```php
<?php
// Delete Account Functionality
add_action( 'woocommerce_after_my_account', 'woo_delete_account_button' );
function woo_delete_account_button() {
	?>
	<a href="<?php echo add_query_arg( 'wc-api', 'wc-delete-account', home_url( '/' ) ) ?>" class="button">Delete Account</a>
	<?php
}

add_action( 'woocommerce_api_' . strtolower( 'wc-delete-account' ), 'woo_handle_account_delete' );
function woo_handle_account_delete() {
	// we do not want the admin to delete their account
	// advised to add more checks here to ensure you delete the correct account.
	if ( ! is_admin() ) {
		require('./wp-admin/includes/user.php');
		wp_delete_user(get_current_user_id());
	}
}
?>
```
There are a couple of issues with this.

- The check to see if a user is an admin is wrong. Your check is_admin() is to see if we are currently in the back end of the site. This is a poorly named function, and a very common mistake.
- More importantly, this is very open to cross-site forgery attacks. Users can easily be sent a link that will delete their account once clicked. The solution to this is to add a nonce.

Here is an example fix:
```php
<?php
// Delete Account Functionality
add_action( 'woocommerce_after_my_account', 'woo_delete_account_button' );
function woo_delete_account_button() {
	$delete_url = add_query_arg( 'wc-api', 'wc-delete-account', home_url( '/' ) );
	$delete_url = wp_nonce_url( $delete_url, 'wc_delete_user' );
	?>
	<a href="<?php echo $delete_url; ?>" class="button">Delete Account</a>
	<?php
}

add_action( 'woocommerce_api_' . strtolower( 'wc-delete-account' ), 'woo_handle_account_delete' );
function woo_handle_account_delete() {
	if ( ! current_user_can( 'manage_options' ) ) {
		$security_check_result = check_admin_referer( 'wc_delete_user' );
		if ( $security_check_result ) {
			wp_delete_user( get_current_user_id() );
			wp_redirect( home_url() );
			die();
		}
	}
}
?>
```
@icreatesolutions It does not work. When I click it, it gives a critical error.
@WOLKYDJ I'd recommend adding a plugin if you need this feature.
https://wordpress.org/plugins/wp-delete-user-accounts/
https://wordpress.org/plugins/delete-me/
I don't know what happens to the orders of deleted users, so you'd want to test that.
@icreatesolutions
The error is because of this code line: `require('./wp-admin/includes/user.php');` If you remove it, it will fix it.
@WOLKYDJ Thanks I have edited my comment.
I further added a condition for the button to not appear if the user is admin:
```php
add_action( 'woocommerce_after_my_account', 'woo_delete_account_button' );
function woo_delete_account_button() {
	$delete_url = add_query_arg( 'wc-api', 'wc-delete-account', home_url( '/' ) );
	$delete_url = wp_nonce_url( $delete_url, 'wc_delete_user' );
	?>
	<?php if ( ! current_user_can( 'manage_options' ) ) : ?>
		<a href="<?php echo $delete_url; ?>" class="button">Delete Account</a>
	<?php endif; ?>
	<?php
}

add_action( 'woocommerce_api_' . strtolower( 'wc-delete-account' ), 'woo_handle_account_delete' );
function woo_handle_account_delete() {
	if ( ! current_user_can( 'manage_options' ) ) {
		$security_check_result = check_admin_referer( 'wc_delete_user' );
		if ( $security_check_result ) {
			wp_delete_user( get_current_user_id() );
			wp_redirect( home_url() );
			die();
		}
	}
}
```
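The nonce fix above and the edited button code both still hand out a GET link and let check_admin_referer() decide what happens on failure. As an added example (not the gist's or any commenter's code), here is the same flow as a POST form with an explicit nonce check that returns 403 on a forged or logged-out request; the example_* function names and the wc_delete_user_nonce field name are assumptions, the hook names are the ones used on this page.

```php
<?php
// Added example: hardened account-deletion flow for the hooks discussed above.
// Assumes the same WooCommerce hook names as the gist; function names are made up here.

// Render a POST form (not a bare GET link) carrying a nonce bound to this action.
add_action( 'woocommerce_after_my_account', 'example_delete_account_form' );
function example_delete_account_form() {
	// Logged-out visitors and site administrators get no button at all.
	if ( ! is_user_logged_in() || current_user_can( 'manage_options' ) ) {
		return;
	}
	$endpoint = add_query_arg( 'wc-api', 'wc-delete-account', home_url( '/' ) );
	?>
	<form method="post" action="<?php echo esc_url( $endpoint ); ?>">
		<?php wp_nonce_field( 'wc_delete_user', 'wc_delete_user_nonce' ); ?>
		<button type="submit" class="button">Delete Account</button>
	</form>
	<?php
}

add_action( 'woocommerce_api_wc-delete-account', 'example_handle_account_delete' );
function example_handle_account_delete() {
	// A crafted link is a GET; a logged-out visitor has no account to delete. Refuse both.
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! is_user_logged_in() ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
	// The nonce is tied to the current user and the 'wc_delete_user' action, so a
	// token copied from another account or another action does not verify.
	$nonce = isset( $_POST['wc_delete_user_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['wc_delete_user_nonce'] ) )
		: '';
	if ( ! wp_verify_nonce( $nonce, 'wc_delete_user' ) ) {
		wp_die( 'Invalid request token', 'Forbidden', array( 'response' => 403 ) );
	}
	// Administrators are removed from the users screen, never through this endpoint.
	if ( current_user_can( 'manage_options' ) ) {
		wp_die( 'Administrators cannot delete their own account', 'Forbidden', array( 'response' => 403 ) );
	}
	$user_id = get_current_user_id();
	// wp_delete_user() is defined in wp-admin/includes/user.php, which the front end
	// does not load; use ABSPATH rather than a path relative to the current directory.
	require_once ABSPATH . 'wp-admin/includes/user.php';
	wp_logout();                // drop the session before the user row disappears
	wp_delete_user( $user_id );
	wp_safe_redirect( home_url( '/' ) );
	exit;
}
```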
Hello, how are you? How do I add this button to Edit Account only? (/account/edit-account)
How, before deleting the user, do I cancel all of their orders?
It is an interesting option but... What about creating a disable button for admins to disable user profile editing on the "my-account" page?