FIX: Do not set destination_url cookie after deleting own account. (#8028)
destination_url cookie is used to redirect the user to the a private page after they have logged in. After deleting own account, a user’s pages would be refreshed which would set the destination_url, cookie that can cause a redirect to an invalid page after logging in again.
User is at
/u/:username/preferences/accountand deletes account by requesting DELETE
User is being destroyed and a MessageBus message (
['refresh']) is published.
User receives response to DELETE request, but page may be or not refreshed. Anyway, since they can no longer see the preferences page, they are redirected to
destination_urlcookie is set, that will redirect on next login (but to the previous preferences page).
diff --git a/app/services/user_destroyer.rb b/app/services/user_destroyer.rb index 9ef3394..bc3c1e3 100644 --- a/app/services/user_destroyer.rb +++ b/app/services/user_destroyer.rb @@ -111,7 +111,7 @@ class UserDestroyer end StaffActionLogger.new(deleted_by).log_user_deletion(user, opts.slice(:context)) end - MessageBus.publish "/file-change", ["refresh"], user_ids: [result.id] + MessageBus.publish "/logout", result.id, user_ids: [result.id] end end
GitHub sha: 34a76bf1