closes #6412

public/language/en-GB/user.json

@@ -13,7 +13,7 @@
 	"ban_account_confirm": "Do you really want to ban this user?",
 	"unban_account": "Unban Account",
 	"delete_account": "Delete Account",
-	"delete_account_confirm": "Are you sure you want to delete your account? <br /><strong>This action is irreversible and you will not be able to recover any of your data</strong><br /><br />Enter your username to confirm that you wish to destroy this account.",
+	"delete_account_confirm": "Are you sure you want to delete your account? <br /><strong>This action is irreversible and you will not be able to recover any of your data</strong><br /><br />Enter your password to confirm that you wish to destroy this account.",
 	"delete_this_account_confirm": "Are you sure you want to delete this account? <br /><strong>This action is irreversible and you will not be able to recover any data</strong><br /><br />",
 	"account-deleted": "Account deleted",
 

public/src/client/account/edit.js

@@ -158,22 +158,45 @@ define('forum/account/edit', ['forum/account/header', 'translator', 'components'
 	function handleAccountDelete() {
 		$('#deleteAccountBtn').on('click', function () {
 			translator.translate('[[user:delete_account_confirm]]', function (translated) {
-				var modal = bootbox.confirm(translated + '<p><input type="text" class="form-control" id="confirm-username" /></p>', function (confirm) {
+				var modal = bootbox.confirm(translated + '<p><input type="password" class="form-control" id="confirm-password" /></p>', function (confirm) {
 					if (!confirm) {
 						return;
 					}
 
-					if ($('#confirm-username').val() !== app.user.username) {
-						app.alertError('[[error:invalid-username]]');
-						return false;
-					}
-					socket.emit('user.deleteAccount', {}, function (err) {
-						if (err) {
-							return app.alertError(err.message);
+					var confirmBtn = modal.find('.btn-primary');
+					confirmBtn.html('<i class="fa fa-spinner fa-spin"></i>');
+					confirmBtn.prop('disabled', true);
+
+					socket.emit('user.checkPassword', {
+						uid: parseInt(ajaxify.data.uid, 10),
+						password: $('#confirm-password').val(),
+					}, function (err, ok) {
+						function restoreButton() {
+							translator.translate('[[modules:bootbox.confirm]]', function (confirmText) {
+								confirmBtn.text(confirmText);
+								confirmBtn.prop('disabled', false);
+							});
 						}
 
-						window.location.href = config.relative_path + '/';
+						if (err) {
+							restoreButton();
+							return app.alertError(err.message);
+						} else if (!ok) {
+							restoreButton();
+							return app.alertError('[[error:invalid-password]]');
+						}
+
+						confirmBtn.html('<i class="fa fa-check"></i>');
+						socket.emit('user.deleteAccount', {}, function (err) {
+							if (err) {
+								return app.alertError(err.message);
+							}
+
+							window.location.href = config.relative_path + '/';
+						});
 					});
+
+					return false;
 				});
 
 				modal.on('shown.bs.modal', function () {

src/socket.io/user/profile.js

@@ -103,6 +103,13 @@ module.exports = function (SocketUser) {
 		], callback);
 	}
 
+	SocketUser.checkPassword = function (socket, data, callback) {
+		isPrivilegedOrSelfAndPasswordMatch(socket.uid, data, function (err) {
+			// Return a bool (without delayed response to prevent brute-force checking of password validity)
+			setTimeout(callback.bind(null, null, !err), 1000);
+		});
+	};
+
 	SocketUser.changePassword = function (socket, data, callback) {
 		if (!socket.uid) {
 			return callback(new Error('[[error:invalid-uid]]'));