fix(user): allow openid users to request their deletion

Resolves https://community.vikunja.io/t/delete-user-not-possible-when-using-oidc/1689/4
2023-10-11 19:06:59 +02:00 · 2023-10-11 19:06:59 +02:00 · 9a29b29a04
parent 58497f29e6
commit 9a29b29a04
2 changed files with 39 additions and 29 deletions
--- a/pkg/routes/api/v1/user_deletion.go
+++ b/pkg/routes/api/v1/user_deletion.go
@ -47,20 +47,11 @@ type UserDeletionRequestConfirm struct {
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /user/deletion/request [post]
 func UserRequestDeletion(c echo.Context) error {
-	var deletionRequest UserPasswordConfirmation
-	if err := c.Bind(&deletionRequest); err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
-	}
-
-	err := c.Validate(deletionRequest)
-	if err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, err)
-	}

 	s := db.NewSession()
 	defer s.Close()

-	err = s.Begin()
+	err := s.Begin()
 	if err != nil {
 		return handler.HandleHTTPError(err, c)
 	}
@ -71,10 +62,22 @@ func UserRequestDeletion(c echo.Context) error {
 		return handler.HandleHTTPError(err, c)
 	}

-	err = user.CheckUserPassword(u, deletionRequest.Password)
-	if err != nil {
-		_ = s.Rollback()
-		return handler.HandleHTTPError(err, c)
+	if u.IsLocalUser() {
+		var deletionRequest UserPasswordConfirmation
+		if err := c.Bind(&deletionRequest); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
+		}
+
+		err = c.Validate(deletionRequest)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, err)
+		}
+
+		err = user.CheckUserPassword(u, deletionRequest.Password)
+		if err != nil {
+			_ = s.Rollback()
+			return handler.HandleHTTPError(err, c)
+		}
 	}

 	err = user.RequestDeletion(s, u)
@ -155,20 +158,11 @@ func UserConfirmDeletion(c echo.Context) error {
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /user/deletion/cancel [post]
 func UserCancelDeletion(c echo.Context) error {
-	var deletionRequest UserPasswordConfirmation
-	if err := c.Bind(&deletionRequest); err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
-	}
-
-	err := c.Validate(deletionRequest)
-	if err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, err)
-	}

 	s := db.NewSession()
 	defer s.Close()

-	err = s.Begin()
+	err := s.Begin()
 	if err != nil {
 		return handler.HandleHTTPError(err, c)
 	}
@ -179,10 +173,22 @@ func UserCancelDeletion(c echo.Context) error {
 		return handler.HandleHTTPError(err, c)
 	}

-	err = user.CheckUserPassword(u, deletionRequest.Password)
-	if err != nil {
-		_ = s.Rollback()
-		return handler.HandleHTTPError(err, c)
+	if u.IsLocalUser() {
+		var deletionRequest UserPasswordConfirmation
+		if err := c.Bind(&deletionRequest); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
+		}
+
+		err = c.Validate(deletionRequest)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, err)
+		}
+
+		err = user.CheckUserPassword(u, deletionRequest.Password)
+		if err != nil {
+			_ = s.Rollback()
+			return handler.HandleHTTPError(err, c)
+		}
 	}

 	err = user.CancelDeletion(s, u)
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@ -154,7 +154,7 @@ func (u *User) GetID() int64 {
 }

 // TableName returns the table name for users
-func (User) TableName() string {
+func (*User) TableName() string {
 	return "users"
 }

@ -353,6 +353,10 @@ func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
 	return user, nil
 }

+func (u *User) IsLocalUser() bool {
+	return u.Issuer == IssuerLocal
+}
+
 func handleFailedPassword(user *User) {
 	key := user.GetFailedPasswordAttemptsKey()
 	err := keyvalue.IncrBy(key, 1)