We are building a web app, and realized through some testing that users could easily delete their own user account by being logged in, in the browser, and running the command 'await app.deleteUser(app.curentuser); ’
This immediately deletes the current user from app users in Realm. how can I block or prevent this? Our app is membership based, and ties into recurring billing, and we do not want the users to be able to self-delete the user record if at all possible.
Thanks in advance
I don’t have an answer but you have a very good question; a user being able to call that function to delete themselves seems like an oversight.
While it doesn’t appear to be a security risk, the issue is it deletes everything that user is connected to in Atlas - sure they can sign up again but that will be a new user account with a different uid.
It’s documented (node.js) here Delete User as well as in other SDK’s. Perhaps one of the MongoDB folks can chime in on how to prevent that from happening - maybe a rule?