Preventing destroy action via a DELETE HTTP request submitted with jQuery
35 views
Skip to first unread message
rme
Apr 4, 2012, 7:13:42 AM4/4/12
to Ruby on Rails: Talk
Hi folks,
Rails beginner here..
I have a users resource where I implemented a callback that's supposed
to prevent an admin user from deleting herself.
before_filter :admin_no_delete, only: :destroy
def admin_no_delete
admin_id = current_user.id if current_user.admin?
redirect_to users_path if params[:id] == admin_id
end
If this looks familiar to some, it's from Michael Hartl's rails
tutorial, exercise #10 here
http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
My (lame) test for this actually runs successfully
describe "deleting herself should not be permitted" do
before do
delete user_path(admin)
end
it { should redirect_to(users_path) }
end
end
The test seems lame because I was able to go around it using jQuery to
delete the record being protected by the callback (using Web
Inspector's javascript console):
$.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
success: function(result){alert(result)} })
Looking for ideas on how to prevent a DELETE HTTP request from
succeeding in this situation.. also any ideas on how to properly test
for this kind of situation?
Thanks.
rme
Rails beginner here..
I have a users resource where I implemented a callback that's supposed
to prevent an admin user from deleting herself.
before_filter :admin_no_delete, only: :destroy
def admin_no_delete
admin_id = current_user.id if current_user.admin?
redirect_to users_path if params[:id] == admin_id
end
If this looks familiar to some, it's from Michael Hartl's rails
tutorial, exercise #10 here
http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
My (lame) test for this actually runs successfully
describe "deleting herself should not be permitted" do
before do
delete user_path(admin)
end
it { should redirect_to(users_path) }
end
end
The test seems lame because I was able to go around it using jQuery to
delete the record being protected by the callback (using Web
Inspector's javascript console):
$.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
success: function(result){alert(result)} })
Looking for ideas on how to prevent a DELETE HTTP request from
succeeding in this situation.. also any ideas on how to properly test
for this kind of situation?
Thanks.
rme
Colin Law
Apr 4, 2012, 5:12:02 PM4/4/12
to rubyonra...@googlegroups.com
What was current_user when you did that? I note that your code will
only stop the admin user deleting herself, it will not stop another
user from deleting the admin user.
Colin
rme
Apr 4, 2012, 9:31:31 PM4/4/12
to rubyonra...@googlegroups.com
Thanks for replying, Colin.
On Thursday, April 5, 2012 5:12:02 AM UTC+8, Colin Law wrote:
I've got some corrections to this case... To sum it up, my mistake was in the comparison of the params :id element with current_user.id (String vs. FixNum)
Here's the thread in SO with more details.
Thanks
On Thursday, April 5, 2012 5:12:02 AM UTC+8, Colin Law wrote:
Reply all
Reply to author
Forward
0 new messages