Do not execute the scope condition on class permission checks.

@conditions.empty? calls ActiveRecord::Relation#empty? when a scoped condition is provided. ActiveRecord::Relation#empty? will query the database while CanCan only needs to check if conditions are set on the rule.
CanCanCommunity · Jan 27, 2014 · d3e4fd7 · d3e4fd7
1 parent a1ba470
commit d3e4fd7
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/lib/cancan/rule.rb b/lib/cancan/rule.rb
@@ -38,7 +38,7 @@ def matches_conditions?(action, subject, extra_args)
         matches_conditions_hash?(subject)
       else
         # Don't stop at "cannot" definitions when there are conditions.
-        @conditions.empty? ? true : @base_behavior
+        conditions_empty? ? true : @base_behavior
       end
     end
 

diff --git a/spec/cancan/model_adapters/active_record_adapter_spec.rb b/spec/cancan/model_adapters/active_record_adapter_spec.rb
@@ -326,5 +326,17 @@
       # adapter.matches_condition?(article1, :name.nlike, "%helo%").should be_true
       # adapter.matches_condition?(article1, :name.nlike, "%ello worl%").should be_false
     end
+
+    it 'should not execute a scope when checking ability on the class' do
+      relation = Article.where(:secret => true)
+      @ability.can :read, Article, relation do |article|
+        article.secret == true
+      end
+
+      # Ensure the ActiveRecord::Relation condition does not trigger a count query
+      stub(relation).count { fail 'Unexpected scope execution.' }
+
+      expect { @ability.can? :read, Article }.not_to raise_error
+    end
   end
-end
+end