Prevent last admin deletion & Update the Delete user feature

2025-02-17 02:41:13 +01:00 · 2023-03-10 16:02:56 +01:00 · 2023-03-10 16:02:56 +01:00 · 4753401827
commit 4753401827
parent fd6941d300
2 changed files with 19 additions and 20 deletions
--- a/app/Http/Controllers/Auth/UserController.php
+++ b/app/Http/Controllers/Auth/UserController.php
@ -6,7 +6,7 @@
 use App\Http\Controllers\Controller;
 use App\Http\Requests\UserDeleteRequest;
 use App\Http\Requests\UserUpdateRequest;
-use Illuminate\Support\Facades\Artisan;
+use App\Models\User;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Hash;
@ -51,40 +51,38 @@ public function update(UserUpdateRequest $request)
    public function delete(UserDeleteRequest $request)
    {
        $validated = $request->validated();
        $user = Auth::user();
-        Log::info(sprintf('Deletion of user ID #%s requested', $validated['user_id']));
+        Log::info(sprintf('Deletion of user ID #%s requested', $user->id));
        if ($user->is_admin && User::admins()->count() == 1) {
            return response()->json(['message' => __('errors.cannot_delete_the_only_admin')], 400);
        }
        if (! Hash::check($validated['password'], Auth::user()->password)) {
            return response()->json(['message' => __('errors.wrong_current_password')], 400);
        }
        try {
-            DB::transaction(function () {
+            DB::transaction(function () use ($user) {
-                DB::table('twofaccounts')->delete();
+                DB::table('twofaccounts')->where('user_id', $user->id)->delete();
-                DB::table('groups')->delete();
+                DB::table('groups')->where('user_id', $user->id)->delete();
-                DB::table('options')->delete();
+                DB::table('webauthn_credentials')->where('authenticatable_id', $user->id)->delete();
-                DB::table('webauthn_credentials')->delete();
+                DB::table('webauthn_recoveries')->where('email', $user->email)->delete();
-                DB::table('webauthn_recoveries')->delete();
+                DB::table('oauth_access_tokens')->where('user_id', $user->id)->delete();
-                DB::table('oauth_access_tokens')->delete();
+                DB::table('password_resets')->where('email', $user->email)->delete();
-                DB::table('oauth_auth_codes')->delete();
+                DB::table('users')->where('id', $user->id)->delete();
                DB::table('oauth_clients')->delete();
                DB::table('oauth_personal_access_clients')->delete();
                DB::table('oauth_refresh_tokens')->delete();
                DB::table('password_resets')->delete();
                DB::table('users')->delete();
            });
            Artisan::call('passport:install --force');
            Artisan::call('config:clear');
        }
        // @codeCoverageIgnoreStart
        catch (\Throwable $e) {
-            Log::error('User deletion failed');
+            Log::error(sprintf('Deletion of user ID #%s failed, transaction has been rolled-back', $user->id));
            return response()->json(['message' => __('errors.user_deletion_failed')], 400);
        }
        // @codeCoverageIgnoreEnd
-        Log::info(sprintf('User ID #%s deleted', $validated['user_id']));
+        
        Log::info(sprintf('User ID #%s deleted', $user->id));
        return response()->json(null, 204);
    }
--- a/resources/lang/en/errors.php
+++ b/resources/lang/en/errors.php
@ -51,4 +51,5 @@
    'file_upload_failed' => 'File upload failed',
    'unauthorized' => 'Unauthorized',
    'unauthorized_legend' => 'You do not have permissions to view this resource or to perform this action',
    'cannot_delete_the_only_admin' => 'Cannot delete the only admin account'
 ];