krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-19 07:37:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added password requirement

Browse Source
This commit is contained in:
Keith Holliday
2016-03-25 08:31:49 -05:00
parent 7f65707ee4
commit 075b31c075
3 changed files with 44 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
website/src/controllers/api-v3/user.js
View File

@@ -15,6 +15,7 @@ import { model as User } from '../../models/user';
import Q from 'q';
import _ from 'lodash';
import * as firebase from '../../libs/api-v3/firebase';
import * as passwordUtils from '../../libs/api-v3/password';
let api = {};
@@ -61,6 +62,18 @@ api.deleteUser = {
let user = res.locals.user;
let plan = user.purchased.plan;
req.checkBody({
password: {
notEmpty: {errorMessage: res.t('missingPassword')},
},
});
let validationErrors = req.validationErrors();
if (validationErrors) throw validationErrors;
let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
if (plan && plan.customerId && !plan.dateTerminated) {
throw new NotAuthorized(res.t('cannotDeleteActiveAccount'));
}
@@ -68,9 +81,8 @@ api.deleteUser = {
let types = ['party', 'publicGuilds', 'privateGuilds'];
// @TODO: The group leave route doesn't work unless it has these fields. We should probably force the group to get these
let groupFields = basicGroupFields.concat(' leader memberCount');
let populateLeader = true;
let groupsUserIsMemberOf = await Group.getGroups({user, types, groupFields, populateLeader});
let groupsUserIsMemberOf = await Group.getGroups({user, types, groupFields});
let groupLeavePromises = groupsUserIsMemberOf.map((group) => {
return group.leave(user, 'remove-all');