ryanb / cancan

Authorization Gem for Ruby on Rails.
MIT License

Spin off non-rails core #503

Open thomasyip opened 12 years ago

thomasyip commented 12 years ago

The majority of the functionality and implementation of CanCan is not Rails-specific.

However, it is tightly coupled, making it impossible to use with a lighter framework, such as Rack directly or Sinatra.

I think CanCan can be split into two projects, the way Devise / Warden are split.

hazah commented 12 years ago

Seconded! Was about to make the same suggestion, luckily stumbled onto your post first. I believe CanCan is the right context for such a split. Having the ability class as a model is convenient, but it's fundamentally the wrong location for the logic because it has far tighter coupling to the controller.

The current implementation could definitely be moved to a strategy like class as done in Warden for authentication.

Then the merge with rails can be handled as a thin layer on top like Devise:

1) Augment ActiveRecord's validations and before_destroy filter for authorization. First step is to add a single validate and before_destroy call to each secured model that will delegate to a set of blocks stored at class level. Second step, create a harden (or similar) method that takes either a set of hashes or blocks as arguments that specify conditions for create/retrieve/update/delete, and a block to yield to. Final step, when called, the method converts the arguments to blocks and stores them in the class, allowing valid? and invalid? to be called on the object to check authorization and prevent unauthorized action. For create and read the block is used to set up model scoping for the duration of the yield. For destroy the block will be used with the before_destroy filter. At the end of the method call, all blocks are removed, allowing for the normal access we've all been used to.

2) Augment ActionController::Base with a harden (or similar) method that sets up an around filter that sets up the arguments to be passed to each involved model's harden method. Because this is done in the controller, the blocks will have access to the necessary data from the request to do the validating/scoping/filtering. The filter's yield call will be executed with all security hardening applied.

This is of course the roughest outline of the scheme, and it is the first time it's been formulated into actual words. I myself am in need of this split, and am working towards that direction. So far I'm a lone ranger in my cause. I'd be interested in any feedback anyone may have.
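A plain-Ruby sketch of the harden scheme described in the comment above, added here as an illustration; it is not CanCan code and not the commenter's implementation. It shows rules installed at class level only for the duration of a block, checked through valid?, and removed afterwards; Hardenable, harden, authorized? and Article are hypothetical names.

```ruby
# Hypothetical module sketching the "harden" scheme: per-action rules stored on
# the class for the duration of a block, consulted by valid?, then removed.
module Hardenable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Rules active for the current harden block, keyed by action (:create, :update, ...).
    def authorization_rules
      @authorization_rules ||= {}
    end

    # Install rules (a proc, or an attribute hash converted to a proc), yield,
    # then restore the previous rules. `ensure` guarantees removal even on error.
    def harden(rules)
      previous = authorization_rules.dup
      rules.each do |action, rule|
        authorization_rules[action] =
          if rule.respond_to?(:call)
            rule
          else
            ->(record) { rule.all? { |attr, value| record.public_send(attr) == value } }
          end
      end
      yield
    ensure
      @authorization_rules = previous
    end
  end

  # Authorized when no rule is active for the action, or the active rule accepts the record.
  def authorized?(action)
    rule = self.class.authorization_rules[action]
    rule.nil? || !!rule.call(self)
  end

  # Stand-in for the ActiveRecord validation hook the comment proposes delegating to.
  def valid?(action = :update)
    authorized?(action)
  end
end

# Constructed sample model: an article owned by a user id.
class Article
  include Hardenable
  attr_reader :author_id
  def initialize(author_id)
    @author_id = author_id
  end
end

# Constructed scenario: only the current user's own articles may be updated.
def update_allowed?(current_user_id, article)
  Article.harden(update: { author_id: current_user_id }) { article.valid?(:update) }
end
```

Because the rules live on the class object they are shared across threads; a threaded server would need thread-local storage for the same idea.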

derekprior commented 12 years ago

Tagging with discuss to see if Ryan has feedback on the direction.

xhoy commented 10 years ago

Dear submitter, since cancan/ryanb hasn't been active for more than 6 months and nobody other than Ryan himself has commit permissions, the cancan project is at a standstill. Since cancan has several issues, including missing support for Rails 4, cancan is moving forward to cancancan. More details in: #994

If you feel that your pull request or bug is still applicable (and hasn't been merged into cancan) it would be really appreciated if you would resubmit it to cancancan (https://github.com/cancancommunity/cancancan)

We hope to see you on the other side!