Letting the users delete cases
Let's also give your app the ability to delete a case, if you don't want anyone to be able to access it anymore. Previously we destroyed (deleted) cases from the console, and now we will do it directly from your app.
Adding the delete link
First we need a delete link for each post we display. For this go to
app/views/cases/index.html.erb and after the line that mentions the email of the author add this line:
<p> <%=link_to("Delete", case_path(c), method: :delete) %> </p>
This adds a link with the text Delete, that will go to the
case_path of our
case and use on it the method
Adding the controller action
If you save, refresh the browser page, and click on Delete, as usual when adding new functionality to our website you will get an error.
Let's define what
action our posts controller should execute when clicking delete. In
def destroy @case = Case.find(params[:id]) @case.destroy redirect_to cases_path end
Checking that everything works
Save everything and try adding and deleting posts in your app. Voilà!
We're getting close to the end of the first day, but before we finish there's one more thing to consider. We don't want anyone to be able to access everything stored in your app. For example, we would like to restrict the patients personal data to authorized hospital staff.
Let's explore a few restriction scenarios and their solutions.
Using controller filters
First, you may not want people who are not logged into your app to view the cases. At this stage, if you open an incognito window in your browser and go to
localhost:3000/cases you will still be able to see all the cases.
Opening the link in an incognito window in your browser allows you to use the application as an unauthenticated user. Thus, you can have one browser window where you are logged in and a window where you view your app as it is seen by the public.
To solve this, type at the very beginning of
cases_controller.rb, before all the other actions:
before_action stops whatever Rails is doing.
:authenticate_user! is a
Devise instruction that tells Rails if anyone is signed in. If not, the user will be redirected to the
Restrict delete action to owners
A second case of restricting access is that you don't want users to delete other people's posts. The way we will do it is by showing the Delete button for each case only if the
current_user is the user who created the case.
/app/views/cases/index.html.erb change the line with the delete link with the following code:
<% if current_user == c.user %> <%=link_to("Delete", case_path(c), method: :delete) %> <% end %>
The code above, in a Ruby tag that doesn't return anything (
<% %>) checks if the
current_user is equal to the case's creator user. If true, the following block of code will display(
<%= %>) the Delete link.
Checking that everything works
To check if it works open again an incognito window in your browser, go to
localhost:3000/users/sign_up and create a new account. When you visit the
localhost:3000/cases page, there are no Delete links near the posts that were created with your first account.
If you now create a case with the current user account, you will see a Delete link for it.