Preventing destroy action via a DELETE HTTP request submitted with jQuery

Hi folks,

Rails beginner here…

I have a users resource where I implemented a callback that’s supposed
to prevent an admin user from deleting herself.

before_filter :admin_no_delete, only: :destroy

def admin_no_delete
  admin_id = current_user.id if current_user.admin?
  redirect_to users_path if params[:id] == admin_id
end

If this looks familiar to some, it’s from Michael H.'s rails
tutorial, exercise #10 here
http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises

My (lame) test for this actually runs successfully

    describe "deleting herself should not be permitted" do
      before do
        delete user_path(admin)
      end
      it { should redirect_to(users_path) }
    end
  end

The test seems lame because I was able to go around it using jQuery to
delete the record being protected by the callback (using Web
Inspector’s javascript console):
$.ajax({url: ‘http://localhost:3000/users/104’, type: ‘DELETE’,
success: function(result){alert(result)} })

Looking for ideas on how to prevent a DELETE HTTP request from
succeeding in this situation… also any ideas on how to properly test
for this kind of situation?

Thanks.
rme

On 4 April 2012 12:13, rme [email protected] wrote:

admin_id = current_user.id if current_user.admin?
before do
success: function(result){alert(result)} })
What was current_user when you did that? I note that your code will
only stop the admin user deleting herself, it will not stop another
user from deleting the admin user.

Colin

Thanks for replying, Colin.

I’ve got some corrections to this case… To sum it up, my mistake was
in
the comparison of the params :id element with current_user.id (String
vs.
FixNum)
Here’shttp://stackoverflow.com/questions/10010078/how-to-prevent-a-delete-http-request-from-succeeding-in-this-situation/10011656#10011656the
thread in SO with more details.

Thanks