
Fix account deletion for users without passwords

Open wackbyte opened this issue 2 years ago • 6 comments

Hides the password input of the account deletion form if the user does not have a password (i.e. they registered with OAuth or similar and never set a password) and puts a note saying that they must create a password before being able to delete their account.

Before: image (with a 500 error after attempting to confirm deletion)

After: image

Closes #18329.

wackbyte avatar Jan 27 '24 04:01 wackbyte

I just worry that such an approach would lead to some security problems. Deleting an account indeed requires some last step "verification".

My thought in https://github.com/go-gitea/gitea/issues/18329#issuecomment-1017267372 is:

A possible solution could be: we save the external login time in session, then if a user wants to delete the account within 1 minute after login, we allow it. This solution makes every user have a chance to delete their account with a fresh external login.

I am not sure whether my idea is good enough either, so feel free to consider it or not.

wxiaoguang avatar Jan 29 '24 01:01 wxiaoguang
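
The fresh-login check proposed in the comment above, sketched as an added example; it is not code from this PR or from Gitea. `Session`, `CanDeleteAccount` and the error names are hypothetical, and the sketch assumes the server records the login time itself when the external login completes.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// FreshLoginWindow is the 1-minute window from the proposal.
const FreshLoginWindow = time.Minute

var (
	ErrPasswordRequired = errors.New("password confirmation required")
	ErrLoginNotFresh    = errors.New("external login too old, sign in again")
)

// Session is a hypothetical stand-in for server-side session state.
type Session struct {
	// Set by the server when the external login completes; zero if it never did.
	ExternalLoginAt time.Time
}

// CanDeleteAccount reports whether the last-step verification is satisfied.
// Accounts with a password must confirm it; accounts without one need an
// external login that happened within FreshLoginWindow.
func CanDeleteAccount(hasPassword, passwordOK bool, s Session, now time.Time) error {
	if hasPassword {
		if !passwordOK {
			return ErrPasswordRequired
		}
		return nil
	}
	age := now.Sub(s.ExternalLoginAt)
	// Fail closed on a missing timestamp, a timestamp in the future
	// (clock skew or tampering) and a login older than the window.
	if s.ExternalLoginAt.IsZero() || age < 0 || age > FreshLoginWindow {
		return ErrLoginNotFresh
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 29, 1, 0, 0, 0, time.UTC) // constructed sample time
	for _, d := range []time.Duration{30 * time.Second, 5 * time.Minute} {
		s := Session{ExternalLoginAt: now.Add(-d)}
		fmt.Printf("login %v ago: %v\n", d, CanDeleteAccount(false, false, s, now))
	}
}
```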

I agree that this approach has problems in terms of security. I think another good alternative could be disabling the button and adding a note along the lines of "you must set a password before you can delete your account."

wackbyte avatar Jan 29 '24 04:01 wackbyte

> I agree that this approach has problems in terms of security. I think another good alternative could be disabling the button and adding a note along the lines of "you must set a password before you can delete your account."

Please send another PR or update this PR to the new approach.

lunny avatar Jan 29 '24 08:01 lunny

Updated.

wackbyte avatar Jan 30 '24 03:01 wackbyte

Maybe we'd say if there is no password, the account can only be deleted by the administrator? Where can the password be set?

lunny avatar Jan 30 '24 06:01 lunny

> Where can the password be set?

The top of the account settings page has the password change form (above the account deletion one) so I thought the message wouldn't need to tell its location.

wackbyte avatar Jan 30 '24 13:01 wackbyte

Another idea would be to not request the password but send an email with a confirmation link. That would work for all types of accounts.

KN4CK3R avatar Feb 11 '24 21:02 KN4CK3R

For non-local users, maybe they should not be allowed to delete the account themselves.

lunny avatar Mar 08 '24 13:03 lunny

> For non-local users, maybe they should not be allowed to delete the account themselves.

I think all users should be able to, if we want to comply with "Right to be forgotten".

silverwind avatar Mar 14 '24 23:03 silverwind