don't allow self-deletion for an account that (still) uses 2fa

cellio · cellio · commit e65b7ec30285 · 2025-07-21T22:48:41.000-04:00
diff --git a/app/controllers/users/registrations_controller.rb b/app/controllers/users/registrations_controller.rb
@@ -37,6 +37,9 @@ def do_delete
     elsif @user.moderator?
       @user.errors.add(:base, I18n.t('users.errors.no_mod_self_delete'))
       render :delete
+    elsif @user.enabled_2fa
+      @user.errors.add(:base, I18n.t('users.errors.no_2fa_self_delete'))
+      render :delete
     elsif params[:username] != @user.username
       @user.errors.add(:base, I18n.t('users.errors.self_delete_wrong_username'))
       render :delete
diff --git a/app/views/devise/registrations/edit.html.erb b/app/views/devise/registrations/edit.html.erb
@@ -66,7 +66,14 @@
   <p class="has-color-red has-font-size-caption">
     Moderators and admins cannot be self-deleted. Contact support if you wish to delete your account.
   </p>
-<% else %>
+<% elsif current_user.enabled_2fa %>
+  <%= link_to 'javascript:void(8)', class: 'button is-outlined is-danger', disabled: true do %>  
+    Delete my account &raquo;
+  <% end %>
+  <p class="has-color-red has-font-size-caption">
+    Your account uses two-factor authentication (2FA). In order to delete your account, you must first disable 2FA.
+  </p>
+  <% else %>
   <%= link_to delete_account_path, class: 'button is-outlined is-danger' do %>
     Delete my account &raquo;
   <% end %>
diff --git a/config/locales/strings/en.users.yml b/config/locales/strings/en.users.yml
@@ -5,5 +5,7 @@ en:
         Admin accounts cannot be self-deleted. Contact support.
       no_mod_self_delete: >
         Moderator accounts cannot be self-deleted. Contact support.
+      no_2fa_self_delete: >
+        Accounts using 2FA cannot be self-deleted. Disable 2FA first.
       self_delete_wrong_username: >
         The username you entered was incorrect.
