Diffstat (limited to 'lib/web')
-rw-r--r--lib/web/userRouter.js20
1 files changed, 12 insertions, 8 deletions
diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js
index b8bd9154..6832d901 100644
--- a/lib/web/userRouter.js
+++ b/lib/web/userRouter.js
@@ -38,25 +38,29 @@ UserRouter.get('/me', function (req, res) {
})
// delete the currently authenticated user
-UserRouter.get('/me/delete', function (req, res) {
+UserRouter.get('/me/delete/:token?', function (req, res) {
if (req.isAuthenticated()) {
models.User.findOne({
where: {
id: req.user.id
}
}).then(function (user) {
- if (!user) { return response.errorNotFound(res) }
- user.destroy().then(function () {
- res.redirect(config.serverURL + '/')
- })
+ if (!user) {
+ return response.errorNotFound(res)
+ }
+ if (user.deleteToken === req.params.token) {
+ user.destroy().then(function () {
+ res.redirect(config.serverURL + '/')
+ })
+ } else {
+ return response.errorForbidden(res)
+ }
}).catch(function (err) {
logger.error('delete user failed: ' + err)
return response.errorInternalError(res)
})
} else {
- res.send({
- status: 'forbidden'
- })
+ return response.errorForbidden(res)
}
})
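Review bot: The check `user.deleteToken === req.params.token` can pass without any token being supplied: the route declares `:token?` as optional, so `req.params.token` is `undefined` for a plain `/me/delete` request, and the comparison succeeds if `user.deleteToken` is also `undefined` for that row (whether it can be is not visible from this hunk). Require a present token before comparing, e.g. `if (typeof req.params.token === 'string' && user.deleteToken && user.deleteToken === req.params.token) {`, and consider a constant-time comparison such as `crypto.timingSafeEqual` over equal-length buffers, since the token is a secret. The inner `user.destroy().then(...)` is not returned, so a rejected destroy never reaches the `.catch` below and the request gets no response; `return user.destroy().then(function () {` chains it. Because the deletion is still a GET with the token in the path, the token will also appear in access logs, browser history and Referer headers, which deserves at least a comment on the route.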