dektrium · thyseus · Mar 16, 2017 · Mar 16, 2017 · Mar 16, 2017 · Jan 10, 2017
diff --git a/controllers/SettingsController.php b/controllers/SettingsController.php
@@ -12,12 +12,15 @@
 namespace dektrium\user\controllers;
 
 use dektrium\user\Finder;
+use dektrium\user\models\AccountDeletionForm;
+use dektrium\user\models\PasswordChangeForm;
 use dektrium\user\models\Profile;
 use dektrium\user\models\SettingsForm;
 use dektrium\user\models\User;
 use dektrium\user\Module;
 use dektrium\user\traits\AjaxValidationTrait;
 use dektrium\user\traits\EventTrait;
+use Yii;
 use yii\filters\AccessControl;
 use yii\filters\VerbFilter;
 use yii\web\Controller;
@@ -103,10 +106,10 @@ class SettingsController extends Controller
     protected $finder;
 
     /**
-     * @param string           $id
+     * @param string $id
      * @param \yii\base\Module $module
-     * @param Finder           $finder
-     * @param array            $config
+     * @param Finder $finder
+     * @param array $config
      */
     public function __construct($id, $module, Finder $finder, $config = [])
     {
@@ -122,21 +125,21 @@ public function behaviors()
                 'class' => VerbFilter::className(),
                 'actions' => [
                     'disconnect' => ['post'],
-                    'delete'     => ['post'],
+                    'delete' => ['post'],
                 ],
             ],
             'access' => [
                 'class' => AccessControl::className(),
                 'rules' => [
                     [
-                        'allow'   => true,
+                        'allow' => true,
                         'actions' => ['profile', 'account', 'networks', 'disconnect', 'delete'],
-                        'roles'   => ['@'],
+                        'roles' => ['@'],
                     ],
                     [
-                        'allow'   => true,
+                        'allow' => true,
                         'actions' => ['confirm'],
-                        'roles'   => ['?', '@'],
+                        'roles' => ['?', '@'],
                     ],
                 ],
             ],
@@ -180,28 +183,39 @@ public function actionProfile()
      */
     public function actionAccount()
     {
-        /** @var SettingsForm $model */
-        $model = \Yii::createObject(SettingsForm::className());
-        $event = $this->getFormEvent($model);
+        $settings = \Yii::createObject(SettingsForm::className());
+        $account_deletion = \Yii::createObject(AccountDeletionForm::className());
+        $password_change = \Yii::createObject(PasswordChangeForm::className());
+        $event = $this->getFormEvent($settings);
 
-        $this->performAjaxValidation($model);
+        $this->performAjaxValidation($settings);
+        $this->performAjaxValidation($password_change);
 
         $this->trigger(self::EVENT_BEFORE_ACCOUNT_UPDATE, $event);
-        if ($model->load(\Yii::$app->request->post()) && $model->save()) {
-            \Yii::$app->session->setFlash('success', \Yii::t('user', 'Your account details have been updated'));
+
+        if ($settings->load(\Yii::$app->request->post()) && $settings->save()) {
+            \Yii::$app->session->setFlash('success', Yii::t('user', 'Your account details have been updated'));
+            $this->trigger(self::EVENT_AFTER_ACCOUNT_UPDATE, $event);
+            return $this->refresh();
+        }
+
+        if ($password_change->load(\Yii::$app->request->post()) && $password_change->save()) {
+            \Yii::$app->session->setFlash('success', Yii::t('user', 'Your password has been changed successfully.'));
             $this->trigger(self::EVENT_AFTER_ACCOUNT_UPDATE, $event);
             return $this->refresh();
         }
 
         return $this->render('account', [
-            'model' => $model,
+            'settings' => $settings,
+            'account_deletion' => $account_deletion,
+            'password_change' => $password_change,
         ]);
     }
 
     /**
      * Attempts changing user's email address.
      *
-     * @param int    $id
+     * @param int $id
      * @param string $code
      *
      * @return string
@@ -273,21 +287,33 @@ public function actionDisconnect($id)
      */
     public function actionDelete()
     {
-        if (!$this->module->enableAccountDelete) {
-            throw new NotFoundHttpException(\Yii::t('user', 'Not found'));
+        if (!Yii::$app->getModule('user')->enableAccountDelete) {
+            throw new NotFoundHttpException(\Yii::t('user', 'Account deletion is deactivated'));
         }
 
         /** @var User $user */
-        $user  = \Yii::$app->user->identity;
-        $event = $this->getUserEvent($user);
+        $user = \Yii::$app->user->identity;
+        $account_deletion = new AccountDeletionForm();
 
-        \Yii::$app->user->logout();
+        $this->performAjaxValidation($account_deletion);
 
-        $this->trigger(self::EVENT_BEFORE_DELETE, $event);
-        $user->delete();
-        $this->trigger(self::EVENT_AFTER_DELETE, $event);
+        if ($account_deletion->load(Yii::$app->request->post()) && $account_deletion->validate()) {
+            $event = $this->getUserEvent($user);
 
-        \Yii::$app->session->setFlash('info', \Yii::t('user', 'Your account has been completely deleted'));
+            Yii::$app->user->logout();
+
+            $this->trigger(self::EVENT_BEFORE_DELETE, $event);
+            $success = $user->delete();
+            $this->trigger(self::EVENT_AFTER_DELETE, $event);
+
+            if ($success) {
+                Yii::$app->session->setFlash('info', \Yii::t('user', 'Your account has been completely deleted'));
+                return $this->goHome();
+            } else {
+                Yii::$app->session->setFlash('danger', \Yii::t('user', 'Your account could not be deleted'));
+                return $this->goBack();
+            }
+        }
 
         return $this->goHome();
     }

diff --git a/messages/de/user.php b/messages/de/user.php
@@ -19,6 +19,7 @@
  */
 return [
     'Are you sure?' => 'Sind Sie sicher?',
+    'Are you sure? There is no going back' => 'Sind Sie wirklich Sicher? Ihr Konto wird permanent entfernt',
     'A confirmation message has been sent to your new email address' => 'Eine Aktivierungsnachricht wurde an ihre E-Mail Adresse versandt',
     'A message has been sent to your email address. It contains a confirmation link that you must click to complete registration.' => 'Eine Nachricht wurde an ihre E-Mail Adresse versandt. Diese enthält einen Aktivierungslink, den Sie besuchen müssen, um die Registrierung fortzusetzen.',
     'A message has been sent to your email address. It contains a password that we generated for you.' => 'Eine Nachricht wurde an ihre E-Mail Adresse versandt. Diese enthält ein Passwort, das für Sie generiert wurde.',
@@ -27,6 +28,7 @@
     'A new confirmation link has been sent' => 'Ein neuer Bestätigungs-Link wurde versendet.',
     'Account' => 'Konto',
     'Account confirmation' => 'Kontobestätigung',
+    'Account deletion is deactivated' => 'Konto-Löschung ist deaktiviert',
     'Account details' => 'Kontodetails',
     'Account details have been updated' => 'Kontodetails wurden gespeichert',
     'Account settings' => 'Kontoeinstellungen',
@@ -47,10 +49,12 @@
     'Credentials will be sent to the user by email' => 'Zugangsdaten werden dem Benutzer per E-Mail gesendet',
     'Delete' => 'Löschen',
     'Don\'t have an account? Sign up!' => 'Noch kein Konto? Jetzt registrieren!',
+    'Delete account' => 'Konto löschen',
     'In order to finish your registration, we need you to enter your email address' => 'Um ihre Registrierung abzuschliessen, müssen Sie ihre E-Mail Adresse angeben',
     'Invalid or expired link' => 'Falscher oder abgelaufener Link',
     'New email' => 'Neue E-Mail Adresse',
     'New password' => 'Neues Passwort',
+    'New password confirmation' => 'Passwort Bestätigung',
     'New permission' => 'Neue Berechtigung',
     'New role' => 'Neue Rolle',
     'New user' => 'Neuer Benutzer',
@@ -152,6 +156,7 @@
     'Confirmed at {0, date, MMMM dd, YYYY HH:mm}' => 'Bestätigt am {0, date, dd MMMM, YYYY HH:mm}',
     'Connect' => 'Verbunden',
     'Continue' => 'Weiter',
+    'Change password' => 'Passwort ändern',
     'Create a user account' => 'Neuen Zugang erstellen',
     'Current password' => 'Aktuelles Passwort',
     'Current password is not valid' => 'Das von Ihnen eingegebene Passwort stimmt nicht',
@@ -175,6 +180,7 @@
     'In order to complete your registration, please click the link below' => 'Um die Registrierung abzuschließen, klicken Sie bitte auf den folgenden Link',
     'In order to complete your request, please click the link below' => 'Um die Anfrage abzuschließen, klicken Sie bitte auf den folgenden Link',
     'Information' => 'Information',
+    'It will be deleted forever' => 'Es wird für immer gelöscht',
     'Impersonate user is disabled in the application configuration' => 'Das wechseln zu anderen Nutzern wurde deaktiviert',
     'Invalid login or password' => 'Benutzername oder Passwort ungültig',
     'Joined on {0, date}' => 'Registriert am d. {0, date}',
@@ -185,20 +191,24 @@
     'Name' => 'Name',
     'Networks' => 'Netzwerke',
     'Password' => 'Passwort',
+    'Password confirmation' => 'Passwort Bestätigung',
     'Password has been changed' => 'Passwort wurde geändert',
     'Please click the link below to complete your password reset' => 'Bitte überprüfen Sie Ihre E-Mail und klicken Sie auf den Bestätigungslink um Ihren Passwort-Reset abzuschließen',
     'Please fix following errors:' => 'Bitte beheben Sie folgende Fehler:',
     'Profile' => 'Profil',
     'Profile settings' => 'Profil Einstellungen',
     'Recover your password' => 'Passwort wiederherstellen',
+    'Please be certain' => 'Seien Sie sich sicher',
     'Registration ip' => 'Registrierungs-IP',
     'Registration time' => 'Registrierungszeit',
     'Remember me next time' => 'Anmeldung für das nächste Mal merken',
     'Request new confirmation message' => 'Neue Bestätigungsmail anfordern',
     'Reset your password' => 'Passwort zurücksetzen',
+    'Once you delete your account, there is no going back' => 'Wenn Sie ihr Konto löschen, gibt es kein Zurück',
     'Never' => 'Nie',
     'Last login' => 'Letzte Anmeldung',
     'Save' => 'Speichern',
+    'Save account settings' => 'Kontoänderungen speichern',
     'Sign in' => 'Anmelden',
     'Sign up' => 'Registrieren',
     'Thank you for signing up on {0}' => 'Vielen Dank für Ihre Anmeldung bei {0}',
@@ -222,6 +232,7 @@
     'You need to confirm your email address' => 'Sie müssen Ihre Email-Adresse bestätigen.',
     'Your account has been blocked' => 'Ihr Zugang wurde gesperrt',
     'Your account has been created' => 'Ihr Zugang wurde erstellt',
+    'Your account has been completely deleted' => 'Ihr Konto wurde komplett gelöscht',
     'Your account on {0} has a new password' => 'Ihr Konto auf {0} hat ein neues Passwort',
     'Your password on {0} has been changed' => 'Ihr Passwort auf {0} wurde verändert',
     '{0, date, MMMM dd, YYYY HH:mm}' => '{0, date, dd MMMM, YYYY HH:mm}',

diff --git a/models/AccountDeletionForm.php b/models/AccountDeletionForm.php
@@ -0,0 +1,93 @@
+<?php
+
+/*
+ * This file is part of the Dektrium project.
+ *
+ * (c) Dektrium project <http://github.com/dektrium/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace dektrium\user\models;
+
+use dektrium\user\helpers\Password;
+use dektrium\user\traits\ModuleTrait;
+use Yii;
+use yii\base\Model;
+use yii\web\BadRequestHttpException;
+
+/**
+ * AccountDeletionForm prompts for the password of the currently logged in user. If it´s correct,
+ * the account gets deleted.
+ *
+ * @property User $user
+ *
+ * @author Herbert Maschke <[email protected]>
+ */
+class AccountDeletionForm extends Model
+{
+    use ModuleTrait;
+
+    /** @var string */
+    public $current_password;
+
+    /** @var User */
+    private $_user;
+
+    /** @return User */
+    public function getUser()
+    {
+        if ($this->_user == null) {
+            $this->_user = Yii::$app->user->identity;
+        }
+
+        return $this->_user;
+    }
+
+    /** @inheritdoc */
+    public function rules()
+    {
+        return [
+            'currentPasswordRequired' => ['current_password', 'required'],
+            'currentPasswordValidate' => ['current_password', function ($attr) {
+                if (!Password::validate($this->$attr, $this->user->password_hash)) {
+                    $this->addError($attr, Yii::t('user', 'Current password is not valid'));
+                }
+            }],
+        ];
+    }
+
+    /** @inheritdoc */
+    public function attributeLabels()
+    {
+        return [
+            'current_password' => Yii::t('user', 'Current password'),
+        ];
+    }
+
+    /** @inheritdoc */
+    public function formName()
+    {
+        return 'account-deletion-form';
+    }
+
+    /**
+     * Do the dirty work.
+     *
+     * @return bool
+     */
+    protected function delete()
+    {
+        if (!$this->module->enableAccountDelete) {
+            throw new NotFoundHttpException(\Yii::t('user', 'Account deletion is deactivated'));
+        }
+
+        if (!$this->validate()) {
+            return false;
+        }
+
+        return false;
+    }
+
+}