
fix(#259): Add authorization checks to delete_user() #272

Closed

DogukanUrker wants to merge 4 commits into main from fix/259-delete-user-auth


Conversation

DogukanUrker (Owner) commented Jun 27, 2026

Summary

Implements the authorization matrix defined in issue #259 and the unified plan in the comments.

fixes #259

Changes

Core: app/utils/delete.py

  • Gate 1 — Authorization: Non-admin users can only delete their own account. Admins can delete any non-admin user. Unauthorized attempts are logged and return False.
  • Gate 2 — Last-admin guard: Admin count can never drop to zero. If deleting an admin would leave zero admins, the operation is blocked regardless of caller.
  • Return type: Changed from redirect() to bool (matching delete_post/delete_comment pattern).
  • Session cleanup: Moved inside the function — clears session on self-deletion, returns redirect URL.

Callers updated

  • app/routes/admin_panel_users.py — passes session["username"] as perpetrator, logs rejections
  • app/routes/account_settings.py — passes session["username"], handles bool return

Translations (all 12 files)

  • Added flash.delete.not_authorized key
  • Added flash.delete.last_admin key

Tests (tests/e2e/auth/test_delete_user_auth.py)

Covers the full authorization matrix:

  1. Admin deletes non-admin ✓
  2. Admin deletes other admin (>=2 admins remain) ✓
  3. Admin cannot delete last admin ✓
  4. Non-admin cannot delete other user (forged request) ✓
  5. Non-admin can delete own account ✓

Authorization Matrix

| Caller | Target | Allowed? |
|---|---|---|
| Admin | non-admin | yes |
| Admin | other admin, >=2 admins | yes |
| Admin | other admin, only 1 left | no |
| Admin (self) | self, >=2 admins | yes |
| Admin (self) | self, last admin | no |
| User | self | yes |
| User | anyone else | no |
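The two gates and the matrix above, written out as an added Python example; this is not the project's app/utils/delete.py (which is not shown on this page). The in-memory USERS store, the `check_delete_allowed` helper and the reason keys it returns are assumptions made for the example.

```python
"""Two-gate authorization for deleting a user account (added example)."""
from __future__ import annotations

import logging

log = logging.getLogger("delete_user_example")

# Constructed sample store: username -> role ("admin" or "user").
USERS: dict[str, str] = {
    "alice": "admin",
    "bob": "admin",
    "carol": "user",
    "dave": "user",
}


def admin_count(users: dict[str, str]) -> int:
    return sum(1 for role in users.values() if role == "admin")


def check_delete_allowed(perpetrator: str, target: str, users: dict[str, str]) -> tuple[bool, str]:
    """Evaluate both gates without mutating the store.

    Returns (allowed, reason). The reason strings mirror the flash keys this
    PR adds; "ok" is a placeholder for the success path.
    """
    if perpetrator not in users or target not in users:
        return False, "flash.delete.not_authorized"

    # Gate 1: a non-admin may delete only their own account; an admin may
    # delete any non-admin, or another admin subject to Gate 2.
    if users[perpetrator] != "admin" and perpetrator != target:
        return False, "flash.delete.not_authorized"

    # Gate 2: the admin count must never drop to zero, regardless of caller.
    if users[target] == "admin" and admin_count(users) <= 1:
        return False, "flash.delete.last_admin"

    return True, "ok"


def delete_user(perpetrator: str, target: str, users: dict[str, str] = USERS) -> bool:
    """Log and reject unauthorized attempts (return False); delete on success."""
    allowed, reason = check_delete_allowed(perpetrator, target, users)
    if not allowed:
        log.warning("delete_user rejected: %s -> %s (%s)", perpetrator, target, reason)
        return False
    del users[target]
    return True
```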

@DogukanUrker DogukanUrker added the security Security-related issues label Jun 27, 2026
coderabbitai (bot) commented Jun 27, 2026

Warning

Review limit reached

@DogukanUrker, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 24 minutes and 31 seconds. Learn how PR review limits work.



ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d0f7847f-ff22-49d0-a6e4-02383ddf7e5f

📥 Commits

Reviewing files that changed from the base of the PR and between 0d112bc and 6d1a77a.

📒 Files selected for processing (16)
  • app/routes/account_settings.py
  • app/routes/admin_panel_users.py
  • app/translations/de.json
  • app/translations/en.json
  • app/translations/es.json
  • app/translations/fr.json
  • app/translations/hi.json
  • app/translations/ja.json
  • app/translations/pl.json
  • app/translations/pt.json
  • app/translations/ru.json
  • app/translations/tr.json
  • app/translations/uk.json
  • app/translations/zh.json
  • app/utils/delete.py
  • tests/e2e/auth/test_delete_user_auth.py

- Add Gate 1: Authorization check (non-admin can only delete own account)
- Add Gate 2: Last-admin guard (prevent admin count from dropping to zero)
- Update callers to pass session["username"] as perpetrator
- Add translation keys: not_authorized, last_admin (all 12 languages)
- Add E2E tests covering authorization matrix
- de: Sie sind nicht berechtigt, diesen Benutzer zu löschen
- es: No tiene autorización para eliminar este usuario
- fr: Vous n'êtes pas autorisé à supprimer cet utilisateur
- hi: आप इस उपयोगकर्ता को हटाने के लिए अनुमतित नहीं हैं
- ja: このユーザーを削除する権限がありません
- pl: Nie masz uprawnień do usunięcia tego użytkownika
- pt: Você não está autorizado a excluir este usuário
- ru: У вас нет прав для удаления этого пользователя
- tr: Bu kullanıcıyı silme yetkiniz yok
- uk: У вас немає прав для видалення цього користувача
- zh: 您沒有權限刪除此用戶
@DogukanUrker DogukanUrker force-pushed the fix/259-delete-user-auth branch from 409c8c4 to 6d1a77a Compare June 27, 2026 22:42
@DogukanUrker DogukanUrker self-assigned this Jun 28, 2026
@DogukanUrker DogukanUrker deleted the fix/259-delete-user-auth branch June 28, 2026 08:05

Labels: security (Security-related issues), size/L

Development: successfully merging this pull request may close issue "CRITICAL: Add authorization checks to delete_user() function".