fix(user): allow openid users to request their deletion
Some checks failed
continuous-integration/drone/push Build is failing

Resolves https://community.vikunja.io/t/delete-user-not-possible-when-using-oidc/1689/4
This commit is contained in:
kolaente 2023-10-11 19:06:59 +02:00
parent 58497f29e6
commit 9a29b29a04
Signed by: konrad
GPG Key ID: F40E70337AB24C9B
2 changed files with 39 additions and 29 deletions

View File

@ -47,20 +47,11 @@ type UserDeletionRequestConfirm struct {
// @Failure 500 {object} models.Message "Internal error"
// @Router /user/deletion/request [post]
func UserRequestDeletion(c echo.Context) error {
var deletionRequest UserPasswordConfirmation
if err := c.Bind(&deletionRequest); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
}
err := c.Validate(deletionRequest)
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, err)
}
s := db.NewSession()
defer s.Close()
err = s.Begin()
err := s.Begin()
if err != nil {
return handler.HandleHTTPError(err, c)
}
@ -71,10 +62,22 @@ func UserRequestDeletion(c echo.Context) error {
return handler.HandleHTTPError(err, c)
}
err = user.CheckUserPassword(u, deletionRequest.Password)
if err != nil {
_ = s.Rollback()
return handler.HandleHTTPError(err, c)
if u.IsLocalUser() {
var deletionRequest UserPasswordConfirmation
if err := c.Bind(&deletionRequest); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
}
err = c.Validate(deletionRequest)
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, err)
}
err = user.CheckUserPassword(u, deletionRequest.Password)
if err != nil {
_ = s.Rollback()
return handler.HandleHTTPError(err, c)
}
}
err = user.RequestDeletion(s, u)
@ -155,20 +158,11 @@ func UserConfirmDeletion(c echo.Context) error {
// @Failure 500 {object} models.Message "Internal error"
// @Router /user/deletion/cancel [post]
func UserCancelDeletion(c echo.Context) error {
var deletionRequest UserPasswordConfirmation
if err := c.Bind(&deletionRequest); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
}
err := c.Validate(deletionRequest)
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, err)
}
s := db.NewSession()
defer s.Close()
err = s.Begin()
err := s.Begin()
if err != nil {
return handler.HandleHTTPError(err, c)
}
@ -179,10 +173,22 @@ func UserCancelDeletion(c echo.Context) error {
return handler.HandleHTTPError(err, c)
}
err = user.CheckUserPassword(u, deletionRequest.Password)
if err != nil {
_ = s.Rollback()
return handler.HandleHTTPError(err, c)
if u.IsLocalUser() {
var deletionRequest UserPasswordConfirmation
if err := c.Bind(&deletionRequest); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "No password provided.")
}
err = c.Validate(deletionRequest)
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, err)
}
err = user.CheckUserPassword(u, deletionRequest.Password)
if err != nil {
_ = s.Rollback()
return handler.HandleHTTPError(err, c)
}
}
err = user.CancelDeletion(s, u)

View File

@ -154,7 +154,7 @@ func (u *User) GetID() int64 {
}
// TableName returns the table name for users
func (User) TableName() string {
func (*User) TableName() string {
return "users"
}
@ -353,6 +353,10 @@ func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
return user, nil
}
func (u *User) IsLocalUser() bool {
return u.Issuer == IssuerLocal
}
func handleFailedPassword(user *User) {
key := user.GetFailedPasswordAttemptsKey()
err := keyvalue.IncrBy(key, 1)