fix: Added feature toggle check for account deletion API (#32846) (#3…

…3062) --------- Co-authored-by: Edward Zarecor <[email protected]>
openedx · Dec 4, 2023 · e78e6d3 · e78e6d3
1 parent 0650b4f
commit e78e6d3
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/openedx/core/djangoapps/user_api/accounts/views.py b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -59,6 +59,7 @@
 from openedx.core.djangoapps.credit.models import CreditRequest, CreditRequirementStatus
 from openedx.core.djangoapps.lang_pref import LANGUAGE_KEY
 from openedx.core.djangoapps.profile_images.images import remove_profile_images
+from openedx.core.djangoapps.site_configuration import helpers as configuration_helpers
 from openedx.core.djangoapps.user_api import accounts
 from openedx.core.djangoapps.user_api.accounts.image_helpers import get_profile_image_names, set_has_profile_image
 from openedx.core.djangoapps.user_api.accounts.utils import handle_retirement_cancellation
@@ -572,6 +573,15 @@ def post(self, request):
         Marks the user as having no password set for deactivation purposes,
         and logs the user out.
         """
+
+        # Ensure the account deletion is not disable
+        enable_account_deletion = configuration_helpers.get_value(
+            'ENABLE_ACCOUNT_DELETION', settings.FEATURES.get('ENABLE_ACCOUNT_DELETION', False)
+        )
+
+        if not enable_account_deletion:
+            return Response(status=status.HTTP_403_FORBIDDEN)
+
         user_model = get_user_model()
         try:
             # Get the username from the request and check that it exists