From: Go MAEDA
Date: Sat, 13 Mar 2021 07:20:57 +0000 (+0000)
Subject: Fix that users can delete their own accounts unconditionally via REST API (#11870).
X-Git-Tag: 4.2.0~55
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=5063d3faf0057e9cdb24556b6908aa6fc2bec77b;p=redmine.git

Fix that users can delete their own accounts unconditionally via REST API (#11870).

Patch by Mizuki ISHIKAWA and Kevin Fischer.

git-svn-id: http://svn.redmine.org/redmine/trunk@20782 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index c12704e2e..d412433fd 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -192,6 +192,8 @@ class UsersController < ApplicationController
   end
 
   def destroy
+    return render_error status: 422 if @user == User.current && !@user.own_account_deletable?
+
     if api_request? || params[:lock] || params[:confirm] == @user.login
       if params[:lock]
         @user.update_attribute :status, User::STATUS_LOCKED
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 5883f344b..700a3a842 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -915,4 +915,27 @@ class UsersControllerTest < Redmine::ControllerTest
       )
     end
   end
+
+  def test_destroy_without_unsubscribe_is_denied
+    user = User.find(2)
+    user.update(admin: true) # Create other admin so self can be deleted
+    @request.session[:user_id] = user.id
+    with_settings unsubscribe: 0 do
+      assert_no_difference 'User.count' do
+        delete :destroy, params: {id: user.id}
+      end
+      assert_response 422
+    end
+  end
+
+  def test_destroy_last_admin_is_denied
+    user = User.find(1)
+    @request.session[:user_id] = user.id
+    with_settings unsubscribe: 1 do
+      assert_no_difference 'User.count' do
+        delete :destroy, params: {id: user.id}
+      end
+      assert_response 422
+    end
+  end
 end
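Review bot: The new guard at the top of `destroy` fires before the `params[:lock]` branch is reached, so a user whose account is not deletable (per the tests: unsubscribe disabled, or the last admin) can no longer lock their own account through this action either, even though locking does not delete anything; if that is not intended, the guard should be scoped to the deletion path, e.g. `return render_error status: 422 if @user == User.current && !params[:lock] && !@user.own_account_deletable?`. The guard also deserves a comment tying it to the reported problem, since the reason for checking the same rule here as on the account page is not visible from the code: `# Self-deletion (web or REST) must follow the same rules as the account page: unsubscribe setting and not the last admin (#11870)`. Whether `render_error` with a status hash yields a bare 422 for API formats rather than an HTML error page is not visible in this hunk and is worth confirming against ApplicationController. The body of `destroy` continues outside the hunk.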
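Review bot: Both new tests authenticate through `@request.session[:user_id]` and send no `confirm`, `lock` or API format, so they exercise the plain web path rather than the REST API path the commit title names; on the pre-patch code such a request presumably falls through to the non-deleting branch of `destroy` (outside this hunk), which means `assert_no_difference 'User.count'` would likely pass even without the fix and only `assert_response 422` is discriminating. A test that reaches `destroy` as an API request with the user's own key would pin the behaviour the commit is actually fixing; the sketch below assumes the functional-test harness accepts key authentication for `destroy` the way the API tests do, so adjust the authentication line to whatever this test file already uses for API calls. The first test also depends on `User.find(2)` becoming a second admin so that `User.find(1)` is no longer the last one, and the second on user 1 being the only admin in the fixtures; a one-line comment on `test_destroy_last_admin_is_denied` stating that fixture assumption (`# user 1 is the only admin in the fixtures`) would keep the test readable if the fixtures change. The enclosing test class starts outside the hunk.
```ruby
  # Same rule must hold when the request arrives over the REST API (#11870).
  def test_destroy_own_account_via_api_is_denied_without_unsubscribe
    user = User.find(2)
    user.update(admin: true) # second admin, so only the unsubscribe setting blocks deletion
    with_settings rest_api_enabled: '1', unsubscribe: 0 do
      assert_no_difference 'User.count' do
        delete :destroy, params: {id: user.id, key: user.api_key, format: 'json'}
      end
      assert_response 422
    end
  end
```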