Letting the users delete cases

Deleting posts

Let's also give your app the ability to delete a case, if you don't want anyone to be able to access it anymore. Previously we destroyed (deleted) cases from the console, and now we will do it directly from your app.

First we need a delete link for each post we display. For this go to app/views/cases/index.html.erb and after the line that mentions the email of the author add this line:

<p> <%=link_to("Delete", case_path(c), method: :delete) %> </p>

This adds a link with the text Delete that points to the case_path of our case and sends the DELETE method to it.

Adding the controller action

If you save, refresh the browser page, and click on Delete, as usual when adding new functionality to our website you will get an error.

Let's define what action our posts controller should execute when clicking delete. In /app/controllers/cases_controller.rb type:

def destroy
  @case = Case.find(params[:id])
  @case.destroy
  redirect_to cases_path
end

Checking that everything works

Save everything and try adding and deleting posts in your app. Voilà!

Restricting access

We're getting close to the end of the first day, but before we finish there's one more thing to consider. We don't want anyone to be able to access everything stored in your app. For example, we would like to restrict the patients' personal data to authorized hospital staff.

Let's explore a few restriction scenarios and their solutions.

Using controller filters

First, you may not want people who are not logged into your app to view the cases. At this stage, if you open an incognito window in your browser and go to localhost:3000/cases you will still be able to see all the cases.

Opening the link in an incognito window in your browser allows you to use the application as an unauthenticated user. Thus, you can have one browser window where you are logged in and a window where you view your app as it is seen by the public.

To solve this, type at the very beginning of cases_controller.rb, before all the other actions:

before_action :authenticate_user!

before_action runs the named method before every action in this controller. :authenticate_user! is a Devise helper that checks whether someone is signed in. If nobody is, the visitor is redirected to the /users/sign_in page.

Restrict delete action to owners

A second case of restricting access is that you don't want users to delete other people's posts. The way we will do it is by showing the Delete button for each case only if the current_user is the user who created the case.

In /app/views/cases/index.html.erb change the line with the delete link with the following code:

<% if current_user == c.user %>
    <%=link_to("Delete", case_path(c), method: :delete) %>
<% end %>

The code above, in a Ruby tag that evaluates but outputs nothing (<% %>), checks whether current_user is equal to the user who created the case. If true, the block inside it outputs (<%= %>) the Delete link.

Checking that everything works

To check that it works, open an incognito window in your browser again, go to localhost:3000/users/sign_up and create a new account. When you visit the localhost:3000/cases page, there are no Delete links next to the posts that were created with your first account.

If you now create a case with the current user account, you will see a Delete link for it.
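Hiding the link only changes what the page shows; any signed-in user can still send DELETE /cases/:id with someone else's case id, so the same ownership check belongs in the controller. The following is an added example, not the tutorial's code, written in plain Ruby so it runs without Rails: a constructed in-memory store stands in for the Case model, and the hardened action looks the case up through the current user's own cases, which in the real controller would be @case = current_user.cases.find(params[:id]) (assuming User has_many :cases, so Rails answers 404 for another user's id).

```ruby
# Added example (not from the tutorial), runnable without Rails: the view
# hides the Delete link for non-owners, but the tutorial's controller still
# deletes whatever id the request carries. The scoped version fixes that.
User = Struct.new(:id, :email)
Case = Struct.new(:id, :user)

# Constructed in-memory table standing in for ActiveRecord.
class CaseStore
  def initialize(rows); @rows = rows.dup; end
  def destroy(kase);    @rows.delete(kase); end
  def ids;              @rows.map(&:id);    end

  # Case.find(params[:id]): any row, whoever owns it.
  def find(id)
    @rows.find { |c| c.id == id } or raise KeyError, "case #{id} not found"
  end

  # current_user.cases.find(params[:id]): only rows owned by this user.
  def find_owned(user, id)
    @rows.find { |c| c.id == id && c.user == user } or
      raise KeyError, "case #{id} not found for #{user.email}"
  end
end

# Mirrors the tutorial's destroy action: who is asking is never checked.
def destroy_unscoped(store, _current_user, id)
  store.destroy(store.find(id))
  :deleted
end

# Hardened: scope the lookup to the current user's own cases, so a request
# for another user's case is treated as not found instead of being deleted.
def destroy_scoped(store, current_user, id)
  store.destroy(store.find_owned(current_user, id))
  :deleted
rescue KeyError
  :not_found
end

# Constructed sample data: two signed-in users, one case each; the second
# user tries to delete the first user's case, then their own.
def demo
  alice = User.new(1, "alice@example.com")
  bob   = User.new(2, "bob@example.com")
  rows  = [Case.new(10, alice), Case.new(11, bob)]
  unscoped, scoped = CaseStore.new(rows), CaseStore.new(rows)
  { unscoped: destroy_unscoped(unscoped, bob, 10), unscoped_ids: unscoped.ids,
    scoped:   destroy_scoped(scoped, bob, 10),     scoped_ids:   scoped.ids,
    own:      destroy_scoped(scoped, bob, 11),     own_ids:      scoped.ids }
end
```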
