Building off of an existing question that walks through how to require a password to delete a user account using the Ruby gem Devise's destroy_with_password.
My destroy action looks like this:
def destroy
@user = User.find(current_user.id)
if @user.destroy_with_password(user_params)
redirect_to root_url, notice: "User deleted."
else
redirect_to root_url
flash[:notice] = "Couldn't delete"
end
end
def user_params
params.require(:user).permit(:first_name, :last_name, :password,
:password_confirmation, :current_password... (etc) )
end
and the form:
<%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :delete }) do |f| %>
<%= f.password_field :current_password, autocomplete: "off" %>
<%= f.button :submit %>
<% end %>
The redirect works, but it redirects even when the correct password is inputted without deleting the account.
I run binding.pry, and @user.destroy_with_password(user_params) always returns false.
If I open user_params this is what is returned:
<ActionController::Parameters {"current_password"=>"123456"} permitted: true>
According to the official docs destroy_with_password accepts current_password argument, so instead of passing the whole user_params just pass the current_password, do this
@user.destroy_with_password(user_params[:current_password])
More info in rubydoc
Devise::Models::DatabaseAuthenticatable#destroy_with_password
Give it a try.