module CanCan # This module is designed to be included into an Ability clas

1. module CanCan
2.  
3. # This module is designed to be included into an Ability class. This will
4. # provide the "can" methods for defining and checking abilities.
5. #
6. # class Ability
7. # include CanCan::Ability
8. #
9. # def initialize(user)
10. # if user.admin?
11. # can :manage, :all
12. # else
13. # can :read, :all
14. # end
15. # end
16. # end
17. #
18. module Ability
19. attr_accessor :user
20.  
21. # Use to check the user's permission for a given action and object.
22. #
23. # can? :destroy, @project
24. #
25. # You can also pass the class instead of an instance (if you don't have one handy).
26. #
27. # can? :create, Project
28. #
29. # Not only can you use the can? method in the controller and view (see ControllerAdditions),
30. # but you can also call it directly on an ability instance.
31. #
32. # ability.can? :destroy, @project
33. #
34. # This makes testing a user's abilities very easy.
35. #
36. # def test "user can only destroy projects which he owns"
37. # user = User.new
38. # ability = Ability.new(user)
39. # assert ability.can?(:destroy, Project.new(:user => user))
40. # assert ability.cannot?(:destroy, Project.new)
41. # end
42. #
43. def can?(action, noun, *can_params)
44. (@can_definitions || []).reverse.each do |base_behavior, defined_action, defined_noun, defined_block|
45. defined_actions = expand_actions(defined_action)
46. defined_nouns = [defined_noun].flatten
47. if includes_action?(defined_actions, action) && includes_noun?(defined_nouns, noun)
48. result = can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block, can_params)
49. return base_behavior ? result : !result
50. end
51. end
52. false
53. end
54.  
55. # Convenience method which works the same as "can?" but returns the opposite value.
56. #
57. # cannot? :destroy, @project
58. #
59. def cannot?(*args)
60. !can?(*args)
61. end
62.  
63. # Defines which abilities are allowed using two arguments. The first one is the action
64. # you're setting the permission for, the second one is the class of object you're setting it on.
65. #
66. # can :update, Article
67. #
68. # You can pass an array for either of these parameters to match any one.
69. #
70. # can [:update, :destroy], [Article, Comment]
71. #
72. # In this case the user has the ability to update or destroy both articles and comments.
73. #
74. # You can pass a block to provide logic based on the article's attributes.
75. #
76. # can :update, Article do |article|
77. # article && article.user == user
78. # end
79. #
80. # If the block returns true then the user has that :update ability for that article, otherwise he
81. # will be denied access. It's possible for the passed in model to be nil if one isn't specified,
82. # so be sure to take that into consideration.
83. #
84. # You can pass :all to reference every type of object. In this case the object type will be passed
85. # into the block as well (just in case object is nil).
86. #
87. # can :read, :all do |object_class, object|
88. # object_class != Order
89. # end
90. #
91. # Here the user has permission to read all objects except orders.
92. #
93. # You can also pass :manage as the action which will match any action. In this case the action is
94. # passed to the block.
95. #
96. # can :manage, Comment do |action, comment|
97. # action != :destroy
98. # end
99. #
100. # You can pass custom objects into this "can" method, this is usually done through a symbol
101. # and is useful if a class isn't available to define permissions on.
102. #
103. # can :read, :stats
104. # can? :read, :stats # => true
105. #
106. def can(action, noun, &block)
107. @can_definitions ||= []
108. @can_definitions << [true, action, noun, block]
109. end
110.  
111. # Define an ability which cannot be done. Accepts the same arguments as "can".
112. #
113. # can :read, :all
114. # cannot :read, Comment
115. #
116. # A block can be passed just like "can", however if the logic is complex it is recommended
117. # to use the "can" method.
118. #
119. # cannot :read, Product do |product|
120. # product.invisible?
121. # end
122. #
123. def cannot(action, noun, &block)
124. @can_definitions ||= []
125. @can_definitions << [false, action, noun, block]
126. end
127.  
128. # Alias one or more actions into another one.
129. #
130. # alias_action :update, :destroy, :to => :modify
131. # can :modify, Comment
132. #
133. # Then :modify permission will apply to both :update and :destroy requests.
134. #
135. # can? :update, Comment # => true
136. # can? :destroy, Comment # => true
137. #
138. # This only works in one direction. Passing the aliased action into the "can?" call
139. # will not work because aliases are meant to generate more generic actions.
140. #
141. # alias_action :update, :destroy, :to => :modify
142. # can :update, Comment
143. # can? :modify, Comment # => false
144. #
145. # Unless that exact alias is used.
146. #
147. # can :modify, Comment
148. # can? :modify, Comment # => true
149. #
150. # The following aliases are added by default for conveniently mapping common controller actions.
151. #
152. # alias_action :index, :show, :to => :read
153. # alias_action :new, :to => :create
154. # alias_action :edit, :to => :update
155. #
156. # This way one can use params[:action] in the controller to determine the permission.
157. def alias_action(*args)
158. target = args.pop[:to]
159. aliased_actions[target] ||= []
160. aliased_actions[target] += args
161. end
162.  
163. # Returns a hash of aliased actions. The key is the target and the value is an array of actions aliasing the key.
164. def aliased_actions
165. @aliased_actions ||= default_alias_actions
166. end
167.  
168. # Removes previously aliased actions including the defaults.
169. def clear_aliased_actions
170. @aliased_actions = {}
171. end
172.  
173. private
174.  
175. def default_alias_actions
176. {
177. :read => [:index, :show],
178. :create => [:new],
179. :update => [:edit],
180. }
181. end
182.  
183. def expand_actions(actions)
184. [actions].flatten.map do |action|
185. if aliased_actions[action]
186. [action, *aliased_actions[action]]
187. else
188. action
189. end
190. end.flatten
191. end
192.  
193. def can_perform_action?(action, noun, defined_actions, defined_nouns, defined_block, can_params)
194. if defined_block.nil?
195. true
196. else
197. block_args = []
198. block_args << action if defined_actions.include?(:manage)
199. block_args << (noun.class == Class ? noun : noun.class) if defined_nouns.include?(:all)
200. block_args << (noun.class == Class ? nil : noun)
201. block_args += can_params
202. return defined_block.call(*block_args)
203. end
204. end
205.  
206. def includes_action?(actions, action)
207. actions.include?(:manage) || actions.include?(action)
208. end
209.  
210. def includes_noun?(nouns, noun)
211. nouns.include?(:all) || nouns.include?(noun) || nouns.any? { |c| c.kind_of?(Class) && noun.kind_of?(c) }
212. end
213. end
214. end