From bfe39c62de19f36455f0793d578ddeb3c39bc2a9 Mon Sep 17 00:00:00 2001
From: Miodec
Date: Sun, 28 Apr 2024 16:44:49 +0200
Subject: [PATCH] impr(server): dont allow banned accounts to reset or delete their data
---
 backend/src/api/controllers/user.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/backend/src/api/controllers/user.ts b/backend/src/api/controllers/user.ts
index 0acec976b..571e4c82e 100644
--- a/backend/src/api/controllers/user.ts
+++ b/backend/src/api/controllers/user.ts
@@ -180,6 +180,10 @@ export async function deleteUser(
 const userInfo = await UserDAL.getUser(uid, "delete user");
+ if (userInfo.banned) {
+ throw new MonkeyError(403, "Banned users cannot delete their account");
+ }
+
 //cleanup database
 await Promise.all([
 UserDAL.deleteUser(uid),
@@ -211,6 +215,10 @@ export async function resetUser(
 const { uid } = req.ctx.decodedToken;
 const userInfo = await UserDAL.getUser(uid, "reset user");
+ if (userInfo.banned) {
+ throw new MonkeyError(403, "Banned users cannot reset their account");
+ }
+
 const promises = [
 UserDAL.resetUser(uid),
 deleteAllApeKeys(uid),
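Review bot: The `userInfo.banned` guard added in deleteUser is repeated verbatim in the resetUser hunk and is enforced only at the controller layer, so any other code path that reaches `UserDAL.deleteUser(uid)` or `UserDAL.resetUser(uid)` would still clear a banned account's data; whether such callers exist is not visible in these hunks. A single shared check used by both handlers, carrying a comment such as `// banned accounts must not be able to wipe their data`, would keep the rule in one place and make the intent explicit. As far as the visible lines show, the 403 is thrown without recording the attempt; writing a log entry with the uid before the `throw` would give moderators a signal that a banned account tried to delete or reset itself. Both function bodies start and continue outside the hunks, so an existing log call further down cannot be ruled out.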