Hi folks,
Rails beginner here.
I have a users resource where I implemented a callback that's supposed to prevent an admin user from deleting herself.
    before_filter :admin_no_delete, only: :destroy

    def admin_no_delete
      admin_id = current_user.id if current_user.admin?
      redirect_to users_path if params[:id] == admin_id
    end
If this looks familiar to some, it's from Michael Hartl's Rails Tutorial, exercise #10 here: http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises
My (lame) test for this actually runs successfully:

    describe "deleting herself should not be permitted" do
      before do
        delete user_path(admin)
      end
      it { should redirect_to(users_path) }
    end
The test seems lame because I was able to go around it using jQuery to delete the record being protected by the callback (using Web Inspector's JavaScript console):

    $.ajax({url: 'http://localhost:3000/users/104', type: 'DELETE', success: function(result){alert(result)} })
Looking for ideas on how to prevent a DELETE HTTP request from succeeding in this situation. Also, any ideas on how to properly test for this kind of situation?
Thanks,
rme
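An added illustration (not from the post, not Rails code): a dependency-free Ruby model of the before_filter plus destroy flow above. It contrasts the posted comparison with a cast-to-Integer version and reports what the record looks like afterwards, which is what the spec needs to assert; the controller class, user id 104 and the second user are constructed for the example.

```ruby
User = Struct.new(:id, :admin)

class FakeUsersController
  attr_reader :users, :redirected_to, :current_user

  def initialize(users, current_user)
    @users = users               # Hash of id => User, standing in for the DB table
    @current_user = current_user
    @redirected_to = nil
  end

  # Simulates `delete user_path(id)`: Rails delivers params[:id] as a String.
  def delete(id, fixed: false)
    params = { id: id.to_s }
    halted = fixed ? admin_no_delete_fixed(params) : admin_no_delete(params)
    destroy(params) unless halted
    redirected_to
  end

  private

  # Filter as in the post: String params[:id] is never == to an Integer id, so it never halts.
  def admin_no_delete(params)
    admin_id = current_user.id if current_user.admin
    return false unless params[:id] == admin_id
    @redirected_to = :users_path
    true
  end

  # Corrected filter: cast to Integer before comparing, then halt the chain.
  def admin_no_delete_fixed(params)
    return false unless current_user.admin && params[:id].to_i == current_user.id
    @redirected_to = :users_path
    true
  end

  # destroy redirects to users_path as well, so a redirect-only spec cannot tell the two apart.
  def destroy(params)
    users.delete(params[:id].to_i)
    @redirected_to = :users_path
  end
end

# Admin (constructed id 104) sends DELETE for her own record; returns what a spec should check.
def self_delete_outcome(fixed:)
  admin = User.new(104, true)
  ctrl = FakeUsersController.new({ 104 => admin, 7 => User.new(7, false) }, admin)
  redirect = ctrl.delete(104, fixed: fixed)
  { redirect: redirect, admin_still_exists: ctrl.users.key?(104) }
end
```

Both variants redirect to users_path, so `should redirect_to(users_path)` passes either way; only an assertion on the record (for example `expect(User.exists?(admin.id))` or a `change(User, :count).by(0)` check) distinguishes them.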