Account deletion must be confirmed #95
Conversation
|
|
||
| send_mail( | ||
| 'Confirm Your Account Deletion', | ||
| f'Click the link to confirm deletion: {confirm_url}', |
There was a problem hiding this comment.
Please add a note to the email how long the token is valid.
| user = User.objects.filter(email=email).first() | ||
|
|
||
| if user: | ||
| if user.deleted: |
There was a problem hiding this comment.
Is this the case when a user is deleted and then logs in again?
| path("request_delete/", views.request_delete, name="request_delete"), | ||
| path("confirm-delete/<str:token>/", views.confirm_account_deletion, name="confirm_delete"), | ||
| path("finalize-delete/", views.finalize_account_deletion, name="finalize_delete"), |
There was a problem hiding this comment.
Please stick to one style of URLs - I suggest to stick with hyphens only.
| cache.set(f"delete_token_{token}", user.id, timeout=3600) | ||
|
|
||
| confirm_url = request.build_absolute_uri(reverse('optimap:confirm_delete', args=[token])) | ||
|
|
||
| send_mail( |
There was a problem hiding this comment.
Suggest to define the pre-string only in one location and then import that string here, and elsewhere. If you search the code for "delete_token", you'll find multiple spots.
Also, we might have other tokens in the future, so user_delete_token would be more explicit.
| def confirm_account_deletion(request, token): | ||
| user_id = cache.get(f"delete_token_{token}") | ||
|
|
||
| if user_id is None: |
There was a problem hiding this comment.
What about checking that the currently logged in user actually is the to be deleted user?
| user.deleted = True | ||
| user.deleted_at = now() | ||
| user.save() |
There was a problem hiding this comment.
Can you put these lines in a try catch block?
If something goes wrong during the save, the cache.delete(.. and the removal of the token from the session might not be properly called.
Closes #25