rme
2012-Apr-04 11:13 UTC
Preventing destroy action via a DELETE HTTP request submitted with jQuery
Hi folks,

Rails beginner here.. I have a users resource where I implemented a callback that's supposed to prevent an admin user from deleting herself.

    before_filter :admin_no_delete, only: :destroy

    def admin_no_delete
      admin_id = current_user.id if current_user.admin?
      redirect_to users_path if params[:id] == admin_id
    end

If this looks familiar to some, it's from Michael Hartl's rails tutorial, exercise #10 here:
http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises

My (lame) test for this actually runs successfully:

    describe "deleting herself should not be permitted" do
      before do
        delete user_path(admin)
      end
      it { should redirect_to(users_path) }
    end

The test seems lame because I was able to go around it using jQuery to delete the record being protected by the callback (using Web Inspector's javascript console):

    $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
            success: function(result){alert(result)} })

Looking for ideas on how to prevent a DELETE HTTP request from succeeding in this situation.. also any ideas on how to properly test for this kind of situation?

Thanks.
rme

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Colin Law
2012-Apr-04 21:12 UTC
Re: Preventing destroy action via a DELETE HTTP request submitted with jQuery
On 4 April 2012 12:13, rme <rhojel.echano-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi folks,
>
> Rails beginner here..
>
> I have a users resource where I implemented a callback that's supposed
> to prevent an admin user from deleting herself.
>
>     before_filter :admin_no_delete, only: :destroy
>
>     def admin_no_delete
>       admin_id = current_user.id if current_user.admin?
>       redirect_to users_path if params[:id] == admin_id
>     end
>
> If this looks familiar to some, it's from Michael Hartl's rails
> tutorial, exercise #10 here
> http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
>
> My (lame) test for this actually runs successfully
>
>     describe "deleting herself should not be permitted" do
>       before do
>         delete user_path(admin)
>       end
>       it { should redirect_to(users_path) }
>     end
>
> The test seems lame because I was able to go around it using jQuery to
> delete the record being protected by the callback (using Web
> Inspector's javascript console):
>
>     $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
>             success: function(result){alert(result)} })

What was current_user when you did that? I note that your code will only stop the admin user deleting herself, it will not stop another user from deleting the admin user.

Colin
rme
2012-Apr-05 01:31 UTC
Re: Preventing destroy action via a DELETE HTTP request submitted with jQuery
Thanks for replying, Colin. I've got some corrections to this case...

To sum it up, my mistake was in the comparison of the params :id element with current_user.id (String vs. FixNum). Here's the thread in SO with more details:
http://stackoverflow.com/questions/10010078/how-to-prevent-a-delete-http-request-from-succeeding-in-this-situation/10011656#10011656

Thanks

On Thursday, April 5, 2012 5:12:02 AM UTC+8, Colin Law wrote:
> On 4 April 2012 12:13, rme <xxx-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Hi folks,
> >
> > Rails beginner here..
> >
> > I have a users resource where I implemented a callback that's supposed
> > to prevent an admin user from deleting herself.
> >
> >     before_filter :admin_no_delete, only: :destroy
> >
> >     def admin_no_delete
> >       admin_id = current_user.id if current_user.admin?
> >       redirect_to users_path if params[:id] == admin_id
> >     end
> >
> > If this looks familiar to some, it's from Michael Hartl's rails
> > tutorial, exercise #10 here
> > http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
> >
> > My (lame) test for this actually runs successfully
> >
> >     describe "deleting herself should not be permitted" do
> >       before do
> >         delete user_path(admin)
> >       end
> >       it { should redirect_to(users_path) }
> >     end
> >
> > The test seems lame because I was able to go around it using jQuery to
> > delete the record being protected by the callback (using Web
> > Inspector's javascript console):
> >
> >     $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE',
> >             success: function(result){alert(result)} })
>
> What was current_user when you did that? I note that your code will
> only stop the admin user deleting herself, it will not stop another
> user from deleting the admin user.
>
> Colin
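The String-vs-Fixnum mismatch rme identifies in the last post, worked through as an added example (not code from this thread, the Stack Overflow answer, or the Rails Tutorial). It is a Rails-free model of the before_filter: the filter as posted beside a corrected one, a stand-in for the destroy action, and a scenario that reports whether the protected row survived, which is the assertion the posted spec lacked. `User`, `sample_users`, `destroy_action` and `self_delete_attempt` are hypothetical stand-ins for the controller, model and request; the sample users are constructed data.

```ruby
# Added example, not code from the thread or from the Rails Tutorial.
# A Rails-free model of the before_filter under discussion, showing why
# `params[:id] == admin_id` never matches and how the corrected comparison
# behaves. User, sample_users, destroy_action and self_delete_attempt are
# hypothetical stand-ins for the controller, model and request.

User = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end

# Constructed sample data standing in for the users table.
def sample_users
  { 1 => User.new(1, true), 104 => User.new(104, false) }
end

# The filter as posted. Rails hands the :id segment of the URL over as a
# String, whether the request came from a form, link_to, or $.ajax, while
# current_user.id is an Integer (Fixnum on Ruby 1.9). "1" == 1 is false,
# so the redirect never fires and the admin can delete herself.
def buggy_admin_no_delete(params, current_user)
  admin_id = current_user.id if current_user.admin?
  params["id"] == admin_id ? :redirect : :proceed
end

# Corrected filter: compare like with like. Converting the Integer to a
# String is chosen over params["id"].to_i because to_i is lenient
# ("1abc".to_i == 1) and would quietly accept a malformed id.
def fixed_admin_no_delete(params, current_user)
  return :proceed unless current_user.admin?
  params["id"] == current_user.id.to_s ? :redirect : :proceed
end

# Stand-in for the destroy action: run the filter, and only touch the
# table if it did not redirect. Returns :redirect, :destroyed or :not_found.
def destroy_action(users, params, current_user, filter)
  return :redirect if filter.call(params, current_user) == :redirect
  users.delete(params["id"].to_i) ? :destroyed : :not_found
end

# Simulate the signed-in admin (id 1) sending DELETE /users/1, the same
# request $.ajax({url: '/users/1', type: 'DELETE'}) from the console produces.
# Returns [action result, whether the admin row still exists]; a spec
# should assert on both, not on the redirect alone.
def self_delete_attempt(filter)
  users = sample_users
  admin = users[1]
  params = { "id" => "1" }
  result = destroy_action(users, params, admin, filter)
  [result, users.key?(admin.id)]
end

if __FILE__ == $0
  p self_delete_attempt(method(:buggy_admin_no_delete)) # => [:destroyed, false]
  p self_delete_attempt(method(:fixed_admin_no_delete)) # => [:redirect, true]
end
```

The scenario makes the bypass visible: with the posted comparison the admin's own row is gone after the request, while the corrected filter redirects and leaves it in place. As Colin points out, neither version stops a different signed-in user from deleting the admin; that is a separate policy decision and would need its own check.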