From 4d0636f84750102aac9664bc5f2be0638843f11f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 13 Feb 2020 11:31:20 -0500
Subject: [PATCH] fix: #8163, prevent account deletion
---
 src/socket.io/user.js | 3 +++
 test/user.js | 12 ++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/src/socket.io/user.js b/src/socket.io/user.js
index a57885a76f..5a55769001 100644
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -49,6 +49,9 @@ SocketUser.deleteAccount = async function (socket, data) {
 if (isAdmin) {
 throw new Error('[[error:cant-delete-admin]]');
 }
+ if (meta.config.allowAccountDelete !== 1) {
+ throw new Error('[[error:no-privileges]]');
+ }
 const userData = await user.deleteAccount(socket.uid);
 require('./index').server.sockets.emit('event:user_status_change', { uid: socket.uid, status: 'offline' });
diff --git a/test/user.js b/test/user.js
index 66654cd649..046c6cd7ac 100644
--- a/test/user.js
+++ b/test/user.js
@@ -1446,6 +1446,18 @@ describe('User', function () {
 });
 });
+ it('should fail to delete user if account deletion is not allowed', async function () {
+ const oldValue = meta.config.allowAccountDeletion;
+ meta.config.allowAccountDeletion = 0;
+ const uid = await User.create({ username: 'tobedeleted' });
+ try {
+ await socketUser.deleteAccount({ uid: uid }, {});
+ } catch (err) {
+ assert.equal(err.message, '[[error:no-privileges]]');
+ }
+ meta.config.allowAccountDeletion = oldValue;
+ });
+
 it('should fail if data is invalid', function (done) {
 socketUser.emailExists({ uid: testUid }, null, function (err) {
 assert.equal(err.message, '[[error:invalid-data]]');
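Review bot: The new guard in `SocketUser.deleteAccount` reads `meta.config.allowAccountDelete`, but the test added in test/user.js toggles `meta.config.allowAccountDeletion`, so one of the two names does not match the real setting. If the wrong one is the name in this guard, `undefined !== 1` is always true and every self-deletion is refused whatever the admin configured; confirm the key against the config defaults, which are not visible here. The strict `!== 1` also fails closed if the value is stored as the string `'1'` or `true`, which is the safe direction but is worth stating in a comment such as `// server-side enforcement of the allowAccountDelete setting; must not rely on the client hiding the option`. The function starts before and continues after this hunk, so whether `meta` is already required in this file cannot be checked from here.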
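Review bot: The new test cannot fail when the authorization check is missing or bypassed, because if `socketUser.deleteAccount` resolves the `catch` block is skipped and no assertion runs. It also sets `meta.config.allowAccountDeletion` rather than the `allowAccountDelete` key the handler checks in src/socket.io/user.js, so the setting under test is probably never changed and the call may simply delete the account and pass. Capture the error, assert that one was thrown, and restore the config in `finally` so a failed assertion does not leave the setting changed for later tests. The fence below uses the key name from the handler; adjust it if the real setting is named otherwise.

```javascript
it('should fail to delete user if account deletion is not allowed', async function () {
	const oldValue = meta.config.allowAccountDelete;
	meta.config.allowAccountDelete = 0;
	const uid = await User.create({ username: 'tobedeleted' });
	let err;
	try {
		await socketUser.deleteAccount({ uid: uid }, {});
	} catch (_err) {
		err = _err;
	} finally {
		meta.config.allowAccountDelete = oldValue;
	}
	assert(err, 'deleteAccount should have been rejected');
	assert.equal(err.message, '[[error:no-privileges]]');
});
```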