Fix that users can delete their own accounts unconditionally via REST API (#11870).

Patch by Mizuki ISHIKAWA and Kevin Fischer. git-svn-id: http://svn.redmine.org/redmine/trunk@20782 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Go MAEDA <maeda@farend.jp> 2021-03-13 07:20:57 +0000
committer: Go MAEDA <maeda@farend.jp> 2021-03-13 07:20:57 +0000
commit: 5063d3faf0057e9cdb24556b6908aa6fc2bec77b (patch)
tree: 45953588da70cb406641243a6f49c2baea5806dc /app/controllers
parent: e5d13152bea6c4737f90d99d3b2df54fcd1544d3 (diff)
download: redmine-5063d3faf0057e9cdb24556b6908aa6fc2bec77b.tar.gz
redmine-5063d3faf0057e9cdb24556b6908aa6fc2bec77b.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index c12704e2e..d412433fd 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -192,6 +192,8 @@ class UsersController < ApplicationController
   end
 
   def destroy
+    return render_error status: 422 if @user == User.current && !@user.own_account_deletable?
+
     if api_request? || params[:lock] || params[:confirm] == @user.login
       if params[:lock]
         @user.update_attribute :status, User::STATUS_LOCKED
author	Go MAEDA <maeda@farend.jp>	2021-03-13 07:20:57 +0000
committer	Go MAEDA <maeda@farend.jp>	2021-03-13 07:20:57 +0000
commit	5063d3faf0057e9cdb24556b6908aa6fc2bec77b (patch)
tree	45953588da70cb406641243a6f49c2baea5806dc /app/controllers
parent	e5d13152bea6c4737f90d99d3b2df54fcd1544d3 (diff)
download	redmine-5063d3faf0057e9cdb24556b6908aa6fc2bec77b.tar.gz redmine-5063d3faf0057e9cdb24556b6908aa6fc2bec77b.zip