Merge branch 'delete-account-fix' into 'develop'

author lain <lain@soykaf.club>

Wed, 15 Dec 2021 21:26:45 +0000 (21:26 +0000)

committer lain <lain@soykaf.club>

Wed, 15 Dec 2021 21:26:45 +0000 (21:26 +0000)
author lain <lain@soykaf.club>
Wed, 15 Dec 2021 21:26:45 +0000 (21:26 +0000)
committer lain <lain@soykaf.club>
Wed, 15 Dec 2021 21:26:45 +0000 (21:26 +0000)
diff --git a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex

index ebcfd3be231e661871a1409147331bf8fd228875..5a2b0bc49d574a79ed31b081fde5f01e742c03db 100644 (file)
--- a/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/twitter_util_operation.ex
@@ -191,6 +191,7 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
        parameters: [
          Operation.parameter(:password, :query, :string, "Password")
        ],
+      requestBody: request_body("Parameters", delete_account_request(), required: false),
        responses: %{
          200 =>
            Operation.response("Success", "application/json", %Schema{
@@ -237,4 +238,22 @@ defmodule Pleroma.Web.ApiSpec.TwitterUtilOperation do
        responses: %{200 => Operation.response("Web Page", "test/html", %Schema{type: :string})}
      }
    end
+
+  defp delete_account_request do
+    %Schema{
+      title: "AccountDeleteRequest",
+      description: "POST body for deleting one's own account",
+      type: :object,
+      properties: %{
+        password: %Schema{
+          type: :string,
+          description: "The user's own password for confirmation.",
+          format: :password
+        }
+      },
+      example: %{
+        "password" => "prettyp0ony1313"
+      }
+    }
+  end
  end
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex

index ef43f76820637cb8b44da7d423dc3ae288f4f4ed..a4e44efddf3b9ef439edf4c85a9ee056939ffc72 100644 (file)
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -123,8 +123,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
      end
    end
  
-  def delete_account(%{assigns: %{user: user}} = conn, params) do
-    password = params[:password] || ""
+  def delete_account(%{assigns: %{user: user}, body_params: body_params} = conn, params) do
+    # This endpoint can accept a query param or JSON body for backwards-compatibility.
+    # Submitting a JSON body is recommended, so passwords don't end up in server logs.
+    password = body_params[:password] || params[:password] || ""
  
      case CommonAPI.Utils.confirm_current_password(user, password) do
        {:ok, user} ->
diff --git a/test/pleroma/web/twitter_api/util_controller_test.exs b/test/pleroma/web/twitter_api/util_controller_test.exs

index 3380aec2234df8dc87d787d94f8ee0dc9d8ee8d0..ee658ddf64f6f780ae10a27f82fc0d9b69f7790d 100644 (file)
--- a/test/pleroma/web/twitter_api/util_controller_test.exs
+++ b/test/pleroma/web/twitter_api/util_controller_test.exs
@@ -473,7 +473,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
  
      test "with proper permissions and wrong or missing password", %{conn: conn} do
        for params <- [%{"password" => "hi"}, %{}] do
-        ret_conn = post(conn, "/api/pleroma/delete_account", params)
+        ret_conn =
+          conn
+          |> put_req_header("content-type", "application/json")
+          |> post("/api/pleroma/delete_account", params)
  
          assert json_response_and_validate_schema(ret_conn, 200) == %{
                   "error" => "Invalid password."
@@ -481,8 +484,28 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
        end
      end
  
-    test "with proper permissions and valid password", %{conn: conn, user: user} do
-      conn = post(conn, "/api/pleroma/delete_account?password=test")
+    test "with proper permissions and valid password (URL query)", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/pleroma/delete_account?password=test")
+
+      ObanHelpers.perform_all()
+      assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
+
+      user = User.get_by_id(user.id)
+      refute user.is_active
+      assert user.name == nil
+      assert user.bio == ""
+      assert user.password_hash == nil
+    end
+
+    test "with proper permissions and valid password (JSON body)", %{conn: conn, user: user} do
+      conn =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/pleroma/delete_account", %{password: "test"})
+
        ObanHelpers.perform_all()
        assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
author	lain <lain@soykaf.club>
	Wed, 15 Dec 2021 21:26:45 +0000 (21:26 +0000)
committer	lain <lain@soykaf.club>
	Wed, 15 Dec 2021 21:26:45 +0000 (21:26 +0000)
lib/pleroma/web/api_spec/operations/twitter_util_operation.ex		patch \| blob \| history
lib/pleroma/web/twitter_api/controllers/util_controller.ex		patch \| blob \| history
test/pleroma/web/twitter_api/util_controller_test.exs		patch \| blob \| history