Letting the users delete cases
Deleting posts
Let's also give your app the ability to delete a case, if you don't want anyone to be able to access it anymore. Previously we destroyed (deleted) cases from the console, and now we will do it directly from your app.
Adding the delete link
First we need a delete link for each case we display. For this, go to app/views/cases/index.html.erb and, after the line that mentions the email of the author, add this line:
<p> <%=link_to("Delete", case_path(c), method: :delete) %> </p>
This adds a link with the text Delete that goes to the case_path of our case and uses the HTTP method delete on it.
Adding the controller action
If you save, refresh the browser page, and click on Delete, you will get an error, as usual when adding new functionality to our website.
Let's define what action our cases controller should execute when clicking Delete. In /app/controllers/cases_controller.rb type:
def destroy
  @case = Case.find(params[:id])
  @case.destroy
  redirect_to cases_path
end
Checking that everything works
Save everything and try adding and deleting cases in your app. Voilà!
Restricting access
We're getting close to the end of the first day, but before we finish there's one more thing to consider. We don't want anyone to be able to access everything stored in your app. For example, we would like to restrict the patients' personal data to authorized hospital staff.
Let's explore a few restriction scenarios and their solutions.
Using controller filters
First, you may not want people who are not logged into your app to view the cases. At this stage, if you open an incognito window in your browser and go to localhost:3000/cases you will still be able to see all the cases.
Opening the link in an incognito window in your browser allows you to use the application as an unauthenticated user. Thus, you can have one browser window where you are logged in and a window where you view your app as it is seen by the public.
To solve this, type at the very beginning of cases_controller.rb, before all the other actions:
before_action :authenticate_user!
before_action runs the named method before every action in this controller. :authenticate_user! is a Devise helper that checks whether anyone is signed in. If nobody is, the request is halted and the user is redirected to the /users/sign_in page.
Restrict delete action to owners
A second case of restricting access is that you don't want users to delete other people's cases. The way we will do it is by showing the Delete button for each case only if the current_user is the user who created the case.
In /app/views/cases/index.html.erb replace the line with the delete link with the following code:
<% if current_user == c.user %>
  <%= link_to("Delete", case_path(c), method: :delete) %>
<% end %>
The code above, inside a Ruby tag that outputs nothing (<% %>), checks whether current_user is equal to the case's creator. Only if that is true is the block inside it rendered, and the output tag (<%= %>) displays the Delete link.
Checking that everything works
To check if it works, open an incognito window in your browser again, go to localhost:3000/users/sign_up and create a new account. When you visit the localhost:3000/cases page, there are no Delete links next to the cases that were created with your first account.
If you now create a case with the current user account, you will see a Delete link for it.
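One caveat on the "Restrict delete action to owners" step: the if in the view only hides the link, while the destroy action still finds the case by id alone, so a DELETE request for someone else's case would still be carried out. The added example below (not part of this tutorial) goes one step further than the text: it uses plain-Ruby stand-ins for the Rails model and controller, so it runs without Rails, and shows the tutorial's destroy beside a version that looks the case up through the signed-in user's own cases (the equivalent of current_user.cases.find(params[:id])), so that a request for a case the user does not own raises RecordNotFound and deletes nothing. User, CaseRecord, CaseTable and the sample rows are constructed for the example.

```ruby
# Added example, not from the tutorial: plain-Ruby stand-ins for the Rails pieces.
# Hiding the Delete link is a display choice; the controller must enforce ownership.
User       = Struct.new(:id, :email)
CaseRecord = Struct.new(:id, :user_id)

class RecordNotFound < StandardError; end

# In-memory table standing in for the Case model (constructed, not ActiveRecord).
class CaseTable
  attr_reader :rows

  def initialize(rows)
    @rows = rows.dup
  end

  # Like Case.find(id): looks a case up by id only, regardless of who is asking.
  def find(id)
    @rows.find { |c| c.id == id } or raise RecordNotFound, "case #{id}"
  end

  # Like current_user.cases.find(id): the same lookup, limited to the caller's own rows.
  def find_owned(id, user)
    @rows.find { |c| c.id == id && c.user_id == user.id } or raise RecordNotFound, "case #{id}"
  end

  def destroy(record)
    @rows.delete(record)
  end
end

# Mirrors the view condition: the Delete link is rendered only for the case's creator.
def show_delete_link?(current_user, c)
  current_user.id == c.user_id
end

# The tutorial's destroy action: deletes whatever id arrives in params.
def destroy_unscoped(table, params)
  table.destroy(table.find(params[:id]))
  :redirect_to_cases
end

# Hardened destroy action: a DELETE for a case the signed-in user does not own
# raises RecordNotFound (Rails answers with 404) and nothing is deleted.
def destroy_scoped(table, current_user, params)
  table.destroy(table.find_owned(params[:id], current_user))
  :redirect_to_cases
end

# Constructed sample data: case 10 belongs to alice (id 1), case 11 to bob (id 2).
ALICE = User.new(1, "alice@example.com")
BOB   = User.new(2, "bob@example.com")
def sample_table = CaseTable.new([CaseRecord.new(10, 1), CaseRecord.new(11, 2)])
```

Calling destroy_unscoped with bob signed in still removes alice's case 10 even though bob never sees the link; destroy_scoped raises for bob and succeeds only for alice.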