Added some security

app/controllers/application_controller.rb

@@ -17,6 +17,14 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def ensure_owner(item)
+    unless current_user && item && (item.user_id == current_user.id || current_user.admin?)
+      flash[:warning] = "Operation Not Permitted"
+      return redirect_to root_path
+    end
+    yield if block_given?
+  end
+
   def current_user
     @current_user ||= User.find(session[:user_id]) if session[:user_id]
   end

app/controllers/recipes_controller.rb

@@ -28,6 +28,7 @@ class RecipesController < ApplicationController
 
   # GET /recipes/1/edit
   def edit
+    ensure_owner @recipe
   end
 
   # POST /recipes
@@ -44,21 +45,25 @@ class RecipesController < ApplicationController
 
   # PATCH/PUT /recipes/1
   def update
-    if @recipe.update(recipe_params)
+    ensure_owner(@recipe) do
-      redirect_to @recipe, notice: 'Recipe was successfully updated.'
+      if @recipe.update(recipe_params)
-    else
+        redirect_to @recipe, notice: 'Recipe was successfully updated.'
-      render :edit
+      else
+        render :edit
+      end
     end
   end
 
   # DELETE /recipes/1
   def destroy
-    @recipe.deleted = true
+    ensure_owner(@recipe) do
+      @recipe.deleted = true
 
-    if @recipe.save
+      if @recipe.save
-      redirect_to recipes_url, notice: 'Recipe was successfully destroyed.'
+        redirect_to recipes_url, notice: 'Recipe was successfully destroyed.'
-    else
+      else
-      redirect_to recipes_url, error: 'Recipe could not be destroyed.'
+        redirect_to recipes_url, error: 'Recipe could not be destroyed.'
+      end
     end
   end