Secure but elegant destruction method

vahagn · February 25, 2009, 4:40pm

Hi,-

I am looking for a clean and secure way for an ActiveRecord instance to
delete itself. Say I have a User model in my app. Then the destructive
action would be /users/user_id/destroy. If this action is not secured by
a filter like:

(*) before_filter :check_administrator_role, :only => :destroy

then any user could potentially log in and start issuing:

/users/1/destroy
/users/2/destroy
.
.
.
/users/n/destroy

But I want to give a User the possibility to delete [him|her]self.
Currently the only way I can think of it is this:

Remove the filter (*)
Re-code the destroy method so:
def destroy
@user = User.find(params[:id])
if logged_in_user == @user or
logged_in_user.has_role?(‘administrator’)
if @user.destroy
flash[:notice] = “User deleted”
else
flash[:error] = “There was a problem deleting this user.”
end
redirect_to :action => ‘index’
end

But, is this the best way to do it?

Thanks in advance,
Vahagn

vahagn · February 25, 2009, 5:02pm

Sorry, the code should have been:

def destroy
@user = User.find(params[:id])
if @user == logged_in_user or
logged_in_user.has_role?(‘administrator’)
if @user.destroy
flash[:notice] = “User deleted”
else
flash[:error] = “There was a problem deleting this user.”
end
redirect_to :action => ‘index’
end
end

/ V.

vahagn · February 26, 2009, 3:49am

I don’t see anything wrong with this. I’d only resort to a filter if
it was going to be used by multiple actions.

On Feb 25, 11:02 am, Vahagn H. <rails-mailing-l…@andreas-

vahagn · February 26, 2009, 1:14pm

Yeah - good point Jeff.

/ V.

Jeff Emminger wrote:

I don’t see anything wrong with this. I’d only resort to a filter if
it was going to be used by multiple actions.

On Feb 25, 11:02ï¿½am, Vahagn H. <rails-mailing-l…@andreas-