Currently, in my app, I’ve discovered that if you intercept a packet about to

Question

0

Asked: May 23, 20262026-05-23T18:02:49+00:00 2026-05-23T18:02:49+00:00

Currently, in my app, I’ve discovered that if you intercept a packet about to

0

Currently, in my app, I’ve discovered that if you intercept a packet about to perform a delete command, you can change the ID to any id, and that object will get deleted, regardless if it belong to the person who made it or not.

So, my question is, is there a way to somehow make a global modification to the way destroy / delete works such that the current_user must own the item about to be deleted (or whatever other condition, as many apps are a bit more complicated than simple user ownership)

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-23T18:02:50+00:00

It is not a good idea to write global rule for destroy action. In the simplest way you just need to check access in your controllers:

class MyController < ApplicationController
  before_filter :access, :only => [:edit, :update, :destroy]

  ...

  private
  def access
    my_object = MyObject.find(params[:id])
    unless logged_in? && my_object.user == current_user
      render :template => "/error/401.html.erb", :status => 401
    end
  end
end

Also you should look into CanCan gem

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Currently, in my app, I’ve discovered that if you intercept a packet about to

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply