Bug: Deleting a member user destroys the entire account and workspace
Summary
When a user deletes their profile via Settings → Delete Account, the ProfileController@destroy method explicitly calls $account->delete(). Because all users created through the invite flow share the same account_id as the workspace owner, this deletes the shared account and cascades to destroy all workspaces, posts, social accounts, and all associated data for the entire organization.
Steps to reproduce
- Register as account owner (e.g. owner@example.com) and set up a workspace
- Invite a team member (e.g. member@example.com) via the dashboard
- Member completes registration — TryPost assigns them the same account_id as the owner
- Member goes to Settings → Delete Account and confirms deletion
- Expected: Only the member's user record is removed, they are detached from the workspace, owner's account and workspace are unaffected
- Actual: The shared account is deleted, cascading to delete all workspaces, posts, social accounts, signatures, labels — the entire organization's data is wiped
Root cause
ProfileController@destroy always calls $account->delete() regardless of whether the user is the account owner or a regular member. Since invited members are assigned the owner's account_id during registration, any member can accidentally destroy the entire organization by deleting their own profile.
Relevant code in app/Http/Controllers/App/Settings/ProfileController.php:
    if ($account) {
        $account->delete(); // This should only run if $user->isAccountOwner()
    }
Suggested fix
Only delete the account if the user is the account owner:
    if ($account && $user->isAccountOwner()) {
        $account->delete();
    }
For non-owner members, the destroy method should only:
- Detach the user from all workspaces
- Set current_workspace_id to null
- Delete the user record
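The following is an added, illustrative version of a hardened destroy method that implements the owner/member split described above. It is not TryPost's own code: it assumes the User model has a belongsTo account() relation, a belongsToMany workspaces() relation with a pivot table, a current_workspace_id column, and the isAccountOwner() method named in this report; the route, form error bag and redirect target are also assumptions.

```php
<?php
// Added example, not TryPost's actual controller.
// Assumed: User::account() (belongsTo), User::workspaces() (belongsToMany),
// a current_workspace_id column, and User::isAccountOwner() as named in the report.

namespace App\Http\Controllers\App\Settings;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;

class ProfileController extends Controller
{
    public function destroy(Request $request): RedirectResponse
    {
        // Re-verify the password server-side; the client-side confirm dialog is not a control.
        $request->validateWithBag('userDeletion', [
            'password' => ['required', 'current_password'],
        ]);

        $user = $request->user();
        $account = $user->account; // assumed belongsTo relation

        DB::transaction(function () use ($user, $account): void {
            if ($account && $user->isAccountOwner()) {
                // Owner path: removing the organization is the intended, audited action.
                Log::warning('Account deleted by its owner', [
                    'account_id' => $account->id,
                    'user_id'    => $user->id,
                ]);
                $account->delete();
                return;
            }

            // Member path: remove only this user's own footprint and never touch the account.
            $user->workspaces()->detach();                              // assumed pivot relation
            $user->forceFill(['current_workspace_id' => null])->save();
            $user->delete();

            Log::info('Member removed own profile', [
                'user_id'    => $user->id,
                'account_id' => $account?->id,
            ]);
        });

        // Invalidate the session regardless of which path ran.
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

The transaction keeps the detach, column reset and user delete atomic, so a failure partway through cannot leave a dangling user still attached to workspaces. The two log lines give operators a distinguishable audit event for the destructive owner path versus the routine member path.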
Environment
- Self-hosted, MySQL 8.0.45, PHP 8.4, Ubuntu 24.04
- TryPost latest main branch as of May 2026
- Reproduced twice
Impact
Critical — any team member can permanently destroy the entire organization's account, workspaces, and all social media content by simply deleting their own profile. No confirmation beyond their own password is required. All data loss is irreversible.