diff options
| author | Eugen Rochko <eugen@zeonfederated.com> | 2019-09-15 21:08:39 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-15 21:08:39 +0200 |
| commit | c707ef49d9b13932f4d98c127ec3148a5cdc3479 (patch) | |
| tree | 6d282c8b2ee513f2d3f29753bf6c6c0d2c3a227c /app/controllers/settings | |
| parent | 1511638975de077b6b8d5397a830239bb317a016 (diff) | |
Fix 2FA challenge and password challenge for non-database users (#11831)
* Fix 2FA challenge not appearing for non-database users Fix #11685 * Fix account deletion not working when using external login Fix #11691
Diffstat (limited to 'app/controllers/settings')
| -rw-r--r-- | app/controllers/settings/deletes_controller.rb | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/app/controllers/settings/deletes_controller.rb b/app/controllers/settings/deletes_controller.rb index 97fe4d328..15a59c999 100644 --- a/app/controllers/settings/deletes_controller.rb +++ b/app/controllers/settings/deletes_controller.rb @@ -14,12 +14,11 @@ class Settings::DeletesController < Settings::BaseController end def destroy - if current_user.valid_password?(delete_params[:password]) - Admin::SuspensionWorker.perform_async(current_user.account_id, true) - sign_out + if challenge_passed? + destroy_account! redirect_to new_user_session_path, notice: I18n.t('deletes.success_msg') else - redirect_to settings_delete_path, alert: I18n.t('deletes.bad_password_msg') + redirect_to settings_delete_path, alert: I18n.t('deletes.challenge_not_passed') end end @@ -29,11 +28,25 @@ class Settings::DeletesController < Settings::BaseController redirect_to root_path unless Setting.open_deletion end - def delete_params - params.require(:form_delete_confirmation).permit(:password) + def resource_params + params.require(:form_delete_confirmation).permit(:password, :username) end def require_not_suspended! forbidden if current_account.suspended? end + + def challenge_passed? + if current_user.encrypted_password.blank? + current_account.username == resource_params[:username] + else + current_user.valid_password?(resource_params[:password]) + end + end + + def destroy_account! + current_account.suspend! + Admin::SuspensionWorker.perform_async(current_user.account_id, true) + sign_out + end end |