fix: #8163, prevent account deletion

5 years ago · 4d0636f847
parent f4ed35c998
commit 4d0636f847
2 changed files with 15 additions and 0 deletions
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@ -49,6 +49,9 @@ SocketUser.deleteAccount = async function (socket, data) {
 	if (isAdmin) {
 		throw new Error('[[error:cant-delete-admin]]');
 	}
+	if (meta.config.allowAccountDelete !== 1) {
+		throw new Error('[[error:no-privileges]]');
+	}
 	const userData = await user.deleteAccount(socket.uid);
 	require('./index').server.sockets.emit('event:user_status_change', { uid: socket.uid, status: 'offline' });

--- a/test/user.js
+++ b/test/user.js
@ -1446,6 +1446,18 @@ describe('User', function () {
 			});
 		});

+		it('should fail to delete user if account deletion is not allowed', async function () {
+			const oldValue = meta.config.allowAccountDeletion;
+			meta.config.allowAccountDeletion = 0;
+			const uid = await User.create({ username: 'tobedeleted' });
+			try {
+				await socketUser.deleteAccount({ uid: uid }, {});
+			} catch (err) {
+				assert.equal(err.message, '[[error:no-privileges]]');
+			}
+			meta.config.allowAccountDeletion = oldValue;
+		});
+
 		it('should fail if data is invalid', function (done) {
 			socketUser.emailExists({ uid: testUid }, null, function (err) {
 				assert.equal(err.message, '[[error:invalid-data]]');