added a password field before account closure

app/controllers/users_controller.rb

@@ -80,11 +80,15 @@ class UsersController < ApplicationController
   end
 
   def destroy
-    Resque.enqueue(Jobs::DeleteAccount, current_user.id)
-    current_user.lock_access!
-    sign_out current_user
-    flash[:notice] = I18n.t 'users.destroy'
-    redirect_to root_path
+    if params[:user][:current_password] && current_user.valid_password?(params[:user][:current_password])
+      Resque.enqueue(Jobs::DeleteAccount, current_user.id)
+      current_user.lock_access!
+      sign_out current_user
+      flash[:notice] = I18n.t 'users.destroy'
+      redirect_to root_path
+    else
+      redirect_to :back
+    end
   end
 
   def public

app/views/users/edit.html.haml

@@ -166,6 +166,11 @@
   .span-5.last
     %h3 
       = t('.close_account')
-    = link_to t('.close_account'), user_path,
-      :confirm => t('are_you_sure'), :method => :delete,
-        :class => "button"
+    = form_for 'user', :url => user_path, :html => { :method => :delete } do |f|
+      = f.error_messages
+
+      %p
+        = f.label :current_password, t('.current_password')
+        = f.password_field :current_password
+      %p
+        = f.submit t('.close_account'), :confirm => t('are_you_sure')

spec/controllers/users_controller_spec.rb

@@ -187,13 +187,18 @@ describe UsersController do
   end
 
   describe '#destroy' do
+    it 'does nothing if the password does not match' do
+      Resque.should_not_receive(:enqueue)
+      delete :destroy, :password => "stuff"
+    end
+
     it 'enqueues a delete job' do
       Resque.should_receive(:enqueue).with(Jobs::DeleteAccount, alice.id)
-      delete :destroy
+      delete :destroy, :password => "bluepin7"
     end
 
     it 'locks the user out' do
-      delete :destroy
+      delete :destroy, :password => "bluepin7"
       alice.reload.access_locked?.should be_true
     end
   end