should not allow to can? when raw sql without block is present

12037d7f · Sokolov Yura · Ryan Bates · 1f81b8dd · 12037d7f · 12037d7f
Commit 12037d7f authored 14 years ago by Sokolov Yura Committed by Ryan Bates 14 years ago
--- a/lib/cancan/ability.rb
+++ b/lib/cancan/ability.rb
@@ -54,7 +54,7 @@ module CanCan
    #
    # Also see the RSpec Matchers to aid in testing.
    def can?(action, subject, *extra_args)
-      match = relevant_can_definitions(action, subject).detect do |can_definition|
+      match = relevant_can_definitions_for_match(action, subject).detect do |can_definition|
        can_definition.matches_conditions?(action, subject, extra_args)
      end
      match ? match.base_behavior : false
@@ -224,6 +224,10 @@ module CanCan
    def has_block?(action, subject)
      relevant_can_definitions(action, subject).any?(&:only_block?)
    end
+    def has_raw_sql?(action, subject)
+      relevant_can_definitions(action, subject).any?(&:only_raw_sql?)
+    end
    private
@@ -267,6 +271,14 @@ module CanCan
        can_definition.relevant? action, subject
      end
    end
+    def relevant_can_definitions_for_match(action, subject)
+      relevant_can_definitions(action, subject).each do |can_definition|
+        if can_definition.only_raw_sql?
+          raise Error, "The can? and cannot? call cannot be used with a raw sql 'can' definition. The checking code cannot be determined for #{action.inspect} #{subject.inspect}"
+        end
+      end
+    end
    def relevant_can_definitions_for_query(action, subject)
      relevant_can_definitions(action, subject).each do |can_definition|

--- a/lib/cancan/can_definition.rb
+++ b/lib/cancan/can_definition.rb
@@ -55,6 +55,10 @@ module CanCan
    def only_block?
      conditions_empty? && !@block.nil?
    end
+    def only_raw_sql?
+      @block.nil? && !conditions_empty? && !@conditions.kind_of?(Hash)
+    end
    def conditions_empty?
      @conditions == {} || @conditions.nil?

--- a/spec/cancan/ability_spec.rb
+++ b/spec/cancan/ability_spec.rb
@@ -317,6 +317,13 @@ describe CanCan::Ability do
    end
    @ability.should have_block(:read, :foo)
  end
+  it "should know when raw sql is used in conditions" do
+    @ability.can :read, :foo
+    @ability.should_not have_raw_sql(:read, :foo)
+    @ability.can :read, :foo, 'false'
+    @ability.should have_raw_sql(:read, :foo)
+  end
  it "should raise access denied exception with default message if not specified" do
    begin

--- a/spec/cancan/active_record_additions_spec.rb
+++ b/spec/cancan/active_record_additions_spec.rb
@@ -56,4 +56,18 @@ describe CanCan::ActiveRecordAdditions do
    stub(@model_class).scoped{|*args| args.inspect}
    @model_class.accessible_by(@ability).should == :found_records
  end
+  it "should not allow to fetch records when ability with just block present" do
+    @ability.can :read, @model_class do false end
+    lambda {
+      @model_class.accessible_by(@ability)
+    }.should raise_error(CanCan::Error)
+  end
+  it "should not allow to check ability on object when nonhash sql ability definition without block present" do
+    @ability.can :read, @model_class, ['bar = ?', 1]
+    lambda {
+      @ability.can? :read, @model_class.new
+    }.should raise_error(CanCan::Error)
+  end
 end