forked from AkkomaGang/akkoma
Merge branch 'delete-account-fix' into 'develop'
TwitterAPI: allow deleting one's own account with request body Closes #2799 and #2746 See merge request pleroma/pleroma!3564
This commit is contained in:
commit
6eb7d69e60
3 changed files with 49 additions and 5 deletions
lib/pleroma/web
test/pleroma/web/twitter_api
|
@ -191,6 +191,7 @@ def delete_account_operation do
|
||||||
parameters: [
|
parameters: [
|
||||||
Operation.parameter(:password, :query, :string, "Password")
|
Operation.parameter(:password, :query, :string, "Password")
|
||||||
],
|
],
|
||||||
|
requestBody: request_body("Parameters", delete_account_request(), required: false),
|
||||||
responses: %{
|
responses: %{
|
||||||
200 =>
|
200 =>
|
||||||
Operation.response("Success", "application/json", %Schema{
|
Operation.response("Success", "application/json", %Schema{
|
||||||
|
@ -237,4 +238,22 @@ def remote_subscribe_operation do
|
||||||
responses: %{200 => Operation.response("Web Page", "test/html", %Schema{type: :string})}
|
responses: %{200 => Operation.response("Web Page", "test/html", %Schema{type: :string})}
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
defp delete_account_request do
|
||||||
|
%Schema{
|
||||||
|
title: "AccountDeleteRequest",
|
||||||
|
description: "POST body for deleting one's own account",
|
||||||
|
type: :object,
|
||||||
|
properties: %{
|
||||||
|
password: %Schema{
|
||||||
|
type: :string,
|
||||||
|
description: "The user's own password for confirmation.",
|
||||||
|
format: :password
|
||||||
|
}
|
||||||
|
},
|
||||||
|
example: %{
|
||||||
|
"password" => "prettyp0ony1313"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -123,8 +123,10 @@ def change_email(%{assigns: %{user: user}, body_params: body_params} = conn, %{}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def delete_account(%{assigns: %{user: user}} = conn, params) do
|
def delete_account(%{assigns: %{user: user}, body_params: body_params} = conn, params) do
|
||||||
password = params[:password] || ""
|
# This endpoint can accept a query param or JSON body for backwards-compatibility.
|
||||||
|
# Submitting a JSON body is recommended, so passwords don't end up in server logs.
|
||||||
|
password = body_params[:password] || params[:password] || ""
|
||||||
|
|
||||||
case CommonAPI.Utils.confirm_current_password(user, password) do
|
case CommonAPI.Utils.confirm_current_password(user, password) do
|
||||||
{:ok, user} ->
|
{:ok, user} ->
|
||||||
|
|
|
@ -473,7 +473,10 @@ test "without permissions", %{conn: conn} do
|
||||||
|
|
||||||
test "with proper permissions and wrong or missing password", %{conn: conn} do
|
test "with proper permissions and wrong or missing password", %{conn: conn} do
|
||||||
for params <- [%{"password" => "hi"}, %{}] do
|
for params <- [%{"password" => "hi"}, %{}] do
|
||||||
ret_conn = post(conn, "/api/pleroma/delete_account", params)
|
ret_conn =
|
||||||
|
conn
|
||||||
|
|> put_req_header("content-type", "application/json")
|
||||||
|
|> post("/api/pleroma/delete_account", params)
|
||||||
|
|
||||||
assert json_response_and_validate_schema(ret_conn, 200) == %{
|
assert json_response_and_validate_schema(ret_conn, 200) == %{
|
||||||
"error" => "Invalid password."
|
"error" => "Invalid password."
|
||||||
|
@ -481,8 +484,28 @@ test "with proper permissions and wrong or missing password", %{conn: conn} do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
test "with proper permissions and valid password", %{conn: conn, user: user} do
|
test "with proper permissions and valid password (URL query)", %{conn: conn, user: user} do
|
||||||
conn = post(conn, "/api/pleroma/delete_account?password=test")
|
conn =
|
||||||
|
conn
|
||||||
|
|> put_req_header("content-type", "application/json")
|
||||||
|
|> post("/api/pleroma/delete_account?password=test")
|
||||||
|
|
||||||
|
ObanHelpers.perform_all()
|
||||||
|
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
|
||||||
|
|
||||||
|
user = User.get_by_id(user.id)
|
||||||
|
refute user.is_active
|
||||||
|
assert user.name == nil
|
||||||
|
assert user.bio == ""
|
||||||
|
assert user.password_hash == nil
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with proper permissions and valid password (JSON body)", %{conn: conn, user: user} do
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> put_req_header("content-type", "application/json")
|
||||||
|
|> post("/api/pleroma/delete_account", %{password: "test"})
|
||||||
|
|
||||||
ObanHelpers.perform_all()
|
ObanHelpers.perform_all()
|
||||||
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
|
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue