuing from this exception
+  # and customizing the message using I18n.
+  class AccessDenied < Error
+    attr_reader :action, :subject
+    attr_writer :default_message
+
+    def initialize(message = nil, action = nil, subject = nil)
+      @message = message
+      @action = action
+      @subject = subject
+      @default_message = I18n.t(:"unauthorized.default", :default => "You are not authorized to access this page.")
+    end
+
+    def to_s
+      @message || @default_message
+    end
+  end
+end

data/lib/simple_cancan/rule.rb

@@ -0,0 +1,147 @@
+module SimpleCancan
+  # This class is used internally and should only be called through Ability.
+  # it holds the information about a "can" call made on Ability and provides
+  # helpful methods to determine permission checking and conditions hash generation.
+  class Rule # :nodoc:
+    attr_reader :base_behavior, :subjects, :actions, :conditions
+    attr_writer :expanded_actions
+
+    # The first argument when initializing is the base_behavior which is a true/false
+    # value. True for "can" and false for "cannot". The next two arguments are the action
+    # and subject respectively (such as :read, @project). The third argument is a hash
+    # of conditions and the last one is the block passed to the "can" call.
+    def initialize(base_behavior, action, subject, conditions, block)
+      raise Error, "You are not able to supply a block with a hash of conditions in #{action} #{subject} ability. Use either one." if conditions.kind_of?(Hash) && !block.nil?
+      @match_all = action.nil? && subject.nil?
+      @base_behavior = base_behavior
+      @actions = [action].flatten
+      @subjects = [subject].flatten
+      @conditions = conditions || {}
+      @block = block
+    end
+
+    # Matches both the subject and action, not necessarily the conditions
+    def relevant?(action, subject)
+      subject = subject.values.first if subject.class == Hash
+      @match_all || (matches_action?(action) && matches_subject?(subject))
+    end
+
+    # Matches the block or conditions hash
+    def matches_conditions?(action, subject, extra_args)
+      if @match_all
+        call_block_with_all(action, subject, extra_args)
+      elsif @block && !subject_class?(subject)
+        @block.call(subject, *extra_args)
+      elsif @conditions.kind_of?(Hash) && subject.class == Hash
+        nested_subject_matches_conditions?(subject)
+      elsif @conditions.kind_of?(Hash) && !subject_class?(subject)
+        matches_conditions_hash?(subject)
+      else
+        # Don't stop at "cannot" definitions when there are conditions.
+        @conditions.empty? ? true : @base_behavior
+      end
+    end
+
+    def only_block?
+      conditions_empty? && !@block.nil?
+    end
+
+    def only_raw_sql?
+      @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
+    end
+
+    def conditions_empty?
+      @conditions == {} || @conditions.nil?
+    end
+
+    def unmergeable?
+      @conditions.respond_to?(:keys) && @conditions.present? &&
+        (!@conditions.keys.first.kind_of? Symbol)
+    end
+
+    def associations_hash(conditions = @conditions)
+      hash = {}
+      conditions.map do |name, value|
+        hash[name] = associations_hash(value) if value.kind_of? Hash
+      end if conditions.kind_of? Hash
+      hash
+    end
+
+    def attributes_from_conditions
+      attributes = {}
+      @conditions.each do |key, value|
+        attributes[key] = value unless [Array, Range, Hash].include? value.class
+      end if @conditions.kind_of? Hash
+      attributes
+    end
+
+    private
+
+    def subject_class?(subject)
+      klass = (subject.kind_of?(Hash) ? subject.values.first : subject).class
+      klass == Class || klass == Module
+    end
+
+    def matches_action?(action)
+      @expanded_actions.include?(:manage) || @expanded_actions.include?(action)
+    end
+
+    def matches_subject?(subject)
+      @subjects.include?(:all) || @subjects.include?(subject) || matches_subject_class?(subject)
+    end
+
+    def matches_subject_class?(subject)
+      @subjects.any? { |sub| sub.kind_of?(Module) && (subject.kind_of?(sub) || subject.class.to_s == sub.to_s || subject.kind_of?(Module) && subject.ancestors.include?(sub)) }
+    end
+
+    # Checks if the given subject matches the given conditions hash.
+    # This behavior can be overriden by a model adapter by defining two class methods:
+    # override_matching_for_conditions?(subject, conditions) and
+    # matches_conditions_hash?(subject, conditions)
+    def matches_conditions_hash?(subject, conditions = @conditions)
+      if conditions.empty?
+        true
+      else
+        if model_adapter(subject).override_conditions_hash_matching? subject, conditions
+          model_adapter(subject).matches_conditions_hash? subject, conditions
+        else
+          conditions.all? do |name, value|
+            if model_adapter(subject).override_condition_matching? subject, name, value
+              model_adapter(subject).matches_condition? subject, name, value
+            else
+              attribute = subject.send(name)
+              if value.kind_of?(Hash)
+                if attribute.kind_of? Array
+                  attribute.any? { |element| matches_conditions_hash? element, value }
+                else
+                  !attribute.nil? && matches_conditions_hash?(attribute, value)
+                end
+              elsif !value.is_a?(String) && value.kind_of?(Enumerable)
+                value.include? attribute
+              else
+                attribute == value
+              end
+            end
+          end
+        end
+      end
+    end
+
+    def nested_subject_matches_conditions?(subject_hash)
+      parent, child = subject_hash.first
+      matches_conditions_hash?(parent, @conditions[parent.class.name.downcase.to_sym] || {})
+    end
+
+    def call_block_with_all(action, subject, extra_args)
+      if subject.class == Class
+        @block.call(action, subject, nil, *extra_args)
+      else
+        @block.call(action, subject.class, subject, *extra_args)
+      end
+    end
+
+    def model_adapter(subject)
+      CanCan::ModelAdapters::AbstractAdapter.adapter_class(subject_class?(subject) ? subject : subject.class)
+    end
+  end
+end

data/lib/simple_cancan/version.rb

@@ -0,0 +1,3 @@
+module SimpleCancan
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,80 @@
+--- !ruby/object:Gem::Specification
+name: simple_cancan
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Tianliang Bai
+- Fuhao Xu
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-08-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: A simpler cancan for padrino
+email:
+- happybyronbai@gmail.com
+- xufuhaomap@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/simple_cancan.rb
+- lib/simple_cancan/ability.rb
+- lib/simple_cancan/controller_additions.rb
+- lib/simple_cancan/exceptions.rb
+- lib/simple_cancan/rule.rb
+- lib/simple_cancan/version.rb
+homepage: https://rubygems.org/gems/simple_cancan
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: A simpler cancan for padrino
+test_files: []