NO_STORY do extra check when unlinking user from identity

bwreg-service/src/main/java/edu/kit/scc/webreg/service/UserDeleteService.java

@@ -7,6 +7,6 @@ public interface UserDeleteService {
 
 	void deleteUserData(IdentityEntity identity, String executor);
 
-	void unlinkAndDeleteAccount(UserEntity user, String executor);
+	void unlinkAndDeleteAccount(UserEntity user, IdentityEntity checkIdentity, String executor);
 
 }

bwreg-service/src/main/java/edu/kit/scc/webreg/service/impl/UserDeleteServiceImpl.java

@@ -116,8 +116,13 @@ public class UserDeleteServiceImpl implements UserDeleteService {
 	private EventSubmitter eventSubmitter;
 
 	@Override
-	public void unlinkAndDeleteAccount(UserEntity user, String executor) {
+	public void unlinkAndDeleteAccount(UserEntity user, IdentityEntity checkIdentity, String executor) {
 		user = userDao.fetch(user.getId());
+
+		if (! user.getIdentity().equals(checkIdentity)) {
+			throw new IllegalArgumentException("check identity");
+		}
+
 		IdentityEntity identity = user.getIdentity();
 		logger.info("Unlink and delete user account {} from identity {}", user.getId(), identity.getId());
 

bwreg-webapp/src/main/java/edu/kit/scc/webreg/bean/UnlinkAndDeleteAccountBean.java

@@ -14,12 +14,6 @@ import java.io.IOException;
 import java.io.Serializable;
 import java.util.List;
 
-import jakarta.faces.context.FacesContext;
-import jakarta.faces.event.ComponentSystemEvent;
-import jakarta.faces.view.ViewScoped;
-import jakarta.inject.Inject;
-import jakarta.inject.Named;
-
 import org.slf4j.Logger;
 
 import edu.kit.scc.webreg.entity.RegistryEntity;
@@ -32,6 +26,11 @@ import edu.kit.scc.webreg.service.UserService;
 import edu.kit.scc.webreg.service.identity.IdentityService;
 import edu.kit.scc.webreg.session.SessionManager;
 import edu.kit.scc.webreg.util.ViewIds;
+import jakarta.faces.context.FacesContext;
+import jakarta.faces.event.ComponentSystemEvent;
+import jakarta.faces.view.ViewScoped;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
 
 @Named
 @ViewScoped
@@ -71,7 +70,7 @@ public class UnlinkAndDeleteAccountBean implements Serializable {
 	}
 
 	public String commit() {
-		userDeleteService.unlinkAndDeleteAccount(getUser(), "identity-" + getIdentity().getId());
+		userDeleteService.unlinkAndDeleteAccount(getUser(), getIdentity(), "identity-" + getIdentity().getId());
 		try {
 			FacesContext.getCurrentInstance().getExternalContext().redirect("/logout/local?redirect=unlink_and_delete_account");
 		} catch (IOException e) {
@@ -81,8 +80,12 @@ public class UnlinkAndDeleteAccountBean implements Serializable {
 	}
 
 	public UserEntity getUser() { 
-		if (user == null)
+		if (user == null) {
 			user = userService.fetch(id);
+			if (! user.getIdentity().equals(getIdentity())) {
+				throw new IllegalArgumentException("not authorized");
+			}
+		}
 		return user;
 	}