Rails devise Deletes user from database after logout

Question

I have a problem with my devise gem. When I log out with a user, devise deletes my user out of my mysql database. I recognized this error first on yesterday, before it was working. I don't remember what register and login is also still possible.

User Controller

class UsersController < ApplicationController
def show
@user = User.find(params[:id])

respond_to do |format|
  format.html # show.html.erb
  format.json { render json: @user }
end
end

def destroy
@user = User.find(params[:id2])
  @user.destroy
respond_to do |format|
    format.html { redirect_to root_url}

end
end

end

Logout-Link

<%= link_to  " Logout", destroy_user_session_path(:id2 => current_user.id), :class => "btn  btn-danger icon-share-alt ",:style=>"font-family: FontAwesome;font-weight: bold;color:black", :method => :delete  %> 

User Model

class User < ActiveRecord::Base
rolify
belongs_to :ressourcen

devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable

attr_accessible :vorname, :nachname, :email, :password, :password_confirmation, :roleid,:id

validates :email, :uniqueness => true

Answer 1

That seems really weird. If devise and routes are setup in a default way, I can't see how this should happen. What does:

rake routes

show you for destroy_user_session_path? If you haven't overridden devise's SessionsController, and haven't changed devise's routes, the only entry for destroy_user_session should look something like this:

destroy_user_session  DELETE  /users/sign_out(.:format)  devise/sessions#destroy

It definitely shouldn't be going to your UsersController at all. It should be going to devise's SessionsController.

In any case, this logout link works for me:

<%= link_to "Sign out", destroy_user_session_path, :method => :delete %>

destroy_user_session_path shouldn't need the user id. It's only destroying the user in the session, so there is no need for an id.

UPDATE:

When you log out, what page are you returned to? If you haven't defined the SessionsController yourself and haven't overridden after_sign_out_path(), it should try to return to root_path. If you don't have root defined in your routes, it will return to "/". Can you confirm from your log file (e.g. development.log) exactly what happens when you click on the 'logout' link? Which actions are called and when/what SQL queries are called? Just when you click on the link, not when you later browse to look at users. Also, what does the devise_for line in your routes.rb look like? It's worth digging in to exactly what is happening when you only click on the logout link.

As far as I know the only thing inside devise which could delete a user from the database is RegistrationsController.destroy() which would be called if a DELETE request was sent to /users (with no id). It would find the currently-logged-in user from the session (which is why it doesn't need an id) and destroy them. In the standard devise views, it looks like this can only be called from devise/registrations/edit.html.erb and presumably you aren't doing this.

Answer 2

Try replacing this:

destroy_user_session_path

with this:

destroy_session_path(:user_id => current_user.id)

And than in SessionsController destroy your session. This way you are destroying your user every time someone click on logout link.

Answer 3

Did you customize/override the devise sessions controller?

If not your logout link should probably look like this:

<%= link_to  " Logout", destroy_user_session_path, :class => "btn  btn-danger icon-share-alt ",:style=>"font-family: FontAwesome;font-weight: bold;color:black", :method => :delete  %> 

Devise doesn't know what the :id2 param is.