Making sure the Admin of a website is not deleted
32 views
Skip to first unread message
Zainab Mohamed
Mar 4, 2014, 2:07:38 PM3/4/14
to rubyonra...@googlegroups.com
Hello,
I am a second year undergrad designing a ruby on rail program for
wedding.
I am struggling so much with lots of code but one main thing which I
don't understand how to do is to make sure that if the administrator has
the rights to delete any registered users, then they don't delete their
own account in the process, as is currently the case.
Please can someone help me? I know it is a code within user
controller.rb which has "def destroy" but I don't know how to go about
doing that.
Thank you
Zainab Mohamed
--
Posted via http://www.ruby-forum.com/.
I am a second year undergrad designing a ruby on rail program for
wedding.
I am struggling so much with lots of code but one main thing which I
don't understand how to do is to make sure that if the administrator has
the rights to delete any registered users, then they don't delete their
own account in the process, as is currently the case.
Please can someone help me? I know it is a code within user
controller.rb which has "def destroy" but I don't know how to go about
doing that.
Thank you
Zainab Mohamed
--
Posted via http://www.ruby-forum.com/.
Ganesh Ranganathan
Mar 4, 2014, 2:21:36 PM3/4/14
to rubyonra...@googlegroups.com
You can use a before_action filter in the controller to check both the current user's permissions and the user he is about to delete.
And if it is another admin user or himself, then redirect them to another page with a flash error message. More details at the filter link below
Thanks,
Ganesh
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/5e1541e64d742fbc8d53eaf8aa1e547c%40ruby-forum.com.
For more options, visit https://groups.google.com/groups/opt_out.
Zainab Mohamed
Mar 4, 2014, 2:53:59 PM3/4/14
to rubyonra...@googlegroups.com
Ganesh Ranganathan wrote in post #1138798:
Thank you for your reply. I only have one admin on the website as shown
below (code taken from seeds.rb).
User.create(:name => "weds4u", :password => "w", :password_confirmation
=> "w", :role => 'admin')
User.create(:name => "Afsheen", :password => "a",
:password_confirmation => "a", :role => '')
I tried the following IF statement from another website but that doesn't
seem to work. Could you suggest some correction to the below code or do
I need to change where I am putting the code in the first place?
def destroy
@user = User.find(params[:id])
if not user.role = 'admin'
@user.destroy
else
respond_to do |format|
format.html { redirect_to users_path,
notice: "#{@user.name} is an admin. You do not have
permission to delete this user" }
format.json { head :no_content }
end
end
> You can use a before_action filter in the controller to check both the
> current user's permissions and the user he is about to delete.
>
> And if it is another admin user or himself, then redirect them to
> another
> page with a flash error message. More details at the filter link below
>
> http://guides.rubyonrails.org/action_controller_overview.html
>
> Thanks,
> Ganesh
Hi,
> current user's permissions and the user he is about to delete.
>
> And if it is another admin user or himself, then redirect them to
> another
> page with a flash error message. More details at the filter link below
>
> http://guides.rubyonrails.org/action_controller_overview.html
>
> Thanks,
> Ganesh
Thank you for your reply. I only have one admin on the website as shown
below (code taken from seeds.rb).
User.create(:name => "weds4u", :password => "w", :password_confirmation
=> "w", :role => 'admin')
User.create(:name => "Afsheen", :password => "a",
:password_confirmation => "a", :role => '')
I tried the following IF statement from another website but that doesn't
seem to work. Could you suggest some correction to the below code or do
I need to change where I am putting the code in the first place?
def destroy
@user = User.find(params[:id])
if not user.role = 'admin'
@user.destroy
else
respond_to do |format|
format.html { redirect_to users_path,
notice: "#{@user.name} is an admin. You do not have
permission to delete this user" }
format.json { head :no_content }
end
end
Zainab Mohamed
Mar 4, 2014, 2:54:38 PM3/4/14
to rubyonra...@googlegroups.com
Hi,
Thank you for your reply. I only have one admin on the website as shown
below (code taken from seeds.rb).
User.create(:name => "weds4u", :password => "w", :password_confirmation
=> "w", :role => 'admin')
User.create(:name => "Afsheen", :password => "a",
:password_confirmation => "a", :role => '')
I tried the following IF statement from another website but that doesn't
seem to work. Could you suggest some correction to the below code or do
I need to change where I am putting the code in the first place?
def destroy
@user = User.find(params[:id])
if not user.role = 'admin'
@user.destroy
else
respond_to do |format|
format.html { redirect_to users_path,
notice: "#{@user.name} is an admin. You do not have
permission to delete this user" }
format.json { head :no_content }
end
end
Thank you for your reply. I only have one admin on the website as shown
below (code taken from seeds.rb).
User.create(:name => "weds4u", :password => "w", :password_confirmation
=> "w", :role => 'admin')
User.create(:name => "Afsheen", :password => "a",
:password_confirmation => "a", :role => '')
I tried the following IF statement from another website but that doesn't
seem to work. Could you suggest some correction to the below code or do
I need to change where I am putting the code in the first place?
def destroy
@user = User.find(params[:id])
if not user.role = 'admin'
@user.destroy
else
respond_to do |format|
format.html { redirect_to users_path,
notice: "#{@user.name} is an admin. You do not have
permission to delete this user" }
format.json { head :no_content }
end
end
mike
Mar 4, 2014, 3:48:28 PM3/4/14
to rubyonra...@googlegroups.com
IMO, this isn't good code. I recommend you look at railstutorial.org which has an online book. Chapters 6-9 give a very good tutorial on building user login functionality, how to insure only admins can delete users, and how to insure an admin can't delete themselves. As Ganesh posted above, generally before_actions are used in the controller instead of the language you have above to insure only admins can delete users.
I believe this tutorial is good because it builds authentication from the ground up (roll your own) and you learn the concepts. In practice, I don't usually do that because there are gems that are easier to use such as devise.
Good Luck.
Reply all
Reply to author
Forward
0 new messages