Disallow account deletion after confirmation
authorAnton Khorev <tony29@yandex.ru>
Tue, 24 Oct 2023 18:20:19 +0000 (21:20 +0300)
committerAnton Khorev <tony29@yandex.ru>
Wed, 22 Nov 2023 14:37:04 +0000 (17:37 +0300)
app/controllers/accounts_controller.rb
test/controllers/accounts_controller_test.rb

index 63da1293ff731ecfe85d0430f9c6f0f1819a2008..db972101088b2a958fa0f3ffe25798fec41f1bbf 100644 (file)
@@ -53,12 +53,16 @@ class AccountsController < ApplicationController
   end
 
   def destroy
-    current_user.soft_destroy!
+    if current_user.deletion_allowed?
+      current_user.soft_destroy!
 
-    session.delete(:user)
-    session_expires_automatically
+      session.delete(:user)
+      session_expires_automatically
 
-    flash[:notice] = t ".success"
-    redirect_to root_path
+      flash[:notice] = t ".success"
+      redirect_to root_path
+    else
+      head :bad_request
+    end
   end
 end
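Review bot: The refusal branch in `destroy` answers with `head :bad_request`, which reports a well-formed request as malformed and returns no body, so a user who reaches it gets a blank response with no explanation. The refusal is a policy decision, so `head :forbidden` would describe it more accurately; a redirect to the account page with a flash message explaining the delay would be clearer still. The branch also records nothing, and if the delay is meant to stop edits followed by immediate account deletion, a log line for refused attempts would give moderators something to look at. The guard lives only in this action, so any other caller of `soft_destroy!` (none is visible in this hunk) is not bound by it; it is worth confirming that this is intended.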
index 7546c3797ee6f2939834dd1d9a0fc1b68587f6ba..131292f412d90f286b8798b81b84bde1015b2be4 100644 (file)
@@ -152,4 +152,23 @@ class AccountsControllerTest < ActionDispatch::IntegrationTest
     # Make sure we have a button to "go public"
     assert_select "form.button_to[action='/user/go_public']", true
   end
+
+  def test_destroy_allowed
+    user = create(:user)
+    session_for(user)
+
+    delete account_path
+    assert_response :redirect
+  end
+
+  def test_destroy_not_allowed
+    with_user_account_deletion_delay(24) do
+      user = create(:user)
+      create(:changeset, :user => user, :created_at => Time.now.utc)
+      session_for(user)
+
+      delete account_path
+      assert_response :bad_request
+    end
+  end
 end
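Review bot: Both new tests assert only the response status, so they would still pass if `destroy` redirected without deleting the account, or answered 400 after `soft_destroy!` had already run. In `test_destroy_allowed`, tighten the check to `assert_redirected_to root_path` and assert on `user.reload` that the account is now deleted. In `test_destroy_not_allowed`, assert that the reloaded user is unchanged and that the session is still logged in. A third case with a changeset older than the delay set by `with_user_account_deletion_delay(24)` would cover the boundary where deletion becomes allowed again. The test class starts outside the hunk.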