

Treebook app - only the owner of a status should be able to see edit or delete links

Hi,

I recently finished the "Build a Simple Ruby on Rails Application" project tutorial and started the next project section, called "Building Social Features in Ruby on Rails". It seems that in the views (specifically the index and show views) all users can see 'edit' and 'delete' links for a status post. Putting a <% if user_signed_in? %> statement around the edit/delete links in the index and show views works for removing the links for non-signed-in users, but then any logged-in user could still see edit or delete links for any other user's statuses.

This may be covered in future courses so forgive me if I'm jumping ahead. The actual functionality of editing or deleting another user's status posts can be negated by adding the following to the create, edit and update methods "@status = current_user.statuses.find(params[:id])" ... but how can those edit and delete links only be shown to the owner of a given status?

Here is what the relevant part of my status index view currently looks like:

<% if user_signed_in? %>
  <span class="admin">
    | <%= link_to "Edit", edit_status_path(status) %> |
    <%= link_to "Delete", status, method: :delete, data: {confirm: "Are you sure you want to delete this status?"} %>
  </span>
<% end %>

4 Answers

I've not done this part of Rails yet, but am familiar with Devise, and it has a helper "current_user."

Just riffing, but I would suppose if you used:

<% if status.user == current_user %>

or

<% if user_signed_in? && status.user == current_user %>

you should be able to achieve the result of only the current user being able to edit or delete their own code. The latter code example is overkill, I suppose, because there is no current user if the user isn't signed in.

Hi Derrick!

Thank you for the help! Based on your suggestion I was able to use the following in the index view:

<% if status.user == current_user %>

and the following (almost the same) in the show view:

<% if @status.user == current_user %>

This seems to have solved the issue perfectly :)
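A self-contained Ruby sketch of the two layers the thread ends up with (the view-side ownership test and the controller-side `current_user.statuses.find(params[:id])` scoping), added here as an example and not code from the Treehouse course or from anyone in the thread; `User`, `Status`, `owner_of?`, `find_own_status` and `admin_links_for` are stand-ins I made up so it runs without Rails:

```ruby
# Plain-Ruby stand-ins for the Rails User and Status records (constructed here).
# Struct#== compares by value, so `status.user == current_user` behaves like the
# ActiveRecord comparison used in the view.
User   = Struct.new(:id, :full_name)
Status = Struct.new(:id, :user, :content)

class RecordNotFound < StandardError; end

# View-side check: render Edit/Delete only for the status owner. A signed-out
# visitor has current_user == nil, and nil never equals a User, so a separate
# user_signed_in? guard is redundant.
def owner_of?(status, current_user)
  !current_user.nil? && status.user == current_user
end

# The first suggestion in the thread compared a name String to a User object;
# that is never true, so the links would vanish even for the owner.
def buggy_owner_of?(status, current_user)
  status.user.full_name == current_user
end

# What the index view renders in its <span class="admin"> for one status.
def admin_links_for(status, current_user)
  owner_of?(status, current_user) ? ["Edit", "Delete"] : []
end

# Controller-side enforcement, mirroring current_user.statuses.find(params[:id]):
# the lookup is scoped to the signed-in user's own statuses, so a hand-crafted
# request carrying someone else's id raises instead of touching their post.
def find_own_status(statuses, current_user, id)
  raise RecordNotFound, "not signed in" if current_user.nil?
  statuses.find { |s| s.user == current_user && s.id == id } ||
    raise(RecordNotFound, "status #{id} does not belong to user #{current_user.id}")
end

# Constructed sample data.
ALICE    = User.new(1, "Alice Example")
BOB      = User.new(2, "Bob Example")
STATUSES = [Status.new(10, ALICE, "first post"), Status.new(11, BOB, "hello")]

if __FILE__ == $0
  STATUSES.each do |s|
    puts "#{s.user.full_name}'s status as seen by Alice: #{admin_links_for(s, ALICE).inspect}"
  end
  begin
    find_own_status(STATUSES, BOB, 10)
  rescue RecordNotFound => e
    puts "Bob editing Alice's status: #{e.message}"
  end
end
```

Hiding the links is a usability fix only; the scoped `find` is what actually stops a user who types another user's edit URL by hand.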

I too am wondering if this will be covered in the future lessons or if it is going to be left like this.

I'm in the Advanced portion and this has not been updated in any of the videos.