Merge remote-tracking branch 'origin/develop' into manifest

author: Alex Gleason <alex@alexgleason.me> 2021-12-19 11:33:10 -0600
committer: Alex Gleason <alex@alexgleason.me> 2021-12-19 11:33:10 -0600
commit: e4f9cb1c1b3969164c03a219d5a760df07d2b3cd (patch)
tree: d9549feae7691be9988106f2a92ea387b3fdeaf2 /lib/pleroma/web/twitter_api/controllers/util_controller.ex
parent: 720198d56950ca98f4d947dd630b0e170eda569b (diff)
parent: bd853199d93e03fedf43397455939c6d633fa36b (diff)
download: pleroma-e4f9cb1c1b3969164c03a219d5a760df07d2b3cd.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index ef43f7682..a4e44efdd 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -123,8 +123,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
     end
   end
 
-  def delete_account(%{assigns: %{user: user}} = conn, params) do
-    password = params[:password] || ""
+  def delete_account(%{assigns: %{user: user}, body_params: body_params} = conn, params) do
+    # This endpoint can accept a query param or JSON body for backwards-compatibility.
+    # Submitting a JSON body is recommended, so passwords don't end up in server logs.
+    password = body_params[:password] || params[:password] || ""
 
     case CommonAPI.Utils.confirm_current_password(user, password) do
       {:ok, user} ->
author	Alex Gleason <alex@alexgleason.me>	2021-12-19 11:33:10 -0600
committer	Alex Gleason <alex@alexgleason.me>	2021-12-19 11:33:10 -0600
commit	e4f9cb1c1b3969164c03a219d5a760df07d2b3cd (patch)
tree	d9549feae7691be9988106f2a92ea387b3fdeaf2 /lib/pleroma/web/twitter_api/controllers/util_controller.ex
parent	720198d56950ca98f4d947dd630b0e170eda569b (diff)
parent	bd853199d93e03fedf43397455939c6d633fa36b (diff)
download	pleroma-e4f9cb1c1b3969164c03a219d5a760df07d2b3cd.tar.gz