🐛 fix unknown user id on deactivated event

no issue - if you delete an active user, Ghost logs an error message (Ghost does not crash!) - but the event logic is not triggered, that means we don't delete the users tokens - token deletion happens on: suspend a user and delete a user
2023-12-13 21:00:40 +01:00 · 2017-07-18 16:15:29 +02:00 · 2017-07-18 16:15:29 +02:00 · d4c74e74c4
parent 522bd02224
commit d4c74e74c4
2 changed files with 36 additions and 3 deletions
--- a/core/server/models/base/listeners.js
+++ b/core/server/models/base/listeners.js
@ -20,9 +20,14 @@ events.on('token.added', function (tokenModel) {
 /**
 * WHEN user get's suspended (status=inactive), we delete his tokens to ensure
 * he can't login anymore
+ *
+ * NOTE:
+ *   - this event get's triggered either on user update (suspended) or if an **active** user get's deleted.
+ *   - if an active user get's deleted, we have to access the previous attributes, because this is how bookshelf works
+ *     if you delete a user.
 */
 events.on('user.deactivated', function (userModel) {
-    var options = {id: userModel.id};
+    var options = {id: userModel.id || userModel.previousAttributes().id};

    models.Accesstoken.destroyByUser(options)
        .then(function () {
--- a/core/test/functional/routes/api/users_spec.js
+++ b/core/test/functional/routes/api/users_spec.js
@ -12,7 +12,7 @@ describe('User API', function () {
        authorAccessToken = '',
        editor, author, ghostServer, inactiveUser;

-    before(function (done) {
+    beforeEach(function (done) {
        // starting ghost automatically populates the db
        // TODO: prevent db init, and manage bringing up the DB with fixtures ourselves
        ghost().then(function (_ghostServer) {
@ -63,7 +63,7 @@ describe('User API', function () {
        }).catch(done);
    });

-    after(function () {
+    afterEach(function () {
        return testUtils.clearData()
            .then(function () {
                return ghostServer.stop();
@ -433,6 +433,34 @@ describe('User API', function () {
                    });
            });
        });
+
+        describe('Destroy', function () {
+            it('[success] Destroy active user', function (done) {
+                request.delete(testUtils.API.getApiQuery('users/' + editor.id))
+                    .set('Authorization', 'Bearer ' + ownerAccessToken)
+                    .expect(204)
+                    .end(function (err) {
+                        if (err) {
+                            return done(err);
+                        }
+
+                        done();
+                    });
+            });
+
+            it('[failure] Destroy unknown user id', function (done) {
+                request.delete(testUtils.API.getApiQuery('users/' + ObjectId.generate()))
+                    .set('Authorization', 'Bearer ' + ownerAccessToken)
+                    .expect(403)
+                    .end(function (err) {
+                        if (err) {
+                            return done(err);
+                        }
+
+                        done();
+                    });
+            });
+        });
    });

    describe('As Editor', function () {