Preventing destroy action via a DELETE HTTP request submitted with jQuery

Hi folks,

Rails beginner here..

I have a users resource where I implemented a callback that's supposed
to prevent an admin user from deleting herself.

  before_filter :admin_no_delete, only: :destroy

    def admin_no_delete
      admin_id = if current_user.admin?
      redirect_to users_path if params[:id] == admin_id

If this looks familiar to some, it's from Michael Hartl's rails
tutorial, exercise #10 here

My (lame) test for this actually runs successfully

        describe "deleting herself should not be permitted" do
          before do
            delete user_path(admin)
          it { should redirect_to(users_path) }

The test seems lame because I was able to go around it using jQuery to
delete the record being protected by the callback (using Web
Inspector’s javascript console):
      $.ajax({url: ‘http://localhost:3000/users/104’, type: ‘DELETE’,
success: function(result){alert(result)} })

Looking for ideas on how to prevent a DELETE HTTP request from
succeeding in this situation.. also any ideas on how to properly test
for this kind of situation?


What was current_user when you did that? I note that your code will
only stop the admin user deleting herself, it will not stop another
user from deleting the admin user.


Thanks for replying, Colin.

I’ve got some corrections to this case… To sum it up, my mistake was in the comparison of the params :id element with (String vs. FixNum)

Here’s the thread in SO with more details.