Added some security

app/controllers/application_controller.rb

@@ -17,6 +17,14 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def ensure_owner(item)
+    unless current_user && item && (item.user_id == current_user.id || current_user.admin?)
+      flash[:warning] = "Operation Not Permitted"
+      return redirect_to root_path
+    end
+    yield if block_given?
+  end
+
   def current_user
     @current_user ||= User.find(session[:user_id]) if session[:user_id]
   end

app/controllers/recipes_controller.rb

@@ -28,6 +28,7 @@ class RecipesController < ApplicationController
 
   # GET /recipes/1/edit
   def edit
+    ensure_owner @recipe
   end
 
   # POST /recipes
@@ -44,15 +45,18 @@ class RecipesController < ApplicationController
 
   # PATCH/PUT /recipes/1
   def update
+    ensure_owner(@recipe) do
       if @recipe.update(recipe_params)
         redirect_to @recipe, notice: 'Recipe was successfully updated.'
       else
         render :edit
       end
     end
+  end
 
   # DELETE /recipes/1
   def destroy
+    ensure_owner(@recipe) do
       @recipe.deleted = true
 
       if @recipe.save
@@ -61,6 +65,7 @@ class RecipesController < ApplicationController
         redirect_to recipes_url, error: 'Recipe could not be destroyed.'
       end
     end
+  end
 
   private
     # Use callbacks to share common setup or constraints between actions.