User should be able to delete his account even with no password set #104

Closed
wassim opened this issue Apr 22, 2021 · 7 comments · Fixed by #107
Labels
bug Something isn't working

Comments

wassim (Contributor) commented Apr 22, 2021

Is there a specific reason for the following modification?

old

```html
<div v-if="$page.props.jetstream.hasAccountDeletionFeatures">
    <jet-section-border />

    <delete-user-form class="mt-10 sm:mt-0" />
</div>
```

new

```html
<div v-if="$page.props.socialstream.hasPassword">
    <jet-section-border />

    <delete-user-form class="mt-10 sm:mt-0" />
</div>
```

wassim added the bug label Apr 22, 2021
joelbutcher (Owner) commented Apr 22, 2021

Yes, it's a security flaw and jetstream by default requires a password to delete an account, so I've kept that functionality.

The code may be modified to include the check for the feature, but the requirement of a password should still be present.

joelbutcher (Owner) commented

@wassim see #107

wassim closed this as completed Apr 22, 2021

lsmith77 (Contributor) commented Dec 1, 2021

for my clarification, this means until Jetstream supports deleting without password, socialstream will not support deleting of password-less users either? i.e. if I want to allow password-less users to delete their account, I will need to take this up with jetstream maintainers?

semi-related I want to even make it possible to disable setting a password entirely on a team aka domain level, so that organizations can force the use of SSO.

joelbutcher (Owner) commented Dec 2, 2021

@lsmith77, yes the team at Laravel are responsible for disabling deleting an account without a password. They may publish a file on install, that you can override, but I can't guarantee it.

RE your SSO questions, is it not enough to just hide the forms with a condition?

```blade
@if (! $organisation->supportsSso())
    <!-- Render form -->
@endif
```

lsmith77 (Contributor) commented Dec 2, 2021

yeah but I then also need to add some logic to the controller to check this. will have to see how I can do this somewhat cleanly. kinda wish that socialstream would be seen as part of jetstream core.
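
The server-side counterpart to the Blade condition discussed above, as an added example (not code from Socialstream, Jetstream or any participant in this thread): a Laravel middleware that rejects password changes for SSO-only organisations even when the request is sent without the form. The `organisation` relation and `supportsSso()` method are hypothetical, taken from the snippet above, and the route name assumes Jetstream's default Fortify routes.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Rejects password changes for users whose organisation enforces SSO,
 * so that hiding the form in the view is backed by a server-side check.
 */
class EnforceSsoOnlyPasswords
{
    /**
     * Route names that set or change a password. 'user-password.update' is
     * the Laravel Fortify route used by Jetstream (assumed default install);
     * confirm with `php artisan route:list` and add any other routes here.
     */
    private const PASSWORD_ROUTES = ['user-password.update'];

    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        // Guests and unrelated routes pass through untouched.
        if ($user === null || ! $request->routeIs(...self::PASSWORD_ROUTES)) {
            return $next($request);
        }

        // Hypothetical relation and method, mirroring the Blade snippet above.
        $organisation = $user->organisation;

        if ($organisation !== null && $organisation->supportsSso()) {
            // Same decision as the view, enforced where a hand-built
            // request cannot bypass it by skipping the rendered page.
            abort(403, 'Passwords are disabled for this organisation; sign in with SSO.');
        }

        return $next($request);
    }
}
```

The middleware has to run after routing and authentication (for example appended to the `web` middleware group), because `routeIs()` and `$request->user()` are only populated at that point.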

lsmith77 (Contributor) commented Dec 2, 2021

ah .. looks like I am digging up old “wounds” with my above statement as I just found laravel/jetstream#444

I will look into this a bit more on the jetstream side to see what sort of extension points might be needed to make this work cleanly. if I have any findings (i.e. ideally a PR) you will see it soon enough.

joelbutcher (Owner) commented Dec 3, 2021

@lsmith77 Yup, don't go there... 😢😂
