Hi folks,

Rails beginner here..

I have a users resource where I implemented a callback that's supposed
to prevent an admin user from deleting herself.

before_filter :admin_no_delete, only: :destroy

def admin_no_delete
  admin_id = current_user.id if current_user.admin?
  redirect_to users_path if params[:id] == admin_id
end

If this looks familiar to some, it's from Michael Hartl's rails
tutorial, exercise #10 here
http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises

My (lame) test for this actually runs successfully

  describe "deleting herself should not be permitted" do
    before do
      delete user_path(admin)
    end
    it { should redirect_to(users_path) }
  end
end

The test seems lame because I was able to go around it using jQuery to
delete the record being protected by the callback (using Web
Inspector's javascript console):
$.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
success: function(result){alert(result)} })

Looking for ideas on how to prevent a DELETE HTTP request from
succeeding in this situation.. also any ideas on how to properly test
for this kind of situation?

Thanks.
rme

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.


  • Colin Law at Apr 4, 2012 at 9:12 pm

    On 4 April 2012 12:13, rme wrote:
    Hi folks,

    Rails beginner here..

    I have a users resource where I implemented a callback that's supposed
    to prevent an admin user from deleting herself.

    before_filter :admin_no_delete, only: :destroy

    def admin_no_delete
      admin_id = current_user.id if current_user.admin?
      redirect_to users_path if params[:id] == admin_id
    end

    If this looks familiar to some, it's from Michael Hartl's rails
    tutorial, exercise #10 here
    http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises

    My (lame) test for this actually runs successfully

      describe "deleting herself should not be permitted" do
        before do
          delete user_path(admin)
        end
        it { should redirect_to(users_path) }
      end
    end

    The test seems lame because I was able to go around it using jQuery to
    delete the record being protected by the callback (using Web
    Inspector's javascript console):
    $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
    success: function(result){alert(result)} })

    What was current_user when you did that? I note that your code will
    only stop the admin user deleting herself, it will not stop another
    user from deleting the admin user.

    Colin

  • Rme at Apr 5, 2012 at 1:31 am
    Thanks for replying, Colin.

    I've got some corrections to this case... To sum it up, my mistake was in
    the comparison of the params :id element with current_user.id (String vs.
    Fixnum).
    Here's the thread in SO with more details: http://stackoverflow.com/questions/10010078/how-to-prevent-a-delete-http-request-from-succeeding-in-this-situation/10011656#10011656

    Thanks
    On Thursday, April 5, 2012 5:12:02 AM UTC+8, Colin Law wrote:
    On 4 April 2012 12:13, rme wrote:
    Hi folks,

    Rails beginner here..

    I have a users resource where I implemented a callback that's supposed
    to prevent an admin user from deleting herself.

    before_filter :admin_no_delete, only: :destroy

    def admin_no_delete
      admin_id = current_user.id if current_user.admin?
      redirect_to users_path if params[:id] == admin_id
    end

    If this looks familiar to some, it's from Michael Hartl's rails
    tutorial, exercise #10 here
    http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
    My (lame) test for this actually runs successfully

      describe "deleting herself should not be permitted" do
        before do
          delete user_path(admin)
        end
        it { should redirect_to(users_path) }
      end
    end

    The test seems lame because I was able to go around it using jQuery to
    delete the record being protected by the callback (using Web
    Inspector's javascript console):
    $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
    success: function(result){alert(result)} })

    What was current_user when you did that? I note that your code will
    only stop the admin user deleting herself, it will not stop another
    user from deleting the admin user.

    Colin
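The root cause rme reports above (params[:id] is a String, current_user.id is an Integer, so the guard in the original post never fires and the hand-crafted DELETE goes through) reproduced outside Rails, as an added example that is not code from the thread or from the Rails tutorial. The User struct and the plain Hash standing in for params are assumptions made so the snippet runs stand-alone.

```ruby
# Added example, not from the thread: the admin-self-delete guard with the
# String-vs-Integer comparison bug next to a corrected version, runnable
# without Rails.

# Hypothetical minimal stand-in for the User model (only what the check needs).
User = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end

# The check as posted in the original message. The router hands params[:id]
# over as a String ("104"), while current_user.id is an Integer (Fixnum on
# Ruby 1.9), so "104" == 104 is false and the redirect is never triggered.
# Returns true when the request should be blocked.
def buggy_self_delete?(params, current_user)
  admin_id = current_user.id if current_user.admin?
  params[:id] == admin_id
end

# Corrected check: normalise the route parameter to an Integer before
# comparing it with the model's id. Still only guards the admin against
# deleting herself, which is the limitation Colin points out.
def self_delete?(params, current_user)
  return false unless current_user.admin?
  params[:id].to_i == current_user.id
end

# Simulated "DELETE /users/104" issued by the admin whose id is 104, i.e. the
# request the jQuery call in the first post produced. Constructed input.
def demo
  admin = User.new(104, true)
  params = { id: "104" }   # plain Hash in place of Rails params
  {
    buggy_blocks: buggy_self_delete?(params, admin),  # false: bypass succeeds
    fixed_blocks: self_delete?(params, admin)         # true: redirect fires
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

A request spec that exercises the same path should send the id exactly as the router would (as in `delete user_path(admin)`) and assert on `response` as the original test does; the buggy version passes only when the comparison happens to use a String on both sides.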
