Fix that users can delete their own accounts unconditionally via REST API (#11870).

Patch by Mizuki ISHIKAWA and Kevin Fischer. git-svn-id: http://svn.redmine.org/redmine/trunk@20782 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-10 01:21:32 +00:00 · 2021-03-13 07:20:57 +00:00 · 2021-03-13 07:20:57 +00:00 · 5063d3faf0
commit 5063d3faf0
parent e5d13152be
2 changed files with 25 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -192,6 +192,8 @@ class UsersController < ApplicationController
  end

  def destroy
+    return render_error status: 422 if @user == User.current && !@user.own_account_deletable?
+
    if api_request? || params[:lock] || params[:confirm] == @user.login
      if params[:lock]
        @user.update_attribute :status, User::STATUS_LOCKED
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@ -915,4 +915,27 @@ class UsersControllerTest < Redmine::ControllerTest
      )
    end
  end
+
+  def test_destroy_without_unsubscribe_is_denied
+    user = User.find(2)
+    user.update(admin: true) # Create other admin so self can be deleted
+    @request.session[:user_id] = user.id
+    with_settings unsubscribe: 0 do
+      assert_no_difference 'User.count' do
+        delete :destroy, params: {id: user.id}
+      end
+      assert_response 422
+    end
+  end
+
+  def test_destroy_last_admin_is_denied
+    user = User.find(1)
+    @request.session[:user_id] = user.id
+    with_settings unsubscribe: 1 do
+      assert_no_difference 'User.count' do
+        delete :destroy, params: {id: user.id}
+      end
+      assert_response 422
+    end
+  end
 end