diff --git a/api/controllers/UserController.js b/api/controllers/UserController.js
index d81942ad..a7f743f0 100644
--- a/api/controllers/UserController.js
+++ b/api/controllers/UserController.js
@@ -494,31 +494,31 @@ module.exports = {
    * description: Requested user not found.
    */
   async destroy(request, reply) {
-    // Don't allow admins to delete their account.
-    if (!request.auth.credentials.is_admin
-      && request.auth.credentials._id.toString() !== request.params.id) {
+    // Find user in DB.
+    const user = await User.findById(request.params.id);
+
+    // User not found.
+    if (!user) {
       logger.warn(
-        `[UserController->destroy] User ${request.auth.credentials._id.toString()} is not allowed to delete user ${request.params.id}`,
+        `[UserController->destroy] Could not find user ${request.params.id}`,
         {
           request,
           fail: true,
         },
       );
-      throw Boom.forbidden('You are not allowed to delete this account');
+      throw Boom.notFound();
     }
 
-    // Find user in DB.
-    const user = await User.findOne({ _id: request.params.id });
-
-    if (!user) {
+    // User is admin and cannot be deleted.
+    if (user.is_admin) {
       logger.warn(
-        `[UserController->destroy] Could not find user ${request.params.id}`,
+        `[UserController->destroy] User ${request.params.id} is an admin and cannot be deleted.`,
         {
           request,
           fail: true,
         },
       );
-      throw Boom.notFound();
+      throw Boom.forbidden();
     }
 
     // Notify user that their account was deleted.
@@ -527,6 +527,7 @@ module.exports = {
     // Delete this user.
     await user.remove();
 
+    // Log the event and return success code.
     logger.info(
       `[UserController->destroy] Removed user ${request.params.id}`,
       {
@@ -534,7 +535,6 @@ module.exports = {
         security: true,
       },
     );
-
     return reply.response().code(204);
   },
 
diff --git a/config/routes.js b/config/routes.js
index 7c80afbf..edd585d7 100644
--- a/config/routes.js
+++ b/config/routes.js
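Review bot: The rewritten body of `destroy` no longer checks that the caller is allowed to delete `request.params.id`; the only guard left in the handler is `user.is_admin`, so it now depends entirely on `UserPolicy.canDestroy` being wired in front of it (added to `config/routes.js` in this commit, implementation not in the diff). That precondition should be stated on the handler so a later route change cannot drop it unnoticed, e.g. `// Caller authorization (owner or admin) is enforced by UserPolicy.canDestroy in config/routes.js; this handler assumes it has already run.` The refusal to delete an admin account is a security-relevant event, yet its `logger.warn` carries only `fail: true` while the success log in the later hunk is tagged `security: true`; consider adding `security: true` to that warn as well. `destroy` continues past the end of this hunk.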
@@ -398,6 +398,7 @@ module.exports = [
     path: '/api/v3/user/{id}',
     options: {
       pre: [
+        UserPolicy.canDestroy,
         AuthPolicy.isTOTPEnabledAndValid,
       ],
       handler: UserController.destroy,
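Review bot: `UserPolicy.canDestroy` is inserted ahead of `AuthPolicy.isTOTPEnabledAndValid` in `pre`, so the ownership/admin decision (and any user lookup it performs) runs before the second factor has been validated; if TOTP is meant to gate all work on this route, the added line should follow the TOTP check: `AuthPolicy.isTOTPEnabledAndValid,` then `UserPolicy.canDestroy,`. Whether the rest of this file orders policies the other way, or whether `canDestroy` touches the database, cannot be seen from the hunk. The route object starts and ends outside the hunk.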