Require password for account deletion by default

[mnlse]

Current behavior

Devise requires current password in order to change account, but does not require current password for account deletion.

Expected behavior

Devise should require current password in order to delete account.

Manual solution

def destroy
  if resource.destroy_with_password(params[:user][:current_password])
    flash[:notice] = "Your account has been deleted"
    redirect_to root_path    
  else                       
    flash[:alert] = "Wrong password"
    render :edit, layout: 'application'                                                 
  end  
end

[tegon]

I'm ok with supporting this feature, but we can't require it by default since it isn't backward compatible.
We can add a setting and then check for it in the destroy method.
@mnlse If you're willing to open a pull request for this, we'd be happy to accept it.

Thanks!

[iorme1]

I'll be working on a PR for this.

[iorme1]

I finished the feature and submitted a PR.

[lancecarlson]

@tegon @iorme1 This looks good to me. If you want this to default to off, I would make the generated config commented out and assigned to true. If you want this to default to on, then I would leave the config uncommented, but change its value to true.

[collimarco]

I am really interested in this feature. It doesn't make sense that a user cannot change the email, but can destroy the account without password!

Can you merge the PR?

[tegon]

@collimarco The PR still needs some fixes, that's why I haven't merged yet.