Wednesday, April 4, 2012

Re: [Rails] Preventing destroy action via a DELETE HTTP request submitted with jQuery

Thanks for replying, Colin.

I've got some corrections to this case... To sum it up, my mistake was in the comparison of the params :id element with current_user.id (String vs. Fixnum).
Here's the thread in SO with more details.

Thanks

On Thursday, April 5, 2012 5:12:02 AM UTC+8, Colin Law wrote:
On 4 April 2012 12:13, rme <xxx@gmail.com> wrote:
> Hi folks,
>
> Rails beginner here..
>
> I have a users resource where I implemented a callback that's supposed
> to prevent an admin user from deleting herself.
>
>  before_filter :admin_no_delete,    only: :destroy
>
>    def admin_no_delete
>      admin_id = current_user.id if current_user.admin?
>      redirect_to users_path if params[:id] == admin_id
>    end
>
> If this looks familiar to some,  it's from Michael Hartl's rails
> tutorial, exercise #10 here
> http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
>
> My (lame) test for this actually runs successfully
>
>        describe "deleting herself should not be permitted" do
>          before do
>            delete user_path(admin)
>          end
>          it { should redirect_to(users_path) }
>        end
>      end
>
> The test seems lame because I was able to go around it using jQuery to
> delete the record being protected by the callback (using Web
> Inspector's javascript console):
>      $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
> success: function(result){alert(result)} })

What was current_user when you did that?  I note that your code will
only stop the admin user deleting herself; it will not stop another
user from deleting the admin user.

Colin

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/98F08wATGdAJ.
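To make the String vs. Fixnum mismatch the thread ends up identifying concrete, here is an added Ruby example (not code from the thread, the tutorial, or Rails): a plain-Ruby stand-in for the filter, where the `User` struct, the `USERS` lookup standing in for `User.find`, and the params Hash are all constructed for the example. The fixed version also covers Colin's remark by refusing deletion of any admin account, not only self-deletion.

```ruby
# Constructed stand-in for the ActiveRecord model: ids are Integers
# (Fixnum in Ruby 1.9), exactly as current_user.id is in the controller.
User = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end

# Constructed stand-in for User.find(params[:id]).
USERS = { 104 => User.new(104, true), 7 => User.new(7, false) }

# The check as posted. Rails routing delivers params[:id] as a String,
# so "104" == 104 is always false and the redirect never fires.
# Returns :redirect where the real filter would redirect_to users_path.
def admin_no_delete_buggy(params, current_user)
  admin_id = current_user.id if current_user.admin?
  params[:id] == admin_id ? :redirect : :allow
end

# Corrected check: compare values of the same type (both Strings here,
# which is stricter than params[:id].to_i, as "104abc".to_i is 104).
# Also blocks deleting any admin, per Colin's observation that the
# original only guards against an admin deleting herself.
def admin_no_delete_fixed(params, current_user)
  target = USERS[params[:id].to_i]
  return :redirect if target.nil?
  return :redirect if params[:id] == current_user.id.to_s # self-deletion
  return :redirect if target.admin?                       # anyone deleting an admin
  :allow
end

if __FILE__ == $0
  admin = USERS[104]
  params = { id: "104" } # constructed: what the router hands the controller
  puts "buggy: #{admin_no_delete_buggy(params, admin)}" # :allow, i.e. bypassed
  puts "fixed: #{admin_no_delete_fixed(params, admin)}" # :redirect
end
```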
