Jonathan Bowman - 1 month ago 42
Ruby Question

Rails and ActiveAdmin before_destroy Isn't Stopping the Destroy Action

Using Rails 4.2.4 and ActiveAdmin 1.0.0.pre4.

From the ActiveAdmin User dashboard, I need to check whether or not a user has permission to delete another user when they click the default Delete link AA provides. This is what I currently have in app/admin/user.rb:

controller do

  before_destroy :check_if_user_can_destroy

  def check_if_user_can_destroy(resource)
    if current_user == resource || current_user.level < resource.level
      puts "plz stop"
      return false
    end
  end

end


The text "plz stop" gets outputted to the console when I delete someone I shouldn't be able to, but the delete action happens anyways and the user gets zapped.

From what I've read, returning false in a before action should stop the subsequent action from running, is that not correct?




UPDATE 1

I changed things around and wound up with this, which seems to work...but I don't trust it yet for some reason. Am I good? Any glaring "gotchas" in doing this?

Still in app/admin/user.rb, of course:

controller do

  def destroy
    if current_user == resource || current_user.level < resource.level
      redirect_to "/admin/users"
    else
      resource.destroy
    end
  end

end

Answer

before_destroy can't abort a destroy; it only runs code before the destroying. It is there, for example, to send a notice mail or something like that.

Your overwrite is safe for work!

But what you do in the overwrite is much better placed in an authentication system (for example cancancan or pundit). Here you find how to use them in ActiveAdmin.
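
The answer's suggestion to move the check out of the controller action, as an added example in plain Ruby (not code from the question, the answer, or ActiveAdmin): a policy object in the style Pundit uses, carrying the rule from the question and denying by default. It goes one step past the question by also covering a bulk delete; the `User` struct, `NotAuthorizedError`, `destroy_user!` and `destroy_users!` are assumptions made so it runs without Rails.

```ruby
# Constructed stand-in for the User model (an ActiveRecord class in the real app).
User = Struct.new(:id, :level, :destroyed) do
  def destroy
    self.destroyed = true
  end
end

class NotAuthorizedError < StandardError; end

# Pundit-style policy: the single place that answers "may actor delete record?".
class UserPolicy
  attr_reader :actor, :record

  def initialize(actor, record)
    @actor = actor
    @record = record
  end

  # Rule from the question: no self-deletion, no deleting a higher level.
  # Anything unexpected (nobody signed in, missing level) is denied.
  def destroy?
    return false if actor.nil? || record.nil?
    return false if actor.level.nil? || record.level.nil?
    return false if actor.id == record.id
    actor.level >= record.level
  end
end

# Hypothetical helper: each deletion path calls this instead of record.destroy,
# so a new path cannot skip the check by forgetting to copy the condition.
def destroy_user!(actor, record)
  unless UserPolicy.new(actor, record).destroy?
    raise NotAuthorizedError, "delete of user #{record&.id.inspect} denied"
  end
  record.destroy
end

# Bulk path: check every target first, so one denial leaves all records untouched.
def destroy_users!(actor, records)
  denied = records.reject { |r| UserPolicy.new(actor, r).destroy? }
  unless denied.empty?
    raise NotAuthorizedError, "denied for ids #{denied.map { |r| r&.id }.inspect}"
  end
  records.each(&:destroy)
end
```

With Pundit installed, the same `destroy?` method would live in `app/policies/user_policy.rb`, and ActiveAdmin consults the policy once `config.authorization_adapter = ActiveAdmin::PunditAdapter` is set in its initializer.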
