Fix another user self-delete regression (#7877)

Regression from #7763 Earlier regression which was fixed before #7626 In addition: * get rid of `data-toggle` (refactor) * show invalid login message if deleting account and entered incorrect password instead of redirect to 403 * remove unused reference to `r` parameter * `forgetOpenCategories()` on login not on any crypto form
2026-04-04 22:53:27 -04:00 · 2025-09-15 22:17:14 +02:00
parent 38b7daedf7
commit ddb51c0e95
11 changed files with 111 additions and 118 deletions
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -635,13 +635,16 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 					$username, FreshRSS_Context::userConf()->passwordHash,
 					$nonce, $challenge
 				);
+				if (!$ok) {
+					Minz_Request::bad(_t('feedback.auth.login.invalid'), ['c' => 'user', 'a' => 'profile']);
+					return;
+				}
 			} elseif (self::reauthRedirect()) {
 				return;
 			}

-			if ($ok) {
-				$ok &= self::deleteUser($username);
-			}
+			$ok &= self::deleteUser($username);
+
 			if ($ok && $self_deletion) {
 				FreshRSS_Auth::removeAccess();
 				$redirect_url = ['c' => 'index', 'a' => 'index'];