Move the access control to a dedicated helper

app/controllers/application_controller.rb

@@ -154,6 +154,13 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def admin_or_self_login_required
+    unless User.find(session['user_id']).is_admin || session['user_id'] == params[:id]
+      render :body => t('errors.user_unauthorized'), :status => 401
+      return false
+    end
+  end
+
   def redirect_back_or_home
     respond_to do |format|
       format.html { redirect_back_or_default root_url }

app/controllers/users_controller.rb

@@ -1,6 +1,7 @@
 class UsersController < ApplicationController
 
   before_action :admin_login_required, :only => [ :index, :show ]
+  before_action :admin_or_self_login_required, :only => [ :destroy ]
   skip_before_action :login_required, :only => [ :new, :create ]
   prepend_before_action :login_optional, :only => [ :new, :create ]
 
@@ -132,12 +133,6 @@ class UsersController < ApplicationController
   def destroy
     @deleted_user = User.find(params[:id])
 
-    # Check that the user has access (logged in as admin or the target user.)
-    unless current_user && (current_user.is_admin || current_user == @deleted_user)
-      render :body => t('errors.user_unauthorized'), :status => 401
-      return
-    end
-
     # Remove the user
     @saved = @deleted_user.destroy