Contributor

@NicolasGorga NicolasGorga commented Nov 4, 2025

Summary

What — What changes are introduced in this PR?

Allow users to delete other users and prevent them from deleting themselves.

Why — Why are these changes relevant or necessary?

The inability to delete other users means that old users who may no longer work with the business still have access.

How — How have these changes been implemented?

Inverted the check in the admin delete user endpoint, to allow users to delete other users but not themselves.

Testing — How have these changes been tested, or how can the reviewer test the feature?

Integration tests


Examples

Provide examples or code snippets that demonstrate how this feature works, or how it can be used in practice.
This helps with documentation and ensures maintainers can quickly understand and verify the change.

// Example usage

Checklist

Please ensure the following before requesting a review:

  • I have added a changeset for this PR
    • Every non-breaking change should be marked as a patch
    • To add a changeset, run yarn changeset and follow the prompts
  • The changes are covered by relevant tests
  • I have verified the code works as intended locally
  • I have linked the related issue(s) if applicable

Additional Context

Add any additional context, related issues, or references that might help the reviewer understand this PR.

closes OPS-97


Note

Enables deleting other users via admin DELETE endpoint while blocking self-deletion, with corresponding integration tests and changeset.

  • Backend
    • Update DELETE /admin/users/:id in packages/medusa/src/api/admin/users/[id]/route.ts:
      • Disallow self-deletion when actor_id === id with NOT_ALLOWED error.
      • Execute removeUserAccountWorkflow and return standard delete response.
  • Tests
    • Expand integration-tests/http/__tests__/user/admin/user.spec.ts:
      • Create a second admin user; delete it and verify auth identity app_metadata no longer includes user_id.
      • Confirm token still authenticates but access is revoked (401 on /admin/users/me).
      • Assert self-deletion returns 400 with message "A user cannot delete itself".
  • Changeset
    • Add .changeset/dull-plants-create.md (patch for @medusajs/medusa).

Written by Cursor Bugbot for commit f1f8252. This will update automatically on new commits. Configure here.

@NicolasGorga NicolasGorga requested a review from a team as a code owner November 4, 2025 19:26

vercel bot commented Nov 4, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

8 Skipped Deployments
Project Deployment Preview Comments Updated (UTC)
api-reference Ignored Ignored Nov 7, 2025 9:14am
api-reference-v2 Ignored Ignored Preview Nov 7, 2025 9:14am
cloud-docs Ignored Ignored Preview Nov 7, 2025 9:14am
docs-ui Ignored Ignored Preview Nov 7, 2025 9:14am
docs-v2 Ignored Ignored Preview Nov 7, 2025 9:14am
medusa-docs Ignored Ignored Preview Nov 7, 2025 9:14am
resources-docs Ignored Ignored Preview Nov 7, 2025 9:14am
user-guide Ignored Ignored Preview Nov 7, 2025 9:14am


changeset-bot bot commented Nov 4, 2025

🦋 Changeset detected

Latest commit: f1f8252

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 74 packages
Name Type
@medusajs/medusa Patch
@medusajs/test-utils Patch
@medusajs/medusa-oas-cli Patch
integration-tests-http Patch
@medusajs/analytics Patch
@medusajs/api-key Patch
@medusajs/auth Patch
@medusajs/caching Patch
@medusajs/cart Patch
@medusajs/currency Patch
@medusajs/customer Patch
@medusajs/file Patch
@medusajs/fulfillment Patch
@medusajs/index Patch
@medusajs/inventory Patch
@medusajs/link-modules Patch
@medusajs/locking Patch
@medusajs/notification Patch
@medusajs/order Patch
@medusajs/payment Patch
@medusajs/pricing Patch
@medusajs/product Patch
@medusajs/promotion Patch
@medusajs/region Patch
@medusajs/sales-channel Patch
@medusajs/settings Patch
@medusajs/stock-location Patch
@medusajs/store Patch
@medusajs/tax Patch
@medusajs/user Patch
@medusajs/workflow-engine-inmemory Patch
@medusajs/workflow-engine-redis Patch
@medusajs/draft-order Patch
@medusajs/oas-github-ci Patch
@medusajs/cache-inmemory Patch
@medusajs/cache-redis Patch
@medusajs/event-bus-local Patch
@medusajs/event-bus-redis Patch
@medusajs/analytics-local Patch
@medusajs/analytics-posthog Patch
@medusajs/auth-emailpass Patch
@medusajs/auth-github Patch
@medusajs/auth-google Patch
@medusajs/caching-redis Patch
@medusajs/file-local Patch
@medusajs/file-s3 Patch
@medusajs/fulfillment-manual Patch
@medusajs/locking-postgres Patch
@medusajs/locking-redis Patch
@medusajs/notification-local Patch
@medusajs/notification-sendgrid Patch
@medusajs/payment-stripe Patch
@medusajs/core-flows Patch
@medusajs/framework Patch
@medusajs/js-sdk Patch
@medusajs/modules-sdk Patch
@medusajs/orchestration Patch
@medusajs/types Patch
@medusajs/utils Patch
@medusajs/workflows-sdk Patch
@medusajs/cli Patch
@medusajs/deps Patch
@medusajs/telemetry Patch
@medusajs/admin-bundler Patch
@medusajs/admin-sdk Patch
@medusajs/admin-shared Patch
@medusajs/admin-vite-plugin Patch
@medusajs/dashboard Patch
@medusajs/icons Patch
@medusajs/toolbox Patch
@medusajs/ui-preset Patch
create-medusa-app Patch
medusa-dev-cli Patch
@medusajs/ui Patch

cursor[bot]

This comment was marked as outdated.

throw new MedusaError(
MedusaError.Types.NOT_ALLOWED,
"You are not allowed to delete other users"
"You can't delete yourself"

Bug: Unauthenticated Deletion Privilege via Misconfigured Endpoint

The DELETE endpoint has AUTHENTICATE = false which allows unauthenticated requests. When actor_id is undefined (no authentication), the check if (actor_id === id) will always be false, allowing the deletion to proceed. This means an unauthenticated attacker could delete any user by making a DELETE request without credentials. The endpoint should either require authentication or explicitly check that actor_id is defined before performing the comparison.
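
The failure mode this comment describes, replayed against an in-memory user store as an added example (not part of the comment or the Medusa code base; the handler names, user ids and the 401 response are assumptions):

```typescript
// Added illustration; every name here is hypothetical, not Medusa's code.
type AuthContext = { actor_id?: string }
type Result = { status: number; message?: string }

// Guard as the comment describes it: only the self-deletion comparison.
function deleteAsDescribed(users: Set<string>, auth: AuthContext, id: string): Result {
  if (auth.actor_id === id) {
    return { status: 400, message: "A user cannot delete itself" }
  }
  users.delete(id) // also reached when actor_id is undefined
  return { status: 200 }
}

// Fail-closed variant: a missing actor is rejected before any comparison.
function deleteFailClosed(users: Set<string>, auth: AuthContext, id: string): Result {
  if (!auth.actor_id) {
    return { status: 401, message: "Unauthorized" }
  }
  if (auth.actor_id === id) {
    return { status: 400, message: "A user cannot delete itself" }
  }
  users.delete(id)
  return { status: 200 }
}

type Handler = (users: Set<string>, auth: AuthContext, id: string) => Result

// Constructed requests: [auth context, :id path parameter].
const requests: Array<[AuthContext, string]> = [
  [{ actor_id: "user_admin" }, "user_admin"], // self-deletion
  [{}, "user_old"], // no credentials
  [{ actor_id: "user_admin" }, "user_former"], // admin removes a former user
]

// Replays the requests against a fresh store; returns statuses and survivors.
function replay(handler: Handler): { statuses: number[]; remaining: string[] } {
  const users = new Set<string>(["user_admin", "user_old", "user_former"])
  const statuses = requests.map(([auth, id]) => handler(users, auth, id).status)
  return { statuses, remaining: Array.from(users).sort() }
}

console.log("as described:", JSON.stringify(replay(deleteAsDescribed)))
console.log("fail closed: ", JSON.stringify(replay(deleteFailClosed)))
```

With the comparison alone, the request without credentials returns 200 and `user_old` is gone; the fail-closed variant answers 401 and the user remains.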

Contributor

@willbouch willbouch left a comment

LGTM

@willbouch
Contributor

@olivermrbl was approved on Slack but I'll let you merge that one still

@@ -0,0 +1,6 @@
---
"integration-tests-http": patch
Member

Todo: you can rm integration tests from here

"@medusajs/medusa": patch
---

Allow users to delete other users and prevent them from deleting themselves
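
Review bot: the summary line of this changeset says what users can now do but not where it applies, and it will be read in the changelog without the diff. This change reverses an authorization rule (the message it replaces in the route is "You are not allowed to delete other users"), so name the endpoint, DELETE /admin/users/:id, in the summary so operators scanning the release notes can spot the permission change.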
Member

suggestion: PR title, this will also show up in the changelog

throw new MedusaError(
MedusaError.Types.NOT_ALLOWED,
"You are not allowed to delete other users"
"You can't delete yourself"
Member

Suggested change
"You can't delete yourself"
"A user cannot delete itself"

throw new MedusaError(
MedusaError.Types.NOT_ALLOWED,
"You are not allowed to delete other users"
"A user cannot delete itself"
Contributor

@willbouch willbouch Nov 5, 2025

nit: "cannot delete themself". Itself is for objects and themself here is a gender-neutral pronoun that replaces "herself" or "himself"

@kodiakhq kodiakhq bot merged commit 6b4f2c1 into develop Nov 7, 2025
37 checks passed
@kodiakhq kodiakhq bot deleted the feat/allow-users-deletion branch November 7, 2025 09:24

5 participants