update /user/delete defroute: add 'type username input check'.

When the user wants to delete their account they must now enter their username as part of the form they submit. This is so they don't accidently delete thier account.
2 years ago · 9430942cb5
1 changed files with 27 additions and 14 deletions
--- a/src/web.lisp
+++ b/src/web.lisp
@ -545,12 +545,25 @@

 (defroute ("/user/delete" :method :POST) ()
  (destructuring-bind
-      (&key authenticity-token &allow-other-keys)
+      (&key authenticity-token delete-account-check &allow-other-keys)
      (utils:request-params (lack.request:request-body-parameters ningle:*request*))
    (cond ((not (string= authenticity-token (auth:csrf-token)))
 	   `(,+forbidden+ (:content-type "text/plain") ("Denied")))
 	  (t (hermetic:auth (:logged-in)
 			    ;; Authorised
+			    (cond ((utils:string-is-nil-or-empty? delete-account-check)
+				   (utils:set-alert
+				    "No username entered. Account not deleted."
+				    "missing-data")
+				   (redirect "/user/edit"))
+				  ((not (string= delete-account-check
+						 (user::username-of
+						  (auth:get-current-user))))
+				   (utils:set-alert
+				    "Wrong username entered. Account not deleted."
+				    "invalid-data")
+				   (redirect "/user/edit"))
+				  (t
 				   (progn
 				     (nera-db:delete-user
 				      (user::username-of (auth:get-current-user)))
@ -563,7 +576,7 @@
 				      ;; (session data persits).
 				      (progn (utils:set-alert
 					      "Unable to delete session data." "error")
-				      (redirect "/"))))
+					     (redirect "/"))))))
 			    ;; Not Authorised
 			    (progn (utils:set-alert "You are not logged in."
 						    "error")