Hi,
I am looking for a clean and secure way for an ActiveRecord instance to delete itself. Say I have a User model in my app. Then the destructive action would be /users/user_id/destroy. If this action is not secured by a filter like:
(*) before_filter :check_administrator_role, :only => :destroy
then any user could potentially log in and start issuing:
    /users/1/destroy
    /users/2/destroy
    . . .
    /users/n/destroy
But I want to give a User the possibility to delete [him|her]self. Currently the only way I can think of it is this:
1) Remove the filter (*)
2) Re-code the destroy method so:

    def destroy
      @user = User.find(params[:id])
      # Allow the action only when the caller is the target user or an administrator
      if logged_in_user == @user or logged_in_user.has_role?('administrator')
        if @user.destroy
          flash[:notice] = "User deleted"
        else
          flash[:error] = "There was a problem deleting this user."
        end
      end
      # Note: an unauthorized caller falls through to the redirect with no flash message
      redirect_to :action => 'index'
    end
But, is this the best way to do it?
Thanks in advance, Vahagn
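The self-or-admin rule from the question, as an added example that is not part of the original post: the check is pulled into a policy method that can be unit tested, and the controller action is modelled in plain Ruby so it runs without Rails. The User struct, the in-memory USERS table and the explicit DELETE-method check (standing in for routing the destroy action to DELETE only) are assumptions of this example.

```ruby
# Added example, not from the original post: self-or-admin authorization for
# destroying a user record, modelled without Rails so it runs stand-alone.
# User and USERS are constructed stand-ins for the ActiveRecord model/table.
User = Struct.new(:id, :roles) do
  def has_role?(name)
    roles.include?(name)
  end
end

# Constructed in-memory users table: id 1 is an administrator.
USERS = {
  1 => User.new(1, ['administrator']),
  2 => User.new(2, []),
  3 => User.new(3, []),
}

# The authorization rule from the question, isolated for testing:
# a user may destroy their own record; administrators may destroy any record.
def can_destroy?(actor, target)
  return false if actor.nil? || target.nil?
  actor.id == target.id || actor.has_role?('administrator')
end

# Plain-Ruby model of the controller's destroy action. Returns the status and
# flash the action would produce and only mutates USERS when authorized.
# The http_method check stands in for routing destroy to DELETE only, so a
# plain link or crawler issuing GET /users/1/destroy cannot delete anything.
def destroy_user(actor, id, http_method: 'DELETE')
  return { status: :method_not_allowed, flash: nil } unless http_method == 'DELETE'
  target = USERS[id]
  return { status: :not_found, flash: nil } if target.nil?
  # Decide from the logged-in user, never from a client-supplied id or role.
  unless can_destroy?(actor, target)
    return { status: :forbidden, flash: { error: 'Not authorized to delete this user' } }
  end
  USERS.delete(id)
  { status: :redirect, flash: { notice: 'User deleted' } }
end
```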