My code for post controller is as follows. What I'm trying to do is user should be able to delete his own posts, and admin_user can delete any posts. The following code make admin_user can delete posts, but for normal user, when trying to delete his own post, it redirect to root_path
It seems do_authentication doesn't work properly, a normal user is trying to be authenticated as an admin instead of "correct_user"
What could be wrong?
Thanks!
class PostsController < ApplicationController
before_filter :signed_in_user, only: [:index, :create, :destroy]
before_filter :do_authentication, only: :destroy
.
.
.
def destroy
@post.destroy
flash[:success] = "Post deleted!"
redirect_back_or user_path(current_user)
end
private
def do_authentication
correct_user || admin_user
end
def correct_user
@post = current_user.posts.find_by_id(params[:id])
redirect_to user_path(current_user) if @post.nil?
end
def admin_user
@post = Post.find_by_id(params[:id])
redirect_to(root_path) unless current_user.admin?
end
First of all I would suggest using cancan for authorization. I think your problem is the return value of correct_user. You don't control that. If that method returns something that evaluates to false the do_authentication method will also call admin_user. Also looking at your code it seems that the admin authorization won't work also ...
try this: