User must be logged-in to use the cancel account link that is emailed

Created on 23 November 2016, about 8 years ago
Updated 16 May 2024, 7 months ago

Problem/Motivation

When cancelling a user account, an administrator has the option to require email confirmation to cancel the account. This can be optionally checked.

The user in question receives a unique link to then cancel their account. This does not work correctly for said user if they are logged out of the CMS, instead they see a 403 page. However, when logged into the CMS as the user in question the link works correctly and their account is disabled.

Proposed resolution

Remaining tasks

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component
User moduleΒ  β†’

Last updated about 16 hours ago

Created by

πŸ‡¬πŸ‡§United Kingdom xiwar

Live updates comments and jobs are added and updated live.
  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • πŸ‡«πŸ‡·France 5

    Maybe we can refactor this cancel confirm route so it asks your password one last time.

    Something like changing the link form cancellation_url to /user/login?destination=cancellation_url, which should transparently

    • if not connected, makes the user land on user login form instead of unattended 403 (making it understand it may login in order to confirm the cancellation of its account)
    • if connected, makes the user land to the cancellation confirmation page

    ?

Production build 0.71.5 2024