Jiyda Moussa

Reputation: 925

Allow current user to delete their account

I have a user model and I would like to allow a logged-in user to delete their account completely. I was able to allow an admin user to delete other users, but for a user to delete their own account it did not work! What am I doing wrong?

users_controller.rb

class UsersController < ApplicationController
  before_filter :signed_in_user,
                only: [:index, :edit, :update, :destroy, :following, :followers]
  before_filter :correct_user,   only: [:edit, :update, :destroy]
  before_filter :admin_user,     only: :destroy

  def index
    @users = User.paginate(page: params[:page])
  end

  def show
    @user = User.find(params[:id])
    @microposts = @user.microposts.paginate(page: params[:page])
  end

  def new
    @user = User.new
  end

  def create
    @user = User.new(params[:user])
    if @user.save
      sign_in @user
      flash[:success] = "Welcome to the Course Management System!"
      redirect_to @user
    else
      render 'new'
    end
  end

  def edit
  end

  def update
    if @user.update_attributes(params[:user])
      flash[:success] = "Profile updated"
      sign_in @user
      redirect_to @user
    else
      render 'edit'
    end
  end

  def destroy
    User.find(params[:id]).destroy
    flash[:success] = "User destroyed."
    redirect_to users_url
  end

  def following
    @title = "Following"
    @user = User.find(params[:id])
    @users = @user.followed_users.paginate(page: params[:page])
    render 'show_follow'
  end

  def followers
    @title = "Followers"
    @user = User.find(params[:id])
    @users = @user.followers.paginate(page: params[:page])
    render 'show_follow'
  end

  private

  def correct_user
    @user = User.find(params[:id])
    redirect_to(root_url) unless current_user?(@user)
  end

  def admin_user
    redirect_to(root_url) unless current_user.admin?
  end
end

_user.html.erb

<li>
  <%= gravatar_for user, size: 52 %>
  <%= link_to user.name, user %>

  <% if current_user?(user) %>
    | <%= link_to "delete", user, method: :delete %>
  <% end %>

  <% if current_user.admin? && !current_user?(user) %>
    | <%= link_to "delete", user, method: :delete,
                                  data: { confirm: "You sure?" } %>
  <% end %>
</li>

Now, when I hit "delete", it just redirects me to the homepage without deleting the user. When I am an admin though, I can delete other users with no problem.

Upvotes: 2

Views: 797

Answers (3)

epicrato

Reputation: 8408

class UsersController < ApplicationController
  before_action :correct_user, only: [:edit, :update, :destroy]

  # .
  # .
  # .

  def destroy
    @user = User.find(params[:id])

    # if current user is deleting his/herself whether or not he/she is admin
    if current_user?(@user)
      @user.destroy
      flash[:success] = 'Your account has been destroyed forever.'
      redirect_to root_url

    # if current_user is admin and is deleting anybody
    elsif current_user.admin?
      @user.destroy
      flash[:success] = 'User deleted.'
      redirect_to users_url

    # somebody non admin is trying to delete somebody else
    # this is supposed to never happen due to before_action :correct_user
    else
      flash[:danger] = "You can't delete somebody else's account."
      redirect_to root_url
    end
  end

  # .
  # .
  # .

  private

    def correct_user
      @user = User.find(params[:id])
      redirect_to(root_url) unless current_user?(@user) || current_user.admin?
    end
end

Upvotes: 0

Ashutosh Tiwari

Reputation: 998

Look at your filters in your controller.

before_filter :admin_user, only: :destroy

I think you are checking that a user should be admin to delete the record. A normal user is not admin, so he is not able to delete his account.
Check your logs; this filter will be halting execution.

Upvotes: 1

Esse

Reputation: 3298

You have a before_filter that prevents a non-admin user from reaching the destroy action.

Remove line:

before_filter :admin_user,     only: :destroy

Upvotes: 2
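Added example, not code from the question or any of the answers: a plain-Ruby model of the filter chain in the question's controller, showing why two before_filters on the same action compose as AND (so a non-admin deleting their own account is halted by admin_user, as the last two answers say) and how the single correct-or-admin filter from the first answer fixes it. The User struct, the lambdas and the sample users are constructed for this demonstration and need no Rails.

```ruby
# Minimal stand-in for the User model (constructed for this example).
User = Struct.new(:id, :admin)

# Run a chain of before filters. Each filter returns true to continue or
# false to halt (the redirect_to case in the controller). Rails requires
# every filter in the chain to pass, so chained filters act as AND.
# Returns [:allowed, nil] or [:denied, <name of the halting filter>].
def run_filters(filters, current_user, target)
  filters.each do |name, check|
    return [:denied, name] unless check.call(current_user, target)
  end
  [:allowed, nil]
end

# The question's two filters, as predicates.
CORRECT_USER = ->(cu, target) { cu.id == target.id }
ADMIN_USER   = ->(cu, _target) { cu.admin }

# The first answer's fix: one filter that allows the owner OR an admin.
CORRECT_OR_ADMIN = ->(cu, target) { cu.id == target.id || cu.admin }

# Filter chain applied to :destroy in the question (correct_user AND admin_user).
ORIGINAL_DESTROY_FILTERS = [[:correct_user, CORRECT_USER], [:admin_user, ADMIN_USER]]
# Corrected chain: a single filter, self-deletion or admin deletion.
FIXED_DESTROY_FILTERS    = [[:correct_user, CORRECT_OR_ADMIN]]

# Convenience wrapper returning just :allowed or :denied.
def destroy_decision(filters, current_user, target)
  run_filters(filters, current_user, target).first
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, false)  # constructed sample: ordinary user
  bob   = User.new(2, false)  # constructed sample: another ordinary user
  root  = User.new(3, true)   # constructed sample: admin
  [[alice, alice], [alice, bob], [root, bob]].each do |cu, target|
    orig  = run_filters(ORIGINAL_DESTROY_FILTERS, cu, target)
    fixed = run_filters(FIXED_DESTROY_FILTERS, cu, target)
    puts "user #{cu.id} deleting user #{target.id}: original=#{orig.inspect} fixed=#{fixed.inspect}"
  end
end
```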
