Preventing destroy action via a DELETE HTTP request submitted with jQuery

Hi folks,

Rails beginner here..

I have a users resource where I implemented a callback that's supposed
to prevent an admin user from deleting herself.

  before_filter :admin_no_delete, only: :destroy

    def admin_no_delete
      admin_id = current_user.id if current_user.admin?
      redirect_to users_path if params[:id] == admin_id
    end

If this looks familiar to some, it's from Michael Hartl's rails
tutorial, exercise #10 here
http://ruby.railstutorial.org/chapters/updating-showing-and-deleting-users?version=3.2#sec:updating_deleting_exercises

My (lame) test for this actually runs successfully

        describe "deleting herself should not be permitted" do
          before do
            delete user_path(admin)
          end
          it { should redirect_to(users_path) }
        end
      end

The test seems lame because I was able to go around it using jQuery to
delete the record being protected by the callback (using Web
Inspector’s javascript console):
      $.ajax({url: ‘http://localhost:3000/users/104’, type: ‘DELETE’,
success: function(result){alert(result)} })

Looking for ideas on how to prevent a DELETE HTTP request from
succeeding in this situation.. also any ideas on how to properly test
for this kind of situation?

Thanks.
rme

What was current_user when you did that? I note that your code will
only stop the admin user deleting herself, it will not stop another
user from deleting the admin user.

Colin

Thanks for replying, Colin.

I’ve got some corrections to this case… To sum it up, my mistake was in the comparison of the params :id element with current_user.id (String vs. FixNum)

Here’s the thread in SO with more details.

Thanks