Forum: Ruby on Rails Secure but elegant destruction method

Vahagn Hayrapetyan (vahagn)
on 2009-02-25 16:40
Hi,

I am looking for a clean and secure way for an ActiveRecord instance to
delete itself. Say I have a User model in my app. Then the destructive
action would be /users/user_id/destroy. If this action is not secured by
a filter like:

(*) before_filter :check_administrator_role, :only => :destroy

then any user could potentially log in and start issuing:

/users/1/destroy
/users/2/destroy
.
.
.
/users/n/destroy

But I want to give a User the possibility to delete [him|her]self.
Currently the only way I can think of is this:

1) Remove the filter (*)
2) Re-code the destroy method so:
  def destroy
    @user = User.find(params[:id])
    if logged_in_user == @user or
logged_in_user.has_role?('administrator')
    if @user.destroy
      flash[:notice] = "User deleted"
    else
      flash[:error] = "There was a problem deleting this user."
    end
    redirect_to :action => 'index'
  end

But, is this the best way to do it?

Thanks in advance,
Vahagn
Vahagn Hayrapetyan (vahagn)
on 2009-02-25 17:02
Sorry, the code should have been:

  def destroy
    @user = User.find(params[:id])
    # Allow the action only for the account itself or an administrator;
    # the decision is made on the loaded record, not on params[:id].
    if @user == logged_in_user or
       logged_in_user.has_role?('administrator')
      if @user.destroy
        flash[:notice] = "User deleted"
      else
        flash[:error] = "There was a problem deleting this user."
      end
      redirect_to :action => 'index'
    else
      # Added branch: fail closed with an explicit response instead of
      # falling through and trying to render a destroy template.
      flash[:error] = "You are not allowed to delete this user."
      redirect_to :action => 'index'
    end
  end

/ V.
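The self-or-administrator rule from the corrected action, pulled out of the controller so it can be run and tested without Rails. This is an added example, not code from the thread; User, UserStore, destroy_user and the in-memory user table are constructed for the demonstration.

```ruby
# Minimal stand-in for the User model: an id and a list of role names.
User = Struct.new(:id, :roles) do
  def has_role?(role)
    roles.include?(role)
  end
end

# Authorization rule: a user may delete their own record, an administrator
# may delete anyone. Comparing the loaded record with the logged-in user,
# rather than trusting the id in the URL, is what stops a logged-in user
# from walking through /users/1/destroy, /users/2/destroy, and so on.
def can_destroy?(actor, target)
  return false if actor.nil? || target.nil?
  actor.id == target.id || actor.has_role?('administrator')
end

# Constructed stand-in for ActiveRecord: an in-memory table of users.
class UserStore
  def initialize(users)
    @users = users.map { |u| [u.id, u] }.to_h
  end

  def find(id)
    @users[id]
  end

  def destroy(id)
    !@users.delete(id).nil?
  end

  def ids
    @users.keys.sort
  end
end

# Mirrors the controller action: look up the target, apply the rule, then
# destroy. Returns a [status, message] pair instead of flash + redirect.
# Unauthorised requests fail closed with 403 before any destroy call.
def destroy_user(store, logged_in_user, params)
  target = store.find(params[:id])
  return [404, 'User not found'] if target.nil?
  return [403, 'Not allowed'] unless can_destroy?(logged_in_user, target)
  if store.destroy(target.id)
    [302, 'User deleted']
  else
    [302, 'There was a problem deleting this user.']
  end
end
```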
Jeff Emminger (jemminger)
on 2009-02-26 03:49
(Received via mailing list)
I don't see anything wrong with this.  I'd only resort to a filter if
it was going to be used by multiple actions.

Vahagn Hayrapetyan (vahagn)
on 2009-02-26 13:14
Yeah - good point, Jeff.

/ V.

Jeff Emminger wrote:
> I don't see anything wrong with this.  I'd only resort to a filter if
> it was going to be used by multiple actions.
>