fix: implement UserPolicy.canDestroy as policy for UserController.des…

…troy
UN-OCHA · Dec 6, 2021 · 842dd35 · 842dd35
1 parent aa308e8
commit 842dd35
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 12 deletions.
diff --git a/api/controllers/UserController.js b/api/controllers/UserController.js
@@ -494,31 +494,31 @@ module.exports = {
    *     description: Requested user not found.
    */
   async destroy(request, reply) {
-    // Don't allow admins to delete their account.
-    if (!request.auth.credentials.is_admin
-      && request.auth.credentials._id.toString() !== request.params.id) {
+    // Find user in DB.
+    const user = await User.findById(request.params.id);
+
+    // User not found.
+    if (!user) {
       logger.warn(
-        `[UserController->destroy] User ${request.auth.credentials._id.toString()} is not allowed to delete user ${request.params.id}`,
+        `[UserController->destroy] Could not find user ${request.params.id}`,
         {
           request,
           fail: true,
         },
       );
-      throw Boom.forbidden('You are not allowed to delete this account');
+      throw Boom.notFound();
     }
 
-    // Find user in DB.
-    const user = await User.findOne({ _id: request.params.id });
-
-    if (!user) {
+    // User is admin and cannot be deleted.
+    if (user.is_admin) {
       logger.warn(
-        `[UserController->destroy] Could not find user ${request.params.id}`,
+        `[UserController->destroy] User ${request.params.id} is an admin and cannot be deleted.`,
         {
           request,
           fail: true,
         },
       );
-      throw Boom.notFound();
+      throw Boom.forbidden();
     }
 
     // Notify user that their account was deleted.
@@ -527,14 +527,14 @@ module.exports = {
     // Delete this user.
     await user.remove();
 
+    // Log the event and return success code.
     logger.info(
       `[UserController->destroy] Removed user ${request.params.id}`,
       {
         request,
         security: true,
       },
     );
-
     return reply.response().code(204);
   },
 

diff --git a/config/routes.js b/config/routes.js
@@ -398,6 +398,7 @@ module.exports = [
     path: '/api/v3/user/{id}',
     options: {
       pre: [
+        UserPolicy.canDestroy,
         AuthPolicy.isTOTPEnabledAndValid,
       ],
       handler: UserController.destroy,