For authorize in application.rb, would it be safe to use “unless session[:user_id]” rather than “unless User.find_by_id(session[:user_id])” to check whether the user is logged in, or can the former be exploited somehow? Thank you.
Say the user was being a pest, and you wanted to stop them logging on. You could delete their row from the database. With the book’s code, that would mean that the authorize method would then fail for them. Only checking the session id would allow them to log in, but would then confuse the rest of the application as there’d be no user data there.
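The two checks side by side, as an added example that is not from the book or this thread: it stands in for Rails with an in-memory `User` stub and a plain session hash, and the method names are assumptions. It walks through the scenario in the answer, a user logs in and then has their row deleted.

```ruby
# Added example, not from the book or the thread. A tiny stand-in for the
# Rails pieces (an in-memory users "table" and a session hash) so it runs
# without Rails. The User stub and method names are assumptions.
class User
  ROWS = {}                          # id => User, stands in for the users table
  attr_reader :id, :name

  def initialize(id, name)
    @id, @name = id, name
  end

  def self.create(name)
    id = ROWS.size + 1
    ROWS[id] = new(id, name)
  end

  # Mirrors ActiveRecord's find_by_id: returns nil when no such row exists
  def self.find_by_id(id)
    ROWS[id]
  end

  def self.delete(id)
    ROWS.delete(id)
  end
end

# Variant 1: trusts the session alone. Passes whenever a user_id is present,
# even if that id no longer points at any row.
def authorized_by_session_only?(session)
  !session[:user_id].nil?
end

# Variant 2 (the book's approach): the id must still resolve to a row, so a
# deleted user is locked out on their next request.
def authorized_by_db_lookup?(session)
  !User.find_by_id(session[:user_id]).nil?
end

# Scenario from the answer: log in, then delete the row, then re-check.
def deleted_user_outcome
  user = User.create("pest")
  session = { user_id: user.id }      # what logging in leaves in the session
  before = [authorized_by_session_only?(session), authorized_by_db_lookup?(session)]
  User.delete(user.id)                # the admin removes the row
  after = [authorized_by_session_only?(session), authorized_by_db_lookup?(session)]
  { before: before, after: after }    # => { before: [true, true], after: [true, false] }
end
```

The session-only check keeps admitting the deleted user, and every later `User.find` on `session[:user_id]` would then come back empty, which is the confusion the answer describes.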