Merge pull request #1695 from codidact/cellio/no-2fa-self-delete

cellio · web-flow · commit 434fccaf8568 · 2025-07-22T11:33:31.000-04:00
don't allow self-deletion for an account that (still) uses 2fa
diff --git a/app/controllers/users/registrations_controller.rb b/app/controllers/users/registrations_controller.rb
@@ -37,6 +37,9 @@ def do_delete
     elsif @user.moderator?
       @user.errors.add(:base, I18n.t('users.errors.no_mod_self_delete'))
       render :delete
+    elsif @user.enabled_2fa
+      @user.errors.add(:base, I18n.t('users.errors.no_2fa_self_delete'))
+      render :delete
     elsif params[:username] != @user.username
       @user.errors.add(:base, I18n.t('users.errors.self_delete_wrong_username'))
       render :delete
diff --git a/app/views/devise/registrations/edit.html.erb b/app/views/devise/registrations/edit.html.erb
@@ -66,7 +66,14 @@
   <p class="has-color-red has-font-size-caption">
     Moderators and admins cannot be self-deleted. Contact support if you wish to delete your account.
   </p>
-<% else %>
+<% elsif current_user.enabled_2fa %>
+  <%= link_to 'javascript:void(8)', class: 'button is-outlined is-danger', disabled: true do %>  
+    Delete my account &raquo;
+  <% end %>
+  <p class="has-color-red has-font-size-caption">
+    Your account uses two-factor authentication (2FA). In order to delete your account, you must first disable 2FA.
+  </p>
+  <% else %>
   <%= link_to delete_account_path, class: 'button is-outlined is-danger' do %>
     Delete my account &raquo;
   <% end %>
diff --git a/config/locales/strings/en.users.yml b/config/locales/strings/en.users.yml
@@ -5,5 +5,7 @@ en:
         Admin accounts cannot be self-deleted. Contact support.
       no_mod_self_delete: >
         Moderator accounts cannot be self-deleted. Contact support.
+      no_2fa_self_delete: >
+        Accounts using 2FA cannot be self-deleted. Disable 2FA first.
       self_delete_wrong_username: >
         The username you entered was incorrect.
diff --git a/test/controllers/users/registrations_controller_test.rb b/test/controllers/users/registrations_controller_test.rb
@@ -90,10 +90,11 @@ class Users::RegistrationsControllerTest < ActionController::TestCase
   test 'should prevent self-deletion if the user is at least a moderator' do
     locale_string_map = {
       moderator: 'users.errors.no_mod_self_delete',
-      admin: 'users.errors.no_admin_self_delete'
+      admin: 'users.errors.no_admin_self_delete',
+      enabled_2fa: 'users.errors.no_2fa_self_delete'
     }
 
-    [:moderator, :admin].each do |name|
+    [:moderator, :admin, :enabled_2fa].each do |name|
       sign_in users(name)
       session[:sudo] = DateTime.now.iso8601
 
