fix: request current password when deleting users

2026-01-07 04:21:22 -05:00 · 2026-01-07 04:21:22 -05:00 · 3aa5d91463
commit 3aa5d91463
parent 94ec786d34
7 changed files with 36 additions and 5 deletions
--- a/frontend/src/api/settings.ts
+++ b/frontend/src/api/settings.ts
@ -4,6 +4,10 @@ export function get() {
  return fetchJSON<ISettings>(`/api/settings`, {});
 }

+export function getAuthMethod() {
+  return fetchJSON<{ authMethod: string }>(`/api/settings/auth-method`, {});
+}
+
 export async function update(settings: ISettings) {
  await fetchURL(`/api/settings`, {
    method: "PUT",
--- a/frontend/src/api/users.ts
+++ b/frontend/src/api/users.ts
@ -42,8 +42,15 @@ export async function update(
  });
 }

-export async function remove(id: number) {
+export async function remove(
+  id: number,
+  currentPassword: string | null = null
+) {
  await fetchURL(`/api/users/${id}`, {
    method: "DELETE",
+    body: JSON.stringify({
+      what: "user",
+      ...(currentPassword != null ? { current_password: currentPassword } : {}),
+    }),
  });
 }
--- a/frontend/src/views/settings/Profile.vue
+++ b/frontend/src/views/settings/Profile.vue
@ -142,7 +142,7 @@ onMounted(async () => {
  dateFormat.value = authStore.user.dateFormat;
  aceEditorTheme.value = authStore.user.aceEditorTheme;
  layoutStore.loading = false;
-  const { authMethod } = await settings.get();
+  const { authMethod } = await settings.getAuthMethod();
  isCurrentPasswordRequired.value = authMethod == "json";

  return true;
--- a/frontend/src/views/settings/User.vue
+++ b/frontend/src/views/settings/User.vue
@ -146,7 +146,7 @@ const deleteUser = async (e: Event) => {
    return false;
  }
  try {
-    await api.remove(user.value.id);
+    await api.remove(user.value.id, currentPassword.value);
    router.push({ path: "/settings/users" });
    $showSuccess(t("settings.userDeleted"));
  } catch (err) {
--- a/http/http.go
+++ b/http/http.go
@ -80,6 +80,7 @@ func NewHandler(
 	api.PathPrefix("/share").Handler(monkey(shareDeleteHandler, "/api/share")).Methods("DELETE")

 	api.Handle("/settings", monkey(settingsGetHandler, "")).Methods("GET")
+	api.Handle("/settings/auth-method", monkey(authMethodGetHandler, "")).Methods("GET")
 	api.Handle("/settings", monkey(settingsPutHandler, "")).Methods("PUT")

 	api.PathPrefix("/raw").Handler(monkey(rawHandler, "/api/raw")).Methods("GET")
--- a/http/settings.go
+++ b/http/settings.go
@ -42,6 +42,14 @@ var settingsGetHandler = withAdmin(func(w http.ResponseWriter, r *http.Request,
 	return renderJSON(w, r, data)
 })

+var authMethodGetHandler = func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	data := &settingsData{
+		AuthMethod: d.settings.AuthMethod,
+	}
+
+	return renderJSON(w, r, data)
+}
+
 var settingsPutHandler = withAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
 	req := &settingsData{}
 	err := json.NewDecoder(r.Body).Decode(req)
--- a/http/users.go
+++ b/http/users.go
@ -103,8 +103,19 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 	return renderJSON(w, r, u)
 })

-var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, _ *http.Request, d *data) (int, error) {
-	err := d.store.Users.Delete(d.raw.(uint))
+var userDeleteHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	req, err := getUser(w, r)
+	if err != nil {
+		return http.StatusBadRequest, err
+	}
+
+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		if !users.CheckPwd(req.CurrentPassword, d.user.Password) {
+			return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
+		}
+	}
+
+	err = d.store.Users.Delete(d.raw.(uint))
 	if err != nil {
 		return errToStatus(err), err
 	}