Merge ce81b8bcab into 4fd18a382c

2026-01-10 09:30:39 +01:00 · 2026-01-10 09:30:39 +01:00 · 231834f06a
commit 231834f06a
parent 4fd18a382c ce81b8bcab
4 changed files with 26 additions and 11 deletions
--- a/frontend/src/api/users.ts
+++ b/frontend/src/api/users.ts
@ -42,8 +42,15 @@ export async function update(
  });
 }

-export async function remove(id: number) {
+export async function remove(
+  id: number,
+  currentPassword: string | null = null
+) {
  await fetchURL(`/api/users/${id}`, {
    method: "DELETE",
+    body: JSON.stringify({
+      what: "user",
+      ...(currentPassword != null ? { current_password: currentPassword } : {}),
+    }),
  });
 }
--- a/frontend/src/views/settings/Profile.vue
+++ b/frontend/src/views/settings/Profile.vue
@ -96,11 +96,12 @@
 <script setup lang="ts">
 import { useAuthStore } from "@/stores/auth";
 import { useLayoutStore } from "@/stores/layout";
-import { users as api, settings } from "@/api";
+import { users as api } from "@/api";
 import AceEditorTheme from "@/components/settings/AceEditorTheme.vue";
 import Languages from "@/components/settings/Languages.vue";
 import { computed, inject, onMounted, ref } from "vue";
 import { useI18n } from "vue-i18n";
+import { authMethod } from "@/utils/constants";

 const layoutStore = useLayoutStore();
 const authStore = useAuthStore();
@ -142,7 +143,6 @@ onMounted(async () => {
  dateFormat.value = authStore.user.dateFormat;
  aceEditorTheme.value = authStore.user.aceEditorTheme;
  layoutStore.loading = false;
-  const { authMethod } = await settings.get();
  isCurrentPasswordRequired.value = authMethod == "json";

  return true;
--- a/frontend/src/views/settings/User.vue
+++ b/frontend/src/views/settings/User.vue
@ -71,6 +71,7 @@ import { computed, inject, onMounted, ref, watch } from "vue";
 import { useRoute, useRouter } from "vue-router";
 import { useI18n } from "vue-i18n";
 import { StatusError } from "@/api/utils";
+import { authMethod } from "@/utils/constants";

 const error = ref<StatusError>();
 const originalUser = ref<IUser>();
@ -105,11 +106,7 @@ const fetchData = async () => {

  try {
    if (isNew.value) {
-      const {
-        authMethod,
-        defaults,
-        createUserDir: _createUserDir,
-      } = await settings.get();
+      const { defaults, createUserDir: _createUserDir } = await settings.get();
      isCurrentPasswordRequired.value = authMethod == "json";
      createUserDir.value = _createUserDir;
      user.value = {
@ -146,7 +143,7 @@ const deleteUser = async (e: Event) => {
    return false;
  }
  try {
-    await api.remove(user.value.id);
+    await api.remove(user.value.id, currentPassword.value);
    router.push({ path: "/settings/users" });
    $showSuccess(t("settings.userDeleted"));
  } catch (err) {
--- a/http/users.go
+++ b/http/users.go
@ -103,8 +103,19 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 	return renderJSON(w, r, u)
 })

-var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, _ *http.Request, d *data) (int, error) {
-	err := d.store.Users.Delete(d.raw.(uint))
+var userDeleteHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	req, err := getUser(w, r)
+	if err != nil {
+		return http.StatusBadRequest, err
+	}
+
+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
+			return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
+		}
+	}
+
+	err = d.store.Users.Delete(d.raw.(uint))
 	if err != nil {
 		return errToStatus(err), err
 	}