From 29414952579c4d987339b80fcd2a16464a805128 Mon Sep 17 00:00:00 2001
From: Philipp Metzner
Date: Fri, 6 Feb 2026 08:49:03 +0100
Subject: [PATCH 1/4] Fix deleteprofile
---
 assets/js/custom.js | 3 ---
 library/ajax/deleteprofile.php | 7 ++++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/assets/js/custom.js b/assets/js/custom.js
index 55503f48..109b5a1c 100644
--- a/assets/js/custom.js
+++ b/assets/js/custom.js
@@ -631,9 +631,6 @@ $(".delete-user").on("click", function (e) {
 $.ajax({
 type: "post",
 url: "ajax.php?file=deleteprofile",
- data: {
- cms_user_id: el.data("id"),
- },
 dataType: "json",
 success: function (result) {
 AjaxCheckSuccess(result);
diff --git a/library/ajax/deleteprofile.php b/library/ajax/deleteprofile.php
index 4e72a5a5..8513bc96 100644
--- a/library/ajax/deleteprofile.php
+++ b/library/ajax/deleteprofile.php
@@ -1,14 +1,15 @@
 after the @ symbol (e.g., user@domain.com.deleted.123)
- db_query('UPDATE cms_users SET deleted = NOW(), email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['id' => $_POST['cms_user_id']]);
- updateAuth0UserFromDb($_POST['cms_user_id']);
+ db_query('UPDATE cms_users SET deleted = NOW(), email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['id' => $user_id]);
+ updateAuth0UserFromDb($user_id);
 });
-simpleSaveChangeHistory('cms_users', $_POST['cms_user_id'], 'Record deleted without undelete');
+simpleSaveChangeHistory('cms_users', $user_id, 'Record deleted without undelete');
 // when a user deactive its account we need to ensure that user logged out immediately and then redirected to Auth0 login page
 global $settings;
 logout();
From 2e2b9bbd615fa33431e779a2a6fb524267bbfd5b Mon Sep 17 00:00:00 2001
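Review bot: In library/ajax/deleteprofile.php (PATCH 1/4) the line that assigns `$user_id` is not visible in the hunk as shown, so the thing to confirm is that it is taken from the authenticated session and never from `$_POST` or `$_GET`; the `- $_POST['cms_user_id']` / `+ $user_id` pairs only show where it is consumed. A short comment above the assignment would record the intent, e.g. `// Use the session user only; a client-supplied id would let one user delete another's profile.` Because the request now carries no body, this state-changing POST depends entirely on whatever CSRF check `ajax.php` applies before including the file, which is worth verifying. The opening lines of the hunk are missing from the page, so the above is inferred rather than read from the code.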
From: Philipp Metzner
Date: Fri, 6 Feb 2026 08:58:45 +0100
Subject: [PATCH 2/4] Run simpleSaveChangeHistory in transaction - now it sees user_id, too - if updateAuth0UserFromDb fails, we don't end up with an inconsistent DB state
---
 library/ajax/deleteprofile.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ajax/deleteprofile.php b/library/ajax/deleteprofile.php
index 8513bc96..85c667fe 100644
--- a/library/ajax/deleteprofile.php
+++ b/library/ajax/deleteprofile.php
@@ -7,9 +7,9 @@
 // Pattern checks for .deleted. after the @ symbol (e.g., user@domain.com.deleted.123)
 db_query('UPDATE cms_users SET deleted = NOW(), email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['id' => $user_id]);
 updateAuth0UserFromDb($user_id);
+ simpleSaveChangeHistory('cms_users', $user_id, 'Record deleted without undelete');
 });
-simpleSaveChangeHistory('cms_users', $user_id, 'Record deleted without undelete');
 // when a user deactive its account we need to ensure that user logged out immediately and then redirected to Auth0 login page
 global $settings;
 logout();
From 7a29ff5be19d3780c09576e33e90cd2ee03b00bf Mon Sep 17 00:00:00 2001
From: Philipp Metzner
Date: Fri, 6 Feb 2026 09:09:16 +0100
Subject: [PATCH 3/4] Correct log message
---
 library/ajax/deleteprofile.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ajax/deleteprofile.php b/library/ajax/deleteprofile.php
index 85c667fe..bb5a8c11 100644
--- a/library/ajax/deleteprofile.php
+++ b/library/ajax/deleteprofile.php
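Review bot: In PATCH 2/4 the added `simpleSaveChangeHistory(...)` call sits after `updateAuth0UserFromDb($user_id);` inside the transaction closure, so a failure while writing the history row would roll back the `cms_users` update after the Auth0 side has presumably already been changed. Doing the local writes first leaves the external call as the last step that can fail: `simpleSaveChangeHistory('cms_users', $user_id, 'Record deleted without undelete');` followed by `updateAuth0UserFromDb($user_id);`. This assumes `updateAuth0UserFromDb` talks to Auth0 over the network and reads the row on the same connection, neither of which is visible here. The closure opens above the hunk.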
@@ -7,7 +7,7 @@
 // Pattern checks for .deleted. after the @ symbol (e.g., user@domain.com.deleted.123)
 db_query('UPDATE cms_users SET deleted = NOW(), email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['id' => $user_id]);
 updateAuth0UserFromDb($user_id);
- simpleSaveChangeHistory('cms_users', $user_id, 'Record deleted without undelete');
+ simpleSaveChangeHistory('cms_users', $user_id, 'Record deleted');
 });
 // when a user deactive its account we need to ensure that user logged out immediately and then redirected to Auth0 login page
From d616b0caf77e02aa215431ab3cfc72969580df95 Mon Sep 17 00:00:00 2001
From: Philipp Metzner
Date: Fri, 6 Feb 2026 09:11:30 +0100
Subject: [PATCH 4/4] Set modified and modified_by
---
 library/ajax/deleteprofile.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ajax/deleteprofile.php b/library/ajax/deleteprofile.php
index bb5a8c11..b858524a 100644
--- a/library/ajax/deleteprofile.php
+++ b/library/ajax/deleteprofile.php
@@ -5,7 +5,7 @@
 // Only append .deleted suffix if the email doesn't already have it
 // This prevents double-deletion if the query is somehow executed twice
 // Pattern checks for .deleted. after the @ symbol (e.g., user@domain.com.deleted.123)
- db_query('UPDATE cms_users SET deleted = NOW(), email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['id' => $user_id]);
+ db_query('UPDATE cms_users SET modified = NOW(), modified_by = :id, deleted = NOW(), email = CONCAT(email,".deleted.",id) WHERE id = :id AND (NOT deleted OR deleted IS NULL) AND email NOT REGEXP "@.*\.deleted\.[0-9]+$"', ['id' => $user_id]);
 updateAuth0UserFromDb($user_id);
 simpleSaveChangeHistory('cms_users', $user_id, 'Record deleted');
 });
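Review bot: In PATCH 4/4 the new `db_query` statement uses the named placeholder `:id` twice (`modified_by = :id` and `WHERE id = :id`) with a single bound value. If `db_query` wraps PDO with emulated prepares turned off, a repeated named marker is rejected when the statement runs, so the account deletion would fail instead of completing. Distinct names avoid depending on that setting: `modified_by = :modified_by ... WHERE id = :id` with `['id' => $user_id, 'modified_by' => $user_id]`. How `db_query` binds its parameters is not shown on this page, so treat this as something to confirm rather than a known failure.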