I’m trying to understand iteration E3:
The text reads “In the controller, we’ll modify the destroy() method to ensure that the user is deleting their own cart (think about it!)…” but the actual source code shown is:
    def destroy
      @cart.destroy
      session[:cart_id] = nil
      …
    end
Is this destroying any cart with the provided GET param? It seems to me like this would allow users to delete carts from others, since @cart is being defined from the GET param, but it might be my lack of in-depth Rails knowledge.
Should I be comparing the session id to the GET id prior to delete?
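Added example (not the book's code and not from the original post): a plain-Ruby stand-in for the Depot CartsController#destroy that compares the cart loaded from params[:id] against session[:cart_id] before destroying it. Rails is not loaded; the cart table, session and params are simulated as hashes, and ids are integers rather than the strings Rails would hand back.

```ruby
# Constructed in-memory "cart table", keyed by id (stands in for Cart.find).
CARTS = {
  1 => { id: 1, items: ["book"] },
  2 => { id: 2, items: ["ruby"] },
}

class CartsController
  attr_reader :notice

  # session and params are plain hashes here; Rails supplies them per request.
  def initialize(session, params)
    @session = session
    @params  = params
    # The book's before_action :set_cart loads the cart from the request id,
    # so @cart can be ANY cart the requester names, not the session's own.
    @cart = CARTS[@params[:id]]
  end

  # Shape of the code quoted in the question: whatever id arrived is destroyed.
  def destroy_unchecked
    CARTS.delete(@cart[:id])
    @session[:cart_id] = nil
    @notice = "Your cart is currently empty"
    :deleted
  end

  # Hardened form: only the cart whose id the session holds may be destroyed.
  def destroy
    if @cart && @cart[:id] == @session[:cart_id]
      CARTS.delete(@cart[:id])
      @session[:cart_id] = nil
      @notice = "Your cart is currently empty"
      :deleted
    else
      # Mismatch (or unknown id): leave the cart alone and report it.
      @notice = "That isn't your cart"
      :refused
    end
  end
end
```

An equivalent defence is to load the cart from session[:cart_id] instead of params[:id] so the request id is never trusted at all.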