From cfa6c5864e5e7673aa9f3180e4964e0db92cc4da Mon Sep 17 00:00:00 2001
From: Ariel Leyva
Date: Sun, 18 Jan 2026 02:36:25 -0500
Subject: [PATCH] fix: request current password when deleting users (#5667)
---
 frontend/src/api/users.ts | 8 +++++++-
 frontend/src/views/settings/User.vue | 9 +++------
 http/users.go | 20 +++++++++++++++++++-
 3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/frontend/src/api/users.ts b/frontend/src/api/users.ts
index 56e1d0f3..dc45e084 100644
--- a/frontend/src/api/users.ts
+++ b/frontend/src/api/users.ts
@@ -42,8 +42,14 @@ export async function update(
   });
 }
-export async function remove(id: number) {
+export async function remove(
+  id: number,
+  currentPassword: string | null = null
+) {
   await fetchURL(`/api/users/${id}`, {
     method: "DELETE",
+    body: JSON.stringify({
+      ...(currentPassword != null ? { current_password: currentPassword } : {}),
+    }),
   });
 }
diff --git a/frontend/src/views/settings/User.vue b/frontend/src/views/settings/User.vue
index be46fabb..77786e2a 100644
--- a/frontend/src/views/settings/User.vue
+++ b/frontend/src/views/settings/User.vue
@@ -71,6 +71,7 @@ import { computed, inject, onMounted, ref, watch } from "vue";
 import { useRoute, useRouter } from "vue-router";
 import { useI18n } from "vue-i18n";
 import { StatusError } from "@/api/utils";
+import { authMethod } from "@/utils/constants";
 const error = ref();
 const originalUser = ref();
@@ -105,11 +106,7 @@ const fetchData = async () => {
   try {
     if (isNew.value) {
-      const {
-        authMethod,
-        defaults,
-        createUserDir: _createUserDir,
-      } = await settings.get();
+      const { defaults, createUserDir: _createUserDir } = await settings.get();
       isCurrentPasswordRequired.value = authMethod == "json";
       createUserDir.value = _createUserDir;
       user.value = {
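Review bot: The new `currentPassword` parameter on `remove` is undocumented, and nothing tells a caller when it must be supplied; add above the signature `/** Deletes user `id`. `currentPassword` is the caller's own password; the server requires it when its auth method is JSON and ignores it otherwise. */`. The spread-into-object-then-stringify form is harder to read than it needs to be; `body: JSON.stringify(currentPassword != null ? { current_password: currentPassword } : {})` says the same thing in one expression. Either way an empty `{}` body is still sent when no password is given, which matters because the patched server handler decodes the body unconditionally and turns a decode failure into a 400.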
@@ -146,7 +143,7 @@ const deleteUser = async (e: Event) => {
     return false;
   }
   try {
-    await api.remove(user.value.id);
+    await api.remove(user.value.id, currentPassword.value);
     router.push({ path: "/settings/users" });
     $showSuccess(t("settings.userDeleted"));
   } catch (err) {
diff --git a/http/users.go b/http/users.go
index adae7729..5604dc38 100644
--- a/http/users.go
+++ b/http/users.go
@@ -103,7 +103,25 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
 	return renderJSON(w, r, u)
 })
-var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, _ *http.Request, d *data) (int, error) {
+var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
+	if r.Body == nil {
+		return http.StatusBadRequest, fberrors.ErrEmptyRequest
+	}
+
+	var body struct {
+		CurrentPassword string `json:"current_password"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		return http.StatusBadRequest, err
+	}
+
+	if d.settings.AuthMethod == auth.MethodJSONAuth {
+		if !users.CheckPwd(body.CurrentPassword, d.user.Password) {
+			return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
+		}
+	}
+
 	err := d.store.Users.Delete(d.raw.(uint))
 	if err != nil {
 		return errToStatus(err), err
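Review bot: `currentPassword.value` is now passed on every delete, including deployments where `isCurrentPasswordRequired` is false, so if that ref defaults to an empty string the request body carries `current_password: ""` for non-JSON auth methods; `await api.remove(user.value.id, isCurrentPasswordRequired.value ? currentPassword.value : null);` keeps the body empty there and leaves the spread in `remove` to drop the field. If the `catch (err)` block that follows does not map the server's "current password incorrect" 400 to a user-facing message, a wrong password will surface as a generic failure; I cannot tell from here, since the block is outside the hunk. The body of `deleteUser` starts and ends outside the hunk.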
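Review bot: The `r.Body == nil` guard at the top of the new `userDeleteHandler` body never fires for server-side requests, because net/http guarantees a non-nil `Body` (an absent body reads `io.EOF` immediately), so a DELETE with no body reaches `Decode` and is returned as a 400 carrying the raw `EOF` error instead of `fberrors.ErrEmptyRequest`. Because decoding is unconditional, that also breaks any API client on a non-JSON auth method that issued a bare DELETE before this change; there the body is irrelevant, since the password check is gated on `auth.MethodJSONAuth`. Treating `io.EOF` as "no body" and only rejecting it under JSON auth keeps the new check and the old behaviour for the other methods; `errors` and `io` would need importing if the file does not already. The handler's closing `})` is outside the hunk.
```go
var userDeleteHandler = withSelfOrAdmin(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
	var body struct {
		CurrentPassword string `json:"current_password"`
	}

	// Server requests always have a non-nil Body; a missing body surfaces as
	// io.EOF from Decode. Only JSON auth needs the body at all.
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
		if !errors.Is(err, io.EOF) {
			return http.StatusBadRequest, err
		}
		if d.settings.AuthMethod == auth.MethodJSONAuth {
			return http.StatusBadRequest, fberrors.ErrEmptyRequest
		}
	}

	if d.settings.AuthMethod == auth.MethodJSONAuth {
		if !users.CheckPwd(body.CurrentPassword, d.user.Password) {
			return http.StatusBadRequest, fberrors.ErrCurrentPasswordIncorrect
		}
	}

	// … unchanged: d.store.Users.Delete call and its error handling …
```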