12 Jul 2013, 14:38

Aaron Holmes (2 posts)

Hello All,

I’m trying to understand iteration E3:

The text reads “In the controller, we’ll modify the destroy() method to ensure that the user is deleting their own cart (think about it!)…” but the actual source code shown is:

def destroy
  @cart.destroy
  session[:cart_id] = nil
  …
end

Is this destroying any cart with the provided GET param? It seems to me like this would allow users to delete carts from others, since @cart is being defined from the GET param, but it might be my lack of in-depth Rails knowledge.

Should I be comparing the session id to the get id prior to delete?

Thanks! Aaron

12 Jul 2013, 15:09

Sam Ruby (584 posts)

Congratulations! You’ve found a bug!

Easiest fix is as follows:

def destroy
  @cart.destroy if @cart.id == session[:cart_id]
  session[:cart_id] = nil
  ...
end
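To see why the one-line condition matters, here is an added example (not the book's code and not from either post) that stands in for the Rails pieces with plain Ruby: a `Cart` struct for the model, a `CartStore` for `Cart.find`, and hashes for `params` and `session`. It runs the unchecked `destroy` beside Sam's fix against a cart that belongs to a different session.

```ruby
# Added example, not code from the book or the forum posts: a plain-Ruby
# stand-in for the Rails parts (model, params, session) so the ownership
# check can be exercised without a Rails app. All names are constructed.

Cart = Struct.new(:id, :destroyed) do
  def destroy
    self.destroyed = true
  end
end

# Stand-in for Cart.find: looks up by id, raises when absent (as ActiveRecord does).
class CartStore
  def initialize(carts)
    @carts = carts.map { |c| [c.id, c] }.to_h
  end

  def find(id)
    @carts.fetch(id) { raise KeyError, "cart #{id} not found" }
  end
end

class CartsController
  def initialize(store, session, params)
    @session = session
    # Mirrors the callback that sets @cart from params[:id]: whatever id the
    # client puts in the URL is loaded, with no ownership check at this point.
    @cart = store.find(params[:id])
  end

  # Before the fix: destroys whichever cart the URL names.
  def destroy_unchecked
    @cart.destroy
    @session[:cart_id] = nil
  end

  # Sam's fix: destroy only when the cart is the one recorded in this session.
  # session[:cart_id] is still cleared either way, exactly as in the fix above.
  def destroy
    @cart.destroy if @cart.id == @session[:cart_id]
    @session[:cart_id] = nil
  end
end

# Returns true when the cart named in the request ended up destroyed.
def cart_destroyed?(fixed:, session_cart_id:, requested_id:)
  carts = [session_cart_id, requested_id].uniq.map { |id| Cart.new(id, false) }
  store = CartStore.new(carts)
  controller = CartsController.new(store, { cart_id: session_cart_id }, { id: requested_id })
  fixed ? controller.destroy : controller.destroy_unchecked
  store.find(requested_id).destroyed
end
```

With the unchecked version, a request for cart 2 from a session that owns cart 1 destroys cart 2; with the fix it is left alone, while a request for the session's own cart still succeeds.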

12 Jul 2013, 16:46

Aaron Holmes (2 posts)

Thanks Sam! I’m enjoying the book :)