diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 61a9e24a41..ff64259409 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@@ -725,6 +725,11 @@ App::delete('/v1/users/:userId')
 throw new Exception('User not found', 404);
 }
+ /**
+ * DO NOT DELETE THE USER RECORD ITSELF.
+ * WE RETAIN THE USER RECORD TO RESERVE THE USER ID AND ENSURE THAT THE USER ID IS NOT REUSED.
+ */
+ // clone user object to send to workers
 $clone = clone $user;
@@ -733,6 +738,8 @@ App::delete('/v1/users/:userId')
 ->setAttribute("email", null)
 ->setAttribute("password", null)
 ->setAttribute("deleted", true)
+ ->setAttribute("tokens", [])
+ ->setAttribute("search", null)
 ;
 $dbForProject->updateDocument('users', $userId, $user);
diff --git a/app/workers/deletes.php b/app/workers/deletes.php
index f4fd667d2a..8caf7ddb23 100644
--- a/app/workers/deletes.php
+++ b/app/workers/deletes.php
@@ -188,9 +188,22 @@ class DeletesV1 extends Worker
 */
 protected function deleteUser(Document $document, string $projectId): void
 {
+ /**
+ * DO NOT DELETE THE USER RECORD ITSELF.
+ * WE RETAIN THE USER RECORD TO RESERVE THE USER ID AND ENSURE THAT THE USER ID IS NOT REUSED.
+ */
+ $userId = $document->getId();
+ $user = $this->getProjectDB($projectId)->getDocument('users', $userId);
+
+ // Delete all sessions of this user from the sessions table and update the sessions field of the user record
+ $this->deleteByGroup('sessions', [
+ new Query('userId', Query::TYPE_EQUAL, [$userId])
+ ], $this->getProjectDB($projectId));
+
+ $user->setAttribute('sessions', []);
+ $updated = Authorization::skip(fn() => $this->getProjectDB($projectId)->updateDocument('users', $userId, $user));
- // Tokens and Sessions removed with user document
 // Delete Memberships and decrement team membership counts
 $this->deleteByGroup('memberships', [
 new Query('userId', Query::TYPE_EQUAL, [$userId])
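Review bot: The added block uses `/** ... */` docblock syntax but sits between statements rather than above a declaration, so PHPDoc tooling attaches it to nothing; a plain comment in sentence case reads better and keeps docblock syntax for documented symbols, e.g. `// Do not delete the user record itself: it is retained so the user ID stays reserved and is never reused.` The same all-caps docblock is added in the deletes.php hunk of this commit, where the same change applies. Since what the comment promises is actually enforced by the attribute scrub on the `$user` chain further down, it may be clearer placed directly above that chain rather than before the clone. The enclosing route handler starts and ends outside the hunk.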
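Review bot: `tokens` is cleared here but `sessions` is not, even though the record is now retained with `deleted` set to true; the deletes.php hunk in this commit removes the session rows and resets the `sessions` field, but that runs in a worker, so until it executes the retained user still carries its sessions. Unless session validation already rejects users flagged `deleted` (not visible in this diff), existing sessions stay usable in that window, so scrub the field synchronously as well: `->setAttribute("sessions", [])`. Note also that `$clone` is taken just before this chain (previous hunk), so whatever the worker receives still holds the original email, password and tokens; worth confirming the worker only needs the ID from it. The enclosing route handler starts and ends outside the hunk.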