WAIT: Make event registrations deletable only when safe #1862
Draft
maebeale wants to merge 3 commits into
…ndance records Hiding the Delete button alone leaves the DELETE route open to admins/owners, so deletability is enforced in the model, view, and controller. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Main's registration-suite added a public De-register button that hard-deletes the registration; without the same guard a paid registrant could orphan their allocation. Hide the button and refuse the destroy when not deletable. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Main added its own attended? (status == "attended", used by certificate and joinable logic). Drop the duplicate this branch introduced and inline the attendance check in deletable? so it still blocks both attended and incomplete_attendance without clobbering main's method. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
maebeale
commented
Jun 22, 2026
| !allocations.exists? && !status.in?(%w[ attended incomplete_attendance ]) | ||
| end | ||
|
|
||
| def checked_in? |
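Review bot: The guard on the !allocations.exists? && !status.in?(%w[ attended incomplete_attendance ]) line is only a predicate, so nothing in these lines stops a caller that invokes destroy without asking it first, and an allocation created between the check and the delete would still be orphaned. Consider backing it at the model level, for example with a before_destroy callback that aborts when the predicate is false, or with dependent: :restrict_with_error on the allocations association, so the controller checks become a second layer rather than the only one. The two status strings are also bare literals here; if the model already names its statuses elsewhere, reuse that definition so a renamed status does not silently make attended registrations deletable.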
Collaborator
Author
🤖 From Claude: Single source of truth for both delete paths. allocations has no dependent: :destroy, so deleting a registration with payments/scholarships would orphan those rows — hence the guard rather than a cascade.
maebeale
commented
Jun 22, 2026
|
|
||
| authorize! @event_registration | ||
|
|
||
| unless @event_registration.deletable? |
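Review bot: The body of the unless @event_registration.deletable? branch is not visible here, so confirm it halts the action (a redirect or render followed by a return) before any destroy call can run; a redirect without a return would still fall through to the delete. Keeping authorize! ahead of the deletability check is the right order, since unauthorized callers then learn nothing about the registration's state. A request spec that issues DELETE directly for a registration with allocations, and one for each of the two attended statuses, would pin this behaviour down independently of the hidden button.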
Collaborator
Author
🤖 From Claude: Enforced server-side here (not just by hiding the button) because the DELETE route stays reachable for authorized users. Points the registrant to cancel, which is a soft status change that preserves the payment record.
What is the goal of this PR and why is this important?
allocations (payments and scholarships) have no dependent: :destroy, so deleting such a registration leaves dangling records; attended/incomplete-attendance registrations are kept as a record.
How did you approach the change?
EventRegistration#deletable? (!allocations.exists? and not an attended status) as the single source of truth.
EventRegistrationsController#destroy and Events::RegistrationsController#destroy (hiding a button alone leaves the DELETE route open).
UI Testing Checklist
Anything else to add?
attended? (used by certificate/joinable logic) by inlining the attendance check in deletable? rather than redefining the method.