Let user remove their account by themselves #4162
Comments
teolemon
added
✨ enhancement
teolemon
changed the title
|
@M123-dev @monsieurtanuki @g123k this one is really useful, since answering manually to deletion requests is a lot of recurring work |
|
@teolemon The thing is that I don't think we have such thing as "check that the user is logged in" in off-dart. |
|
What we could do is change the url of the webview to the deletion page on the website @monsieurtanuki |
|
@teolemon Currently we go to this page: final Uri uri = Uri(
scheme: 'https',
host: 'blog.openfoodfacts.org',
pathSegments: <String>[
'en',
'account-deletion',
],
queryParameters: <String, String>{
'your-subject': subject,
if (userId != null && userId.isEmail)
'your-mail': userId
else if (userId != null)
'your-name': userId
});What should the URL be instead? |
|
https://world.openfoodfacts.org/cgi/user.pl?type=edit&userid=teolemon (replace teolemon by user-id) |
|
I land on an "edit your profile" page, in English, and cannot see a "delete" button. |
|
@alexgarel @stephanegigandet will deploy that soon I believe. It should be live on .net, but I don't see it with my regular account, as opposed to my superadmin one |
|
Ping when it's available on .org. |
|
@monsieurtanuki it is live |
|
@teolemon It's not that easy. If you're not connected before on the website, you land on an obscure "Error" page If I remove the "type=edit" parameter, I land on a "Register" page (with an improbable pessimistic "Delete account" button) Is there a URL to the sign in page? |
|
@john-gom Just checking: anybody can call
It would be much safer if you also asked for the password. I mean, in the context you developed (website) it's not very important (already connected), but it is for an API. |
|
@teolemon I didn't mean that it was a desired feature: my limited knowledge of perl made me ask that while trying to reverse engineer /cgi/user.pl. curl
-X POST https://fr.openfoodfacts.org/cgi/user.pl -H "Content-Type: application/x-www-form-urlencoded"
-d "userid=test-del-20230703-1&type=edit&action=process&delete=on&password=test-del-20230703-1" |
|
You won't be able to call the API directly like that. You would need a session cookie for the user before it would work. |
|
Then is that possible only for the website or also for flutter? I don't know how it would work. |
|
Sorry, it seems we may have to add an API point ! |
|
@alexgarel It definitely looks so. Maybe it's not even enough, as someone could erase all users in bruteforce attack. I don't know how deleting a user works here:
|
|
Users can only delete their own user account. To work, the request needs to be authenticated: either with a session cookie, or with userid + password. |
|
@stephanegigandet That's what I tried unsuccessfully with the code I mentioned earlier: curl
-X POST https://fr.openfoodfacts.org/cgi/user.pl -H "Content-Type: application/x-www-form-urlencoded"
-d "userid=test-del-20230703-1&type=edit&action=process&delete=on&password=test-del-20230703-1"Is there some typo in my request? |
|
A test is currently being written https://github.com/openfoodfacts/openfoodfacts-server/pull/8723/files |
|
my %delete_form = ( |
|
@monsieurtanuki I've successfully deleted the account in two steps from my browser, login in, and then deleting using the url you tried. It seems you can't do both at the same time. |
@teolemon Actually we don't have that much methods in off-dart regarding users:
That said, there's nothing for the moment on the server side that would delete a user in just one command if you're not already connected to the website. |
|
I believe we had this issue specifically for iOS, and we'll soon have the same issue for android:
|
M123-dev
added
blocked on server
and removed
blocked on openfoodfacts-dart release
labels
|
I've just created openfoodfacts/openfoodfacts-server#8940. Please add any corrections if I am wrong @monsieurtanuki |
What
Part of
The text was updated successfully, but these errors were encountered: