Thanks for replying, Colin. I've got some corrections to this case... To sum it up, my mistake was in the comparison of the params :id element with current_user.id (String vs. Fixnum). Here's the thread in SO with more details: http://stackoverflow.com/questions/10010078/how-to-prevent-a-delete-http-request-from-succeeding-in-this-situation/10011656#10011656
Thanks

On Thursday, April 5, 2012 5:12:02 AM UTC+8, Colin Law wrote:
>
> On 4 April 2012 12:13, rme <[email protected]> wrote:
> > Hi folks,
> >
> > Rails beginner here..
> >
> > I have a users resource where I implemented a callback that's supposed
> > to prevent an admin user from deleting herself.
> >
> > before_filter :admin_no_delete, only: :destroy
> >
> > def admin_no_delete
> >   admin_id = current_user.id if current_user.admin?
> >   redirect_to users_path if params[:id] == admin_id
> > end
> >
> > If this looks familiar to some, it's from Michael Hartl's rails
> > tutorial, exercise #10 here
> > http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
> >
> > My (lame) test for this actually runs successfully
> >
> > describe "deleting herself should not be permitted" do
> >   before do
> >     delete user_path(admin)
> >   end
> >   it { should redirect_to(users_path) }
> > end
> > end
> >
> > The test seems lame because I was able to go around it using jQuery to
> > delete the record being protected by the callback (using Web
> > Inspector's javascript console):
> > $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
> >   success: function(result){alert(result)} })
>
> What was current_user when you did that? I note that your code will
> only stop the admin user deleting herself, it will not stop another
> user from deleting the admin user.
>
> Colin
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/98F08wATGdAJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
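The String-vs-Integer mismatch rme describes, and the gap Colin points out (the callback only guards the admin against herself, not against other callers), modelled in plain Ruby as an added example. This is not code from the thread or from Hartl's tutorial; the `User` struct, the hash standing in for `params`, and the `destroy_guard` helper are assumptions made so the logic runs without Rails.

```ruby
# Added example: a Rails-free model of the before_filter discussed above.
# `params` is a plain Hash whose :id value is a String, exactly as Rails
# delivers route params; `User` is a constructed stand-in for the model.
User = Struct.new(:id, :admin)

# Mirrors the original callback. params[:id] is "104" (String) while
# current_user.id is 104 (Integer), so == is always false and the
# redirect never fires for the admin.
def buggy_self_delete_blocked?(current_user, params)
  admin_id = current_user.id if current_user.admin
  params[:id] == admin_id
end

# Corrected comparison: normalise the route param to Integer first.
def fixed_self_delete_blocked?(current_user, params)
  return false unless current_user.admin
  params[:id].to_i == current_user.id
end

# Colin's point: a self-delete check alone is not an authorisation check.
# A complete destroy guard also refuses unauthenticated and non-admin
# callers, so a crafted DELETE from another account cannot remove the admin.
# Returns :redirect when the request must be refused, :allow otherwise.
def destroy_guard(current_user, params)
  return :redirect if current_user.nil?                   # not signed in
  return :redirect unless current_user.admin              # admins only
  return :redirect if params[:id].to_i == current_user.id # never delete self
  :allow
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new(104, true)
  p buggy_self_delete_blocked?(admin, { id: "104" })  # false: "104" != 104
  p fixed_self_delete_blocked?(admin, { id: "104" })  # true
  p destroy_guard(User.new(7, false), { id: "104" })  # :redirect
  p destroy_guard(admin, { id: "7" })                 # :allow
end
```

The two fixes are independent: converting the param type makes the self-delete check actually fire, while the admin-only branch is what stops a different signed-in user from issuing the DELETE that the jQuery call in the original post demonstrates.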

