From 947249719ae39d0b1cbe0c66be61189b190cff3b Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Thu, 4 Jul 2024 06:58:00 +0530
Subject: [PATCH] FEATURE: add option to delete user associated account on password reset (#27696)
---
 app/controllers/users_controller.rb | 4 ++++
 config/locales/server.en.yml | 2 ++
 config/site_settings.yml | 2 ++
 spec/requests/users_controller_spec.rb | 25 +++++++++++++++++++++++++
 4 files changed, 33 insertions(+)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index d9f47a431d0..1400ae0e8f2 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -901,6 +901,10 @@ class UsersController < ApplicationController
 secure_session["password-#{token}"] = nil
 secure_session["second-factor-#{token}"] = nil
+ if SiteSetting.delete_associated_accounts_on_password_reset
+ @user.user_associated_accounts.destroy_all
+ end
+
 UserHistory.create!(
 target_user: @user,
 acting_user: @user,
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 69bddef58bd..f6c6552ccea 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -2369,6 +2369,8 @@ en:
 allow_users_to_hide_profile: "Allow users to hide their profile and presence"
 hide_user_activity_tab: "Hide the activity tab on user profiles except for Admin and self."
+ delete_associated_accounts_on_password_reset: "Delete user associated account when user changes the password."
+
 allow_featured_topic_on_user_profiles: "Allow users to feature a link to a topic on their user card and profile."
 show_inactive_accounts: "Allow logged in users to browse profiles of inactive accounts."
diff --git a/config/site_settings.yml b/config/site_settings.yml
index f711ef530e6..aa0d8553784 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
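Review bot: The added `@user.user_associated_accounts.destroy_all` in the users_controller.rb hunk unlinks every external login without recording which ones were removed. The `UserHistory.create!` call that follows begins in this hunk but its remaining arguments are outside it, so whether it captures the unlinking cannot be seen here. An audit trail of removed provider links is useful when a reset is later investigated, so consider keeping the result and logging it: `removed = @user.user_associated_accounts.destroy_all` followed by `Rails.logger.info("password reset unlinked #{removed.size} associated account(s) for user #{@user.id}")`. No transaction is visible around the call, so if a destroy fails the password change made earlier in the action (outside the hunk) presumably stands while the links remain; a short comment stating the intended ordering and failure behaviour would help. The enclosing action starts and ends outside the hunk.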
@@ -793,6 +793,8 @@ users:
 hide_user_activity_tab:
 default: false
 client: true
+ delete_associated_accounts_on_password_reset:
+ default: false
 groups:
 enable_group_directory:
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 17b14190df2..7b23aa3ff7b 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -304,6 +304,31 @@ RSpec.describe UsersController do
 expect(user1.user_option.reload.timezone).to eq("America/Chicago")
 end
+ it "deletes user associated accounts" do
+ SiteSetting.delete_associated_accounts_on_password_reset = true
+ UserAssociatedAccount.create(
+ user_id: user.id,
+ provider_uid: "example0",
+ provider_name: "facebook",
+ )
+ UserAssociatedAccount.create(
+ user_id: user1.id,
+ provider_uid: "example1",
+ provider_name: "facebook",
+ )
+
+ get "/u/password-reset/#{email_token.token}"
+
+ expect do
+ put "/u/password-reset/#{email_token.token}",
+ params: {
+ password: "hg9ow8yhg98oadminlonger",
+ }
+ end.to change { UserAssociatedAccount.count }.by(-1)
+
+ expect(UserAssociatedAccount.count).to eq(1)
+ end
+
 it "logs the password change" do
 get "/u/password-reset/#{email_token.token}"
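Review bot: The new example in users_controller_spec.rb asserts only on `UserAssociatedAccount.count`, so it would still pass if the other user's link were the one deleted. Assert ownership directly, e.g. `expect(UserAssociatedAccount.where(user_id: user.id)).to be_empty` and `expect(UserAssociatedAccount.where(user_id: user1.id).count).to eq(1)`, assuming `email_token` belongs to `user` (its definition is outside the hunk). Nothing here covers the default `false` value either; a companion example that leaves the setting disabled and expects `not_to change { UserAssociatedAccount.count }` would pin the opt-in behaviour. Using `create!` instead of `UserAssociatedAccount.create(` would make a failed fixture insert raise rather than show up as a count mismatch.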