Drop support for CanCan, use its successor CanCanCan

Author: mshibuya

.travis.yml

@@ -68,9 +68,6 @@ matrix:
     - rvm: 2.6.3
       env: CI_ORM=active_record CI_DB_ADAPTER=postgresql CI_DB_USERNAME=postgres
       gemfile: gemfiles/rails_6.0.gemfile
-    - rvm: 2.6.3
-      env: CI_ORM=active_record CI_DB_ADAPTER=sqlite3
-      gemfile: gemfiles/cancan.gemfile
     - rvm: ruby-head
       env: CI_ORM=mongoid
       gemfile: gemfiles/rails_5.2.gemfile

Appraisals

@@ -107,13 +107,3 @@ appraise "rails-6.0" do
     gem 'paper_trail', '>= 5.0'
   end
 end
-
-appraise "cancan" do
-  gem 'rails', '~> 5.1.0'
-  gem 'sassc-rails', '~> 2.1'
-  gem 'devise', '~> 4.0'
-
-  group :test do
-    gem 'cancan', '>= 1.6'
-  end
-end

gemfiles/cancan.gemfile

@@ -8,8 +8,8 @@ RailsAdmin.config do |config|
   # end
   # config.current_user_method(&:current_user)
 
-  ## == Cancan ==
-  # config.authorize_with :cancan
+  ## == CancanCan ==
+  # config.authorize_with :cancancan
 
   ## == Pundit ==
   # config.authorize_with :pundit

lib/generators/rails_admin/templates/initializer.erb

@@ -2,7 +2,6 @@
 require 'rails_admin/abstract_model'
 require 'rails_admin/config'
 require 'rails_admin/extension'
-require 'rails_admin/extensions/cancan'
 require 'rails_admin/extensions/cancancan'
 require 'rails_admin/extensions/pundit'
 require 'rails_admin/extensions/paper_trail'

lib/rails_admin.rb

@@ -141,11 +141,11 @@ def audit_with(*args, &block)
       #   end
       #
       # To use an authorization adapter, pass the name of the adapter. For example,
-      # to use with CanCan[https://github.com/ryanb/cancan], pass it like this.
+      # to use with CanCanCan[https://github.com/CanCanCommunity/cancancan/], pass it like this.
       #
-      # @example CanCan
+      # @example CanCanCan
       #   RailsAdmin.config do |config|
-      #     config.authorize_with :cancan
+      #     config.authorize_with :cancancan
       #   end
       #
       # See the wiki[https://github.com/sferik/rails_admin/wiki] for more on authorization.

lib/rails_admin/config.rb

@@ -99,7 +99,7 @@ class Base
           key.to_sym
         end
 
-        # For Cancan and the like
+        # For CanCanCan and the like
         register_instance_option :authorization_key do
           key.to_sym
         end

lib/rails_admin/config/actions/base.rb

@@ -2,7 +2,28 @@ module RailsAdmin
   module Extensions
     module CanCanCan
       # This adapter is for the CanCanCan[https://github.com/CanCanCommunity/cancancan] authorization library.
-      class AuthorizationAdapter < RailsAdmin::Extensions::CanCan::AuthorizationAdapter
+      class AuthorizationAdapter
+        module ControllerExtension
+          def current_ability
+            # use _current_user instead of default current_user so it works with
+            # whatever current user method is defined with RailsAdmin
+            @current_ability ||= @ability.new(_current_user)
+          end
+        end
+
+        # See the +authorize_with+ config method for where the initialization happens.
+        def initialize(controller, ability = ::Ability)
+          @controller = controller
+          @controller.instance_variable_set '@ability', ability
+          @controller.extend ControllerExtension
+          @controller.current_ability.authorize! :access, :rails_admin
+        end
+
+        # This method is called in every controller action and should raise an exception
+        # when the authorization fails. The first argument is the name of the controller
+        # action as a symbol (:create, :bulk_delete, etc.). The second argument is the
+        # AbstractModel instance that applies. The third argument is the actual model
+        # instance if it is available.
         def authorize(action, abstract_model = nil, model_object = nil)
           return unless action
           subject = model_object || abstract_model && abstract_model.model
@@ -13,13 +34,31 @@ def authorize(action, abstract_model = nil, model_object = nil)
           end
         end
 
+        # This method is called primarily from the view to determine whether the given user
+        # has access to perform the action on a given model. It should return true when authorized.
+        # This takes the same arguments as +authorize+. The difference is that this will
+        # return a boolean whereas +authorize+ will raise an exception when not authorized.
         def authorized?(action, abstract_model = nil, model_object = nil)
           return unless action
           subject = model_object || abstract_model && abstract_model.model
           authorized_for_dashboard_in_legacy_way?(action, true) ||
             @controller.current_ability.can?(*resolve_with_compatibility(action, subject))
         end
 
+        # This is called when needing to scope a database query. It is called within the list
+        # and bulk_delete/destroy actions and should return a scope which limits the records
+        # to those which the user can perform the given action on.
+        def query(action, abstract_model)
+          abstract_model.model.accessible_by(@controller.current_ability, action)
+        end
+
+        # This is called in the new/create actions to determine the initial attributes for new
+        # records. It should return a hash of attributes which match what the user
+        # is authorized to create.
+        def attributes_for(action, abstract_model)
+          @controller.current_ability.attributes_for(action, abstract_model && abstract_model.model)
+        end
+
       private
 
         def authorized_for_dashboard_in_legacy_way?(action, silent = false)