Additional before_close_account for admin panel

[Halvanhelv]

Hi! Janko Marohnić

Could you please advise me on the best way to do this, I have the basic functionality for the after_close_account hook

# RodauthMain
    after_close_account do
      Account::RemovalService.new(rails_account).call
    end

and everything works fine, but I have a need that the admin on the admin panel can delete other accounts, the admin is a simple user who just has the flag admin, the functionality of rodauth I did not use for this, but decided to create a separate config for the removal of the account

class RodauthAdmin < Rodauth::Rails::Auth
  configure do
  enable :close_account

  prefix "/admin"
  session_key_prefix "admin_"

  rails_controller { Admin::RodauthController }

  before_close_account do
    Account::RemovalService.new(blablabla).call
  end
  end
end

class RodauthApp < Rodauth::Rails::App
  # primary configuration
  configure RodauthMain

  # secondary configuration
  configure RodauthAdmin, :admin

  route do |r|
    rodauth.load_memory # autologin remembered users

    r.rodauth # route rodauth requests

    # ==> Secondary configurations
    r.rodauth(:admin) # route admin rodauth requests
  end
end

that I could use rodauth(:admin).close_account_path(email: email) to delete other people's accounts.

But when I try to run the query it tries to redirect me to the login page

Started GET "/admin/close-account" for ::1 at 2023-07-14 02:52:19 +0400
Processing by RodauthApp#call as HTML
Redirected to /admin/login
Completed 302 Found in 63ms (ActiveRecord: 0.0ms | Allocations: 507)


Started GET "/admin/login" for ::1 at 2023-07-14 02:52:19 +0400
  
ActionController::RoutingError (No route matches [GET] "/admin/login"):

I think it's a problem with session key or something like that, is it possible to implement such functionality without drastic changes?

I can of course just directly call account closure in a self-designed controller, but I would like to use ready-made hooks, because in the future this config for admin will be expanded with the growth of the application.

[janko]

If your admin users are authenticated through the RodauthMain configuration, then using a separate configuration with a different session prefix will not work for this, because that session won't be authenticated.

Rodauth actually has a neat solution for performing authentication actions on behalf of other accounts – the internal_request feature. With this feature enabled, in your controller you could call the close_account class method, passing it the email or ID of the account you want to delete:

RodauthApp.rodauth.close_account(account_login: "[email protected]")

Internally this makes a fake Rack request to the /close-account route, with the session being whatever you set it to be. The benefit is that this triggers all Rodauth hooks and validations, just like a regular request would.

[Halvanhelv]

Thanks, I'll use this method