From b99440ea7543142b736a8282fa89606027613114 Mon Sep 17 00:00:00 2001
From: hyzen <hyzen@disroot.org>
Date: Fri, 19 Jun 2026 16:25:40 +0200
Subject: [PATCH] Fix: too many otp requests when deleting user and
 re-registering

---
 admin.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/admin.php b/admin.php
index 7201713..fbfbbc1 100644
--- a/admin.php
+++ b/admin.php
@@ -139,7 +139,7 @@ if ($user_id === 0) {
 $pdo = db_connect();
 
 // Prevent admin from acting on themselves
-$stmt = $pdo->prepare('SELECT username FROM users WHERE id = :id LIMIT 1');
+$stmt = $pdo->prepare('SELECT username, email FROM users WHERE id = :id LIMIT 1');
 $stmt->execute([':id' => $user_id]);
 $target = $stmt->fetch();
 if (!$target) {
@@ -202,6 +202,12 @@ if ($action === 'delete_user') {
 
     $pdo->prepare('DELETE FROM users WHERE id = :id')
         ->execute([':id' => $user_id]);
+
+    // Clear OTP history for this email so re-signing-up doesn't hit the
+    // daily OTP request limit because of OTPs sent before deletion.
+    $pdo->prepare('DELETE FROM email_otps WHERE email = :e')
+        ->execute([':e' => $target['email']]);
+
     json_out(['success' => true]);
 }