While we wait for 1.6.11...

.ruby-version

@@ -0,0 +1 @@
+1.9.3

.travis.yml

@@ -1,6 +1,15 @@
 rvm:
   - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
   - ree
+  - jruby
+  - rbx
+matrix:
+  allow_failures:
+    - rvm: rbx
 notifications:
   recipients:
     - [email protected]

CHANGELOG.rdoc

@@ -1,3 +1,7 @@
+Master
+
+* Adds support for strong_parameters (bryanrite)
+
 1.6.10 (May 7, 2013)
 
 * fix matches_conditons_hash for string values on 1.8 (thanks rrosen)

Gemfile

@@ -2,7 +2,10 @@ source "https://rubygems.org"
 
 case ENV["MODEL_ADAPTER"]
 when nil, "active_record"
-  gem "sqlite3"
+  # Sqlite for CRuby, Rubinius, including Windows and RubyInstaller
+  gem "sqlite3", :platform => [:ruby, :mswin, :mingw]
+  # Sqlite for JRuby
+  gem 'activerecord-jdbcsqlite3-adapter', :platform => :jruby
   gem "activerecord", '~> 3.0.9', :require => "active_record"
   gem "with_model", "~> 0.2.5"
   gem "meta_where"

README.rdoc

@@ -1,6 +1,6 @@
 = CanCan
-{<img src="https://fury-badge.herokuapp.com/rb/cancan.png" alt="Gem Version" />}[http://badge.fury.io/rb/cancan] 
-{<img src="https://secure.travis-ci.org/ryanb/cancan.png?branch=master" />}[http://travis-ci.org/ryanb/cancan] 
+{<img src="https://fury-badge.herokuapp.com/rb/cancan.png" alt="Gem Version" />}[http://badge.fury.io/rb/cancan]
+{<img src="https://secure.travis-ci.org/ryanb/cancan.png?branch=master" />}[http://travis-ci.org/ryanb/cancan]
 {<img src="https://codeclimate.com/github/ryanb/cancan.png" />}[https://codeclimate.com/github/ryanb/cancan]
 
 Wiki[https://github.com/ryanb/cancan/wiki] | RDocs[http://rdoc.info/projects/ryanb/cancan] | Screencast[http://railscasts.com/episodes/192-authorization-with-cancan]
@@ -34,7 +34,7 @@ User permissions are defined in an +Ability+ class. CanCan 1.5 includes a Rails
 
   rails g cancan:ability
 
-In Rails 2.3, just add a new class in `app/models/ability.rb` with the following contents:
+In Rails 2.3, just add a new class in <tt>app/models/ability.rb</tt> with the following contents:
 
   class Ability
     include CanCan::Ability
@@ -76,6 +76,36 @@ Setting this for every action can be tedious, therefore the +load_and_authorize_
 See {Authorizing Controller Actions}[https://github.com/ryanb/cancan/wiki/authorizing-controller-actions] for more information.
 
 
+==== Strong Parameters
+
+When using <tt>strong_parameters</tt> or Rails 4+, you have to sanitize inputs before saving the record, in actions such as <tt>:create</tt> and <tt>:update</tt>.
+
+By default, CanCan will try to sanitize the input on <tt>:create</tt> and <tt>:update</tt> routes by seeing if your controller will respond to the following methods (in order):
+
+* <tt>create_params</tt> or <tt>update_params</tt> (depending on the action you are performing)
+* <tt><model_name>_params</tt> such as <tt>article_params</tt> (this is the default convention in rails for naming your param method)
+* <tt>resource_params</tt> (a generically named method you could specify in each controller)
+
+Additionally, <tt>load_and_authorize_resource</tt> can now take a <tt>param_method</tt> option to specify a custom method in the controller to run to sanitize input.
+
+  class ArticlesController < ApplicationController
+    load_and_authorize_resource param_method: :my_sanitizer
+
+    def create
+      if @article.save
+        # hurray
+      else
+        render :new
+      end
+    end
+
+    private
+
+    def my_sanitizer
+      params.require(:article).permit(:name)
+    end
+  end
+
 === 3. Handle Unauthorized Access
 
 If the user authorization fails, a <tt>CanCan::AccessDenied</tt> exception will be raised. You can catch this and modify its behavior in the +ApplicationController+.

cancan.gemspec

@@ -10,9 +10,8 @@ Gem::Specification.new do |s|
   s.files        = Dir["{lib,spec}/**/*", "[A-Z]*", "init.rb"] - ["Gemfile.lock"]
   s.require_path = "lib"
 
-  s.add_development_dependency 'rspec', '~> 2.6.0'
+  s.add_development_dependency 'rspec', '~> 2.14.0'
   s.add_development_dependency 'rails', '~> 3.0.9'
-  s.add_development_dependency 'rr', '~> 0.10.11' # 1.0.0 has respond_to? issues: http://github.com/btakita/rr/issues/issue/43
   s.add_development_dependency 'supermodel', '~> 0.1.4'
 
   s.rubyforge_project = s.name

lib/cancan/ability.rb

@@ -256,9 +256,20 @@ def unauthorized_message_keys(action, subject)
     # This should be called before "matches?" and other checking methods since they
     # rely on the actions to be expanded.
     def expand_actions(actions)
-      actions.map do |action|
-        aliased_actions[action] ? [action, *expand_actions(aliased_actions[action])] : action
-      end.flatten
+      expanded_actions[actions] ||= begin
+        expanded = []
+        actions.each do |action|
+          expanded << action
+          if aliases = aliased_actions[action]
+            expanded += expand_actions(aliases)
+          end
+        end
+        expanded
+      end
+    end
+
+    def expanded_actions
+      @expanded_actions ||= {}
     end
 
     # Given an action, it will try to find all of the actions which are aliased to it.
@@ -278,10 +289,12 @@ def rules
     # Returns an array of Rule instances which match the action and subject
     # This does not take into consideration any hash conditions or block statements
     def relevant_rules(action, subject)
-      rules.reverse.select do |rule|
+      relevant = rules.select do |rule|
         rule.expanded_actions = expand_actions(rule.actions)
         rule.relevant? action, subject
       end
+      relevant.reverse!
+      relevant
     end
 
     def relevant_rules_for_match(action, subject)

lib/cancan/controller_resource.rb

@@ -127,11 +127,15 @@ def authorization_action
     end
 
     def id_param
+      @params[id_param_key].to_s if @params[id_param_key]
+    end
+
+    def id_param_key
       if @options[:id_param]
-        @params[@options[:id_param]]
+        @options[:id_param]
       else
-        @params[parent? ? :"#{name}_id" : :id]
-      end.to_s
+        parent? ? :"#{name}_id" : :id
+      end
     end
 
     def member_action?
@@ -177,7 +181,9 @@ def collection_instance
     def resource_base
       if @options[:through]
         if parent_resource
-          @options[:singleton] ? resource_class : parent_resource.send(@options[:through_association] || name.to_s.pluralize)
+          base = @options[:singleton] ? resource_class : parent_resource.send(@options[:through_association] || name.to_s.pluralize)
+          base = base.scoped if base.respond_to?(:scoped) && defined?(ActiveRecord) && ActiveRecord::VERSION::MAJOR == 3
+          base
         elsif @options[:shallow]
           resource_class
         else
@@ -214,7 +220,9 @@ def name
     end
 
     def resource_params
-      if @options[:class]
+      if param_actions.include?(@params[:action].to_sym) && params_method.present?
+        return @controller.send(params_method)
+      elsif @options[:class]
         params_key = extract_key(@options[:class])
         return @params[params_key] if @params[params_key]
       end
@@ -226,6 +234,19 @@ def resource_params_by_namespaced_name
       @params[extract_key(namespaced_name)]
     end
 
+    def params_method
+      params_methods.each do |method|
+        return method if @controller.respond_to?(method, true)
+      end
+      nil
+    end
+
+    def params_methods
+      methods = ["#{@params[:action]}_params".to_sym, "#{name}_params".to_sym, :resource_params]
+      methods.unshift(@options[:param_method]) if @options[:param_method].present?
+      methods
+    end
+
     def namespace
       @params[:controller].split(/::|\//)[0..-2]
     end
@@ -245,11 +266,15 @@ def instance_name
     end
 
     def collection_actions
-      [:index] + [@options[:collection]].flatten
+      [:index] + Array(@options[:collection])
     end
 
     def new_actions
-      [:new, :create] + [@options[:new]].flatten
+      [:new, :create] + Array(@options[:new])
+    end
+
+    def param_actions
+      [:create, :update]
     end
 
     private

lib/cancan/model_adapters/active_record_adapter.rb

@@ -73,8 +73,7 @@ def tableized_conditions(conditions, model_class = @model_class)
                 value.delete(k)
                 nested[k] = v
               else
-                name = model_class.reflect_on_association(name).table_name.to_sym
-                result_hash[name] = value
+                result_hash[model_class.reflect_on_association(name).table_name.to_sym] = value
               end
               nested
             end
@@ -102,9 +101,9 @@ def database_records
         elsif @model_class.respond_to?(:where) && @model_class.respond_to?(:joins)
           mergeable_conditions = @rules.select {|rule| rule.unmergeable? }.blank?
           if mergeable_conditions
-            @model_class.where(conditions).joins(joins)
+            @model_class.where(conditions).includes(joins)
           else
-            @model_class.where(*(@rules.map(&:conditions))).joins(joins)
+            @model_class.where(*(@rules.map(&:conditions))).includes(joins)
           end
         else
           @model_class.scoped(:conditions => conditions, :joins => joins)

lib/cancan/rule.rb

@@ -38,7 +38,7 @@ def matches_conditions?(action, subject, extra_args)
         matches_conditions_hash?(subject)
       else
         # Don't stop at "cannot" definitions when there are conditions.
-        @conditions.empty? ? true : @base_behavior
+        conditions_empty? ? true : @base_behavior
       end
     end
 
@@ -111,7 +111,7 @@ def matches_conditions_hash?(subject, conditions = @conditions)
             else
               attribute = subject.send(name)
               if value.kind_of?(Hash)
-                if attribute.kind_of? Array
+                if attribute.kind_of?(Array) || attribute.kind_of?(ActiveRecord::Relation)
                   attribute.any? { |element| matches_conditions_hash? element, value }
                 else
                   !attribute.nil? && matches_conditions_hash?(attribute, value)