Actions / links that change something, especially destructive ones, should not be made available through GET. This is dangerous, because for example search engines that crawl your website could follow such a link and accidentally delete a user.
In this case, you should use HTTP DELETE. To do so,
change your route to
delete 'commands/deleteuser' => 'commands#delete_user', as: :delete_user
in your link helper, add the method attribute
<%= link_to "Delete", delete_user_path(:user_id => user.id, :command_id => @command.id), method: :delete, data: { confirm: "Are you sure?" } %>
There are two ways parameters can be passed from browser to server with a request:
- as query string parameters, that is, as part of the URL, e.g. example.com?param=value
- as part of the request body
Your browser transmits a lot of data to the server with each interaction (clicking a link, submitting a form etc.) that is usually invisible to you. Take a look at the developer tools built into your browser to make them visible. Here is a screenshot from Chromes developer tools:
This is a POST request, something you usually see for example when submitting a form. The data that would be appended to the URL in a GET request is visible here under "Form Data".