users: disallow banned users from changing email or deleting account.

This is to prevent people from wiping their email address after they've been banned and reusing it to verify a new account.
2021-05-15 03:02:56 -05:00
parent 4cf62c520c
commit 2537145b02
4 changed files with 24 additions and 1 deletions
--- a/app/logical/user_deletion.rb
+++ b/app/logical/user_deletion.rb
@@ -74,5 +74,9 @@ class UserDeletion
    if user.is_admin?
      errors.add(:base, "Admins cannot delete their account")
    end
+
+    if user.is_banned?
+      errors.add(:base, "You cannot delete your account if you are banned")
+    end
  end
 end
--- a/app/policies/email_address_policy.rb
+++ b/app/policies/email_address_policy.rb
@@ -9,7 +9,7 @@ class EmailAddressPolicy < ApplicationPolicy

  def update?
    # XXX here record is a user, not the email address.
-    record.id == user.id
+    record.id == user.id && !user.is_banned?
  end

  def verify?