High Leverage Rails
Introduction
Introduction to this course
Why use Ruby on Rails
Why use SQLite
Ruby on Rails + SQLite
Powering Your App with SQLite
Creating tables
Timestamps
Column types
Typeof
Ruby types
Creating table introduction
Creating table advanced
Inserting data
Updating data
Upserting data
Reading data
Virtual columns
Enums
Introduction to JSON
Indexing JSON
JSON table functions
Building a Modern Rails Application
Creating a new Rails application
Installing Solid Queue
Installing Solid Cache
Installing Solid Cable
Dockerfile
Application overview
Authentication
Base styles
Registration
Scaffolding posts
Polishing posts
Scaffolding comments
Polishing comments
Polishing models
Polishing controllers
Creating new post
Updating post
Reviewing MVP
Tagging posts
Custom tags
Friendly URLs
Full text search
Deploying & Operating Your App
Backups
Check Litestream locally
Verifying backups
Deployment options
Deploying with Hatchbox
Deployment constraints
Vertical scaling
Database access
Migrations
Locked video

Please purchase the course to watch this video.

Video thumbnail
Building a Modern Rails Application
Polishing posts

Full Course

$
129
USD
plus local taxes
HoneybadgerHoneybadger

Move fast and fix things

Application monitoring that helps developers get it done.

Hatchbox.ioHatchbox.io

Rails hosting made simple

Deploy apps to servers that you own and control.

Summary

Learn how to secure post management in Rails by restricting edits and deletions to post owners while keeping posts publicly viewable. This video covers implementing authentication checks, refining user permissions, and updating the UI to prevent unauthorized actions. By the end, you'll have a solid foundation for managing user-generated content securely in a Rails application.

Video Transcript

Now that we have posts set up in our application, it's time to refine the post resource so that it aligns perfectly with Lorem News’ specific needs.

Defining Our Requirements for Posts

I took some time to write out the expected behavior for posts in Lorem News:

  • Posts are publicly readable, but only authenticated users can create them.
  • Only the original author of a post can edit or delete it.
  • The homepage (root route) should display the 50 most recent posts.

We've made good progress, but there's still work to be done. Let’s jump into our Post controller and refine our logic.

Ensuring Public Access to Index and Show Actions

We want unauthenticated users to be able to:

  • View the homepage (list of posts)
  • View individual posts

But they should not be able to create, edit, or delete posts.

To allow this, we modify our Post controller to permit unauthenticated access only to index and show:

class PostsController < ApplicationController
  allow_unauthenticated_access only: [:index, :show]
end

This ensures that anyone can browse posts, but only signed-in users can interact beyond that.

Setting the Root Route to Show Recent Posts We also ensure that the homepage correctly displays the latest posts by modifying index to return the 50 most recent posts:

def index
  @posts = Post.order(created_at: :desc).limit(50)
end

Now, when we visit /, we see exactly what we want—a feed of the latest posts.

Restricting Post Editing and Deletion

Next, we need to prevent unauthorized users from modifying or deleting posts.

We update our Post controller to ensure that only the original author can perform edit, update, or destroy:

before_action :set_post, only: %i[ edit update destroy ]
allow_unathenticated_access only: %i[index show]

private

def set_post
  @post = Post.find(params.expect(:id))
  raise NotAuthorized unless @post.user == Current.user
end

Defining a Custom NotAuthorized Exception Since NotAuthorized isn’t a built-in Rails exception, we define it inside our ApplicationController:

class ApplicationController < ActionController::Base
  NotAuthorized = Class.new(StandardError)
end

This means:

  • If a user tries to edit or delete a post that isn't theirs, an exception is raised.
  • Only the post owner can make changes.

Hiding Edit/Delete Buttons for Unauthorized Users

Even though the server now prevents unauthorized actions, we should also hide the buttons in the UI to improve the user experience.

We update our post view (show.html.erb):

<% if @post.user == Current.user %>
  <%= link_to "Edit", edit_post_path(@post) %>
  <%= link_to "Delete", @post, method: :delete %>
<% end %>

This ensures:

  • Only the post owner sees the edit and delete buttons.
  • Unauthorized users won’t even know these options exist.

Finalizing and Committing Our Changes

With these changes, we now have:

  • Publicly readable posts
  • Authenticated users can create posts
  • Only the post owner can edit or delete a post
  • The homepage displays the latest posts

Let's commit everything.

Now that posts are working securely and correctly, our next step is to add comments to posts. Once we scaffold comments, we’ll focus on polishing the UI for an excellent user experience.