Skip to content

don't allow self-deletion for an account that (still) uses 2fa#1695

Merged
cellio merged 3 commits intodevelopfrom
cellio/no-2fa-self-delete
Jul 22, 2025
Merged

don't allow self-deletion for an account that (still) uses 2fa#1695
cellio merged 3 commits intodevelopfrom
cellio/no-2fa-self-delete

Conversation

@cellio
Copy link
Member

@cellio cellio commented Jul 22, 2025
edited
Loading

Small followup to #1668. While testing something else I noticed that we should probably make it harder for a 2FA user to self-delete. Rather than trying to check the second factor (complicated), I propose that we not allow self-deletion in this case. If you use 2FA and want to delete your account, first disable 2FA (which will require a code) and then proceed.

We ought to also block the SSO case, but I don't know how to set up an SSO environment to develop/test in. I propose spinning that off as a separate issue for the future and making sure we document this gap in the release notes.

@cellio cellio requested a review from ArtOfCode- July 22, 2025 02:56
@Oaphi
Copy link
Member

Oaphi commented Jul 22, 2025
edited
Loading

Maybe we should require passing MFA for users with it enabled instead? That's more complex to implement, but if a user is already at the point of self-deletion, we might as well not cause further frustration.

@Oaphi Oaphi mentioned this pull request Jul 22, 2025
Merged
@codecov
Copy link

codecov bot commented Jul 22, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 72.97%. Comparing base (6418a35) to head (f7bebe0).
Report is 4 commits behind head on develop.

Additional details and impacted files
Components Coverage Δ
controllers 68.69% <100.00%> (-0.01%) ⬇️
helpers 75.96% <ø> (ø)
jobs 48.57% <ø> (ø)
models 85.86% <ø> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@cellio
Copy link
Member Author

cellio commented Jul 22, 2025
edited by Oaphi
Loading

Maybe we should require passing MFA for users with it enabled instead? That's more complex to implement, but if a user is already at the point of self-deletion, we might as well not cause further frustration.

I'm proposing the easy fix now because self-delete is already merged so 2fa self-delete is possible without the second factor. If we decide to instead do the second-factor check as part of the deletion, we can improve that later.

@trichoplax trichoplax mentioned this pull request Jul 22, 2025
Open
@cellio cellio merged commit 434fcca into develop Jul 22, 2025
9 of 10 checks passed
@cellio cellio deleted the cellio/no-2fa-self-delete branch July 22, 2025 15:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ArtOfCode- ArtOfCode- ArtOfCode- approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cellio @Oaphi @ArtOfCode-