should not allow to can? when raw sql without block is present

ryanb · Oct 4, 2010 · 12037d7 · 12037d7
1 parent 1f81b8d
commit 12037d7
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 1 deletion.
diff --git a/lib/cancan/ability.rb b/lib/cancan/ability.rb
@@ -54,7 +54,7 @@ module Ability
     #
     # Also see the RSpec Matchers to aid in testing.
     def can?(action, subject, *extra_args)
-      match = relevant_can_definitions(action, subject).detect do |can_definition|
+      match = relevant_can_definitions_for_match(action, subject).detect do |can_definition|
         can_definition.matches_conditions?(action, subject, extra_args)
       end
       match ? match.base_behavior : false
@@ -224,6 +224,10 @@ def attributes_for(action, subject)
     def has_block?(action, subject)
       relevant_can_definitions(action, subject).any?(&:only_block?)
     end
+
+    def has_raw_sql?(action, subject)
+      relevant_can_definitions(action, subject).any?(&:only_raw_sql?)
+    end
 
     private
 
@@ -267,6 +271,14 @@ def relevant_can_definitions(action, subject)
         can_definition.relevant? action, subject
       end
     end
+
+    def relevant_can_definitions_for_match(action, subject)
+      relevant_can_definitions(action, subject).each do |can_definition|
+        if can_definition.only_raw_sql?
+          raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+      end
+    end
 
     def relevant_can_definitions_for_query(action, subject)
       relevant_can_definitions(action, subject).each do |can_definition|

diff --git a/lib/cancan/can_definition.rb b/lib/cancan/can_definition.rb
@@ -55,6 +55,10 @@ def tableized_conditions(conditions = @conditions)
     def only_block?
       conditions_empty? && !@block.nil?
     end
+
+    def only_raw_sql?
+      @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
+    end
 
     def conditions_empty?
       @conditions == {} || @conditions.nil?

diff --git a/spec/cancan/ability_spec.rb b/spec/cancan/ability_spec.rb
@@ -317,6 +317,13 @@ class A; include B; end
     end
     @ability.should have_block(:read, :foo)
   end
+
+  it "should know when raw sql is used in conditions" do
+    @ability.can :read, :foo
+    @ability.should_not have_raw_sql(:read, :foo)
+    @ability.can :read, :foo, 'false'
+    @ability.should have_raw_sql(:read, :foo)
+  end
 
   it "should raise access denied exception with default message if not specified" do
     begin

diff --git a/spec/cancan/active_record_additions_spec.rb b/spec/cancan/active_record_additions_spec.rb
@@ -56,4 +56,18 @@
     stub(@model_class).scoped{|*args| args.inspect}
     @model_class.accessible_by(@ability).should == :found_records
   end
+
+  it "should not allow to fetch records when ability with just block present" do
+    @ability.can :read, @model_class do false end
+    lambda {
+      @model_class.accessible_by(@ability)
+    }.should raise_error(CanCan::Error)
+  end
+
+  it "should not allow to check ability on object when nonhash sql ability definition without block present" do
+    @ability.can :read, @model_class, ['bar = ?', 1]
+    lambda {
+      @ability.can? :read, @model_class.new
+    }.should raise_error(CanCan::Error)
+  end
 end